The ELA is proud to welcome our newest member firm: LOGOS  in Iceland!
The ELA is proud to welcome our newest member firm: LOGOS  in Iceland!


U.S. Privacy Laws – An Overview for Non-U.S. Companies

By: Jacqueline W. Cooney and Kevin L. Coy

Submitted by Firm:
Arnall Golden Gregory LLP
Firm Contacts:
Edward Cadagin, Henry M. Perlowski, Teri A. Simmons

After years of criticism regarding its data protection practices, many U.S. states and federal agencies have taken aggressive steps toward greater (and more complex) consumer privacy statutes and regulations. Of particular note are the more than a dozen states that have enacted comprehensive privacy statutes, as well as two that have enacted laws specifically to protect health data in recent years.

Until a few years ago with the passage of the California Consumer Privacy Act (CCPA), privacy laws in the U.S. were largely the province of the federal government. Federal sectoral laws such as the Health Insurance Portability and Accountability Act (HIPAA), which protects certain types of health data, the Fair Credit Reporting Act (FCRA), which protects credit report and other background check information, the Childrens’ Online Privacy Protection Act (COPPA), which protects personal information collected online from children under 13, and Gramm-Leach-Bliley, which protects consumer financial data, were among the primary privacy statutes and regulations in the U.S.

Now, the new state laws and other federal agencies, such as the Federal Trade Commission and the Securities and Exchange Commission, are bellwethers for more strident steps that will continue to be taken in the U.S. to protect personal data.

For companies outside of the U.S. who want to do business here, what does that mean for their privacy compliance programs?

Depending on the types of personal data that you collect and process in the U.S. and where in the U.S. your organization is doing business, it’s important to keep in mind the following:

GDPR Compliance Is Not the Only Consideration

Many U.S. states have adopted provisions similar to the EU General Data Protection Regulation (GDPR), including providing consumers with specific rights related to their data. It is no longer possible for companies to simply comply with GDPR for their global programs – they will need to take a deeper look at how U.S. laws apply to them. While there are many similarities between the new state laws, for example, and GDPR, there are also important differences, including issues such as notice content requirements, mechanisms for data subjects to exercise choices, contracting requirements, and restrictions on the sale and sharing of personal data.

U.S. State Laws May Apply to You

There are some similarities among the U.S. state laws but each has nuances making it difficult for any company to take a “one-size fits all” approach to compliance. For instance, some states have opt-in requirements for the collection of sensitive data, while others have an opt-out, and some only regulate the processing of health-related data. We anticipate more states to follow suit in the years ahead, creating an even more complex patchwork of requirements for privacy notices, third-party contracts, consents, restrictions on sensitive data, consumer rights requests, cookie practices, privacy assessments, and other privacy program requirements.

It is important to note that many states have had other more targeted and sectoral privacy-related laws on their books for many years, including those that govern the collection and use of biometric data, such as those in Illinois, Texas, and Washington. Many other states (and the federal government) have wiretap laws that have long-reaching effects on how video and teleconference calls can be recorded. Additional state laws in various states regulate other types of data and practices, for example: website privacy policies, data security and data breach notification requirements, children’s data, employee data, telephone numbers, text messaging, driver’s license numbers, and social security numbers.

Federal Privacy Laws May Apply to You

As noted, HIPAA, the FCRA, COPPA, and Gramm-Leach-Bliley are key federal laws that regulate how certain data can be processed in the U.S. The Federal Trade Commission (FTC) likewise has a long history of regulating and enforcing consumer privacy laws under Section 5 of the FTC Act, which prohibits unfair and deceptive trade practices. The FTC is also tasked with regulation and enforcement of privacy-related laws such as the Telephone Consumer Protection Act (which governs how companies may communicate via phone and text messages (along with the Federal Communications Commission), and commercial email marketing.

U.S. State Data Breach Laws Are Not Uniform

In addition to the myriad sectoral and comprehensive privacy laws, all 50 U.S. states plus the District of Columbia and Puerto Rico, have their own data breach notification laws. Many of those laws have similar triggers for notifying consumers and attorneys general. However, there are enough differences between each of the states that an analysis of the individual state’s laws must be undertaken when a breach occurs. Companies may be liable in different ways and have to comply with different notification standards per state if there is a breach that affects individuals in multiple jurisdictions.

How AGG Can Help

Foreign companies that do business in the U.S. and collect or process personal data of U.S. consumers must ensure that they have a full understanding of the jurisdictional laws that may apply to them. AGG’s Privacy and Cybersecurity Practice Group works with clients across all industries to support their compliance in the U.S. Our approach is always to keep our clients’ business goals in mind while providing practical, operationally sound, and actionable guidance regarding how to navigate the patchwork of U.S. laws.