Whether data privacy laws affect your business depends on a few factors, such as the country you are located in, where your customers live, and your industry.
In the European Union (EU), the regulation that governs consumers’ personal information is the EU General Data Protection Regulation (GDPR). At least 17 countries have modeled their data privacy laws on it, including Canada, Japan, Australia, and Switzerland. In the US, there is no single piece of legislation that protects data.
Does the GDPR apply to my US-based business?
If your business targets EU residents with its marketing, you are required to comply with the GDPR. For example, you may have a localized website dedicated to an EU member state market. Under the GDPR, individuals must explicitly consent to the collection of their data and have the right to request that a company holding their personal information delete it. If your business has an EU presence and you don’t comply with the GDPR, the fines can be significant.
What are the privacy laws in the US?
While the US has no single law governing data privacy, it has a mix of laws enacted at the federal and state levels. Whether these laws affect your business depends on the type of consumer data you hold. The following are some consumer data privacy laws you should be aware of:
HIPAA – Health Insurance Portability and Accountability Act of 1996. This federal law protects sensitive patient health information and ensures it is only disclosed with the patient’s consent and knowledge.
FCRA – Fair Credit Reporting Act. This federal law regulates the way credit reporting agencies collect, use, and share consumer credit reports.
FERPA – Family Educational Rights and Privacy Act. This federal law protects the privacy of student education records by giving parents certain rights with respect to their child’s school-related records.
GLBA – Gramm-Leach-Bliley Act. This Act requires financial institutions to explain to their customers how they safeguard sensitive data and share information.
ECPA – Electronic Communications Privacy Act. The purpose of this Act is to protect wire, oral, and electronic communications, such as email and phone conversations, along with data stored while those communications are in transit.
COPPA – Children’s Online Privacy Protection Act. This Act specifically protects the privacy of children under the age of 13 by giving parents control over what data is collected from their children.
VPPA – Video Privacy Protection Act of 1988. This Act protects consumer privacy by preventing audiovisual service providers from wrongfully disclosing a customer’s personal information.
These are just a few of the major data privacy laws that protect personal data in the US. The hope is that the US will eventually enact its own federal data privacy legislation that protects consumers and businesses alike.
What are your thoughts on the existing data privacy laws in the US and the lack of a federal framework? Do you think we should have one modeled after the GDPR?