USA Overview

The United States has about 20 sector-specific or medium-specific national privacy or data security laws, and hundreds of such laws among its 50 states and its territories (California alone has more than 25 state privacy and data security laws). These laws, which address particular issues or industries, are too diverse to summarize fully in this volume.

In addition, the large range of companies regulated by the Federal Trade Commission (‘FTC’) are subject to enforcement if they engage in materially unfair or deceptive trade practices. The FTC has used this authority to pursue companies that fail to implement reasonable minimal data security measures, fail to live up to promises in privacy policies, or frustrate consumer choices about processing or disclosure of personal data.

With the exception of entities regulated by HIPAA, there is no requirement to appoint a data protection officer, although appointment of a chief privacy officer and an IT security officer is a best practice among larger organisations and increasingly among mid-sized ones. In addition, Massachusetts law requires an organization to appoint one or more employees to maintain its information security program. The law applies to organizations that own or license personal data on residents of Massachusetts, and thus reaches outside the state.

“(a) In 1972, California voters amended the California Constitution to include the right of privacy among the “inalienable” rights of all people. The amendment established a legal and enforceable right of privacy for every Californian. Fundamental to this right of privacy is the ability of individuals to control the use, including the sale, of their personal information.”