United States: Data Protection Laws of the World Handbook: Second Edition - United States

E-Commerce And Privacy Alert


The United States has about 20 sector specific or medium specific national privacy or data security laws, and hundreds of such laws among its 50 states. (California alone has more than 25 state privacy and data security laws). These laws address particular problems or industries. They are too diverse to summarize fully in this volume

In addition, the large range of companies regulated by the Federal Trade Commission ("FTC") are subject to enforcement if they engage in materially unfair or deceptive trade practices. The FTC has used this authority to pursue companies that fail to implement minimal data security measures or fail to live up to promises in privacy policies.


Varies widely by regulation.


Varies widely by regulation.


No official national authority. However, the FTC has jurisdiction over most commercial entities and has authority to issue and enforce privacy regulations in specific areas (e.g. for telemarketing, spamming, and children's privacy). The FTC uses its general authority to prevent unfair and deceptive trade practices to bring enforcement actions against inadequate data security measures, and inadequately disclosed information collection, use and disclosure practices. State Attorneys General typically have similar authority and bring some enforcement actions.

In addition, a wide range of sector regulators, particularly those in the health care and financial services sectors, have authority to issue and enforce privacy regulations.


There is no requirement to register databases.


With the exception of entities regulated by HIPAA, there is no requirement to appoint a data protection officer, although appointment of a chief privacy officer and an IT security officer is a best practice among larger organisations.


US privacy laws and self-regulatory principles vary widely, but generally require pre-collection notice and an opt out for use and disclosure of regulated personal information.

Opt in rules apply in special cases involving information that is considered sensitive under US law, such as for health information, use of credit reports, personal information collected online from children under 13 (see below for the scope of this requirement), video viewing choices, and telecommunication usage information. The FTC interprets as a "deceptive trade practice" failing to obtain opt in consent if a company engages in materially different uses or discloses personal information not disclosed in the privacy policy under which personal information was collected.

States impose a wide range of specific requirements, particularly in the employee privacy area.

The US regulates marketing communications extensively, including telemarketing, fax marketing and email marketing (which is discussed below).


No geographic transfer restrictions apply in the US, except with regard to accountants transferring tax preparation materials. The Commerce Clause likely bars US states from imposing data transfer restrictions and there are no other such restrictions in US national laws.

By contrast, some European data protection authorities take the position that personal data transferred to the United States under the US EU Safe Harbor principles may not be transferred outside the US without another valid legal basis.


Most US businesses are required to take reasonable technical, physical and organizational measures to protect the security of sensitive personal information (e.g. health or financial information, telecommunications usage information, or information that would require security breach notification). A few states have enacted laws imposing more specific security requirements for data elements that trigger security breach notice requirements. For example, Massachusetts has enacted regulations, which apply to any company that collects or maintains sensitive personal information on Massachusetts resident. Among other things, the Massachusetts regulations require regulated entities to have a comprehensive, written information security program; the regulations also set forth the minimum components of such program. HIPAA regulated entities have much more extensive data security requirements, and some states impose further security requirements (e.g. for payment card data, for social security numbers, or to employ secure data destruction methods). HIPAA security regulations apply to so-called "covered entities" such as doctors, hospitals, insurers, pharmacies and other health-care providers, as well as their "business associates" which include service providers who have access to, process, store or maintain any protected health information on behalf of a covered entity.


Security breach notification requirements are a US invention. 46 US states and most US territories require notifying state residents of a security breach involving residents' name plus a sensitive data element – typically, social security number, other government ID number, or credit card or account number in combination with any security code or password that would permit access to a financial account. Notice of larger breaches is typically required to be provided to credit bureaus, and in minority of states, to State Attorneys Generals, and in rare cases to other state officials. National laws require notification in the case of breaches of health care information, breaches of information from financial institutions, and breaches of government agency information.


Violations are generally enforced by the FTC, State Attorneys General, or the regulator for the industry sector in question. Civil penalties are generally significant. In addition, some privacy laws (for example, credit reporting privacy laws, electronic communications privacy laws, video privacy laws, call recording laws, cable communications privacy laws) are enforced through class action lawsuits for significant statutory damages and attorney's fees, and defendants can be sued for actual damages for negligence in mishandling personal information such as payment card data.


The US regulates marketing communications extensively, including email and text message marketing, as well as telemarketing and fax marketing.

E-mail: The CAN-SPAM Act is a federal law that applies labelling and opt-out requirements to all commercial email messages. CAN-SPAM generally allows a company to send commercial emails to any recipient, provided the recipient has not opted out of receiving such emails from the sender, the email identifies the sender and the sender's contact information, and the email contains instructions on how the recipient can easily and without cost opt out of future commercial emails from the sender. Not only the FTC and State Attorneys General, but also ISPs and corporate email systems can sue violators. Furthermore, knowingly falsifying the origin or routing of a commercial email message is a federal crime.

Text Messages: Federal and state regulations apply to the sending of marketing text messages to individuals. Generally, express, opt-in consent is necessary to send marketing text messages and applicable regulations also specify the form of consent.

Telemarketing: In general, federal law applies to most telemarketing calls and programs, and a state's telemarketing law will apply to telemarketing calls placed to or from within that particular state. As a result, most telemarketing calls are governed by federal law, as well as the law of one or more states. Telemarketing rules vary by state, and address many different aspects of telemarketing. For example, national ("federal") and state rules address calling time restrictions, honouring do-not-call registries and opt-out requests, mandatory disclosures to be made during the call, requirements for completing a sale, executing a contract or collecting payment during the call, restrictions on the use of auto-dialers and pre-recorded messages, and record keeping requirements. Many states also require telemarketers to register or obtain a license to place telemarketing calls.

Callers generally must scrub their calling lists against both a national and multiple state do-notcall registries, as it is prohibited to place a telemarketing call to a number listed in a do-not call registry unless a specific exemption applies. The national do-not-call rules (and several state rules), for example, exempt calls to existing business customers who have purchased a product or service in the last 18 months from the company on whose behalf the call is placed, as long as the customer has not specifically opted out of receiving telemarketing calls from the company. The use of auto-dialers to send pre-recorded messages generally requires affirmative opt-in consent of the recipient.

Fax Marketing: Federal law and regulations generally prohibit the sending of unsolicited advertising by fax without prior, express consent. Violations of the law are subject to civil actions and have been the subject of numerous class action lawsuits. The law exempts faxes to recipients that have an established business relationship with the company on whose behalf the fax is sent, as long as the recipient hasn't opted out of receiving fax advertisements and has provided their fax number "voluntarily," a concept which the law specifically defines. The law also requires that each fax advertisement contain specific information, including (i) a "clear and conspicuous" opt out method on the first page of the fax; (ii) a statement that the recipient may make a request to the sender not to send any future faxes and that failure to comply with the request within 30 days is unlawful; and (iii) a telephone number, fax number, and cost-free mechanism to opt-out of faxes, which permit consumers to make opt-out requests 24 hours a day, seven days a week.


Cookies: There is no specific federal or state law that regulates the use of cookies, web beacons, Flash LSOs and other similar tracking mechanisms. However, undisclosed online tracking of customer activities poses class action risk. The use of cookies and similar tracking mechanisms should be carefully and fully disclosed in a website privacy policy. Furthermore, it is a best practice for websites that allow behavioural advertising on their websites to participate in the Digital Advertising Alliance code of conduct, which includes displaying an icon from which users can opt-out of being tracked for behavioural advertising purposes.

Location Data: Privacy requirements of location-based apps and services is in flux and is a subject of extensive interest and debate. Federal Communications Commission regulations govern the collection and disclosure of location information by telecommunications carriers, including wireless carriers. Further, any location service that targets children under the age of 13 or has actual knowledge that it is collecting location information from children under age 13 must comply with the requirements of the Children's Online Privacy Protection Act (COPPA) Rules – including obtaining prior verifiable parental consent in most circumstances. Both the Federal Trade Commission and California Attorney General's Office have issued best practices recommendations for mobile apps and mobile app platforms, and the California Attorney General has entered into an agreement with major app platforms in which they promise to prompt mobile apps to post privacy policies. Furthermore, a Department of Commerce-led multistakeholder negotiation to develop a code of conduct for mobile app privacy is well underway.

© DLA Piper

This publication is intended as a general overview and discussion of the subjects dealt with. It is not intended to be, and should not used as, a substitute for taking legal advice in any specific situation. DLA Piper Australia will accept no responsibility for any actions taken or not taken on the basis of this publication.

DLA Piper Australia is part of DLA Piper, a global law firm, operating through various separate and distinct legal entities. For further information, please refer to www.dlapiper.com

To print this article, all you need is to be registered on Mondaq.com.

Click to Login as an existing user or Register so you can print this article.

In association with
Related Topics
Related Articles
Related Video
Up-coming Events Search
Font Size:
Mondaq on Twitter
Register for Access and our Free Biweekly Alert for
This service is completely free. Access 250,000 archived articles from 100+ countries and get a personalised email twice a week covering developments (and yes, our lawyers like to think you’ve read our Disclaimer).
Email Address
Company Name
Confirm Password
Mondaq Topics -- Select your Interests
 Law Performance
 Law Practice
 Media & IT
 Real Estate
 Wealth Mgt
Asia Pacific
European Union
Latin America
Middle East
United States
Worldwide Updates
Registration (you must scroll down to set your data preferences)

Mondaq Ltd requires you to register and provide information that personally identifies you, including your content preferences, for three primary purposes (full details of Mondaq’s use of your personal data can be found in our Privacy and Cookies Notice):

  • To allow you to personalize the Mondaq websites you are visiting to show content ("Content") relevant to your interests.
  • To enable features such as password reminder, news alerts, email a colleague, and linking from Mondaq (and its affiliate sites) to your website.
  • To produce demographic feedback for our content providers ("Contributors") who contribute Content for free for your use.

Mondaq hopes that our registered users will support us in maintaining our free to view business model by consenting to our use of your personal data as described below.

Mondaq has a "free to view" business model. Our services are paid for by Contributors in exchange for Mondaq providing them with access to information about who accesses their content. Once personal data is transferred to our Contributors they become a data controller of this personal data. They use it to measure the response that their articles are receiving, as a form of market research. They may also use it to provide Mondaq users with information about their products and services.

Details of each Contributor to which your personal data will be transferred is clearly stated within the Content that you access. For full details of how this Contributor will use your personal data, you should review the Contributor’s own Privacy Notice.

Please indicate your preference below:

Yes, I am happy to support Mondaq in maintaining its free to view business model by agreeing to allow Mondaq to share my personal data with Contributors whose Content I access
No, I do not want Mondaq to share my personal data with Contributors

Also please let us know whether you are happy to receive communications promoting products and services offered by Mondaq:

Yes, I am happy to received promotional communications from Mondaq
No, please do not send me promotional communications from Mondaq
Terms & Conditions

Mondaq.com (the Website) is owned and managed by Mondaq Ltd (Mondaq). Mondaq grants you a non-exclusive, revocable licence to access the Website and associated services, such as the Mondaq News Alerts (Services), subject to and in consideration of your compliance with the following terms and conditions of use (Terms). Your use of the Website and/or Services constitutes your agreement to the Terms. Mondaq may terminate your use of the Website and Services if you are in breach of these Terms or if Mondaq decides to terminate the licence granted hereunder for any reason whatsoever.

Use of www.mondaq.com

To Use Mondaq.com you must be: eighteen (18) years old or over; legally capable of entering into binding contracts; and not in any way prohibited by the applicable law to enter into these Terms in the jurisdiction which you are currently located.

You may use the Website as an unregistered user, however, you are required to register as a user if you wish to read the full text of the Content or to receive the Services.

You may not modify, publish, transmit, transfer or sell, reproduce, create derivative works from, distribute, perform, link, display, or in any way exploit any of the Content, in whole or in part, except as expressly permitted in these Terms or with the prior written consent of Mondaq. You may not use electronic or other means to extract details or information from the Content. Nor shall you extract information about users or Contributors in order to offer them any services or products.

In your use of the Website and/or Services you shall: comply with all applicable laws, regulations, directives and legislations which apply to your Use of the Website and/or Services in whatever country you are physically located including without limitation any and all consumer law, export control laws and regulations; provide to us true, correct and accurate information and promptly inform us in the event that any information that you have provided to us changes or becomes inaccurate; notify Mondaq immediately of any circumstances where you have reason to believe that any Intellectual Property Rights or any other rights of any third party may have been infringed; co-operate with reasonable security or other checks or requests for information made by Mondaq from time to time; and at all times be fully liable for the breach of any of these Terms by a third party using your login details to access the Website and/or Services

however, you shall not: do anything likely to impair, interfere with or damage or cause harm or distress to any persons, or the network; do anything that will infringe any Intellectual Property Rights or other rights of Mondaq or any third party; or use the Website, Services and/or Content otherwise than in accordance with these Terms; use any trade marks or service marks of Mondaq or the Contributors, or do anything which may be seen to take unfair advantage of the reputation and goodwill of Mondaq or the Contributors, or the Website, Services and/or Content.

Mondaq reserves the right, in its sole discretion, to take any action that it deems necessary and appropriate in the event it considers that there is a breach or threatened breach of the Terms.

Mondaq’s Rights and Obligations

Unless otherwise expressly set out to the contrary, nothing in these Terms shall serve to transfer from Mondaq to you, any Intellectual Property Rights owned by and/or licensed to Mondaq and all rights, title and interest in and to such Intellectual Property Rights will remain exclusively with Mondaq and/or its licensors.

Mondaq shall use its reasonable endeavours to make the Website and Services available to you at all times, but we cannot guarantee an uninterrupted and fault free service.

Mondaq reserves the right to make changes to the services and/or the Website or part thereof, from time to time, and we may add, remove, modify and/or vary any elements of features and functionalities of the Website or the services.

Mondaq also reserves the right from time to time to monitor your Use of the Website and/or services.


The Content is general information only. It is not intended to constitute legal advice or seek to be the complete and comprehensive statement of the law, nor is it intended to address your specific requirements or provide advice on which reliance should be placed. Mondaq and/or its Contributors and other suppliers make no representations about the suitability of the information contained in the Content for any purpose. All Content provided "as is" without warranty of any kind. Mondaq and/or its Contributors and other suppliers hereby exclude and disclaim all representations, warranties or guarantees with regard to the Content, including all implied warranties and conditions of merchantability, fitness for a particular purpose, title and non-infringement. To the maximum extent permitted by law, Mondaq expressly excludes all representations, warranties, obligations, and liabilities arising out of or in connection with all Content. In no event shall Mondaq and/or its respective suppliers be liable for any special, indirect or consequential damages or any damages whatsoever resulting from loss of use, data or profits, whether in an action of contract, negligence or other tortious action, arising out of or in connection with the use of the Content or performance of Mondaq’s Services.


Mondaq may alter or amend these Terms by amending them on the Website. By continuing to Use the Services and/or the Website after such amendment, you will be deemed to have accepted any amendment to these Terms.

These Terms shall be governed by and construed in accordance with the laws of England and Wales and you irrevocably submit to the exclusive jurisdiction of the courts of England and Wales to settle any dispute which may arise out of or in connection with these Terms. If you live outside the United Kingdom, English law shall apply only to the extent that English law shall not deprive you of any legal protection accorded in accordance with the law of the place where you are habitually resident ("Local Law"). In the event English law deprives you of any legal protection which is accorded to you under Local Law, then these terms shall be governed by Local Law and any dispute or claim arising out of or in connection with these Terms shall be subject to the non-exclusive jurisdiction of the courts where you are habitually resident.

You may print and keep a copy of these Terms, which form the entire agreement between you and Mondaq and supersede any other communications or advertising in respect of the Service and/or the Website.

No delay in exercising or non-exercise by you and/or Mondaq of any of its rights under or in connection with these Terms shall operate as a waiver or release of each of your or Mondaq’s right. Rather, any such waiver or release must be specifically granted in writing signed by the party granting it.

If any part of these Terms is held unenforceable, that part shall be enforced to the maximum extent permissible so as to give effect to the intent of the parties, and the Terms shall continue in full force and effect.

Mondaq shall not incur any liability to you on account of any loss or damage resulting from any delay or failure to perform all or any part of these Terms if such delay or failure is caused, in whole or in part, by events, occurrences, or causes beyond the control of Mondaq. Such events, occurrences or causes will include, without limitation, acts of God, strikes, lockouts, server and network failure, riots, acts of war, earthquakes, fire and explosions.

By clicking Register you state you have read and agree to our Terms and Conditions