There is no single unified federal law in the United States that governs all types of data privacy and protection. Instead, business owners and entrepreneurs are left to understand their legal obligations by navigating a confusing patchwork of industry-specific federal and state privacy laws.
Below, we answer the top ten privacy law questions you should be asking, giving you the insight you need to improve your company's privacy practices and policy, so you can rest easy knowing you are protecting personal information to the extent possible, as required by law.
Top Ten Privacy Law Questions Answered
1) What Are the Current Federal and State Privacy Laws?
The current federal privacy laws in the United States are sector-specific, regulating health information, credit information, telecommunications, financial institutions and marketing. However, discussions on comprehensive, non-sector specific federal privacy legislation are ongoing in Washington.
The laws listed below aim to regulate how information is collected, how data subjects are informed, and what control a data subject has over this information once it is transferred.
Industry-specific federal privacy laws include:
- The Federal Trade Commission (FTC) Act — Gives the FTC broad jurisdiction over commercial entities under its authority to prevent unfair or deceptive trade practices. If your company makes privacy promises, you are obligated to honor them.
- Healthcare Institutions: The Health Insurance Portability and Accountability Act (HIPAA), together with the Health Information Technology for Economic and Clinical Health Act — Governs the collection, privacy and security of health information.
- Financial Institutions: The Gramm-Leach-Bliley Act (GLBA) — Governs personal information collected by banks and financial institutions. The Bank Secrecy Act requires financial institutions in the United States to assist U.S. government agencies in detecting and preventing money laundering, terrorist financing and other criminal acts, and the misuse of our nation's financial institutions. The Right to Financial Privacy Act establishes specific procedures that federal government authorities must follow to obtain information from a financial institution about a customer's financial records.
- Children’s Information: The Children's Online Privacy Protection Act (COPPA) — Governs the collection of information about minors.
- Consumer Credit Information: The Fair Credit Reporting Act (FCRA) — Governs the collection and use of credit information.
- The Family Educational Rights and Privacy Act (FERPA) — A Federal law that protects the privacy of student education records. The law applies to all schools that receive funds from an applicable program of the U.S. Department of Education.
- Federal Information Security Management Act of 2002 — A United States federal law which strengthens Federal Government information security, including requirements to develop mandatory information security risk management standards.
Due to the lack of a single federal privacy law, more states are pushing to pass privacy laws at the state level that oversee the collection, storage, safeguarding, disposal and use of personal data collected from their residents.
California set the standard with its California Consumer Privacy Act (CCPA), which requires companies and institutions to notify and inform people of when and how their data is being collected and give people the ability and right to access, correct, and delete this information.
Colorado, Connecticut, Utah, Virginia, and New York have followed California's lead, and many more US states are expected to do the same in the coming years. In fact, Tennessee, Texas, Oregon, Montana, Delaware, Iowa, and Indiana all passed privacy bills in 2023, which will come into effect in 2024-2026. To see all of the states with recently implemented or pending privacy laws, read our overview blog now: U.S. State Privacy Acts: Which Apply To Your Organization?
2) What Is the GDPR and Is It Important to My Business?
In 2018, the European Union (EU) established the General Data Protection Regulation (GDPR), an overarching, comprehensive law that governs all aspects of handling the data of EU citizens.
Generally speaking, any organization, regardless of sector, size and location, that processes and holds the personal data of EU citizens must follow the GDPR. Therefore, if you have a US-based business that caters to and collects any personal data from EU citizens, you must adhere to these regulations.
According to the European Commission, the GDPR has been an overall success, prompting more pressure for the US to pass its own version, so it’s important to be prepared. Educate yourself and see how your business privacy policy holds up alongside these regulations.
Do You Need to Worry About Laws in Other Countries?
Yes and no. More and more countries have passed privacy regulations that apply to certain groups of entities. According to the United Nations Conference on Trade and Development (UNCTAD), approximately 70% of countries have legislation in place to protect personal information. If you are unsure of which laws apply to your organization, contact your cybersecurity and privacy lawyer.
3) Why Is It Important to Follow Privacy Laws and Regulations Even if I Am Not Legally Required to Do So?
You want to build a business on trust, and it's good business hygiene to be transparent and honest with your customers. Even if you are not legally required to disclose how your company collects, uses, shares and protects customer data, it is still best practice to be completely upfront with customers. Let them know why certain data is being collected and how you plan on using their personal information.
By adhering to privacy law regulations from the start, you are also mitigating privacy risks as your company grows while establishing a solid privacy framework for when your company does become subject to privacy laws.
4) How Can I Start Building Trust With My Customers?
Your customers must feel secure handing over their data and trust that it will not be compromised or sold to a third party for marketing or advertising purposes.
The sure way of building this trust is to fully disclose what information is being collected and why it’s being collected. Again, being open and transparent with your customers and giving them control to opt in or opt out is a good practice.
Drafting and implementing a privacy notice on your website is a great place to start. It not only gives your customers the power to choose whether or not to release certain information but also shows them you care about their privacy and safety.
Stay ahead of the curve and ensure your business's trust and credibility by keeping up with the latest privacy laws! Dive into our informative blog for a detailed look at the latest privacy laws that could impact your operations.
5) Should I Follow One Set Template When Creating a Privacy Policy for My Business?
Templates are often too broad, leading you to believe that your privacy policy meets legal requirements and that your privacy program protects your customers sufficiently. Rather than basing your company's privacy policy and program on a single template, law or regulation, we recommend combining several templates and resources to create a personalized privacy policy and program unique to your company. This way, you can be confident that you are protecting your customers, because all aspects of your business practices are covered and the policy and program will actually work for your organization specifically.
There is no legal requirement that a lawyer is involved in creating your privacy policy. Nevertheless, depending on the complexity of your business practices, you may find it beneficial to seek legal assistance to ensure you've created the best policy to keep your customer data safe.
6) How Can I Protect My Customer Data and Privacy?
The following are some best practices you can follow to protect your customer data and privacy:
- Only collect the information you need from customers and ensure all data is deleted when it’s no longer needed. Determining when something is no longer needed is not a trivial task!
- Utilize password management tools and enforce security methods, such as two-factor authentication.
- Know at all times who has access to your data.
- Fully understand all applications being used in your organization and develop a process to ensure you will be aware of and can fix software vulnerabilities.
- If you collect and process payment cards, determine which parts of PCI DSS apply to you based on your role in the payment lifecycle and build your security and privacy program in line with the requirements that apply to you.
- Avoid data silos: keep all of your data in one place (or a few defined places) so you can track where it is and how it is being handled, block access to it, or investigate portions of it.
- Inform and train your employees about cyber threats such as email phishing, scams and social engineering. Training is an ongoing process.
7) How Do I Get Started Implementing My Program to Comply With Cyber and Privacy Laws and Regulations, and Should I Invest in Security Products?
The best way to get started implementing programs to comply with cyber laws and privacy laws is to educate yourself. Take the time to read and understand the current federal and state privacy laws and reach out to a privacy and cybersecurity law firm if you have any questions.
If you’re finding all the information overwhelming, take a step back and ask yourself the following questions to start a basic framework:
- What data do I have now?
- What data do other people in my organization have?
- How will I collect the data?
- How will I use the data?
- How will I secure the data?
- How will I share the data?
Investing in the right cyber security products for your organization as early as possible is also a good idea. You don’t have to allocate a large percentage of your already tight budget to cyber security, but taking small steps can protect your business against data breaches now and ensure a solid security foundation as your business grows. Most importantly, configure and fully implement the security products you already have before buying more! Many companies own several good security products that, left in their out-of-the-box configuration, are not improving security.
Navigating through the sea of privacy laws can be complex, but we've got you covered! Check out our blog for insights into the current state laws and how they might affect your organization.
8) Am I Responsible for Protecting My Customers’ Payment Card Information if a Third-Party Handles Collecting and Processing for Transactions?
Payment information processors such as Square, PayPal, Toast, Stripe, and Stax are becoming increasingly popular. If you use one of these third-party providers and the organization suffers a data breach, depending on the nature of the security incident, you may or may not be liable for certain consumer claims, but it is still best practice to notify and inform your customers to the extent you have sufficient information to do so. Unfortunately, with payment card breaches it can be difficult to identify the individuals whose cards were compromised. If you have a list of card numbers but no names associated with them, it is extremely difficult, if not impossible, to determine the identity of the card owners.
Your customer trusted you with their personal information, and even if the fault is not yours, you risk breaching that trust and potentially damaging your reputation. The last thing you want is a public relations disaster caused by something beyond your control. Working with a cyber security attorney can provide invaluable insight into handling this situation.
9) Should I Handle Data Security and Privacy Differently Than Other Businesses if I’m a Tech Entrepreneur Creating an App?
Cyber law and privacy law should be at the top of your priority list if you are a tech-focused entrepreneur creating an app. Your app needs to comply with various mobile app legal requirements. Therefore, you need to be aware of laws from all over the world that impact your app.
The best practice is to inform your development team that the app should be built following a cyber security industry standard, such as the NIST Cybersecurity Framework (CSF). Important note: NIST will release the Cybersecurity Framework 2.0 in the coming months; you can view the most recent drafts here.
While the NIST CSF and other information security standards are helpful, they are not by themselves sufficient to guide the actual coding of an app. Still, incorporating the NIST CSF into your development lifecycle (and into the app itself while it is being developed) is one important way to build an app that complies with privacy law regulations.
10) My Business Experienced a Breach, Now What?
If your business has experienced a breach, you must secure your systems, determine what data could have been exposed, identify and comply with relevant legal obligations to notify individuals, identify and comply with contractual obligations to notify third parties, and begin work to remedy the system vulnerabilities that may have led to the attack.
In most cases you should inform employees and customers about a breach. Consult cybersecurity legal counsel to ensure any written notifications comply with relevant laws in all 50 states, US territories and relevant countries, while also refraining from divulging more information than necessary, which could paint the company in an unfavorable light. Working with a public relations team and cybersecurity lawyer can help you understand if you are liable and develop a PR message that notifies your customer while not taking on any unnecessary responsibility for the breach.
11) What is the EU-U.S. Data Privacy Framework, and what are its implications for cross-border data transfers?
The EU-U.S. Data Privacy Framework is a regulatory framework that aims to establish enhanced protections for cross-border data transfers between the European Union (EU) and the United States (U.S.). It was developed in response to concerns raised by the European Court of Justice regarding the Privacy Shield agreement, which was invalidated.
The framework provides a mechanism for companies to demonstrate compliance with data protection principles when transferring personal data between the EU and the U.S.
The EU-U.S. Data Privacy Framework enables eligible U.S. companies to self-certify their adherence to the framework's requirements, allowing them to receive personal data from the EU lawfully. The framework requires U.S. companies to align their privacy policies and practices with the EU's data protection standards.
ZeroDay Law is a cybersecurity law firm that focuses on cybersecurity and privacy issues, with a specialization in incident response planning.
All too often we see companies that have incident response plans but have not had the time to work through the process that would need to be followed in a crisis. A crisis is never a good time to improvise. ZeroDay Law specializes in making sure your organization is ready to respond quickly and act in the best interests of the company based on decisions made thoughtfully in advance, not during the throes of an attack.
The incident response plan is the formal documented process for your team to follow during an attack. It is important, but the real work—the real benefit to your organization—comes from all of the discovery and decision-making that go into determining what the incident response process should include (and exclude!). To learn more about incident response planning and how ZeroDay Law can help, view our IR Planning Guide.
Our team has extensive experience handling important cyber and privacy legal matters and data breaches. We also devote significant efforts to clients’ incident response planning and preparation for the non-technical aspects of incident response.
We will take the time to educate you in privacy law and guide you towards developing the best incident response management plan for your business, allowing you to feel confident in knowing your customer data is safe. Contact ZeroDay Law today!
Don't get lost in the legal labyrinth of privacy laws. Take a deep dive into an array of privacy laws across the U.S. by reading U.S. State Privacy Acts: Which Apply To Your Organization (2023, 2024, 2025 And 2026). You'll find clear explanations that can help you navigate this complex landscape. Keep your privacy law knowledge sharp and your business safe, with ZeroDay Law.