1 Legal and enforcement framework
1.1 Which legislative and regulatory provisions govern data privacy in your jurisdiction?
There is no comprehensive federal law that governs data privacy in the United States. Rather, US privacy law is a complex patchwork of national and state laws and regulations that address particular issues or sectors, and some more general state laws that govern the collection, storage, safeguarding, disposal and use of personal data collected from their residents. In addition, there are many guidelines developed by governmental agencies and industry groups, which are considered to be ‘best practices’.
At the national level, the Federal Trade Commission (FTC) has broad jurisdiction over commercial entities under its authority to prevent unfair or deceptive trade practices. The FTC Act has been applied to offline and online privacy and data security policies. Under this act, the FTC may take action against organisations for:
- failure to implement and maintain reasonable data security measures;
- failure to comply with posted privacy policies; and
- unauthorised disclosure of personal data.
All 50 states have also enacted unfair or deceptive acts or practices (UDAP) statutes which mirror Section 5 of the FTC Act, and under which state attorneys general can bring suit. Many also provide for a personal right of action.
The most comprehensive state data privacy legislation to date is the California Consumer Privacy Act (CCPA), which became effective on 1 January 2020. The CCPA grants consumers significant control over their personal information and imposes substantial duties on entities that collect personal information from a California resident. Nevada and Maine have also enacted consumer data privacy laws, and several other states have pending legislation.
1.2 Do any special regimes apply in specific sectors (eg, banking, insurance, telecommunications, healthcare, advertising) or to specific data types (eg, biometric data)?
There are a number of federal sector-specific and issue-specific privacy laws and regulations. Some of the most well-known include:
- the Children's Online Privacy Protection Act (COPPA), which governs the collection of information about minors under 13 years;
- the Health Insurance Portability and Accountability Act, which governs the collection of health information by ‘covered entities’ (health plans, healthcare clearinghouses and healthcare providers) and their ‘business associates’;
- the Gramm-Leach-Bliley Act, which governs personal information collected by banks and financial institutions;
- the Family Educational Rights and Privacy Act, which governs student education records and student-related personally identifiable information;
- the Fair Credit Reporting Act (FCRA), which regulates the collection and use of credit information;
- the Controlling the Assault of Non-Solicited Pornography and Marketing Act (CAN-SPAM Act), which regulates unsolicited commercial email;
- the Telephone Consumer Protection Act (TCPA), which regulates telemarketing through automatic telephone dialling systems and artificial pre-recorded voice technology; and
- the Electronic Communications Privacy Act (ECPA) (also called the ‘Wiretap Act’), which regulates wire, oral and electronic communications.
At the state level, Illinois was the first US state to regulate the collection of biometric information with its Biometric Information Privacy Act, which requires informed written consent and provides for a private right of action for any individual harmed by a violation. Several other states have since adopted biometric privacy statutes (but without a private right of action).
1.3 Do any bilateral and multilateral instruments on data privacy have effect in your jurisdiction?
For years, many US companies engaging in cross-border transfers of personal data between Europe and the United States had relied on the Safe Harbour programme, on EU-approved model contracts or, for multinationals, on binding corporate rules. The Safe Harbour framework was struck down by the Court of Justice of the European Union (CJEU) in October 2015 (in Schrems v Facebook, or Schrems I). A new Privacy Shield framework was released by the US Department of Commerce and the European Commission in February 2016, which was intended to create more robust, enforceable rights protecting international data transfers.
Just recently, however, in July 2020, the CJEU invalidated the EU-US Privacy Shield (in Schrems II). Given this new decision, companies involved in international data transfers should consider alternative transfer frameworks, such as standard contracting clauses and binding corporate rules.
1.4 Which bodies are responsible for enforcing the data privacy legislation in your jurisdiction? What powers do they have?
The FTC is the primary enforcer of US national privacy laws. It has broad authority to bring enforcement actions against organisations that have violated consumers' privacy rights under Section 5 of the FTC Act, as well as other federal laws (eg, COPPA, FCRA, CAN-SPAM), with the power to impose monetary penalties and to require companies to take affirmative steps to remediate unlawful behaviour. The FTC may initiate an investigation, issue a cease and desist order and file a complaint in court. The FTC also reports to Congress on privacy issues and recommends the enactment of necessary privacy legislation.
Other governmental agencies – such as the Department of Health and Human Services, the Federal Communications Commission, the Securities and Exchange Commission, the Consumer Financial Protection Bureau and the Department of Commerce – may enforce sector-specific laws within the scope of their regulatory authority.
Several federal statutes also provide for a private right of action, such as the TCPA, the FCRA and the ECPA.
Violations of the CCPA are enforceable by the California attorney general, who is authorised to impose injunctions and pursue civil penalties of up to $2,500 per violation. The CCPA also grants consumers a limited private right of action for data breaches. Like the CCPA, enforcement of the various state laws governing privacy and data protection, including state UDAP statutes, is under the purview of the state attorney general, and may or may not include a private right of action.
1.5 What role do industry standards or best practices play in terms of compliance and regulatory enforcement?
Due to the lack of a comprehensive federal privacy regulation, businesses tend to rely somewhat heavily on industry standards and general best practices for guidance on privacy compliance. While not enforceable by law, these self-regulatory frameworks have accountability components that are increasingly being used as a tool for enforcement by regulators. For example, the National Institute of Standards and Technology released a Privacy Framework and a Cybersecurity Framework to help organisations identify and manage privacy and data security risks. Both are well-known and widely used benchmarks for protecting personal information.
In addition, there are guidelines issued by industry groups that set the standards for a particular industry. The advertising industry, for instance, requires members of various advertising groups (eg, the Digital Advertising Alliance) to comply with the groups' guidelines for online behavioural advertising, which require participants to:
- be transparent about data collection;
- provide consumer control over data use; and
- limit the collection of sensitive data.
As another example, the Payment Card Industry Data Security Standard sets the privacy standards for organisations that handle credit cards to increase controls around cardholder data and reduce credit card fraud.
2 Scope of application
2.1 Which entities are captured by the data privacy regime in your jurisdiction?
While Section 5 of the Federal Trade Commission Act and state unfair or deceptive acts or practices statutes apply universally to companies and individuals doing business in the United States, the sector-specific laws apply only to those covered entities as defined by the specific statute. For instance, the Gramm-Leach-Bliley Act applies to financial institutions, such as banks, securities firms and insurance companies. The Health Insurance Portability and Accountability Act (HIPAA) applies to health plans, healthcare clearinghouses and healthcare providers that conduct certain financial and administrative transactions electronically, as well as to persons or entities that perform certain functions or activities that involve the use or disclosure of personal health information.
The more comprehensive state privacy laws (eg, the California Consumer Privacy Act (CCPA), data breach notification laws) generally apply to any business collecting personal information from or about a resident of that state, subject to the specific criteria and exceptions set forth in the state law.
2.2 What exemptions from the data privacy regime, if any, are available in your jurisdiction?
Because privacy law in the United States is a patchwork of hundreds of state and federal laws, specific statutes must be consulted to determine exemptions.
A business may be exempt from compliance with a privacy law if it does not meet the criteria set forth in the statute. For instance, under the CCPA, a business may be exempt from the duties set forth in the law if it meets one or more of the following criteria:
- It has a gross revenue of less than $25 million per year;
- It annually buys, receives, sells or shares the personal information of fewer than 50,000 consumers, households or devices for commercial purposes; or
- It derives less than 50% of its annual revenues from selling consumers' personal information.
Many states also have exemptions for data that is regulated by certain federal laws – for example, HIPAA-based exemptions are very common.
Depending on the statute, a business may also be exempt if the personal data collected, used or otherwise processed is de-identified or aggregated. Most statutes and the guidelines issued by the Federal Trade Commission also provide exemptions from privacy requirements for law enforcement purposes.
2.3 Does the data privacy regime have extra-territorial application?
US privacy laws are enforced only by the US and state courts and agencies, so the jurisdictional scope is limited to the United States and its territories. However, some of the state privacy laws, such as the CCPA, may apply to residents of the state even when the resident is not physically present in that state (eg, on vacation or temporarily travelling in another area of the United States).
3.1 How are the following terms (or equivalents) defined in your jurisdiction? (a) Data processing; (b) Data processor; (c) Data controller; (d) Data subject; (e) Personal data; (f) Sensitive personal data; and (g) Consent.
As the protections afforded by state statutes vary from one state to another, there is no uniform set of definitions across all states or all regulations. Under the California Consumer Privacy Act (CCPA), the most comprehensive state privacy law which has served as a model for other state privacy laws, the terms are defined as follows.
(a) Data processing
Under the CCPA, ‘processing’: Any operation or set of operations that is performed on personal data or on sets of personal data, whether or not by automated means.
(b) Data processor
Under the CCPA, a ‘service provider’: Any for-profit entity that processes personal information on behalf of a covered business.
(c) Data controller
Under the CCPA, a covered ‘business’: Any for-profit entity that:
- does business in California;
- collects (or has collected on its behalf) personal information of California residents and determines the purposes and means of the processing of that personal information; and
- meets certain thresholds of gross revenue or amount of personal information collected.
(d) Data subject
Under the CCPA, ‘consumer’: All California residents, even if they are temporarily outside of the state (eg, on vacation). This definition does not cover visitors to California.
(e) Personal data
Under the CCPA, ‘personal information’: Information that identifies, relates to, describes or is reasonably capable of being associated with a particular consumer or household, including (but not limited to):
- personal identifiers (eg, name, postal address, email address, online IP address, social security number);
- internet activity information; and
- employment, educational and commercial information.
(f) Sensitive personal data
The CCPA does not distinguish sensitive personal data from personal information. The protection of specific classes of sensitive personal information (eg, health data, financial data and data of children) is governed by sector-specific state and federal laws.
(g) Consent
‘Consent’ is not defined under the CCPA and requires further guidance from the attorney general.
3.2 What other key terms are relevant in the data privacy context in your jurisdiction?
Under the CCPA, consumers have the right to opt out of the sale of their personal information. A ‘sale’ or ‘selling’ is broadly defined as "selling, renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating orally, in writing, or by electronic or other means, a consumer's personal information by the business to another business or a third party for monetary or other valuable consideration".
‘Aggregate consumer information’, ‘de-identified’, ‘probabilistic identifier’, ‘pseudonymise’ and ‘pseudonymisation’ are all defined terms under the CCPA, relating to the degree to which data can identify a person.
‘Biometric information’ is expansively defined in the CCPA as "an individual's physiological, biological or behavioural characteristics, including an individual's deoxyribonucleic acid (DNA), that can be used, singly or in combination with each other or with other identifying data, to establish individual identity". Listed examples include:
- imagery of the iris, retina, fingerprint, face, hand, palm or vein patterns;
- voice recordings;
- keystroke patterns or rhythms;
- gait patterns or rhythms; and
- sleep, health or exercise data that contains identifying information.
4.1 Is registration of data controllers and processors mandatory in your jurisdiction? What are the consequences of failure to register?
There are no US privacy laws that require data controller and processor registration. Some states have started to require data brokers to register with the state, upon which the state makes the registry available to the public via a website. Vermont started this trend with the passage of H 764 and was later followed by California, which adopted legislation (AB 1202) supplemental to the California Consumer Privacy Act (CCPA) requiring the registration of data brokers. It is expected that more states will implement data broker registries in the future.
In Vermont, failure to register and make the required disclosures may result in fines of $50 for each day the data broker fails to register, up to a maximum of $10,000 per year. In California, there are also penalties for failing to register, including a civil penalty of $100 per day of non-registration, and expenses incurred by the attorney general in investigating and prosecuting an action for failure to register.
4.2 What is the process for registration?
To register in either Vermont or California, data brokers must provide their name, primary email, and physical and website addresses. Additionally, in California, data brokers may provide "any additional information or explanation the data broker chooses to provide concerning its data collection practices". In Vermont, data brokers must also specify whether they permit consumers to opt out of:
- the data broker's collection of brokered personal information;
- its databases; or
- certain sales of data.
The following details must further be included:
- the method for requesting opt-out;
- if the opt-out applies to only certain activities or sales, which ones; and
- whether the data broker permits a consumer to authorise a third party to perform the opt-out on the consumer's behalf.
In California, the CCPA right to opt out of the sale of personal information applies to data brokers. Thus, data brokers must:
- contact consumers directly to provide notice that the data broker sells personal information and to provide the right to opt out; or
- confirm that the source from which the data broker obtained the personal information provided the consumer with a notice at the point of collection; and
- obtain signed attestation from the source describing and including an example of the notice that the source provided to the consumer.
If proceeding under the second limb above, the data broker must retain the signed attestation for a period of two years and provide it to the consumer upon request.
There is a fee for registering as a data broker in both states. The fee is $100 in Vermont and $360 in California.
4.3 Is registered information publicly accessible?
5 Data processing
5.1 What lawful bases for processing personal data are recognised in your jurisdiction? Do these vary depending on the type of data being processed?
There are a handful of privacy laws under which the processing of personal data is prohibited without a user's consent. For example, the Children's Online Privacy Protection Act (COPPA) prohibits entities from processing personal data of children under 13 years old without verifiable parental consent. Also, some state biometric privacy laws prohibit the processing of biometric information without consent (eg, the Illinois Biometric Information Privacy Act).
More typical in the United States are privacy laws that prohibit the sharing or sale of personal information without a user's consent. For example:
- several states have financial privacy laws which require that individuals opt in to allow financial institutions to share non-public personal information with third parties;
- a number of states require consent to disclose genetic information;
- the Family Educational Rights and Privacy Act requires student or parent signature for schools to disclose personally identifiable information of students; and
- several states have privacy laws prohibiting internet service providers from disclosing customer information absent express permission.
Further, the California Consumer Privacy Act (CCPA) provides consumers with the right to ‘opt out’ of the sale or sharing of their personal information.
Under the CCPA, businesses also have the right to refuse a data subject request and to continue processing the personal data if the business has a legitimate business purpose for doing so, such as:
- completing a transaction for which the personal information was collected;
- providing goods or services requested by the consumer; or
- otherwise performing a contract between the business and the consumer.
In the online context, the use of strictly necessary cookies, such as those required to make websites function, is also considered lawful and does not require consumer consent.
5.2 What key principles apply (eg, notice) when processing personal data in your jurisdiction? Do these vary depending on the type of data being processed? Or on whether it is outsourced?
Notice and consent are the key principles that apply when processing personal data in the United States, and these vary depending on the type of data being processed. For example:
- the Health Insurance Portability and Accountability Act applies to health information processed by specific ‘covered entities’ (eg, healthcare providers, health plans and healthcare clearinghouses), and their ‘business associates’ (entities that help covered entities to carry out their healthcare activities);
- the Gramm-Leach-Bliley Act applies to ‘financial institutions’; and
- COPPA applies to entities collecting information about, or targeting, children under 13 years of age.
The CCPA requires both:
- short-form notices "at or before the point of collection" revealing the categories of information being collected and the intended purposes (eg, pop-ups, cookie banners).
Some statutes require informed consent to collect, use or sell or share personal information. However, consent is the exception rather than the rule.
5.3 What other requirements, restrictions and best practices should be considered when processing personal data in your jurisdiction?
- Identify the rights individuals have with respect to their data (eg, erasure, copy, change/update, stop or limit use);
- Provide a description of the information collected;
- Provide lists of information sold or shared and, separately, disclosed for a business purpose;
- Provide a statement of non-discrimination of those who exercise CCPA rights;
- Provide information on opting out of sale of personal information (as well as a ‘Do Not Sell My Personal Information’ site); and
- Provide at least two forms of contact for individuals to submit requests (including at least a toll-free number or an email address if the business is online only).
6 Data transfers
6.1 What requirements and restrictions apply to the transfer of data to third parties?
A number of privacy laws in the United States prohibit the sharing or sale of personal information absent a user's consent. These are discussed in question 5. Further, the California Consumer Privacy Act provides consumers with the right to opt out of the sale or sharing of their personal information, and requires that sites and services provide a ‘Do Not Sell My Personal Information’ button or link.
Additionally, a number of laws mandate that entities provide privacy policies (see question 5), and entities are bound by the representations they make in their privacy policies.
In addition, US ‘wiretap’ laws (including the Electronic Communications Privacy Act) have been interpreted broadly by the courts in some jurisdictions, such that they have been held to apply in instances where plug-ins or cookies cause a user's computer to send information back to a website regarding the user's browsing history. As such, it is important that plug-in and cookie notices are detailed and accurate, and that consent is obtained.
Web scraping is another area being litigated in the courts. The Supreme Court is currently considering whether to grant cert in hiQ Labs, Inc v LinkedIn Corp, 938 F 3d 985 (9th Cir 2019), which concerns the scope of the Computer Fraud and Abuse Act (CFAA). In the underlying case, the web scraper was determined not to be liable under the CFAA because LinkedIn's website is publicly accessible. There are numerous other claims under which web scrapers are also sued – for example:
- breach of contract;
- copyright infringement;
- common law misappropriation;
- unfair competition;
- trespass and conversion;
- Digital Millennium Copyright Act anti-circumvention provisions;
- Section 5 of the Federal Trade Commission Act; and
- state unfair or deceptive acts or practices laws.
6.2 What requirements and restrictions apply to the transfer of data abroad? Do these vary depending on the destination?
There are no US privacy laws that apply to the transfer of data abroad. However, there are international laws that apply to the transfer of data abroad. For example, the EU General Data Protection Regulation prohibits cross-border data transfers except where one of three exceptions applies:
- an adequacy decision;
- appropriate safeguards; or
- derogations.
For the United States, the European Commission made a partial finding of adequacy for personal data transfers covered by the EU-US Privacy Shield framework, and there were 5,300-plus participants in the framework. But in Schrems II, the adequacy decision was invalidated on grounds that US digital surveillance policies and practices – including the Foreign Intelligence Surveillance Act and Executive Order 12333 (sanctioning bulk data collection) – are inconsistent with European fundamental rights giving citizens the rights to privacy and data protection.
‘Appropriate safeguards’ include standard contractual clauses and binding corporate rules, among other things. For companies that are subject to surveillance by law enforcement, however, these mechanisms may no longer be valid, pursuant to the same reasoning relied on in the Schrems II decision.
The last category, derogations, includes things such as consent or occasional transfers that are necessary to perform or enter into a contract. This last category is not intended to be relied upon for consistent transfers because, for example, the consent requirements are difficult to meet and consent can be withdrawn at any time; and the ‘necessary’ exception does not permit consistent transfers and requires that the transfer be required to perform the core purpose of the contract.
6.3 What other requirements, restrictions and best practices should be considered when transferring personal data, both within your jurisdiction and abroad?
Some best practices when transferring personal data include the following:
- Provide notice to the end user of the information being transferred and the reason for the transfer;
- Obtain consent from the end user to the transfer (or alternatively, at least provide the right to opt out);
- Enter into a contract with the third party with which the data is being shared, setting forth restrictions on the security, use and further sharing of the personal information, and maintain a level of control over the shared information; and
- Ensure that the transfer of personal data is done securely.
If you are an entity engaged in data transfers with the European Union, it is advisable to take a close look at your policies and practices regarding responding to requests for information from US law enforcement, including:
- the number of requests you have received;
- the number of user accounts involved and how many of the users were EU data subjects;
- the basis for the requests (and whether the basis allows for a right to a remedy in the event that their rights were violated); and
- whether an EU data subject has ever contended that his or her rights had been violated as a result of your sharing of information with law enforcement.
The more information that you have to show that you have not provided information to US law enforcement pursuant to surveillance requests that do not offer EU data subjects a remedy in the event their rights are violated, the safer the footing you should be on going forward with respect to EU-US data transfers pursuant to, for example, standard contractual clauses.
7 Rights of data subjects
7.1 What rights do data subjects enjoy with regard to the processing of their personal data? Do any exemptions apply?
Federal privacy statutes offer certain data subject rights. For example:
- the Health Insurance Portability and Accountability Act gives patients the right to view and receive copies of their health information;
- the Gramm-Leach-Bliley Act gives consumers a right to opt out if they do not want their financial information shared with non-affiliated third parties;
- the Family Educational Rights and Privacy Act affords parents the rights to access, correct and have some control over the disclosure of personally identifiable information in their children's educational records;
- the Children's Online Privacy Protection Act gives parents the right to review the personal information collected about a child, the right to revoke consent and the right to refuse further use or collection of personal information about a child, and the right to request that a child's personal information be deleted; and
- the Fair Credit Reporting Act gives consumers the right to obtain a copy of a consumer report, the right to dispute incomplete or inaccurate information, and the right to restrict access to those with a valid need for access.
Several states have also enacted or proposed legislation that provides consumers or data subjects with one or more rights. For example, the California Consumer Privacy Act (CCPA) provides consumers with:
- a right to access the categories and specific pieces of personal information held by covered businesses;
- a right to delete data;
- a right to portability of personal information; and
- a right to opt out of sales of personal information.
Maine's data privacy law includes a right to restrict data processing and an opt-in requirement for the sale of personal information. Nevada's data privacy law provides a right to opt out of the sale of personal information.
Several exemptions may apply. For example, the CCPA provides several exemptions to the deletion of personal data, including where the data is necessary to:
- complete a transaction for which the personal data was collected;
- detect security incidents;
- exercise free speech;
- debug or repair errors in a service; or
- comply with a legal obligation.
7.2 How can data subjects seek to exercise their rights in your jurisdiction?
Consumers may submit verified requests to the businesses to exercise their rights.
7.3 What remedies are available to data subjects in case of breach of their rights?
All 50 states have unfair or deceptive acts or practices statutes, many of which provide for a private right of action, and numerous common law claims are available to data subjects in the case of breach of their rights. Additionally, a handful of state and federal privacy laws provide consumers with a private right of action for certain types of violations of their data privacy rights. For example:
- the CCPA provides a limited private right of action pertaining to data security breaches of non-encrypted and non-redacted personal information;
- the Telephone Consumer Protection Act provides for a private right of action for violations and statutory damages in the amount of $500 for each violation and up to $1,500 for each wilful violation; and
- the Illinois Biometric Information Privacy Act provides a private right of action for any person ‘aggrieved’ by a violation thereof, and permits recovery of statutory damages of $1,000 per negligent violation or $5,000 if the violation is deemed intentional or reckless.
The Fair Credit Reporting Act, the Electronic Communications Privacy Act and the Video Privacy Protection Act (VPPA) are other examples of privacy statutes which provide for private rights of action. The VPPA broadly prevents disclosure of personally identifiable rental records of "prerecorded video cassette tapes or similar audio visual material", and offers civil remedies of not less than $2,500.
Consumers can additionally submit complaints to state and federal entities for law enforcement action against violators.
8.1 Is the appointment of a data protection officer mandatory in your jurisdiction? If so, what are the consequences of failure to do so?
Appointing a data protection officer is not mandatory in the United States. However, depending on the organisation, the type of data it collects, the nature of its business and how it operates, it may well be advisable that the company have either an in-house or third-party resource to address the day-to-day issues around data protection and privacy.
Especially for companies involved in the regular and systematic processing or storing of significant amounts of personal information, a data protection officer (DPO) may play a critical role in the data protection governance structure. The DPO can help to navigate the constantly evolving landscape of data protection in the United States and offer expert guidance on demonstrating compliance with the patchwork of state laws. By serving as a liaison between upper management and the company's employees and staff, the DPO can monitor data protection efforts and keep the organisation apprised of its compliance obligations, as well as helping to mitigate liability and/or damages or penalties in the event of a breach or other data privacy investigation.
8.2 What qualifications or other criteria must the data protection officer meet?
The DPO of a US-based company should first and foremost have a robust knowledge and understanding of the changing state privacy laws as they continue to roll out, and should monitor guidance issued by the state attorneys general. This may require:
- regular consultation with in-house counsel;
- updated privacy certifications;
- participation in privacy conferences and industry association events; and
- subscriptions to compliance reporting service updates to stay informed of new developments in the field.
Aside from being well versed in privacy and data protection law, the DPO should have a foundational knowledge of the relevant data privacy infrastructure pieces and stakeholders, such as IT, cybersecurity, human resources, general counsel, marketing, third parties and managers. Experience in risk assessments and strong communication skills are also qualifications that a company should seek when appointing a DPO.
Because the role of DPO is complex and multifaceted, it requires an independent position within the organisation. While other company employees, such as in-house counsel or IT staff, may be knowledgeable about privacy and data protection issues, to avoid distraction or any conflicts, the DPO should be a separate and unbiased entity.
8.3 What are the key responsibilities of the data protection officer?
The role of DPO is fairly comprehensive and often includes a variety of tasks. As an expert in data protection, the DPO should:
- develop and maintain ongoing training and awareness to promote compliance with the applicable regulations and mitigate operational risk;
- maintain an inventory of personal data and/or processing activities; and
- monitor organisational practices to identify new processes or changes to existing processes and ensure the implementation of privacy by design principles.
The DPO may also be responsible for conducting regular data privacy impact assessments to address potential issues proactively.
The DPO would also ideally serve as the point of contact for inquiries from government officials and requests and complaints from individuals (eg, requests to access, modify, delete, or opt out of the sale of personal information under the California Consumer Privacy Act). To oversee and implement the company's data protection strategy, the DPO must engage both internal (eg, board of directors, management, employees) and external (eg, regulators, third parties, clients) stakeholders in regular communication about data privacy and ongoing compliance efforts.
8.4 Can the role of the data protection officer be outsourced in your jurisdiction? If so, what requirements, restrictions and best practices should be considered in this regard?
Since a DPO is not required in the United States, the responsibility for data privacy may theoretically be outsourced to an individual or entity outside the company. A DPO does not have to be a company employee and can instead act more as a consultant on privacy-related issues, working for several companies simultaneously.
In lieu of, or in addition to, a DPO, many organisations in the United States are also turning to privacy management software systems (eg, OneTrust or WireWheel) that are capable of automating some compliance-related tasks, such as creating data maps or providing a platform for receiving and responding to data subject requests.
8.5 What record-keeping and documentation requirements apply in the data privacy context?
Record keeping in the privacy context is critical to demonstrate compliance and accountability. In addition to maintaining documentation of the types of personal data that are collected and how and to where the data flows (eg, between systems, between processes, between countries), an organisation should document, whenever possible:
- communications between internal and external privacy stakeholders;
- the legal basis or the business purposes for processing personal data;
- any internal policies and procedures relating to data privacy (eg, collecting sensitive data, handling data of minors, de-identification or encryption of data, secure destruction of data);
- participation in data privacy training activities;
- the results of and any actions taken in response to a privacy impact assessment/data privacy impact assessment;
- data subject requests; and
- metrics for data privacy complaints (eg, number, root cause, risk, resolution).
As a best practice for transparency, organisations may provide a repository of privacy information for employees, such as an internal data privacy intranet, through which employees can access training and awareness materials, privacy and breach notification policies, and DPO or privacy personnel contact information. Appropriate public-facing privacy materials may be provided on the company's website or other customer interfaces to demonstrate compliance and build trust with consumers.
8.6 What other requirements, restrictions and best practices should be considered from a compliance perspective in the data privacy context?
Wherever possible, to mitigate operational risk, data privacy policies and procedures should be embedded in organisational practices. For instance, data privacy should be integrated into record retention, marketing practices, information security practices, HR and employee health and safety practices, cookies and online tracking mechanisms, third-party contracts and agreements and so on.
Businesses in the United States should also strive to develop a privacy management framework that aligns with the best practices set forth in the General Data Protection Regulation, including:
- data minimisation (collecting and processing only personal data for which the company has a legitimate business purpose);
- data accuracy (keeping only relevant and up-to-date data); and
- accountability and transparency.
9 Data security and data breaches
9.1 What obligations apply to data controllers and processors to preserve the security of personal data?
All 50 states, the District of Columbia, Guam, Puerto Rico and the Virgin Islands have enacted security breach laws, each typically specifying definitions of ‘personal information’ and a ‘breach’, as well as requirements for notice and exemptions to the requirement.
Entities are generally required to implement and maintain reasonable security procedures and practices appropriate to the nature of the personal data collected, to protect against the unauthorised access, destruction, use, modification or disclosure of personal data. There is no precise definition of ‘reasonable security measures’, and entities instead tend to evaluate applicable industry norms and practices, the risks at stake and prior enforcement actions where a company was found not to have taken adequate security measures. Several security frameworks exist – such as the National Institute of Standards and Technology Cybersecurity Framework and the International Organization for Standardization 27001 series for information security management – to assist entities in demonstrating implementation and maintenance of reasonable security measures.
In addition, nearly all federal privacy statutes (eg, the Health Insurance Portability and Accountability Act (HIPAA), the Gramm-Leach-Bliley Act (GLBA), the Family Educational Rights and Privacy Act, the Children's Online Privacy Protection Act and the Fair Credit Reporting Act) require that reasonable security procedures and practices be followed.
9.2 Must data breaches be notified to the regulator? If so, what information must be provided and what is the process for doing so? If not, under what circumstances is voluntary notification of a data breach expected?
At least 20 states require that certain data breaches (eg, affecting at least 500 or 1,000 residents) be reported to the attorney general, and potentially to an additional state agency. While each state has a different definition of ‘personal information’, in general, a data breach may require notification if any of the following information is leaked:
- name and social security or ID number (eg, driver's licence number);
- account number and password (eg, for a bank account);
- health information;
- ‘biological characteristics’ or biometric information; or
- username and password (eg, for a healthcare system).
Certain jurisdictions require the notice to the attorney general to include a sample or template of the notification that will be submitted to the affected individuals, whereas other jurisdictions require the use of a particular data breach reporting form.
In addition, numerous federal laws also require data breach notification, such as the GLBA and HIPAA. Some Federal Trade Commission (FTC) rules and regulations also speak to data breach notification. For example, the FTC has a ‘health breach notification’ rule that applies to all health data (not just HIPAA-covered health data).
Entities are encouraged to voluntarily report to the federal government cyber incidents that:
- result in a significant loss of data, or a significant loss in control or availability of a system;
- impact a large number of victims;
- affect critical infrastructure; or
- impact national security, economic security or public health and safety.
9.3 Must data breaches be notified to the affected data subjects? If so, what information must be provided and what is the process for doing so? If not, under what circumstances is voluntary notification of a data breach expected?
The affected individuals must be notified of covered data breaches. Notification must typically be made in writing and as expeditiously as possible within a certain timeframe (eg, seven, 30 or 45 days). In some circumstances, substitute notice may be permitted if:
- a business must notify a threshold number of persons;
- the cost of notifying exceeds a certain threshold; or
- the notifying entity does not have sufficient contact information.
Substitute notice may include:
- notification by email;
- notice to or publication in the media; and/or
- a conspicuous posting on the notifying entity's website.
States with notice content requirements typically require that the following be included in the notice:
- the date of the notice;
- a description of the incident;
- the date or date range of the breach;
- a description of the actions that the business is taking to remedy the breach;
- the type of personal information affected in the breach;
- whether notification was delayed due to a law enforcement investigation;
- the contact information at the notifying entity for law enforcement, state and/or federal agencies; and
- advice for consumers to be vigilant and on how to protect themselves from fraud.
Certain exemptions may apply. For example, an entity may not be required to notify affected individuals if:
- it determines that there is no reasonable likelihood of harm to the affected individuals as a result of the breach; or
- misuse of the personal information has not occurred and is unlikely to occur.
9.4 What other requirements, restrictions and best practices should be considered in the event of a data breach?
Entities should pay careful attention to the applicable definitions of ‘breach’ and ‘personal information’ and/or ‘private information’ in order to ascertain whether a security incident constitutes a breach and therefore triggers notification requirements. If an entity maintains data from a third party, the entity may also have to provide notice of the breach to the third party.
Preparation well in advance of any data security incidents is the best defence, including:
- the implementation of reasonable data security measures; and
- the documentation of an incident response outlining steps to identify, respond to and recover from data security incidents.
10 Employment issues
10.1 What requirements and restrictions apply to the personal data of employees in your jurisdiction?
There is little federal legislation defining the scope of an employee's right to privacy in the workplace. Rather, the protection of personal data in the employment sector is largely based on state law, which varies significantly, in the context of background checks, personnel records, biometric information and electronic communications. Federal privacy legislation relating to COVID-19 has been proposed; if passed, this would have significant impacts on employee privacy.
10.2 Is the surveillance of employees allowed in your jurisdiction? What requirements and restrictions apply in this regard?
In the United States, monitoring and surveillance of employees are generally permitted to the same extent as with the public, subject to the applicable federal and state laws. Employers that engage in electronic workplace monitoring and surveillance must comply with at least:
- the Electronic Communications Privacy Act;
- the Stored Communications Act;
- the National Labor Relations Act; and
- state laws governing wiretapping, privacy and data security, and employment discrimination.
In general, an employer must have a legitimate business purpose for conducting employee surveillance. Such purposes may include:
- limiting liability for employee misconduct;
- managing employee productivity and performance;
- protecting the employer's brand and trade secrets; and
- deterring theft and violence and ensuring employee safety.
Most US states also prohibit video or audio surveillance in workplace areas designated for employee health or personal comfort, such as restrooms and locker rooms. Monitoring of employees in common areas such as lobbies, hallways, workrooms and breakrooms, on the other hand, is often permissible; but many times, audio recordings (with or without accompanying video) are not permitted without varying degrees of consent.
When analysing whether an employee's right to privacy has been violated, courts will generally balance the employee's reasonable expectation of privacy against the employer's business interests in monitoring the employee, also weighing factors such as:
- the general nature of the work environment;
- the means of monitoring utilised by the employer; and
- whether the employer gave notice to the employee of its monitoring and surveillance policies.
10.3 What other requirements, restrictions and best practices should be considered from an employment perspective in the data privacy context?
Employers should adopt a written monitoring and surveillance policy that:
- identifies which employees may be monitored;
- notifies employees that they have no expectation of privacy in the workplace and that their electronic communications may be monitored;
- identifies a list of communications that may be monitored (eg, email, telephone, internet activity, documents saved on the employer's system, social media posting); and
- explains how and when the monitoring and surveillance is done (eg, monitoring keystrokes, forwarding emails, video surveillance, recording telephone conversations).
Written acknowledgment of the policy and consent to monitoring should be required of each employee. Further, to the extent that employers wish to engage in audio monitoring, they should study state laws carefully with respect to the consent requirements.
11 Online issues
- the types of cookies used on the website;
- the purpose for cookie tracking; and
- identification of any third parties that have access to the cookies information.
Under the CCPA, cookie consent is based on an opt-out mechanism.
Nevada, Maine and Minnesota have also enacted specific laws (and many other states have legislation pending) directed to internet service providers (ISPs) that restrict how ISPs collect, use and disclose consumer data online, including cookies. Maine's law, which took effect in July 2019, is considered to be the most controversial, as it requires opt-in consent before sharing or using cookie data. This law is currently being challenged by four ISPs, which argue that it violates First Amendment protections. The Nevada and Minnesota laws both require that an ISP keep certain personal information about its customers private, unless the customer gives permission to disclose the information.
At the federal level, a cookie identifier is considered to be personal information under the Children's Online Privacy Protection Act (COPPA), and websites must have verifiable parental consent before tracking or using cookies data from children under the age of 13.
11.2 What requirements and restrictions apply to cloud computing services in your jurisdiction from a data privacy perspective?
We are not aware of any laws or regulations in the United States that directly impose requirements or restrictions on cloud computing services specifically in the context of data privacy. However, numerous federal and state laws more generally impose requirements and restrictions to the extent that the cloud computing entity is ‘covered’ and/or the data to which the cloud computing service is directed is ‘protected’. This would include, for example, state data breach laws and the data breach provisions of:
- the Health Insurance Portability and Accountability Act (HIPAA);
- the Children's Online Privacy Protection Act;
- the Gramm-Leach-Bliley Act;
- the Family Educational Rights and Privacy Act; and
- broader regulations, such as the Clarifying Lawful Overseas Use of Data Act.
11.3 What other requirements, restrictions and best practices should be considered from a marketing perspective in the online and networked context?
In the networked context, two states – California and Oregon – have enacted specific legislation directed to Internet of Things (IoT) and connected devices. These newly enacted laws, which took effect in January 2020, require manufacturers of connected devices to equip those devices with ‘reasonable security features’. Several other states – including Illinois, Kentucky, Massachusetts, Maryland, New York, Rhode Island, Vermont and Virginia – are considering legislation similar to the California and Oregon laws.
The applicability of California's IoT law is incredibly broad. The definition of ‘connected device’ is "any device, or other physical object that is capable of connecting to the Internet, directly or indirectly, and that is assigned an Internet Protocol address or Bluetooth address". Remarkably, the law applies to all connected devices sold or offered for sale in California, regardless of where they are manufactured. Oregon's law, in contrast, is narrower in its application, as it is limited to connected devices used primarily for personal, family or household purposes.
While there has not yet been any enforcement of these new IoT and connected devices laws, we can expect that this will be an active area, given the proliferation of these devices and expected growth – especially in the current environment, with the necessity around the world to telework. This is surely an area that requires attention, particularly for manufacturers of IoT and connected devices.
12.1 In which forums are data privacy disputes typically heard in your jurisdiction?
Data privacy disputes in the United States are typically heard in state courts if the claim is a violation of a state privacy law (including an unfair or deceptive acts or practices (UDAP) statute), and there is no diversity and/or the amount in controversy does not exceed $75,000. Data privacy disputes are heard in federal district courts if:
- the claim is a violation of federal law; or
- the claim is a violation of state law (including a UDAP statute), but there is diversity and the amount in controversy exceeds $75,000.
Additionally, the Federal Trade Commission (FTC) can bring an investigation under Section 5 of the Federal Trade Commission Act; and other government agencies (eg, the Federal Communications Commission, the Consumer Financial Protection Bureau, the Securities and Exchange Commission and the Department of Commerce) can also enforce certain laws.
12.2 What issues do such disputes typically involve? How are they typically resolved?
Common litigation claims regarding privacy law include FTC Act Section 5 investigations and state UDAP violations regarding, among other things:
- misleading privacy policies or security breaches;
- Telephone Consumer Protection Act (TCPA) violations for robocalls;
- Illinois Biometric Information Privacy Act (BIPA) violations for unauthorised use of biometric information (eg, facial scans/misuse of photographs);
- Children's Online Privacy Protection Act (COPPA) violations for targeting or obtaining data from children under 13 years of age without parental consent;
- Gramm-Leach-Bliley Act violations (eg, lost/stolen devices, data breaches);
- Health Insurance Portability and Accountability Act violations (eg, lost/stolen devices, lack of employee training, data breaches, gossiping/sharing personal health information and improper disposal);
- false claims of participating in the Privacy Shield (prior to the invalidation of the Privacy Shield);
- negligence claims; and
- Computer Fraud and Abuse Act (CFAA), breach of contract and other claims with respect to data scraping activities.
Privacy cases can result in civil penalties, including preliminary injunctions, damages (actual damages or statutory damages, which increase in the event of wilfulness), and other equitable relief. Several privacy statutes also provide for criminal penalties, including hefty fines, restitution paid to victims and imprisonment.
Privacy cases are often settled.
FTC investigations typically result in consent decrees, whereby the party being investigated generally agrees to certain security measures and not to engage in misleading behaviour for a certain period, typically about 20 years.
12.3 Have there been any recent cases of note?
In July 2020, Europe's top court invalidated the EU-US Privacy Shield (see question 1.3).
In July 2020, the US Supreme Court decided a TCPA case, Barr v American Association of Political Consultants, finding the government debt collection exception to the ban on unsolicited calls using an automatic telephone dialling system unconstitutional. A number of amicus briefs were filed calling for the court to invalidate the entire TCPA, but the court invalidated just the government-debt exception.
In May 2020, the Seventh Circuit decided a BIPA case, Bryant v Compass Group USA, Inc, resolving a district court split and finding that a violation of BIPA's informed consent provision is alone sufficient to confer Article III standing; no additional harm/injury need be alleged.
In March 2020, LinkedIn filed a cert petition with the Supreme Court in a CFAA case concerning web scraping, hiQ Labs, Inc v LinkedIn Corp. On appeal, the Ninth Circuit affirmed the lower court's granting of a preliminary injunction barring LinkedIn from blocking hiQ's access and ability to scrape LinkedIn profiles on grounds that the profiles were publicly available (and thus, access was not ‘without authorisation’, as required under the CFAA).
In September 2019, the largest COPPA settlement ever was announced. Google and YouTube agreed to pay a record $170 million to settle allegations that YouTube violated COPPA by collecting children's personal information without required notice or verifiable parental consent. The FTC considered factors including subject matter, visual and audio content, language, audience composition, intended audience and use of animated characters in deciding that numerous YouTube channels were directed to children.
13 Trends and predictions
13.1 How would you describe the current data privacy landscape and prevailing trends in your jurisdiction? Are any new developments anticipated in the next 12 months, including any proposed legislative reforms?
The demand and momentum for a comprehensive federal data privacy law will continue to grow.
Over half of US states have proposed their own comprehensive data privacy laws, and we can expect states to continue introducing and passing new data privacy laws in numerous developing areas (eg, Internet of Things and connected devices, COVID-19/infectious-disease related, biometric, drones, artificial intelligence, internet service providers, data broker registrations). The ever-growing patchwork of state and federal laws will continue to create new challenges for businesses, especially those with widespread operations.
Class action lawsuits concerning data breaches and privacy violations have been a significant risk, and we can expect increased litigation – especially under the California Consumer Privacy Act's (CCPA) new private right of action (and under state unfair or deceptive acts or practices statutes, under which litigants will likely hold the CCPA out as a ‘de facto’ standard). Additionally, record-breaking law enforcement penalties were imposed in 2019, including the Federal Trade Commission's and Department of Justice's largest-ever $5 billion penalty imposed on an entity for violating consumers' privacy. Accordingly, privacy compliance and risk management will continue to grow as an area of increased focus and concern in boardrooms and at executive levels.
We can also expect to see movement towards the negotiation of a new US-EU data transfer framework to replace the Privacy Shield.
14 Tips and traps
14.1 What are your top tips for effective data protection in your jurisdiction and what potential sticking points would you highlight?
Two emerging themes that we see across the new US state privacy laws and regulatory guidance are the need to demonstrate:
- that ‘reasonable’ privacy and data protection measures have been established and are being practised; and
- ‘transparency’ as to what personal data is being collected and exactly how that personal data is processed.
While the ‘reasonableness’ standard is notoriously vague – and may depend on, for example, the scope of the company's activities, the sensitivity of the data collected and used, and the size of the company – there are recognised standards (eg, the National Institute of Standards and Technology Cybersecurity and/or Privacy Frameworks) and general best practices that should be explored and implemented when possible:
- develop and implement a privacy compliance strategy and framework for risk management that includes establishing a comprehensive governance structure, with buy-in from C-level executives and broad involvement of divisions within the organisation; and
- document any processes and procedures (and related communications and organisational decisions) regarding how data is collected, stored and used.
One of the major challenges in the United States to effectively address privacy and data protection laws is navigating the patchwork system that is currently in place. With no comprehensive privacy law, we have regulation from the federal government to some extent (eg, through the Health Insurance Portability and Accountability Act, the Gramm-Leach-Bliley Act, the Family Educational Rights and Privacy Act and the Children's Online Privacy Protection Act) and technology-specific, industry-specific and more generally applicable laws from a few states – some of which overlap, are contradictory and raise issues regarding pre-emption, for example. Without a comprehensive data privacy law, attorneys, enforcement authorities and businesses alike must continue to monitor each applicable law and regulation – the objective being to ensure that their efforts towards compliance across the board are considered reasonable.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.