A consumer data breach at a business can be a catastrophic event, both for the consumer whose personal data were stolen or exposed, as well as for the company that is legally liable for failing to safeguard the sensitive data of their clients, students, or medical patients.
This article talks about what constitutes consumers' "personal information" and what personal data privacy laws exist in the US, on the federal and state levels.
How Is Consumer Privacy Violated?
Personal data of customers or employees collected and stored by companies can be breached in any number of ways.
A company database can be hacked and its contents stolen: contact details, banking information, passwords, and so on. Scammers, unscrupulous marketers, or other malicious actors can then use that data to steal the victim's identity, expose their private affairs, or otherwise disrupt their life. Violations of this kind are breaches of "data security."
Sometimes private information is leaked by accident or carelessness rather than by an attacker. For example, hospital personnel handling PI may mishandle a patient's medical records so that unauthorized persons see them, or a nurse may reveal a patient's medical information to a friend or family member without the patient's consent. Such an act is a violation of "data privacy": no system was broken into, but information was disclosed to someone who had no right to it.
What Counts As Consumers' Personal Data?
Personal information is any data that can be used, alone or in combination with other data, to identify an individual. Here are the main types of personally identifiable information collected and kept by businesses.
- Private information. This includes credentials and secrets tied to the individual (e.g. a debit card PIN, a computer password, security question answers), which give direct access to the person's accounts if exposed.
- Sensitive personal data. This encompasses a wide array of delicate (i.e. potentially socially embarrassing or compromising) personal information (e.g. ethnic origin, biometric data, criminal record, political affiliation, religious views, sexual orientation, etc.)
- Health Information. Personal medical data is also quite sensitive (e.g. medical history, list of allergies, dental records, prescriptions, organ donation choice, every type of test result, etc.)
- Employee Data. Employees' personal information, such as date of birth, contact info, health history, religious views, political affiliation, sexual orientation, etc. must be protected as zealously as that of the customers.
- Tax Data. Tax information (such as financial records, pay slips, tax returns, tax ID, etc.) is considered personal information to be protected.
- Payment Card Information. Stolen credit/debit card data leads directly to payment fraud and identity theft. This information includes the cardholder's name, the primary account number (PAN), the expiration date, and the security codes and PINs used to authorize transactions; the last two are the most sensitive and must never be stored after authorization.
US Laws Protecting Consumer Privacy And Cybersecurity
The US has no single comprehensive data protection law; instead it has a number of sector-specific federal laws, many of them enforced by the Federal Trade Commission (FTC), others by the regulator for the sector concerned (for example, the Department of Health and Human Services for HIPAA).
Federal Laws Protecting Personal Data
Over time, the US federal government has passed (and amended) multiple laws covering the data collection, storage, and privacy practices of organizations, in an effort to keep up with new technologies and new methods of attack.
Fair Credit Reporting Act (FCRA)
One of the earliest federal privacy laws is the Fair Credit Reporting Act (1970), which regulates the collection, use, and sharing of consumer report information: data bearing on an individual's credit worthiness, credit standing, credit capacity, character, general reputation, employability, or insurability. It was later amended by the Fair and Accurate Credit Transactions Act (FACTA, 2003), which added identity theft protections such as fraud alerts, free annual credit reports, truncation of card numbers on receipts, and a requirement to securely dispose of consumer report information.
US Privacy Act of 1974
The US Privacy Act of 1974 was passed to regulate the records that federal government agencies keep on individuals and to strengthen individual privacy protection.
Under the Privacy Act, American citizens have the right to request access to their PI kept by federal agencies and to have it corrected if they find mistakes in it. Individuals also have a right to know how these agencies are using their PI.
Health Insurance Portability and Accountability Act (HIPAA)
HIPAA is geared toward protecting individuals' medical information. It regulates how "protected health information" (PHI) is collected, stored, and shared by covered entities (health care providers, health plans, and health care clearinghouses) and by their business associates (such as a medical billing processor that handles PHI on a covered entity's behalf). PHI may be used and disclosed for treatment, payment, and health care operations; most other disclosures, including to family members or other individuals the patient names, require the patient's written authorization.
Under HIPAA, medical patients have other rights, such as being provided with a notice of privacy practices that explains how the provider intends to use their PHI -- and the privacy/security measures they have in place.
Gramm-Leach-Bliley Act (GLBA)
The Gramm-Leach-Bliley Act was signed into law in 1999 and is designed to protect consumers' privacy in dealings with financial institutions, which necessarily hold a great deal of personal and sensitive customer data.
Under GLBA, financial institutions are required to disclose and explain their customer information-sharing practices and to give customers a choice to opt out of sharing their PI with non-affiliated third parties. GLBA's Safeguards Rule further requires institutions to maintain a written information security program that protects customer information.
Children's Online Privacy Protection Act (COPPA)
The Children's Online Privacy Protection Act was enacted by Congress in 1998 to protect the online privacy of children under the age of 13. It requires operators of websites and online services directed at children, or that knowingly collect children's data, to obtain verifiable parental consent before collecting personal information from a child.
State Laws Protecting Consumer Privacy And Cybersecurity
Several US states have passed or are working on passing their own data privacy laws, enforced on the state level. For example:
- The California Consumer Privacy Act (CCPA), effective in 2020, was the first comprehensive state privacy law. It gives consumers the right to know what PI a business collects about them and with whom it is shared, to have it deleted, and to opt out of its sale. The California Privacy Rights Act (CPRA), an amendment that expanded the CCPA effective 2023, added the right to correct PI and to limit the use of sensitive PI, and created the California Privacy Protection Agency to enforce the law.
- The New York Privacy Act is a proposed bill that has not yet been enacted; if passed, it would give New Yorkers broad control over their PI and would be among the most comprehensive state privacy laws.
- The Colorado Privacy Act went into effect in July 2023. It lets consumers opt out of the sale of their PI, targeted advertising, and certain profiling, and is enforced by the state Attorney General and district attorneys, who can seek penalties for violations of consumer privacy rights.
- The Virginia Consumer Data Protection Act took effect on the first day of 2023. It grants consumers rights to access, correct, delete, and obtain a copy of their PI, and to opt out of its use for targeted advertising, sale, or profiling.
- The Connecticut Personal Data Privacy and Online Monitoring Act, effective July 2023, sets out obligations for data controllers and processors operating in the state, along with consumer rights similar to those in Colorado and Virginia.
Companies that fail to protect consumers' personal information can face financial repercussions in the form of civil penalties and, under some laws (the CCPA, for example, in the case of a data breach), lawsuits brought by the affected consumers themselves.
Let EasyLlama Take Care Of Your Data Privacy & Cybersecurity Training!
Data privacy and security are a grave responsibility never to be taken lightly by any institution.
Put your consumer data privacy worries in the capable hands of EasyLlama!
Our Data Privacy & Cybersecurity e-training will get your personnel up to standard as they learn about the importance of complying with federal and state privacy laws.
Relieve your clients of the risk -- and your HR department of the headache: request your free preview now!
Written by: Maria Malyk