Data Protection in the United States Part 1:
Understand what laws apply.
Data protection can be a minefield due to the vast number of regulations that apply and it is important to understand the context and situations that you use personal data for.
You need to consider what the laws of your state are. For example, if you are based in California or if you deal with users based in California, then you will need to comply with the California Consumer Privacy Act. Whereas if you are in Arkansas, then you will instead need to comply with the Arkansas Personal Information Act. Bear in mind these different laws will have different requirements, for example – if you suffer a data breach in Alabama, Maryland, New Mexico, Ohio, Oregon, Rhode Island, Vermont, Washington and Wisconsin then you must notify the affected users within 45 days, whereas in South Dakota it must be within 60 days.
You will need to comply with federal laws, which apply to all states. For example, the CAN-SPAM Act requires you to include physical postal addresses in all commercial emails you send, along with many other requirements and restrictions on sending commercial and marketing emails.
You should consider what industry you are in, as there may be additional state and federal laws that apply. For example, if you are in the finance industry then you must comply with the Gramm-Leach-Bliley Act, which includes requirements for privacy notices and the Fair and Accurate Credit Transaction Act (FACTA), which requires you to ensure that data you hold is validated and up to date. Whereas if you are in the health industry, you will be required to comply with the Health Information Portability and Accountability Act (HIPAA), which outlines the rights that people have regarding their medical data.
You will need to consider whom the people are that you are dealing with, as other legislation and regulations may apply. For example, if you deal with any organisations based in Europe you will be required to register a representative in a European Country and report data breaches to the authorities within 72 hours. Another example is if you deal with children, then you must comply with the Children’s Online Privacy Protection Act (COPPA), which requires you to obtain verifiable parental consent to use the child’s data.
….To be continued in Part 2
If you want to speak to one of our experts about any of the content in this article, you can book a free 30 minute no commitment consultation here.