By: Jonathan B. Wilson , TAYLOR ENGLISH DUMA LLP AND FINCEN REPORT COMPANY This article discusses the New York LLC Transparency Act (New York Act), and provides guidance on which entities must file reports...
By: Christopher Campbell and Antonious Sadek , DLA PIPER This checklist provides guidance for protecting attorney-client privilege and work product in the environment of generative artificial intelligence...
LexisNexis Southeast Asia managing director Gaythri Raman discussed her unit’s initiatives leveraging AI-powered legal innovations to transform the legal business while supporting the advancement...
New secondary materials released between November 2023 through January 2024 are featured in this listing. Top Selections California Evidence Advocacy in the Age of Statutes (Lexis+ / Lexis) and in...
By: Laurie E. Leader , EDITOR-IN-CHIEF, BENDER’S LABOR AND EMPLOYMENT BULLETIN The U.S. Department of Labor (DOL) has published its Final Rule for determining employee or independent contractor...
Copyright © 2024 LexisNexis and/or its Licensors.
By: Kirk Nahra, Arianna Evers, Ali Jessani, Genesis Ruano, and Samuel Kane, WILMERHALE
This article is intended to give privacy officers and other privacy professionals an overview of how commercial privacy issues are regulated in the United States.
While this article is not intended to be exhaustive in terms of all potentially applicable U.S. privacy laws, it should provide privacy professionals with a general foundation on these issues and a starting point on how to evaluate data privacy compliance obligations for their organizations.
The United States generally regulates privacy through four main approaches: sector-specific laws, use case-specific laws, laws applicable to certain types of data (data-specific laws), and comprehensive privacy laws (at the state level). We have used this framework to summarize the laws, regulations, and issues that privacy professionals are most likely to come across in their work.
Recent trends in U.S. privacy law can help privacy professionals understand where the law may be going. While change in U.S. privacy law at the federal level continues to remain a possibility, state legislatures continue to be at the forefront of new privacy regulations. Iowa, Tennessee, Indiana, Texas, Oregon, Delaware, and Montana have joined early adopters of comprehensive privacy laws (California, Virginia, Colorado, Utah, and Connecticut) as of 2023. In addition to comprehensive state privacy laws, many states have also passed sector, industry, and data-specific laws as states race to replicate successful statutes and address data issues that have emerged in the wake of the COVID-19-driven shift towards remote work and school. As a result, there has been a strong recent focus on data brokers and more sensitive categories of data, such as health information and genetic data. Regulators have increased attention on issues relating to Adtech and targeted advertising more generally, and many of the laws and regulatory trends discussed in this article are driven by that focus.
While many of these statutes share similar principles—indeed, newer bills frequently draw inspiration from the text and implementation issues of prior statutes—they vary in definitions, scope, and enforcement rights. The complexity created by this web of statutes has been further magnified by the creation of nontraditional privacy obligations and the cross-industry digital transformation that occurred in the wake of COVID-19. In this developing privacy landscape, more companies risk failing to understand the scope of their privacy compliance obligations. Companies that handle sensitive information or engage in practices that would constitute a heightened risk, such as automated decision-making, should be particularly on guard as many state laws devote particular attention to those use cases and definitions can vary by state.
Notably, companies and privacy professionals must consider the abundance of laws that implicate privacy considerations, such as information security laws, laws that regulate government data use, additional data-specific laws like those governing health status, among others, which are not covered in this article. In addition, not all of these laws will be applicable to every company.
Privacy laws at the federal level have primarily focused on regulating privacy in specific sectors, such as healthcare, education, and financial institutions. While still important for practitioners to consider, federal privacy regulations have thus far remained largely unchanged by the recent wave of privacy and data regulation activity—although there are pending rulemaking changes that may lead to some change in these rules in 2024. The three major federal privacy laws that regulate specific types of entities—the Health Insurance Portability and Accountability Act (HIPAA), the Gramm-Leach-Bliley Act (GLBA), and the Family Educational Rights and Privacy Act (FERPA)—have remained stable since at least the last wave of amendments made between 2013 and 2015. All three of these statutes draw heavily on the Fair Information Practice Principles,1 a set of widely accepted guidelines surrounding the creation, collection, use, processing, storage, maintenance, dissemination, and disclosure of personal data. They include, in part:
These are not the only statutes that impose requirements on the processing of health, financial, and education data. Many statutes have privacy implications despite not explicitly imposing privacy obligations, such as confidentiality-based requirements. For example, depending on their business, companies should also be aware of the confidentiality requirements in Title I of the Americans with Disabilities Act, the FDA’s confidentiality rules during clinical trials, and the Individuals with Disabilities Education Act’s medical information confidentiality requirements (in addition to a wide range of state laws that impact the privacy and confidentiality of health data). While practitioners should remain vigilant for developments in the privacy implications of sector-specific statutes that do not directly regulate privacy, the below sections highlight the key considerations in the three most prominent sector-specific privacy laws.
Further, it is important to consider that although federal level legislation has primarily remained unchanged, federal regulators, specifically the Federal Trade Commission (FTC), have responded to evolving privacy and cybersecurity concerns. As such, the below includes a section on the FTC’s role in enforcing privacy and cybersecurity violations through its authority to bring actions for unfair or deceptive acts or practices under Section 5 of the FTC Act.2
Health Insurance Portability and Accountability Act
The HIPAA statute itself says little about privacy and security directly but instead creates privacy standards for “covered entities” through the rules developed by the Department of Health and Human Services (HHS). HIPAA establishes a framework of rules governing how specific “covered entities” secure, transmit, and protect “individually identifiable health information.” HIPAA requires that covered entities, originally healthcare providers, health insurance plans, and healthcare clearinghouses, comply with a series of rules and standards.
As a result of the HIPAA statute, there are three rules promulgated under HIPAA that practitioners should consider when advising on health information practices:
Under the Privacy Rule, protected health information (PHI) cannot be used or disclosed unless permitted by the rules or specifically authorized by the individual. Entities must respect patients’ right to access, amend, and restrict their data, and develop specific procedures to support compliance. There are also specific rules related to the sale of PHI or the use of PHI for marketing. The Privacy Rule is the most expansive in coverage, containing a mini-security rule, requiring contracts with business associates which govern their use of PHI, and setting out principles for de-identification of PHI.
The Security Rule builds upon the mini-security provisions in the Privacy Rule and sets forth detailed requirements for the protection of electronic PHI. Covered entities must implement reasonable administrative, physical, and technical safeguards to protect the PHI they process.
Lastly, under the Breach Notification Rule, covered entities must disclose data breaches to both HHS and individuals whose PHI has been compromised. The rule creates the opportunity for affected entities to conduct a risk assessment to determine whether there is a low probability of compromise of the impacted information to avoid these notification obligations.
Notably, the 2009 HITECH Act6 extended certain elements of the HIPAA rules to reach covered entities’ service providers and contractors (called business associates under the HIPAA rules). Under the HITECH Act, business associates can be directly liable under HIPAA for certain violations, including failing to comply with the Security Rule and failing to provide breach notification to a covered entity or another business associate.
HIPAA serves as a baseline for health information compliance, and explicitly does not preempt more protective state laws. Importantly, HIPAA does not cover many entities and types of data involved in the healthcare system, including health apps, fitness trackers, university student health clinics, or most pharmaceutical companies. States have increasingly looked to fill this gap in coverage under HIPAA by passing privacy laws that specifically regulate these categories of health information (as we further detail below).
Family Educational Rights and Privacy Act
FERPA protects the privacy of education records at all schools that receive applicable federal education funds. FERPA gives privacy rights related to education records to the parents of minors and then transfers these rights to the students once they turn 18. Schools must guarantee parents or students access to and the ability to correct errors within the student’s educational record and must obtain their consent to release information from that record, although directory information such as names or addresses may be disclosed without consent after notifying the student or parent. As under HIPAA, schools are required to include certain limiting contractual provisions in agreements with their service providers. That said, many non-school entities, such as emerging education technologies (EdTech), receive school data under the school official exception, which allows a platform to receive personally identifiable information from education records without parental consent if certain criteria are met.
FERPA similarly serves as a baseline, preempting state laws which would allow for disclosure of records not otherwise permissible under FERPA, such as state freedom of information laws. Further, states have passed a wide range of student privacy laws, most of which prescribe all or some of the following four requirements: notice and consent, use or collection limitation (particularly in the context of third-party applications or targeted advertising), data breach notification, and deletion. Many states also require that schools extend their privacy obligations via contract to third parties that process or handle student data on behalf of covered entities.
Gramm-Leach-Bliley Act
The GLBA7 governs financial institutions and other organizations that offer financial services and products such as financial advising, insurance, or investment. The relevant provisions concerning personal data are generally split into the GLBA Privacy Rule and the GLBA Safeguards Rule. The Privacy Rule requires regulated organizations to both provide detailed notice and explanation of their information sharing practices and to limit disclosure of nonpublic personal information (NPI). NPI includes information derived from financial transactions, as well as information provided in order to receive financial products or services.
The Privacy Rule requires that financial institutions provide a written privacy notice at the start of their relationship with a customer and annually thereafter. These privacy notices must include, among other requirements:
The Safeguards Rule, on the other hand, requires companies to develop, maintain, and implement a comprehensive information security program to keep personal information secure. These provisions require that the written information security program contain administrative, technical, and physical safeguards to protect customer information. For example, under the FTC’s Safeguards Rule, an entity must undertake comprehensive risk assessments, appoint a qualified individual to be responsible for the institution’s information security program, conduct annual penetration testing of information systems, protect consumer information through encryption, multifactor authentication, and proper storage, and much more.
The FTC recently approved significant modifications to its version of the Safeguards Rule. Among other changes, the new rule will require nonbanking financial institutions regulated by the FTC, including financial technology companies, mortgage brokers, credit counselors, financial planners, and tax preparers, and others, to report certain data breaches and other security events directly to the FTC. This is a meaningful new obligation for GLBA-covered entities regulated by the FTC, and it is possible that other regulators will follow the FTC’s lead in this regard.
The GLBA is enforced by various financial regulators that have jurisdiction as the primary regulator over the types of financial institutions they regulate. This can range from the Consumer Financial Protection Bureau (CFPB) to the Securities and Exchange Commission (SEC) to state insurance commissioners. These various regulators have released guidance and enforce sector-specific GLBA regulations for the industries they oversee. All other entities that otherwise meet the definition of a “financial institution” as defined under the GLBA but do not fall under the purview of a primary financial regulator fall under the regulatory umbrella of the FTC for GLBA purposes.
Federal Trade Commission and General Section 5 Authority
The FTC has jurisdiction over most for-profit organizations and individuals doing business in the United States, other than those in the telecommunications, financial, and transportation industries, which are primarily regulated by other federal agencies. (Note that nonprofits are generally excluded from the FTC’s jurisdiction.)8 The FTC Act was established to regulate questionable business practices and protect consumers. Specifically, Section 5 of the FTC Act prohibits unfair or deceptive acts and practices in commerce, which can include consumer privacy violations and engaging in improper data collection, use, and disclosure practices.9 Section 5 is also routinely applied to penalize organizations that do not have reasonable data security practices. As such, the FTC can bring enforcement actions for Section 5 violations. Notably, practices inconsistent with FTC guidance have the potential to result in corrective action by the Commission under Section 5 if the Commission finds those practices to be unfair or deceptive after an investigation.
Individuals or companies responsible for the collection, storage, use, disclosure, or other processing of personal information should ensure that those activities do not violate Section 5’s prohibition on unfair or deceptive acts or practices.
The FTC uses a three-part test to determine whether an act or practice is deceptive:
To avoid liability under a deception theory, companies should ensure that statements, including those regarding their practices, do not mislead a consumer in any material way. Further, companies should remain consistent with the promises made to consumers about the collection, use, storage, or dissemination of personal information. The FTC has consistently enforced the “deceptive” prong of Section 5 for privacy violations, including in 2023 with enforcement actions against companies such as GoodRx, BetterHelp, and Vitagene. All of these enforcement actions alleged that these companies failed to uphold the promises they made to consumers regarding how their data was being used or disclosed (in addition to other violations).
In determining whether an act or practice is unfair, the FTC requires that the act or practice “cause{} or {be} likely to cause substantial injury to consumers which is not reasonably avoidable by consumers themselves and not outweighed by countervailing benefits to consumers or to competition.”11 In determining whether an act or practice is unfair, the FTC “may consider established public policies,” but “[s]uch public policy considerations may not serve as a primary basis for [a determination of unfairness].”12 The FTC has historically relied on the unfairness test in the context of enforcement actions involving companies’ misuse of consumer data and, in recent years, has adopted an increasingly broad view of what constitutes unfairness in this sphere, sweeping in such practices as inadequate cybersecurity controls and unnecessary retention of customer data, among others.
The FTC was particularly active in 2023 in using the “unfairness” prong of Section 5 to bring enforcement actions against companies for alleged privacy violations. For example, in the GoodRx and BetterHelp cases (referenced above), the FTC alleged that, not only was the sharing of sensitive consumer health information for targeted advertising purposes in violation of the promises made by these companies, it was also an unfair practice because these companies did not obtain consumers’ affirmative consent prior to disclosing their health information for this purpose. The implication of the FTC using the “unfairness” prong instead of the “deceptive” prong of Section 5 for privacy enforcement actions is that the FTC is essentially creating new substantive privacy compliance requirements for all companies, regardless of the disclosures they make in their privacy policies or other publicly available documents. The FTC has historically taken this approach with its data security enforcement cases (and continues to do so) but has now expanded this framework to its privacy cases.
The FTC also regularly issues guidance that can provide practitioners insight on how the FTC views certain issues. For example, in 2023, the FTC issued guidance13 on how companies can better protect health information, as well as how companies can avoid misusing biometric data.14 These guidance documents, inspired by recent FTC enforcement actions, indicate where the agency is likely to focus its attention in the future.
For practical guidance on use case-specific privacy laws, data specific privacy laws, and comprehensive state privacy laws, follow this link to read the complete article.
Not yet a Practical Guidance subscriber? Follow this link to sign up for a free trial to read the complete article.
Privacy professionals should remain aware of new legal developments that might affect their matters. Practitioners need to understand whether and how sector, industry, data-specific, and comprehensive privacy laws apply to a particular matter and how to reconcile different legal requirements. At the state level, privacy professionals should be aware of developments in state data-specific laws, as they represent a novel step in the privacy landscape and bring new compliance requirements. Although the recurring similarities among new comprehensive state privacy laws suggest that a consensus framework is beginning to emerge, practitioners should be aware of state-specific variations in the extent of rights, scope of coverage, and precise procedural requirements, such as in California and Colorado. Finally, practitioners should pay close attention to enforcement actions brought by the FTC and other regulators involving privacy compliance as those will provide insight into how regulators are approaching novel privacy issues.
Kirk Nahra is a partner at WilmerHale. He has been a leading authority on privacy and cybersecurity matters for more than two decades. He co-chairs the firm’s Cybersecurity and Privacy Practice as well as the Artificial Intelligence Practice.
Arianna Evers is special counsel at WilmerHale. She advises clients on their development and use of AI and other emerging technologies.
Ali Jessani, Genesis Ruano, and Samuel Kane are associates at WilmerHale.
To find this article in Practical Guidance, follow this research path:
RESEARCH PATH: Data Security & Privacy > Industry Compliance > Practice Notes
For an explanation of the compliance obligations in California regarding the collection, sale, sharing, use, and disclosure of consumers’ personal information, see
> CALIFORNIA CONSUMER PRIVACY RESOURCE KIT (CCPA AND CPRA)
For extensive coverage of what a new associate should know about data security and privacy-related tasks that the associate will encounter in a law firm environment, see
> FIRST-YEAR ASSOCIATE RESOURCE KIT: DATA SECURITY AND PRIVACY
For an overview of current practical guidance on generative artificial intelligence, ChatGPT, and similar tools, see
> GENERATIVE ARTIFICIAL INTELLIGENCE (AI) RESOURCE KIT
For resources to guide counsel on applying rules under the Health Insurance Portability and Accountability Act of 1996 (HIPAA) that impact employers and the group health plans they sponsor, see
> HIPAA RESOURCE KIT
For a legislation tracker that highlights key comprehensive privacy legislation introduced and/or actively pending at the state level governing the collection and use of consumer personal information by private entities, see
> PRIVACY LEGISLATION TRACKER: STATE COMPREHENSIVE CONSUMER PRIVACY BILLS (2024)
For an updated listing of state biometric privacy laws applicable to private entities that are comparable to the Illinois Biometric Information Privacy Act, see
> BIOMETRIC PRIVACY STATE LEGISLATION TRACKER (2023-2024)
For a weekly updated regulatory enforcement tracker that highlights the resolution of key recent enforcement actions undertaken by the Federal Trade Commission regarding the regulation and protection of consumer privacy in the United States, see
> FEDERAL TRADE COMMISSION (FTC) CONSUMER PRIVACY ENFORCEMENT TRACKER
For a review of prominent recent guidance and enforcement actions undertaken by the Office of Civil Rights at the U.S. Department of Health and Human Services regarding compliance with HIPAA, see
> HIPAA REGULATORY ENFORCEMENT TRACKER
To watch a video that highlights the fundamentals of the Family Educational Rights and Privacy Act, including whom and what it applies to, the key requirements, and enforcement, see
> FAMILY EDUCATIONAL RIGHTS AND PRIVACY ACT (FERPA) VIDEO
For an evaluation of the Gramm-Leach-Bliley Act’s privacy requirements and how to comply with them, see
> GRAMM-LEACH-BLILEY ACT (GLBA) PRIVACY REQUIREMENTS
For detailed information on how the states regulate unsolicited commercial telephonic solicitation of traditional and wireless subscribers, including autodialers and do-not-call registries, see
> TELEMARKETING PRIVACY STATE LAW SURVEY
For a discussion of what persons and entities are subject to the Controlling the Assault of Non-Solicited Pornography and Marketing Act of 2003 (CAN-SPAM Act), see
> CAN-SPAM ACT COMPLIANCE
For step-by-step guidance in employment situations for handling consumer reports and investigative consumer reports under the federal Fair Credit Reporting Act and related state and local laws, see
> FAIR CREDIT REPORTING ACT (FCRA) AND STATE MINI-FCRAS: STEP-BY-STEP GUIDANCE FOR COMPLIANCE
For an analysis of how organizations should plan for and manage a data breach, including notification requirements, see
> DATA BREACH PLANNING AND MANAGEMENT
For more information on the Children’s Online Privacy Protection Act, which places parents and legal guardians in control over the collection, use, and disclosure of their children’s personal information, see
> CHILDREN’S ONLINE PRIVACY PROTECTION ACT (COPPA) COMPLIANCE
1. U.S. Federal Privacy Council, Fair Information Practice Principles. 2. 15 U.S.C.S. § 45. 3. 45 C.F.R. §§ 164.500–164.534. 4. 45 C.F.R. §§ 164.302–164.318. 5. 45 C.F.R. §§ 164.400–164.414. 6. Title XIII of Division A and Title IV of Division B of the American Recovery and Reinvestment Act of 2009, Pub. L. No. 111-5, 123 Stat. 115 (Feb. 17, 2009). 7. Pub. L. No. 106-102, 113 Stat. 1338 (Nov. 12, 1999). 8. 15 U.S.C.S. § 45(a). 9. 15 U.S.C.S. § 45. 10. See Federal Trade Commission, Policy Statement on Deception (Oct. 14, 1983). 11. 15 U.S.C.S. § 45(n). 12. Id. 13. Elisa Jillson, Protecting the Privacy of Health Information: A Baker’s Dozen Takeaways from FTC Cases, Federal Trade Commission (July 25, 2023). 14. Federal Trade Commission, FTC Warns About Misuses of Biometric Information and Harm to Consumers (May 18, 2023).