SECTOR SPECIFIC REGULATIONS AND A FEW HICCUPS MORE: U.S.A AND ITS PRIVACY LAWS
Your Guide to U.S.A's Privacy Laws and its Shortcomings.
© 2021 Tsaaro. All rights reserved.
WHITEPAPER 08
INTRODUCTION
With the emergence of innovation on a daily basis, privacy is becoming increasingly complex. Various regions of the world have understood the risks pertaining to Data Privacy and have introduced regulations to safeguard the privacy of individuals' data. Virtually every country has laid down its privacy laws and ancillary regulations. The World Superpower a.k.a the United States has introduced its own system to keep up with evolving technology. However, in the absence of a central federal-level privacy law, there is a series of different vertically-focused privacy laws, forming a complex patchwork of laws and regulations dealing with specific sectors and mediums.
PROBLEM
The structural flaw in the privacy laws of the United States is the absence of a unified code that deals with particular subjects and of a document that is exhaustive in nature. The European Union's GDPR is exactly what the United States lacks; having different statutes (both federal and State) to regulate specific sectors makes the entire structure uneven. The legal framework of the United States regulating emerging privacy concerns lacks the ability to streamline the procedure and curb risks altogether by establishing a defined mechanism in its entirety.
STRUCTURE
This whitepaper would be covering the following aspects:
- Timeline of the American Privacy Landscape.
- The existing Federal and State Legislations regulating matters pertaining to privacy.
- A graphical representation of the State-Wise privacy statutes.
- The problems that plague the current privacy scenario.
- The way forward, with suggestions to curb the limitations of the existing framework.
TIMELINE OF THE AMERICAN LANDSCAPE
1890 - Brandeis "Right to Privacy" Law Review Article
1960 - Privacy Torts
1974 - Privacy Act of 1974
1996 - Health Insurance Portability and Accountability Act of 1996
1998 - COPPA (Children's Online Privacy Protection Act)
1999 - Gramm Leach Bliley Act
2018 - General Data Protection Regulation (GDPR) went into effect
2020 - California passes California Consumer Privacy Act (CCPA)
2021 - Virginia and Colorado pass respective state laws
FEDERAL STATUTES IN USA PRIVACY LANDSCAPE
There is no single comprehensive data protection legislation in the United States. However, there are various statutes enacted on the Federal and State Levels which are sector-specific and protect the personal data of the people residing in the United States.
PRIVACY ACT OF 1974
Enacted on account of the Watergate Scandal, this Act aimed at balancing the rights of individuals. It laid down certain restrictions on the collection and retention of data by Government Agencies. This legislation could be considered one of the primary references for digital privacy in the American Legal Landscape, incorporating certain principles which are, at present, commonly referred to as privacy by design. These principles are:
- Right of U.S. Citizens to access/copy data.
- Right of Citizens to correct any informational errors.
- Government Agencies to adopt data minimization policies.
- Restriction of unnecessary access to data.
- No sharing of information between Government Agencies, unless necessary.
CHILDREN'S ONLINE PRIVACY PROTECTION ACT (COPPA)
COPPA was America's first step towards safeguarding the online privacy of children. This specific statute was passed with the objective of protecting the digital privacy of minors.
- COPPA prohibits the collection of information pertaining to children below the age of 13, within and beyond the territory of the United States.
- The recent amendments to COPPA broadened the applicability of the statute by widening the types of Personal Information that must be protected.
- The provisions of COPPA are applicable to Third-Parties that use children's data as well. The originating websites must ensure the safety of children by adopting reasonable measures and safeguards, and by releasing such information only to organizations that are capable of keeping the data secure.
GRAMM-LEACH-BLILEY ACT (GLBA)
Also referred to as the Financial Modernization Act of 1999, the Gramm-Leach-Bliley Act's main focal point is:
- Expanding and tightening consumer data privacy safeguards and restrictions to protect Non-public Personal Information (NPI). However, as per GLBA, any information collected regarding an individual to provide financial products or services is subject to the condition that the information was not already publicly accessible.
- The law states that financial institutions are required to explain how all customer data is shared and to provide customers with an opportunity to opt out.
- GLBA safeguards the collected personal data with a security plan created by the institution. However, there is a loophole wherein third parties affiliated with financial institutions are not under any obligation to provide customers with privacy controls to restrict the sharing of NPI.
FAIR CREDIT REPORTING ACT (FCRA)
The Federal Statute of FCRA, passed on 26th October 1970, promotes accuracy, transparency and privacy of the information in consumer credit bureau files:
- Privacy of information in the files of consumer reporting agencies, regulating the manner in which credit reporting agencies collect, access and use/share the data collected in consumer reports, and providing customers access to their credit reports.
- FCRA provides for the secure destruction of Personal Information and regulates the use of certain types of information received from affiliated organisations for marketing purposes.
- The Statute is enforced by the Federal Trade Commission and the Consumer Financial Protection Bureau. Violations of FCRA carry fines including incurred damages (if any).
HEALTH INSURANCE PORTABILITY AND ACCOUNTABILITY ACT (HIPAA)
Known as the Kennedy-Kassebaum Act, HIPAA was enacted on 21 August 1996 to regulate Health Insurance in the United States:
- Enacted to streamline the flow of Healthcare information, this complex framework includes data privacy and security sanctions as well.
- Lays down the concept of Data Confidentiality, essentially providing who would get access to Protected Health Information (PHI).
- Provides groundwork for explicit consent, as using such data for marketing purposes is subject to explicit consent.
- Limitations on how information related to patients is obtained, stored, accessed or released, thereby safeguarding the same against theft or fraud.
THE U.S. STATE-WISE REGULATIONS
[Chart: state-wise privacy statutes. Columns: STATE, ENACTMENT, RIGHT TO DELETION, RIGHT TO ACCESS, RIGHT TO OPT-OUT, RIGHT TO RECTIFICATION, PRIVATE RIGHT OF ACTION. States shown: California (CCPA), New York, Maryland, Virginia, Massachusetts, North Dakota, Hawaii, Colorado.]
The above chart refers to CCPA and not the updated provisions of CPRA, as the same has not come into effect yet.
STATE-WISE REGULATIONS
Certain States have introduced their own statutes to regulate privacy in their legislation, as long as there is no Federal Statute that protects the privacy of a resident.
CALIFORNIA CONSUMER PRIVACY ACT (CCPA) & CALIFORNIA PRIVACY RIGHTS ACT (CPRA)
On 28 June 2018, the state of California enacted the CCPA to extend consumer privacy protection to the internet, becoming in itself the most comprehensive digital-focused privacy regulation in the United States:
- The most striking feature of the CCPA is the wider ambit of the definition of "personal information", which includes information that can identify, relate to, describe, or is capable of being associated, directly or indirectly, with a particular individual or household.
- CCPA provides an exhaustive list of identifiers and provides consumers with the right to access through DSAR, also restricting businesses from selling customers' personal information without informing them, providing a web notice and giving them an opportunity to opt out.
- Similar to GDPR, CCPA incorporates the right to delete, and provides customers with a chance to sue on account of a data breach.
- CPRA, often termed an update to CCPA, builds on the existing framework, adding to the consumer rights and business obligations along with a dedicated Data Privacy Protection Agency. The CPRA would be fully operative from January 2023.
VIRGINIA CONSUMER DATA PROTECTION ACT (VCDPA)
Enacted on March 2, 2021, the VCDPA made Virginia the second state after California to officially adopt and enact a comprehensive regulation that deals with consumer privacy.
- Provides consumers with the right to access data and data deletion, and the right to opt out, and entrusts organizations with an obligation to conduct data protection assessments.
- VCDPA provides an extensive definition of Personal Data and of who could be considered a consumer within the purview of the Act.
- VCDPA does not incorporate a private right of action, unlike the CPRA, but imposes hefty penalties to curb the concerns of data privacy breaches.
COLORADO PRIVACY ACT (COLOPA)
Set to take effect on July 1, 2023, ColoPA made Colorado the third state to enact comprehensive privacy legislation.
- ColoPA vests consumers with rights such as the right to access, correction, deletion, data portability, the right to appeal and the right to Opt-Out.
- The scope of ColoPA is broader than CCPA when it comes to revenue thresholds. ColoPA explicitly omits individuals acting in a commercial capacity; under the statute, controllers are not required to consider the data of employees as PII when they collect and process the same.
- The scope of ColoPA is quite similar to CCPA, including the definitions of Personal Data and Sale of Personal Information.
- ColoPA also sets categories of exempt data, dividing them into two categories, i.e. Entity-level exemptions and Data-level exemptions.
MASSACHUSETTS DATA PRIVACY LAW
Formerly known as "Standards for The Personal Information of Residents of the Commonwealth", this proposed law places an obligation on organisations to notify individuals in case of a security breach. This statute is largely similar to the CCPA, and a vital difference is that consumers are vested with the right to sue for any violation.
NEW YORK PRIVACY ACT
The proposed New York Act contains all the important principles of CCPA.
- Similar to Massachusetts and unlike CCPA, New York's Act would vest the individual with the right to pursue action for any violation, making this statute stringent.
- Another key distinction is the addition of the Data Fiduciary concept, emphasizing that all organisations are legally responsible for every piece of consumer data that they possess.
- The Act is also closely similar to the EU GDPR due to its provision giving consumers the ability to correct inaccurate information.
HAWAII CONSUMER PRIVACY PROTECTION ACT
Similar to the CCPA, the proposed Hawaii Act offers all of the same rights and protections, including the clause whereby a website located anywhere could be held liable if it does not operate with adequate protection.
MARYLAND ONLINE CONSUMER PROTECTION ACT
Another state-proposed Bill, with the potential to expand on the scope of CCPA. Like other states' bills, the Maryland Bill also incorporates the concept of Probabilistic Identifiers and even goes beyond the scope of CCPA when it comes to disclosing third-party involvement, going so far as to obligate companies to disclose any information that is passed to such Third-parties.
NORTH DAKOTA'S HB-1485
This Bill completely restricts any website from transmitting any information to third parties without obtaining the consent of its users. However, there is no right to rectification or deletion once consent is legally obtained by the Controller.
SHORTCOMINGS OF U.S. PRIVACY SCENARIO
UNEVEN APPROACH
Data is not adequately protected, and companies are riddled with contradictory and competing requirements. This calls for a unified approach to make it easier to protect privacy.
PATCHWORK INCOMPATIBILITY
Lacking uniform central legislation, the United States ensures that privacy is maintained within specific sectors through the pertinent sector-specific laws. It is noteworthy that these laws sometimes have varying, incompatible provisions with respect to what qualifies as personal information and what constitutes a breach.
COMPLICATED ENFORCEMENTS
The Federal Trade Commission (FTC) has an important role to play here, as it has the general power to prohibit certain trade practices under section 5 of the FTC Act. However, companies have begun testing the FTC's legal authority to review data security practices. Furthermore, the FTC has limited jurisdiction over banks, insurance organizations, NPOs and ISPs.
RESPONSE TO DATA BREACH
Data breach notification and response is the most important aspect of data privacy. Ongoing vigilance should be adopted instead of a penal or remedial approach to data theft, and the same should be incentivised while eliminating the complexities for both consumers and institutions.
UPDATING THE VALIDITY
The existing laws were enacted as a response to a certain scenario, and there are certain changes that reduce the sectoral boundaries laid down by these privacy regulations. Therefore, to reduce arbitrariness, the definitions along with the legal provisions have to adapt to the changing needs of privacy to ensure protection.
THE WAY FORWARD
The United States should adopt from the European Union its approach towards data privacy by bringing out a single comprehensive framework to regulate personal privacy. These are the recommendations that would be an ideal way forward for the United States to overcome its current shortcomings:
SCOPE & APPLICABILITY
The Future Legislation must bring within its ambit all institutions, ranging from Government-run agencies to NPOs and every other narrow sector of the economy. Apart from the social responsibility of an organization, a data protection breach is also an institutional risk.
HARMONISING INCONSISTENCIES
The upcoming legislation should aim to replace the existing patchwork of statutes. A baseline should be established which lays down all the set criteria and can remove the inconsistencies between the different requirements or rights laid down by the current sector-wise approach towards individual privacy.
PRIVATE RIGHT OF ACTION
It is extremely essential for individuals to be vested with the legal recourse to sue a company over privacy violations.
DATA MINIMIZATION, OPT-IN AND DISCRIMINATION IN PRIVACY RIGHTS
A company should only collect the information it essentially requires to provide the service it is offering, and should mandatorily present the customer with the option of sharing the user data with a Third-party. Every organization must also provide its customers with Data Subject Rights (DSR), including deletion and the rectification of stored data. Companies cannot discriminate against people for exercising their privacy rights, nor can they force them to pay for increased data security.
CONCLUSION
This ever-evolving regulatory environment would require companies to adapt to the changing times. The future of US privacy law will reflect some of the key ideas from the existing state regulations: Employee or Consumer privacy rights, access and removal requests, and ultimately fines and fine-related requirements, exceptions and mitigations would be set down in a single piece of legislation, curbing the current shortcomings and integrating the existing patchwork into an exhaustive framework.
Akarsh Singh (CEO & Co-Founder Tsaaro)
Akarsh is a fellow in Information Privacy by IAPP, the highest certification in the field of privacy. His expertise lies in Data Privacy and Information Security Compliance.
Krishna Srivastava (Co-Founder & Head of Cyber Security Tsaaro)
Krishna is an ex-KPMG data security consultant. He has vast experience in Information Security and Data Privacy Compliance.
Vaibhav Antil (Co-Founder at Privado.ai)
Vaibhav is an ex-IITian with experience of over 7 years. He's a Certified Information Privacy Manager (CIPM) from IAPP.
COMPANY PROFILE
Tsaaro provides privacy and cybersecurity services to help organizations meet regulatory requirements while maintaining a robust security infrastructure. Our industry-standard privacy services include Privacy compliance, DPO-as-a-service, Vulnerability Assessment & Penetration Testing, Cyber Strategy, DPIA to name a few, delivered by our expert privacy professionals recognized by IAPP.
At Privado, we are building tools for compliance with Data Privacy Laws such as GDPR, CCPA. Companies now have to do a lot to comply with these laws like take consent, do vendor assessments, privacy assessments, etc. We simplify and automate these tasks so that companies can demonstrate privacy compliance. We want to bring visibility to the use of data to the privacy team.
CONTACT US
You can assess risk with respect to personal data and strengthen your data security by contacting Tsaaro.
Email us: info@tsaaro.com
Addresses:
Tsaaro India Office
Manyata Embassy Business Park, Ground Floor, E1 Block, Beech Building, Outer Ring Road, Bangalore- 560045, India
P: +91-0522–3581306
Tsaaro Netherlands Office
Regus Schiphol Rijk, Beech Avenue 54-62, Het Poortgebouw, Amsterdam, 1119 PW, Netherlands
P: +31-686053719

DNA Testing in Civil and Criminal Matters.pptx
patrons legal
 
办理(waikato毕业证书)新西兰怀卡托大学毕业证双学位证书原版一模一样
办理(waikato毕业证书)新西兰怀卡托大学毕业证双学位证书原版一模一样办理(waikato毕业证书)新西兰怀卡托大学毕业证双学位证书原版一模一样
办理(waikato毕业证书)新西兰怀卡托大学毕业证双学位证书原版一模一样
9ib5wiwt
 
Notes-on-Prescription-Obligations-and-Contracts.doc
Notes-on-Prescription-Obligations-and-Contracts.docNotes-on-Prescription-Obligations-and-Contracts.doc
Notes-on-Prescription-Obligations-and-Contracts.doc
BRELGOSIMAT
 
Debt Mapping Camp bebas riba to know how much our debt
Debt Mapping Camp bebas riba to know how much our debtDebt Mapping Camp bebas riba to know how much our debt
Debt Mapping Camp bebas riba to know how much our debt
ssuser0576e4
 
1比1制作(swansea毕业证书)英国斯旺西大学毕业证学位证书托业成绩单原版一模一样
1比1制作(swansea毕业证书)英国斯旺西大学毕业证学位证书托业成绩单原版一模一样1比1制作(swansea毕业证书)英国斯旺西大学毕业证学位证书托业成绩单原版一模一样
1比1制作(swansea毕业证书)英国斯旺西大学毕业证学位证书托业成绩单原版一模一样
9ib5wiwt
 
Military Commissions details LtCol Thomas Jasper as Detailed Defense Counsel
Military Commissions details LtCol Thomas Jasper as Detailed Defense CounselMilitary Commissions details LtCol Thomas Jasper as Detailed Defense Counsel
Military Commissions details LtCol Thomas Jasper as Detailed Defense Counsel
Thomas (Tom) Jasper
 
RIGHTS OF VICTIM EDITED PRESENTATION(SAIF JAVED).pptx
RIGHTS OF VICTIM EDITED PRESENTATION(SAIF JAVED).pptxRIGHTS OF VICTIM EDITED PRESENTATION(SAIF JAVED).pptx
RIGHTS OF VICTIM EDITED PRESENTATION(SAIF JAVED).pptx
OmGod1
 

Recently uploaded (20)

Responsibilities of the office bearers while registering multi-state cooperat...
Responsibilities of the office bearers while registering multi-state cooperat...Responsibilities of the office bearers while registering multi-state cooperat...
Responsibilities of the office bearers while registering multi-state cooperat...
 
PRECEDENT AS A SOURCE OF LAW (SAIF JAVED).pptx
PRECEDENT AS A SOURCE OF LAW (SAIF JAVED).pptxPRECEDENT AS A SOURCE OF LAW (SAIF JAVED).pptx
PRECEDENT AS A SOURCE OF LAW (SAIF JAVED).pptx
 
WINDING UP of COMPANY, Modes of Dissolution
WINDING UP of COMPANY, Modes of DissolutionWINDING UP of COMPANY, Modes of Dissolution
WINDING UP of COMPANY, Modes of Dissolution
 
Law Commission Report. Commercial Court Act.
Law Commission Report. Commercial Court Act.Law Commission Report. Commercial Court Act.
Law Commission Report. Commercial Court Act.
 
定制(nus毕业证书)新加坡国立大学毕业证学位证书实拍图原版一模一样
定制(nus毕业证书)新加坡国立大学毕业证学位证书实拍图原版一模一样定制(nus毕业证书)新加坡国立大学毕业证学位证书实拍图原版一模一样
定制(nus毕业证书)新加坡国立大学毕业证学位证书实拍图原版一模一样
 
Car Accident Injury Do I Have a Case....
Car Accident Injury Do I Have a Case....Car Accident Injury Do I Have a Case....
Car Accident Injury Do I Have a Case....
 
Business and Corporate Case Update (2024)
Business and Corporate Case Update (2024)Business and Corporate Case Update (2024)
Business and Corporate Case Update (2024)
 
ALL EYES ON RAFAH BUT WHY Explain more.pdf
ALL EYES ON RAFAH BUT WHY Explain more.pdfALL EYES ON RAFAH BUT WHY Explain more.pdf
ALL EYES ON RAFAH BUT WHY Explain more.pdf
 
Secure Your Brand: File a Trademark Today
Secure Your Brand: File a Trademark TodaySecure Your Brand: File a Trademark Today
Secure Your Brand: File a Trademark Today
 
ASHWINI KUMAR UPADHYAY v/s Union of India.pptx
ASHWINI KUMAR UPADHYAY v/s Union of India.pptxASHWINI KUMAR UPADHYAY v/s Union of India.pptx
ASHWINI KUMAR UPADHYAY v/s Union of India.pptx
 
The Main Procedures for Obtaining Cypriot Citizenship
The Main Procedures for Obtaining Cypriot CitizenshipThe Main Procedures for Obtaining Cypriot Citizenship
The Main Procedures for Obtaining Cypriot Citizenship
 
Highlights_of_Bhartiya_Nyaya_Sanhita.pptx
Highlights_of_Bhartiya_Nyaya_Sanhita.pptxHighlights_of_Bhartiya_Nyaya_Sanhita.pptx
Highlights_of_Bhartiya_Nyaya_Sanhita.pptx
 
Abdul Hakim Shabazz Deposition Hearing in Federal Court
Abdul Hakim Shabazz Deposition Hearing in Federal CourtAbdul Hakim Shabazz Deposition Hearing in Federal Court
Abdul Hakim Shabazz Deposition Hearing in Federal Court
 
DNA Testing in Civil and Criminal Matters.pptx
DNA Testing in Civil and Criminal Matters.pptxDNA Testing in Civil and Criminal Matters.pptx
DNA Testing in Civil and Criminal Matters.pptx
 
办理(waikato毕业证书)新西兰怀卡托大学毕业证双学位证书原版一模一样
办理(waikato毕业证书)新西兰怀卡托大学毕业证双学位证书原版一模一样办理(waikato毕业证书)新西兰怀卡托大学毕业证双学位证书原版一模一样
办理(waikato毕业证书)新西兰怀卡托大学毕业证双学位证书原版一模一样
 
Notes-on-Prescription-Obligations-and-Contracts.doc
Notes-on-Prescription-Obligations-and-Contracts.docNotes-on-Prescription-Obligations-and-Contracts.doc
Notes-on-Prescription-Obligations-and-Contracts.doc
 
Debt Mapping Camp bebas riba to know how much our debt
Debt Mapping Camp bebas riba to know how much our debtDebt Mapping Camp bebas riba to know how much our debt
Debt Mapping Camp bebas riba to know how much our debt
 
1比1制作(swansea毕业证书)英国斯旺西大学毕业证学位证书托业成绩单原版一模一样
1比1制作(swansea毕业证书)英国斯旺西大学毕业证学位证书托业成绩单原版一模一样1比1制作(swansea毕业证书)英国斯旺西大学毕业证学位证书托业成绩单原版一模一样
1比1制作(swansea毕业证书)英国斯旺西大学毕业证学位证书托业成绩单原版一模一样
 
Military Commissions details LtCol Thomas Jasper as Detailed Defense Counsel
Military Commissions details LtCol Thomas Jasper as Detailed Defense CounselMilitary Commissions details LtCol Thomas Jasper as Detailed Defense Counsel
Military Commissions details LtCol Thomas Jasper as Detailed Defense Counsel
 
RIGHTS OF VICTIM EDITED PRESENTATION(SAIF JAVED).pptx
RIGHTS OF VICTIM EDITED PRESENTATION(SAIF JAVED).pptxRIGHTS OF VICTIM EDITED PRESENTATION(SAIF JAVED).pptx
RIGHTS OF VICTIM EDITED PRESENTATION(SAIF JAVED).pptx
 

SECTOR-SPECIFIC-REGULATIONS-AND-A-FEW-HICCUPS-MORE-U.S.A-AND-ITS-PRIVACY-LAWS.pdf

  • 3. TIMELINE OF THE AMERICAN LANDSCAPE
1890 Brandeis "Right to Privacy" Law Review Article
1960 Privacy Torts
1974 Privacy Act of 1974
1996 Health Insurance Portability and Accountability Act of 1996
1998 COPPA (Children's Online Privacy)
1999 Gramm-Leach-Bliley Act
2018 General Data Protection Regulation (GDPR) went into effect
2020 California passes the California Consumer Privacy Act (CCPA)
2021 Virginia and Colorado pass their respective state laws
  • 4. FEDERAL STATUTES IN THE USA PRIVACY LANDSCAPE
There is no single comprehensive data protection legislation in the United States. However, there are various statutes enacted at the Federal and State levels which are sector-specific and protect the personal data of the people residing in the United States.
PRIVACY ACT OF 1974
On account of the Watergate Scandal, this Act aimed at balancing the rights of individuals. The Act laid down certain restrictions on the collection and retention of data by Government Agencies. This legislation could be considered one of the primary references for digital privacy in the American legal landscape, incorporating certain principles which are, at present, commonly referred to as privacy by design. These principles are:
Right of U.S. citizens to access/copy data.
Right of citizens to correct any informational errors.
Government Agencies to adopt data minimization policies.
Restriction of unnecessary access to data.
No sharing of information between Government Agencies, unless necessary.
  • 5. FEDERAL STATUTES IN THE USA PRIVACY LANDSCAPE
CHILDREN'S ONLINE PRIVACY PROTECTION ACT (COPPA)
COPPA was America's first step towards safeguarding the online privacy of children. This specific statute was passed with the objective of protecting the digital privacy of minors. COPPA prohibits the collection of information pertaining to children below the age of 13, within and beyond the territory of the United States. The recent amendments to COPPA broadened the applicability of the statute by widening the types of Personal Information that must be protected. The provisions of COPPA apply to third parties that use children's data as well. The originating websites must ensure the safety of children by adopting reasonable measures and safeguards, and by releasing such information only to organizations that are capable of keeping the data secure.
GRAMM-LEACH-BLILEY ACT (GLBA)
Also referred to as the Financial Modernization Act of 1999, the Gramm-Leach-Bliley Act's main focal point is expanding and tightening consumer data privacy safeguards and restrictions to protect Non-public Personal Information (NPI). However, as per GLBA, any information collected about an individual in order to provide financial products or services is covered only on the condition that the information was not already publicly accessible. The law states that financial institutions are required to explain how all customer data is shared and to provide customers with an opportunity to opt out. GLBA safeguards the collected personal data through a security plan created by the institution. However, there is a loophole: third parties affiliated with financial institutions are not under any obligation to provide customers with privacy controls that let them restrict the sharing of NPI.
  • 6. FEDERAL STATUTES IN THE USA PRIVACY LANDSCAPE
HEALTH INSURANCE PORTABILITY AND ACCOUNTABILITY ACT (HIPAA)
Known as the Kennedy-Kassebaum Act, HIPAA was enacted on 21 August 1996 to regulate health insurance in the United States:
Enacted to streamline the flow of healthcare information, this complex framework includes data privacy and security sanctions as well.
Lays down the concept of data confidentiality, essentially providing who gets access to Protected Health Information (PHI).
Provides the groundwork for explicit consent: using such data for marketing purposes is subject to explicit consent.
Limits how information related to patients is obtained, stored, accessed or released, thereby safeguarding it against theft or fraud.
FAIR CREDIT REPORTING ACT (FCRA)
The federal statute FCRA, passed on 26th October 1970, promotes accuracy, transparency and privacy of the information in consumer credit bureau files:
Privacy of information in the files of consumer reporting agencies, regulating the manner in which credit reporting agencies collect, access and use/share the data collected in consumer reports, and providing customers with access to their credit reports.
FCRA provides for the secure destruction of Personal Information and regulates the use of certain types of information received from affiliated organisations for marketing purposes.
The statute is enforced by the Federal Trade Commission and the Consumer Financial Protection Bureau. Violations of FCRA carry fines, including incurred damages (if any).
  • 7. THE U.S. STATE-WISE REGULATIONS
[Chart: the states California (CCPA), New York, Maryland, Virginia, Massachusetts, North Dakota, Hawaii and Colorado compared across the columns Enactment, Right to Deletion, Right to Access, Right to Opt-Out, Right to Rectification and Private Right of Action; the chart's cell values are not reproduced in the text.]
The above chart refers to CCPA and not the updated provisions of CPRA, as the same has not come into effect yet.
  • 8. STATE-WISE REGULATIONS
Certain states have introduced their own statutes to regulate privacy, as there is no Federal statute that protects the privacy of a resident.
CALIFORNIA CONSUMER PRIVACY ACT (CCPA) & CALIFORNIA PRIVACY RIGHTS ACT (CPRA)
On 28 June 2018, the state of California enacted the CCPA to extend consumer privacy protection to the internet, making it the most comprehensive digital-focused privacy regulation in the United States:
The most striking feature of the CCPA is the wider ambit of its definition of "personal information", which includes information that can identify, relate to, describe, or is capable of being associated, directly or indirectly, with a particular individual or household.
CCPA provides an exhaustive list of identifiers and gives consumers the right to access through DSARs, while also restricting businesses from selling customers' personal information without informing them, providing a web notice and giving them an opportunity to opt out.
Similar to GDPR, CCPA incorporates the right to delete, and gives customers a chance to sue on account of a data breach.
CPRA, often termed an update to CCPA, builds on the existing framework by adding to the consumer rights and business obligations, along with a dedicated data privacy protection agency. The CPRA would be completely operative from January 2023.
  • 9. STATE-WISE REGULATIONS
VIRGINIA CONSUMER DATA PROTECTION ACT (VCDPA)
Enacted on March 2 2021, the VCDPA made Virginia the second state after California to officially adopt and enact a comprehensive regulation dealing with consumer privacy.
Provides consumers with the right to access data, the right to data deletion and the right to opt out, and entrusts organizations with an obligation to conduct data protection assessments.
VCDPA provides an extensive definition of Personal Data and of who could be considered a consumer within the purview of the Act.
VCDPA does not incorporate a private right of action, unlike the CPRA, but imposes hefty penalties to curb data privacy breaches.
COLORADO PRIVACY ACT (COLOPA)
Set to take effect on July 1 2023, Colorado became the third state to enact comprehensive privacy legislation.
ColoPA vests consumers with rights such as the right to access, correction, deletion and data portability, the right to appeal and the right to opt out.
The scope of ColoPA is broader than CCPA when it comes to revenue thresholds.
ColoPA explicitly omits individuals acting in a commercial capacity: under the statute, controllers are not required to treat the data of employees as PII when they collect and process it.
The scope of ColoPA is otherwise quite similar to CCPA, including the definitions of Personal Data and Sale of Personal Information. ColoPA also sets categories of exempt data, dividing them into two categories, i.e. entity-level exemptions and data-level exemptions.
MASSACHUSETTS DATA PRIVACY LAW
Formerly known as "Standards for The Personal Information of Residents of the Commonwealth", this proposed law places an obligation on organisations to notify individuals in case of a security breach. This statute is largely similar to the CCPA; a vital difference is that consumers are vested with the right to sue for any violation.
  • 10. STATE-WISE REGULATIONS
NEW YORK PRIVACY ACT
The proposed New York Act contains all the important principles of CCPA. Similar to Massachusetts and unlike CCPA, New York's Act would vest individuals with the right to pursue action for any violation, making this statute stringent. Another key distinction is the addition of the Data Fiduciary concept, with an emphasis on all organisations being legally responsible for every piece of consumer data that they possess. The Act is also closely similar to the EU GDPR in providing consumers with the ability to correct inaccurate information.
HAWAII CONSUMER PRIVACY PROTECTION ACT
Similar to the CCPA, the proposed Hawaii Act offers all of the same rights and protections, inclusive of a clause under which a website located anywhere could be held liable if it does not operate with adequate protection.
MARYLAND ONLINE CONSUMER PROTECTION ACT
Another proposed state Bill, with the potential to expand on the scope of CCPA. Like other states, the Maryland Bill also incorporates the concept of Probabilistic Identifiers, and even goes beyond the scope of CCPA when it comes to disclosing third-party involvement, going so far as to oblige companies to disclose any information that is passed to such third parties.
NORTH DAKOTA'S HB-1485
This Bill completely restricts any website from transmitting any information to third parties without obtaining the consent of its users. However, there is no right to rectification or deletion once consent is legally obtained by the Controller.
  • 11. SHORTCOMINGS OF THE U.S. PRIVACY SCENARIO
PATCHWORK INCOMPATIBILITY
Lacking uniform central legislation, the United States ensures that privacy is maintained within specific sectors through the pertinent sector-specific laws. It is noteworthy that these laws sometimes have varying, incompatible provisions with respect to what counts as personal information and what constitutes a breach.
UNEVEN APPROACH
Data is not adequately protected, and companies are riddled with contradictory and competing requirements. A unified approach is needed to make it easier to protect privacy.
COMPLICATED ENFORCEMENT
The Federal Trade Commission (FTC) has an important role to play here, as it has the general power to prohibit certain trade practices under section 5 of the FTC Act. However, companies have begun testing the FTC's legal authority to review data security practices. Furthermore, the FTC has limited jurisdiction over banks, insurance organizations, NPOs and ISPs.
RESPONSE TO DATA BREACH
Data breach notification and response is the most important aspect of data privacy. Ongoing vigilance should be adopted instead of a penal or remedial approach to data theft, and the same should be incentivised while eliminating the complexities for both consumers and institutions.
UPDATING THE VALIDITY
The existing laws were enacted as a response to a certain scenario, and there are certain changes that erode the sectoral boundaries laid down by these privacy regulations. Therefore, to reduce arbitrariness, the definitions along with the legal provisions have to adapt to the changing needs of privacy to ensure protection.
  • 12. THE WAY FORWARD
The United States should adopt from the European Union its approach towards data privacy, by bringing out a single comprehensive framework to regulate personal privacy. These are the recommendations that would be an ideal way forward for the United States to overcome its current shortcomings:
SCOPE & APPLICABILITY
The future legislation must bring within its ambit all institutions, ranging from Government-run agencies to NPOs and every other narrow sector of the economy. Apart from the social responsibility of an organization, a data protection breach is an institutional risk as well.
HARMONISING INCONSISTENCIES
The upcoming legislation should aim to replace the existing patchwork of statutes. A baseline should be established which lays down all the set criteria and can remove the inconsistencies in requirements or rights laid down by the current sector-wise approach towards individual privacy.
PRIVATE RIGHT OF ACTION
It is extremely essential for individuals to be vested with the legal recourse to sue a company over privacy violations.
DATA MINIMIZATION, OPT-IN AND DISCRIMINATION IN PRIVACY RIGHTS
A company should only collect the information it essentially requires to provide the service it is offering, and should mandatorily present the customer with the option of whether to share user data with a third party. Every organization must also provide its customers with Data Subject Rights (DSR), including deletion and rectification of stored data. Companies cannot discriminate against people for exercising their privacy rights, nor force them to pay for increased data security.
  • 13. CONCLUSION
This ever-evolving regulatory environment would require companies to adapt to the changing times. The future of US privacy law will reflect some of the key ideas from the existing state regulations: employee and consumer privacy rights, access and removal requests, and ultimately fines and fine-related requirements, exceptions and mitigations would be marked down in a single piece of legislation, curbing the current shortcomings and integrating the existing patchwork into an exhaustive framework.
  • 14. COMPANY PROFILE
Akarsh Singh (CEO & Co-Founder, Tsaaro): Akarsh is a Fellow of Information Privacy by IAPP, the highest certification in the field of privacy. His expertise lies in Data Privacy and Information Security Compliance.
Krishna Srivastava (Co-Founder & Head of Cyber Security, Tsaaro): Krishna is an ex-KPMG data security consultant. He has vast experience in Information Security and Data Privacy Compliance.
Vaibhav Antil (Co-Founder at Privado.ai): Vaibhav is an ex-IITian with over 7 years of experience. He is a Certified Information Privacy Manager (CIPM) from IAPP.
Tsaaro provides privacy and cybersecurity services to help organizations meet regulatory requirements while maintaining a robust security infrastructure. Our industry-standard privacy services include Privacy compliance, DPO-as-a-service, Vulnerability Assessment & Penetration Testing, Cyber Strategy and DPIA, to name a few, delivered by our expert privacy professionals recognized by IAPP.
At Privado, we are building tools for compliance with Data Privacy Laws such as GDPR and CCPA. Companies now have to do a lot to comply with these laws, such as taking consent and doing vendor assessments, privacy assessments, etc. We simplify and automate these tasks so that companies can demonstrate privacy compliance. We want to bring visibility into the use of data to the privacy team.
CONTACT US
You can assess risk with respect to personal data and strengthen your data security by contacting Tsaaro. Email us: info@tsaaro.com
Addresses:
Tsaaro India Office: Manyata Embassy Business Park, Ground Floor, E1 Block, Beech Building, Outer Ring Road, Bangalore-560045, India. P: +91-0522–3581306
Tsaaro Netherlands Office: Regus Schiphol Rijk, Beech Avenue 54-62, Het Poortgebouw, Amsterdam, 1119 PW, Netherlands. P: +31-686053719