There are privacy laws being passed seemingly every day; however, there is no comprehensive national U.S. law and current laws are largely a patchwork of state and federal laws.
Since there are no federal privacy laws regulating the actions of many companies, they’re pretty much free to do what they want with your data, unless there is a state law governing its use.
- In most states, companies can use, share, or sell any data they collect about you without notifying you that they’re doing so.
- No national law standardizes when (or if) a company must notify you if your data is breached or exposed to unauthorized parties.
- If a company shares your data, including sensitive information such as your health or location, with third parties (like data brokers), those third parties can further sell it or share it without notifying you.
Yikes! So why isn’t someone doing something about this? Well, California has what is probably the most comprehensive privacy law. The regulations allow a person to sue a company for violations. California also requires a “global opt out” that lets a person opt out of data sharing once, at the device or browser level, instead of being forced to opt out on each site individually. California is one of only three states with a comprehensive privacy law. The others are Colorado and Virginia.
Beyond these, there is a hodgepodge of state privacy laws. Federal laws encompass an alphabet soup of laws covering specific data and situations, including:
- The Health Insurance Portability and Accountability Act (HIPAA) covers only communication between you and “covered entities,” which include doctors, hospitals, pharmacies, insurers, and other similar businesses. People tend to think HIPAA covers all health data, but it doesn’t.
- The Fair Credit Reporting Act (FCRA) covers information in your credit report. It limits who is allowed to see a credit report, what the credit bureaus can collect, and how information is obtained.
- The Family Educational Rights and Privacy Act (FERPA) details who can request student education records. This includes giving parents, eligible students, and other schools the right to inspect education records maintained by a school.
- The Gramm-Leach-Bliley Act (GLBA) requires providers of consumer financial products, such as loan services or investment-advice services, to explain how they share data and to inform customers of their right to opt out. The law doesn’t restrict how companies use the data they collect, as long as they disclose such usage beforehand.
- The Electronic Communications Privacy Act (ECPA) restricts government wiretaps on telephone calls and other electronic signals (though the USA Patriot Act redefined much of this). Since ECPA was written well before the modern internet, it doesn’t protect against modern surveillance tactics.
- The Children’s Online Privacy Protection Rule (COPPA) applies to data collection practices regarding children under 13 years old.
- The Video Privacy Protection Act (VPPA) prevents the disclosure of VHS rental records. VPPA does not apply to streaming companies, though.
- The Federal Trade Commission Act (FTC Act) empowers the FTC to go after an app or website that violates its own privacy policy.