Data privacy has long been a new wild west in the US, but as technology advances, so does the demand for stronger data privacy laws. That demand is being heard loud and clear and now the American Privacy Rights Act sits in Congress.
While there is still a journey ahead of the bill before its contents become law, data privacy laws will continue evolving in the US as users seek to protect their privacy from ever-hungry tech companies.
If passed, under the APRA “Individuals would have the right to access, correct, delete, and export their covered data.” The bill would be enforced by the Federal Trade Commission (FTC). The APRA strongly signals that data privacy laws are tightening in the US.
With data privacy facing increased scrutiny, advertisers must stay on top of upcoming regulations to get ahead of the curve. By adopting strong privacy practices now, advertisers can prevent backpedaling and rewriting policies down the road.
Current US data privacy laws
While the American Privacy Rights Act isn’t law just yet, there are still several laws outlining privacy regulations in the US. Companies looking to gather, store, buy, or sell data must understand all of these laws in detail before proceeding with their plans. These laws include:
Privacy and the Federal Trade Commission Act
The Federal Trade Commission (FTC) is the main enforcement agency in the US for regulating consumer protections. It operates under The Federal Trade Commission Act, which gives it jurisdiction over businesses and commercial entities to protect consumers against “deceptive trade practices.”
The FTC is also in charge of issuing commercial regulations and enforcing privacy laws. Under this umbrella, the FTC is tasked with protecting consumers from businesses with harmful practices. This may include:
- Organizations that fail to create and maintain reasonable data security measures
- Organizations that fail to follow published privacy policies
- Organizations that sell or transfer personal information without disclosing it via a privacy policy
- Organizations that misrepresent or lie about privacy policies
- Organizations that don’t provide appropriate personal data security
- Organizations that violate data privacy rights.
- Organizations that use misleading advertising
Other federal privacy laws in the US
In addition to the Federal Trade Commission Act, several other key laws protect consumers in the US. These include:
- Privacy Act Of 1974: This law determines how data can be collected and used by federal agencies. There are limited exceptions to this law, including for the Census Bureau.
- Health Insurance Portability and Accounting Act (HIPAA): HIPPA is one of the most well-known privacy laws in the US. This law governs the collection and use of personal health information.
- Children’s Online Privacy Protection Act (COPPA): This governs all collections and use of data regarding minors.
- Family Educational Rights and Privacy Act (FERPA): This act ensures the privacy of student’s education records
- Gramm Leach Bliley Act (GLBA): This act regulates how personal information can be collected by financial institutions like banks.
- Fair Credit Reporting Act (FCRA): this regulates how organizations can collect and use credit data.
Individual states have also acted, filing their privacy laws in addition to US-wide regulation. This nationwide patchwork of location and sector-specific regulations addresses everything from telecommunications to marketing. Organizations should be aware of all regulations that impact the locations and industries in which they operate.
State-level privacy laws in the US
There are dozens of privacy laws affecting individual states. Businesses must understand all of the privacy laws in the states where they operate.
From California to Connecticut, there are webs of privacy laws that impact businesses across the US. California was the first state to introduce its own privacy legislation in 2020, followed by Virginia the following year. Since then, similar laws have been passed in Colorado, Connecticut, and Utah.
While this isn’t an exhaustive list, these are the first five state-wide privacy laws in the US.
California Privacy Rights Act
The first state-wide privacy legislation to pass was the California Privacy Rights Act (CPRA) in 2020. It is also the most comprehensive legislation to date. Passed as a ballot initiative the legislation went into full effect on New Year’s Day, 2023.
Virginia Consumer Data Protection Act
Virginia passed its Consumer Data Protection Act (CDPA) on March 2, 2021. This bill granted customers in the state of Virginia a limited number of rights over their data. Additionally, the bill requires organizations to comply with certain rules regarding data collection, treatment, sharing, and protection.
Colorado Privacy Act
In July 2021, Colorado took third place, passing the Colorado Privacy Act. This act grants all residents of Colorado rights over their data. It also obliges data controllers and processors to protect this data. The CPA has many similarities to California’s CPRA and Virginia’s CDPA.
Utah Consumer Privacy Act
Utah was the fourth state to enact comprehensive privacy laws in March 2022. The Utah Consumer Privacy Act (UCPA) came into effect at the end of 2023 and takes inspiration from the three previous state privacy laws.
Connecticut Data Privacy Act
The fifth state to pass a comprehensive consumer privacy law was Connecticut. The state passed Senate Bill 6 on May 10, 2022. Also called the Connecticut Data Privacy Act (CTDPA), this bill is described as “An Act Concerning Personal Data Privacy and Online Monitoring.”
Data privacy is a hot topic, and with regulations popping up federally and in individual states, advertisers relying on consumer data need to brush up and get ahead of existing and potential legislation. The Wild West of data privacy is coming to a close and when the American Privacy Rights Act passes, advertisers will be forced to consider data privacy more seriously.
While it may take substantial time to enact the American Privacy Rights Act (or similar legislation), advertisers have the chance to take the lead and use this time as a head start. Adapting new processes can be difficult, but if adopting new data privacy policies is inevitable, then better to take the time afforded than to wait until the last moment.
Privacy is of the utmost importance to consumers, and the US government is listening – are you?
To see more from illumin, be sure to follow us on Twitter and LinkedIn where we share interesting news and insights from the worlds of ad tech and advertising.