There is no single unified federal law in the United States that governs all types of data privacy and protection. Instead, business owners and entrepreneurs are left to understand their legal obligations by navigating a confusing patchwork of industry-specific federal and state privacy laws.
Below, we answer the top ten privacy law questions you should be asking, giving you the insight you need to improve your company's privacy practices and policy, so you can rest easy knowing you are protecting personal information as the law requires and to the extent possible.
The current federal privacy laws in the United States are sector-specific, regulating health information, credit information, telecommunications, financial institutions and marketing. However, discussions on comprehensive, non-sector specific federal privacy legislation are ongoing in Washington.
The laws listed below aim to regulate how information is collected, how data subjects are informed, and what control a data subject has over this information once it is transferred.
Industry-specific federal privacy laws include the Health Insurance Portability and Accountability Act (HIPAA) for health information, the Fair Credit Reporting Act (FCRA) for consumer credit information, the Gramm-Leach-Bliley Act (GLBA) for financial institutions, the Telephone Consumer Protection Act (TCPA) for telemarketing and the CAN-SPAM Act for commercial email.
Due to the lack of a single federal privacy law, more states are pushing to pass privacy laws at the state level that oversee the collection, storage, safeguarding, disposal and use of personal data collected from their residents.
California set the standard with its California Consumer Privacy Act (CCPA), as amended by the California Privacy Rights Act (CPRA), which requires companies and institutions to notify and inform people of when and how their data is being collected and gives people the right to access, correct and delete this information.
Colorado, Connecticut, Utah and Virginia have followed California's lead, and many more US states are expected to do the same in the coming years. In fact, Tennessee, Texas, Oregon, Montana, Delaware, Iowa and Indiana all passed privacy bills in 2023, which come into effect between 2024 and 2026. To see all of the states with recently implemented or pending privacy laws, read our overview blog now: U.S. State Privacy Acts: Which Apply To Your Organization?
In 2018, the European Union (EU) began enforcing the General Data Protection Regulation (GDPR), an overarching, comprehensive law that governs the handling of personal data of individuals in the EU, regardless of their citizenship.
Generally speaking, any organization, regardless of sector, size and location, that processes the personal data of individuals in the EU while offering them goods or services or monitoring their behavior must follow the GDPR. Therefore, if you have a US-based business that caters to and collects any personal data from people in the EU, you must adhere to these regulations.
According to the European Commission, the GDPR has been an overall success, prompting more pressure for the US to pass its own version, so it’s important to be prepared. Educate yourself and see how your business privacy policy holds up alongside these regulations.
Yes and no. More and more countries have passed privacy regulations that apply to certain groups of entities. According to the United Nations Conference on Trade and Development (UNCTAD), approximately 70% of countries have legislation in place to protect personal information. If you are unsure of which laws apply to your organization, contact your cybersecurity and privacy lawyer.
You want to build a business on trust, and it's good business hygiene to be transparent and honest with your customers. Even if you are not legally required to disclose how your company collects, uses, shares and protects customer data, it is still best practice to be completely upfront with customers. Let them know why certain data is being collected and how you plan on using their personal information.
By adhering to privacy law regulations from the start, you are also mitigating privacy risks as your company grows while establishing a solid privacy framework for when your company does become subject to privacy laws.
Your customers must feel secure handing over their data and trust that it will not be compromised or sold to a third party for marketing or advertising purposes.
The surest way of building this trust is to fully disclose what information is being collected and why it is being collected. Again, being open and transparent with your customers and giving them control to opt in or out is a good practice.
Drafting and implementing a privacy notice on your website is a great place to start. It not only gives your customers the power to choose whether or not to release certain information but also shows them you care about their privacy and safety.
Stay ahead of the curve and ensure your business's trust and credibility by keeping up with the latest privacy laws! Dive into our informative blog for a detailed look at the latest privacy laws that could impact your operations.
Templates are often too broad, leading you to believe your privacy policy meets legal requirements and that your privacy program sufficiently protects your customers. Rather than basing your company's privacy policy and program on a single template, law or regulation, we recommend combining several templates and resources to create a privacy policy and program tailored to your company. That way all aspects of your business practices are covered, and the policy and program will actually work for your organization.
There is no legal requirement that a lawyer is involved in creating your privacy policy. Nevertheless, depending on the complexity of your business practices, you may find it beneficial to seek legal assistance to ensure you've created the best policy to keep your customer data safe.
The following are some best practices you can follow to protect your customer data and privacy:
The best way to get started implementing programs to comply with cyber laws and privacy laws is to educate yourself. Take the time to read and understand the current federal and state privacy laws and reach out to a privacy and cybersecurity law firm if you have any questions.
If you’re finding all the information overwhelming, take a step back and ask yourself the following questions to start a basic framework:
Investing in the right cyber security products for your organization as early as possible is also a good idea. You don’t have to allocate a large percentage of your already tight budget to cyber security, but taking small steps can protect your business against data breaches now and ensure a solid security foundation as your business grows. Most importantly – configure and implement a security product before buying more! Many companies have several good security products that, left as they were out of the box, are not improving security.
Navigating through the sea of privacy laws can be complex, but we've got you covered! Check out our blog for insights into the current state laws and how they might affect your organization.
Payment processors such as Square, PayPal, Toast, Stripe and Stax are becoming increasingly popular. If you use one of these third-party providers and that provider suffers a data breach, you may or may not be liable for certain consumer claims, depending on the nature of the security incident, but it is still best practice to notify and inform your customers to the extent you have sufficient information to do so. Unfortunately, with payment card breaches it can be difficult to identify the individuals whose cards were compromised: if you have a list of card numbers but no names associated with them, it is extremely difficult, if not impossible, to determine the identity of the card owners.
Your customer trusted you with their personal information, and even if the fault is not yours, you risk breaching that trust and potentially damaging your reputation. The last thing you want is a public relations disaster caused by something beyond your control. Working with a cyber security attorney can provide invaluable insight into handling this situation.
Cyber law and privacy law should be at the top of your priority list if you are a tech-focused entrepreneur creating an app. Your app needs to comply with various mobile app legal requirements. Therefore, you need to be aware of laws from all over the world that impact your app.
The best practice is to direct your development team to build the app in line with a recognized cyber security framework, such as the NIST Cybersecurity Framework (CSF). Important note: NIST published Cybersecurity Framework 2.0 in February 2024, superseding version 1.1, so check that the version you are working from is current.
While the NIST CSF and other information security standards are helpful for governing a security program, they do not prescribe how to write secure code. Pair them with a secure development standard, such as the NIST Secure Software Development Framework (SSDF, SP 800-218) or the OWASP Mobile Application Security Verification Standard (MASVS), and incorporate those requirements into your development lifecycle while the app is being built. This is one important way to build an app that complies with privacy law regulations.
If your business has experienced a breach, you must contain and secure your systems (preserving logs and forensic evidence before wiping or rebuilding anything), determine what data could have been exposed, identify and comply with relevant legal obligations to notify individuals, identify and comply with contractual obligations to notify third parties, and begin work to remedy the system vulnerabilities that may have led to the attack.
In most cases you should inform employees and customers about a breach. Consult cybersecurity legal counsel to ensure any written notifications comply with relevant laws in all 50 states, US territories and relevant countries, while also refraining from divulging more information than necessary, which could paint the company in an unfavorable light. Working with a public relations team and cybersecurity lawyer can help you understand if you are liable and develop a PR message that notifies your customer while not taking on any unnecessary responsibility for the breach.
The E.U.-U.S. Data Privacy Framework is a regulatory framework that aims to establish enhanced protections for cross-border data transfers between the European Union (E.U.) and the United States (U.S.). It was developed in response to the Court of Justice of the European Union's 2020 Schrems II judgment, which invalidated the earlier Privacy Shield agreement; the European Commission adopted its adequacy decision for the new framework in July 2023.
The framework provides a mechanism for companies to demonstrate compliance with data protection principles when transferring personal data between the EU and the U.S.
The E.U.-U.S. Data Privacy Framework enables eligible U.S. companies to self-certify to the U.S. Department of Commerce that they adhere to the framework's requirements, allowing them to receive personal data from the E.U. lawfully. The framework requires U.S. companies to align their privacy policies and practices with the EU's data protection standards.
All too often we see companies that have incident response plans but have not taken the time to work through the process they would need to follow in a crisis. A crisis is never a good time to improvise. ZeroDay Law specializes in making sure your organization is ready to respond quickly and act in the best interests of the company based on decisions made thoughtfully in advance, not during the throes of an attack.
The incident response plan is the formal documented process for your team to follow during an attack. It is important, but the real work, and the real benefit to your organization, comes from all of the discovery and decision-making that go into determining what the incident response process should include (and exclude!). To learn more about incident response planning and how ZeroDay Law can help, view our IR Planning Guide.
Our team has extensive experience handling important cyber and privacy legal matters and data breaches. We also devote significant efforts to clients’ incident response planning and preparation for the non-technical aspects of incident response.
We will take the time to educate you in privacy law and guide you towards developing the best incident response management plan for your business, allowing you to feel confident in knowing your customer data is safe. Contact ZeroDay Law today!
Don't get lost in the legal labyrinth of privacy laws. Take a deep dive into an array of privacy laws across the U.S. by reading U.S. State Privacy Acts: Which Apply To Your Organization (2023, 2024, 2025 And 2026). You'll find clear explanations that can help you navigate this complex landscape. Keep your privacy law knowledge sharp and your business safe, with ZeroDay Law.