Every person has the right to the protection of their personal data (telephone number, bank account details, address, etc.). Privacy is central to the human spirit. Surprisingly, for many years, cultures have placed emphasis on convenience rather than privacy. But now, in modern times, data protection is of the essence. News of data breaches seems to filter our way daily, and cybersecurity risks are a plague on businesses of all sizes, not to mention the average consumer.
Data protection legislation is a relative newcomer. It's something that is being worked on at both the state and federal levels in the United States, with senators like Kirsten Gillibrand leading the pack in New York. It stems from the concerns raised about the increasing processing of personal information and the establishment of data banks. Unauthorized, careless, or ignorant processing of personal data can lead to great harm.
Data protection legislation safeguards individuals' fundamental rights and freedoms. Not complying with data protection legislation can lead to situations where it's possible to steal money from a person's bank account or endangering their life by manipulating health information.
Data Protection Laws and Regulations in the US
An ever-increasing amount of data is generated from more and more devices. Needless to say, we can barely keep up. This data explosion puts privacy and security in the spotlight. The US has data protection laws enacted on federal and state levels, but it's not comparable to the GDPR.
This is the relevant legislation you should know about:
US Privacy Act of 1974
The Privacy Act of 1974 governs the collection, maintenance, use, and dissemination of personally identifiable information about individuals held by US government agencies. The public is informed about the record systems covered by the Privacy Act by publishing notices in the Federal Register. Government agencies are required to follow data minimization practices when collecting data. When considering what data to collect, they have to focus on relevant and necessary information. Some of the new developments of the Privacy Act include the right of citizens to correct information errors.
HIPAA
HIPAA is an acronym and it stands for Health Insurance Portability and Accountability Act. Companies that access, process, or maintain large volumes of health data need to have sound security measures in place to ensure HIPAA compliance. People can inadvertently or purposefully expose patient information, so it’s necessary to safeguard all methods of data transmission, including email, Internet, or private clouds. Every practice in the US has to comply with the HIPAA security, privacy, and transactions regulations. They'll take effect in the fall of 2022. There's no need to panic, though.
COPPA
COPPA, or the Children's Online Privacy Protection Act, is a federal law that deals with websites, apps, and other web-based operators that collect personal information from kids under the age of 13. Technology companies need to offer notice and, above all, get parental consent before collecting data from children. That information is collected in a confidential manner and remains secure. Parents have the option to revoke their consent at any time. When the law was passed, sites didn't even have privacy policies. Consumers, especially the youngest, need better data security and privacy protection.
GLBA
The Gramm-Leach-Bliley Act, GLBA for short, controls the way financial institutions handle the personal information of individuals. The safeguards taken have to be appropriate for the size, complexity, and scope of activities of the organization. Financial institutions must develop privacy practices and policies that explain exactly how they collect, sell, share, and reuse consumer information. The GLBA applies to any company offering products such as loans and services such as financial advice, investment advice, or insurance. GLBA compliance enhances the reputation of the organization and increases consumer trust.
The UK General Data Protection Regulation (UK GDPR)
In the UK, the main piece of legislation governing data protection is the UK General Data Protection Regulation, which forms part of the law of England, Wales, Scotland, and Northern Ireland. It has applied in the UK since January 1, 2021. Personal data is at the core of the GDPR. Special categories of sensitive personal data are given greater protection, such as details about ethnic origins, religious beliefs, political opinions, genetic and biometric data, health information, trade union facts, and data about an individual’s sex life or orientation. The key principles at the heart of the law should guide every step of modern privacy management programs. Let’s highlight some of them, shall we?
- Data minimization. Data collected and processed should be directly relevant and necessary to accomplish a specific goal. Therefore, data controllers have to identify the minimum amount of personal information they need.
- Integrity and confidentiality. There should be appropriate security measures in place to protect personal data. Personal information must be protected against accidental loss, destruction or damage. If a data breach takes place, data protection regulators will examine the company’s setup.
Since the UK GDPR is a relatively new legislation, there has been limited reported litigation. If a person suspects their data may have been compromised, they can file a data breach claim. The amount of compensation that can be awarded for a data breach claim in the UK will depend on the nature of the incident and what impact it has had. If the data breach has affected the individual financially and mentally, the compensation received should reflect this. The issue of quantum remains unpredictable. It’s necessary to prove financial loss, but the amounts that can be claimed for emotional distress are quite low. The English court is unwilling to allow class actions to be brought.
There are numerous laws in the US, with staggering differences between them. Some are equal to the GDPR standards, but others are not. The US has more relaxed data protection laws, so it doesn’t come as a surprise that consumers don’t trust companies with their data. Congress needs to create a single legislative data protection mandate to safeguard privacy. When this will be addressed, there’s no way to know. The GDPR is a good starting point for developing an all-encompassing law. A stricter regulation brings about many benefits. From a business standpoint, they translate into innovation, better communication, and more loyal customers.
For those in New York State:
"Under the New York Privacy Act, consumers have the right to notice, access, portable data, correct, delete, and appeal automated decision-making. A controller that processes a consumer's personal data must provide notice in a publicly and persistently available as well as a conspicuous and readily accessible manner."
You can read more about the New York Privacy Act here.