US Online Privacy Laws 2023: A Simple Guide to Complicated State & Federal LawsDecember 16, 2022 by Samuel Chapman
The last decade or so has seen a great awakening around data privacy. Once a fringe concern of Electronic Frontier Foundation nerds, privacy is now debated in the halls of governments around the world, as people become ever more aware of how their data is gathered and used against them. Unfortunately, U.S. online privacy laws have been slow to catch up.
For my American readers, this won’t come as much of a surprise. The government of the United States is known for slow responses to new trends, and some factions are hostile to any sort of regulation. As a result, nations in Europe, Africa, Asia and South America are miles ahead of the U.S. on data privacy reforms.
Instead of a single overarching law like the European Union’s General Data Protection Regulation (GDPR), the U.S. has a patchwork quilt of protections and exceptions, continually reinterpreted by judicial opinions.
Making things even more complicated: Due to the power of states under the U.S. Constitution, my home country could be more accurately described as 50 countries and several territories stacked atop each other in a trench coat. Some states have data privacy laws that far outstrip those of the federal government.
It would take a team of lawyers to understand it in full. Luckily, you don’t need to know all the ins and outs of online privacy laws in the U.S. — it’s enough to understand the big picture and how it impacts you. That’s what I’m going to help you with today.
The Basics: Online Privacy Laws in the US
First, let’s nail down a definition of online privacy laws. These laws exist to protect your personal data from being gathered and exploited without your consent.
Personal data is any information that can be used to pick you out from a crowd. Examples include your name, contact information (like your home address, telephone number or email), financial information (like your social security, bank account or credit card numbers) or biometric data (like your face, fingerprints or even handwriting).
Why Protect Personal Data?
Why does this need protecting? Because your personal data is valuable. Corporations want information that tells them how to advertise. Hackers want personal data they can use to guess passwords, breach systems and empty bank accounts. Some data protection laws even exist to protect citizens from the very government that passed them.
The United States doesn’t have one overarching law that regulates all data privacy at the federal level. Over the last 100 years, many laws have been used to prosecute those who misuse personal data. Congress has taken a piece-by-piece approach, solving (or ignoring) problems as they arise without attempting to tackle the whole issue at once.
As a result, privacy disputes in the United States are liable to be resolved under one of over a dozen different laws, and often by executive or judicial fiat. We’ll get into some of the specific laws a bit later, but here are a few rights the U.S. does protect:
- Websites must obtain parental consent before gathering information on children aged 13 or younger.
- Every mass email campaign must include the ability to opt out.
- Financial institutions must protect customer information and are liable for penalties if they let it leak.
- Patient communications with doctors, hospitals, insurance companies and other parts of the healthcare system must remain confidential (though this doesn’t mean all conversations about healthcare are protected).
- Your educational record cannot be released except to you or your family.
- Using a computer to commit theft or fraud is a felony.
- Your video rental history is confidential and protected (yeah, I know, it’s weird).
Conversely, here are a few protections the U.S. currently fails to afford:
- A blanket requirement of informed consent before data gathering. As it stands, an organization can harvest data on you without you knowing, let alone agreeing.
- The right to be notified in case of any data breach. Americans are on the hook to find out for themselves whether a data breach has affected them.
- The right to sue a company for mishandling your data.
- The right to data minimization, in which a company can only collect the data it requires to provide its service — no more.
- The right to be forgotten, which requires organizations to comply with data deletion requests.
Many of the above rights are available for certain groups of people (such as children under 13) or categories of data (such as health charts or academic transcripts). What’s missing is an overarching law to fill in all the gaps. As it happens, a model for such a law already exists in the European Union.
GDPR vs CCPA: The EU and US Approach to Data Privacy
The United States’ attitude toward data privacy looks all the more muddled compared to the straightforward actions of other governments. Chief among these governments is the EU, whose GDPR I’ve already referenced.
If you’ve ever been an American traveling in Europe, you might have noticed that websites accessed from Europe come with a lot more information and choice regarding privacy. That’s all required for GDPR compliance. The regulations are designed to give control back to the public, preventing any organization from gathering data on them without their informed consent.
Some of the most important pillars of GDPR include data minimization (the principle that no company should gather more data than it absolutely needs), protecting data against loss and damage, holding companies accountable for data breaches and forcing companies to reveal why they’re gathering data (and get the subject’s consent).
One of the most progressive planks in GDPR is the “right to erasure” or “right to be forgotten.” This gives any citizen of the EU the right to request that their personal data be removed from a database. The owner of the database must comply, except in some very specific cases of public interest.
The GDPR has almost 100 separate clauses, so I’m not going to unpack all of them here. Suffice to say that it’s widely considered the future of online privacy laws. For evidence, look no further than California, currently the most advanced U.S. state in the data protection space.
California Consumer Privacy Act (CCPA)
In 2018, California passed the California Consumer Privacy Act (CCPA), which not only resembles the EU policy but directly bases several core principles on it. CCPA protects the right to know what information a business gathers on its customers, the right to opt out of that data collection, the right to delete existing data and the right to not be punished for doing any of that.
With that said, CCPA is not a perfect clone of GDPR. For example, while GDPR applies to all companies that process any sensitive data on any EU subject, CCPA only applies to companies that meet certain guidelines.
While CCPA falls short of GDPR in some areas, it goes further in others, particularly concerning what information is protected. GDPR protects all information that might be associated with any individual. CCPA also covers any information that could identify a household or a device, protecting against device fingerprinting that doesn’t technically identify an individual.
OK, I’ve thrown a lot of alphabet soup at you so far. Let’s step back and get a handle on why all these laws and regulations are so important.
Why Are US Data Privacy Laws Important?
Think about all of your personal data that might be floating around right now. Almost any piece of it can be used against you, and there’s frequently a profit motive for database managers to exploit what they’ve got.
If you’re like most people, you’ve probably used your home address to order a package online. Without data privacy laws, there’s nothing to stop Amazon or eBay from selling your home address to advertisers, who can use it to target ads based on your location.
The problems don’t stop there. The more different databases your home address ends up in, the more chances there are for a data breach to expose it. All it takes is one ad distributor with lax password security standards and your home address could be available on the dark web for anyone to snap up.
Now picture the same dangers, but attached to every single piece of sensitive data that could be connected to you. Your social security number. Your credit card number. Your internet search history. Your fingerprints. Without data privacy laws, they can all be logged without your knowledge or consent, sold to the highest bidder, and leaked to third parties with criminal intentions.
Of course, there are steps the average person can take to protect themselves. Using a virtual private network (VPN), an ad blocker and a malware detector can go a long way. But collective problems can’t be solved with individual solutions. We can expect the assault on our privacy to continue until it’s made illegal. That’s why laws are so important.
Understanding US Federal Data Privacy Laws
By now, you know that U.S. online privacy laws exist, but in a piecemeal fashion that fails to cover many eventualities. Here are a few of the bricks in the unfinished privacy edifice.
U.S. Privacy Act of 1974
The Privacy Act of 1974 protects U.S. citizens from certain abuses of information by government bodies. According to its text, no government agency may maintain a secret database of personal data, and all agencies must follow fair-use guidelines when keeping information or exchanging it with other agencies. If an agency fails to comply, affected citizens can sue.
If you’ve followed the history of government data collection anytime in the last 50 years, you already know there are loopholes in this act big enough to fly a satellite through. Law enforcement agencies are free to exempt themselves, and information exchanges are not considered covered if they fall under “routine use.”
Of course, the Privacy Act only applies to the government. Corporations are often free to abuse your information as they like.
The Family Educational Rights and Privacy Act (FERPA) prevents schools from releasing information about a student’s education without consent.
You may also hear it called the Buckley Amendment after the senator who sponsored it. Under FERPA, students over 18 — or the parents of students under 18 — must give a school permission to disclose any educational transcripts.
The Electronic Communications Privacy Act (ECPA) protects individuals from having their electronic communications monitored by their employers or the government. Much of ECPA is now considered outdated due to the Patriot Act and the evolution of technology since it was passed.
In contrast, the Computer Fraud and Abuse Act (CFAA), passed in the same year, has been updated several times. It imposes penalties for using a computer to commit fraud, steal anything of value (including passwords and credentials) or trade in restricted goods.
The Video Privacy Protection Act (VPPA) makes it illegal to reveal what videos somebody has rented.
Note that while VPPA might appear to be a dinosaur, it’s still relevant today. Websites like Facebook and Netflix gather data on user behavior and sell it to advertisers, who target consumers with invasive ads that are more likely to succeed. Lawyers have argued in court that this behavior is a violation of VPPA.
It hasn’t worked yet, but at least it’s valuable as a yardstick for the state of U.S. privacy law: a 40-year-old act, designed to avenge a minor embarrassment for failed Supreme Court nominee Robert Bork, is the best state protection we’ve got against many types of sensitive data harvesting.
The Health Insurance Portability and Accountability Act (HIPAA) is one of a few laws designed to protect specific types of information in sensitive conditions. It makes communication between you and the healthcare system confidential.
Contrary to a common misconception, HIPAA doesn’t make it illegal to talk about health information at all — protected health information only applies to communication with doctors, nurses and other healthcare providers. If you’ve given data up to your Fitbit or Apple Watch, there’s not much you can do.
The Children’s Online Privacy Protection Act (COPPA) requires websites to make their privacy policies clearly available, and to obtain parental consent before handling any data on a child younger than 13.
The Gramm-Leach-Bliley Act (GLBA), also known as the Financial Services Modernization Act, makes financial institutions responsible for protecting sensitive information belonging to their customers.
If your credit card company leaks your number in a data breach, GLBA can hold them accountable. Unfortunately, it also lets institutions get away with a lot of data harvesting, provided they’re transparent about it.
The Controlling the Assault of Non-Solicited Pornography and Marketing Act (CAN-SPAM) proves that if our government can’t pass a comprehensive privacy law, it’s at least good at coming up with funny acronyms. CAN-SPAM is the law that requires every mass email to include an “unsubscribe” button so you can opt out.
The Fair and Accurate Credit Transactions Act (FACTA) is mostly about making sure citizens have access to regular credit reports, but it also covers some privacy regulations, including a requirement that credit agencies dispose of personal data properly. This is a common theme: privacy regulations showing up as incidental add-ons in other laws.
Which US States Have Personal Data Privacy Laws?
Where the federal government fails, states often blaze their own trails. At the time of writing, five states have comprehensive data privacy laws on the books, though many more have some kind of bill knocking around their legislative process.
California: CCPA and CPRA
As I mentioned earlier, California is the only place in the U.S. where privacy protections equal or surpass those enjoyed in Europe.
California Consumer Privacy Act (CCPA)
In 2018, the populous western state passed the California Consumer Privacy Act (CCPA), a law modeled on ideals similar to those behind Europe’s GDPR.
These include the right to know what data is gathered on them, to know when that data is used or traded, to see the database whenever they want, to decline to have their data sold or to request their data be deleted (the “right to be forgotten”). Regulations apply to all businesses of a certain size, as well as any business whose revenue comes primarily from handling personal data.
California Privacy Rights Act (CPRA)
The California Privacy Rights Act (CPRA), which extends and reinforces certain provisions of the CCPA, passed in 2020. The stronger model will replace CCPA outright when it goes into effect on the first day of 2023.
Much of CPRA is administrative, refining or clarifying covered categories in the previous bill, but there are a few new developments. CPRA adds a category of “sensitive personal information,” whose leak would be especially damaging to the individuals concerned.
Sensitive personal data includes everything from financial information to religious status to physical location — in fact, not many categories are left outside the more stringent umbrella.
New rights in CPRA include the right to correction (citizens can request that the company correct inaccurate personal data) and the right to restrict sensitive personal information beyond the general restrictions. Citizens now also have the right to know when a system is automatically building a profile on them, and to opt out.
The rights amended by CPRA are too numerous to list in full here, but most of them close loopholes left by CCPA. For example, all rights now apply to third parties handling consumer data, preventing the main data-harvesting corporation from protesting that it, technically, does not have anybody’s information.
In contrast to California’s strong legislation, the Virginia Consumer Data Protection Act (VCDPA) of 2021 has gotten a cold reception from privacy experts. The crux of their objections is the fact that VCDPA allows for data gathering that consumers must opt out of.
This puts the onus on citizens to find and delete their information instead of placing data minimization restrictions on businesses.
PIRG listed several more specific objections to VCDPA. The act doesn’t consider data gleaned from social media to be “personal data,” in spite of many users giving up that information without full consent. This is the classic “tell us your mother’s maiden name and we’ll tell you which Friends character you are” genre of social engineering.
It also shares GDPR’s flaw of only protecting data that applies to individuals, not to households or smart devices — the main area in which California is ahead of Europe. VCDPA bans targeted ads, but not the tracking they’re based on.
In many respects, Virginia’s online privacy law has the appearance of a strong regulation, but misses many of the root causes that make those regulations necessary. Some have speculated that it’s because tech lobbyists were allowed access to committees whose members mysteriously never heard from advocates on the consumer side.
The Colorado Privacy Act (ColoPA) became law in 2021. Its strongest measure is a requirement for a universal opt-out control, essentially a single message citizens can send to opt out of data gathering from every company and website covered by the law. This goes even further than California’s law, though Coloradans must use the designated agent.
Other than that striking feature, the Colorado Privacy Act looks a lot like CPRA, California’s newest set of regulations. For example, Colorado also includes the extra-protected category of sensitive personal data. Under ColoPA, gathering personal data in this category must be opt-in — if you don’t have consent, you can’t harvest it.
As the fourth state to pass a comprehensive privacy bill, Utah deserves credit for getting into the privacy game early. However, the Utah Consumer Privacy Act (UCPA), passed in early 2022 and taking effect at the end of 2023, is weaker than its fellows in some key ways.
Although UCPA protects all the traditional GDPR rights, including the right to access, right to be forgotten and the right to opt out of advertising, it sets more qualifying thresholds than any other U.S. bill so far — even the controversial Virginia package. There’s also no way to opt out of advertising, nor any mention whatsoever of profiling.
The right to delete under UCPA also only applies to data provided by the consumer to the controller. Perhaps worst of all, UCPA runs on an “opt-out” basis, requiring citizens to opt out of each individual act of processing their data. UCPA is a sight better than the people of Utah used to have, but we hope it paves the way for a future bill with fewer compromises.
Connecticut is the newest member of the consumer privacy squad, having passed its law (the aptly named Connecticut Data Privacy Act, or CTDPA) in the summer of 2022.
When CTDPA goes into effect on July 1, 2023, it’ll protect all the most important rights we’ve read about so far: the right to view data, transfer it, correct it, delete it and opt out of having companies profit from it.
Connecticut’s law is a middleweight hitter: stronger than those in Virginia and Utah, but not as strong as California or Colorado. It exempts data made available through “widely distributed media,” and doesn’t include a right to dispute. Individuals can’t complain if their CDPA rights are violated — only the Attorney General can bring legal action.
CDPA does come with a universal opt-out mechanism, so you don’t have to demand that each individual owner respect your data. However, companies won’t be ordered to respect opt-out requests until January 2025.
The total number of states with comprehensive privacy laws now stands at five: California, Colorado, Connecticut, Utah and Virginia. Over 20 states have their own bills in various stages of the legislative process. Hopefully, as some experts have suggested, we’re on the verge of a sea change that might lead to federal action.
What’s the Future of Data Privacy Laws in the US?
These three laws, passed within a few years of each other, are a strong signal that there’s more on the way. Data protection laws have been at least introduced in 34 states. It’s not all the usual suspects, either — Washington and New York, sure, but also Oklahoma, Florida and Mississippi.
The path to data privacy is neither straight nor smooth. One federal law that covers all eventualities in all states would be the best step forward, and legislators in Washington, D.C., have proposed one.
It’s called the Setting an American Framework to Ensure Data Access, Transparency and Accountability Act (SAFE DATA).
SAFE DATA has bipartisan support in theory, but some issues remain. Some lawmakers want federal laws to supersede all state privacy laws and include an enforcement mechanism that lets citizens sue for violations. Other lawmakers want…not that. These conflicts will have to be resolved before the act can come up for a vote.
With all that said, I think there’s plenty of reason for optimism around online privacy laws in the U.S. Opinions tend to change very slowly in this country, until they suddenly change fast. I’m old enough to remember when marijuana legalization was a joke. Now even the president is talking about it, and Biden isn’t known for being especially hip.
I do love my country, but it has plenty of bad habits I can’t help but notice. One of them is a penchant for fighting the last war — the government is so often the last part of society to take action on an issue. We’ve seen this pattern in the Civil Rights Movement and the environmental movement, and online data privacy is no different.
It’s clear that the current state of affairs isn’t working, but there are glimmers of hope from California, Colorado and other sources. As always, we owe a lot to the activists who work tirelessly behind the scenes to turn fringe issues into national conversations. It’s an exciting time for data privacy, and I hope to have good news to share soon.
What are your thoughts on online privacy laws in the U.S.? Have you ever tried to get a major corporation to delete you from its database? I’d love to hear the story in the comments. Thanks for reading!
Does the U.S. Have a GDPR Law?The U.S. as a whole doesn’t have one single law that can compare to GDPR. Rather, it handles privacy through a combination of several laws. Since this approach can confuse citizens and leave loopholes, many Americans are pushing for a comprehensive privacy law.
What Is the Right to Privacy?The right to privacy is a concept enshrined in the U.S. Bill of Rights, among other places. It holds that no citizen can have information about them disclosed without their consent.