
SECTOR-SPECIFIC-REGULATIONS-AND-A-FEW-HICCUPS-MORE-U.S.A-AND-ITS-PRIVACY-LAWS

Draft American Data Protection

tsaaro



Presentation Transcript


  1. WHITEPAPER
  SECTOR SPECIFIC REGULATIONS AND A FEW HICCUPS MORE: U.S.A AND ITS PRIVACY LAWS
  Your Guide to U.S.A's Privacy Laws and its Shortcomings.
  © 2021 Tsaaro. All rights reserved.

  2. PROBLEM INTRODUCTION
  With the emergence of innovation on a daily basis, privacy is increasingly becoming complex. Various regions of the world have understood the risks pertaining to Data Privacy and have introduced certain regulations to safeguard the privacy of individuals' data. Virtually every country has laid down its privacy laws and ancillary regulations.
  The structural flaw with the privacy laws of the United States is the absence of a unified code that deals with particular subjects and of a document that is exhaustive in nature. The European Union's GDPR is exactly what the United States lacks; having different statutes (both federal and State) to regulate specific sectors results in an uneven overall structure. The legal framework of the United States regulating emerging privacy concerns lacks the ability to streamline the procedure and curb risks altogether by establishing a defined mechanism in its entirety.
  The World Superpower a.k.a. the United States has introduced its system to keep up with evolving technology. However, in the absence of a central federal-level privacy law, there is a series of different vertically-focused privacy laws forming a complex patchwork of laws and regulations dealing in specific sectors and mediums.
  STRUCTURE
  This whitepaper covers the following aspects:
  - Timeline of the American Privacy Landscape.
  - The existing Federal and State Legislations regulating matters pertaining to privacy.
  - A graphical representation of the State-wise privacy statutes.
  - The problems that plague the current privacy scenario.
  - The way forward, with suggestions to curb the limitations of the existing framework.

  3. TIMELINE OF THE AMERICAN LANDSCAPE
  1890: Brandeis "Right to Privacy" Law Review Article
  1960: Privacy Torts
  1974: Privacy Act of 1974
  1996: Health Insurance Portability and Accountability Act of 1996
  1998: COPPA (Children's Online Privacy)
  1999: Gramm-Leach-Bliley Act
  2018: General Data Protection Regulation (GDPR) went into effect
  2020: California passes the California Consumer Privacy Act (CCPA)
  2021: Virginia and Colorado pass their respective state laws

  4. FEDERAL STATUTES IN USA PRIVACY LANDSCAPE
  There is no single comprehensive data protection legislation in the United States. However, there are various statutes enacted on the Federal and State levels which are sector-specific to protect the personal data of the people residing in the United States.
  PRIVACY ACT OF 1974
  On account of the Watergate Scandal, this Act aimed at balancing the rights of individuals. This Act laid down certain restrictions on the collection and retention of data by Government Agencies. This legislation could be considered one of the primary references for digital privacy in the American Legal Landscape, incorporating certain principles which are, at present, commonly referred to as privacy by design. These principles are:
  - Right of U.S. Citizens to access/copy data.
  - Right of Citizens to correct any informational errors.
  - Government Agencies to adopt data minimization policies.
  - Restriction of unnecessary access to data.
  - No sharing of information between Government Agencies, unless necessary.

  5. FEDERAL STATUTES IN USA PRIVACY LANDSCAPE
  CHILDREN’S ONLINE PRIVACY PROTECTION ACT (COPPA)
  COPPA was America’s first step towards safeguarding the online privacy of children. This specific statute was passed with the objective of protecting the digital privacy of minors. COPPA prohibits the collection of information pertaining to children below the age of 13, within and beyond the territory of the United States. The recent amendments to COPPA broadened the applicability of the statute by widening the types of Personal Information that must be protected. The provisions of COPPA are applicable to Third Parties as well that use children’s data. The originating websites must ensure the safety of children by adopting reasonable measures and safeguards, and by releasing such information only to organizations that are capable of keeping the data secure.
  GRAMM-LEACH-BLILEY ACT (GLBA)
  Also referred to as the Financial Modernization Act of 1999, the Gramm-Leach-Bliley Act’s main focal point is expanding and tightening consumer data privacy safeguards and restrictions to protect Non-public Personal Information (NPI). Under GLBA, any information collected about an individual in order to provide financial products or services qualifies as NPI on the condition that the information was not already publicly accessible. The law requires financial institutions to explain how all customer data is shared and to provide customers with an opportunity to opt out. GLBA safeguards the collected personal data through a security plan created by the institution. However, there is a loophole: third parties affiliated with the financial institutions are not under any obligation to provide customers with privacy controls that would let them restrict the sharing of NPI.

  6. FEDERAL STATUTES IN USA PRIVACY LANDSCAPE
  FAIR CREDIT REPORTING ACT (FCRA)
  The Federal Statute of FCRA, passed on 26th October 1970, promotes accuracy, transparency and privacy of the information in consumer credit bureau files: it provides privacy for the files of consumer reporting agencies, regulates the manner in which credit reporting agencies collect, access and use/share the data collected in consumer reports, and gives customers access to their credit reports. FCRA provides for the secure destruction of Personal Information and regulates the use of certain types of information received from affiliated organisations for marketing purposes. The Statute is enforced by the Federal Trade Commission and the Consumer Financial Protection Bureau. Violations of FCRA carry fines, including incurred damages (if any).
  HEALTH INSURANCE PORTABILITY AND ACCOUNTABILITY ACT (HIPAA)
  Known as the Kennedy-Kassebaum Act, HIPAA was enacted on 21 August 1996 to regulate Health Insurance in the United States:
  - Enacted to streamline the flow of Healthcare information, this complex framework includes data privacy and security sanctions as well.
  - Lays down the concept of Data Confidentiality, essentially defining who gets access to Protected Health Information (PHI).
  - Provides groundwork for explicit consent: using such data for marketing purposes is subject to explicit consent.
  - Limits how information related to patients is obtained, stored, accessed or released, thereby safeguarding it against theft or fraud.

  7. THE U.S. STATE-WISE REGULATIONS
  [Chart: state-wise comparison of California (CCPA), Colorado, Virginia, Maryland, Hawaii, New York, Massachusetts and North Dakota against the columns Private Right of Action, Right to Rectification, Right to Deletion, Right to Access, Right to Opt-Out and Enactment.]
  The above chart refers to CCPA and not the updated provisions of CPRA, as the latter has not come into effect yet.

  8. STATE-WISE REGULATIONS
  Certain States have introduced their own statutes to regulate privacy, as long as there is no Federal Statute that protects the privacy of a resident.
  CALIFORNIA CONSUMER PRIVACY ACT (CCPA) & CALIFORNIA PRIVACY RIGHTS ACT (CPRA)
  Enacted on 28 June 2018, the CCPA extended consumer privacy protection to the internet, becoming in itself the most comprehensive digital-focused privacy regulation in the United States:
  - The most striking feature of the CCPA is the wider ambit of the definition of "personal information", which includes information that can identify, relate to, describe or is capable of being associated, directly or indirectly, with a particular individual or a household.
  - CCPA provides an exhaustive list of identifiers and gives consumers the right to access through a DSAR; it also restricts businesses from selling customers’ personal information without informing them, providing a web notice and giving them an opportunity to opt out.
  - Similar to GDPR, CCPA incorporates the right to delete, and gives customers a chance to sue on account of a data breach.
  CPRA, often termed an update to CCPA, builds on the existing framework by adding to the consumer rights and business obligations, along with a dedicated Data Privacy Protection Agency. The CPRA would be completely operative from January 2023.

  9. STATE-WISE REGULATIONS
  VIRGINIA CONSUMER DATA PROTECTION ACT (VCDPA)
  Enacted on March 2, 2021, the VCDPA made Virginia the second state after California to officially adopt and enact a comprehensive regulation that deals with consumer privacy. It provides consumers with the right to access data, the right to data deletion and the right to opt out, and entrusts organizations with an obligation to conduct data protection assessments. VCDPA provides an extensive definition of Personal Data and of who could be considered a consumer within the purview of the Act. VCDPA does not incorporate a private right of action, unlike the CPRA, but imposes hefty penalties to curb the concerns of data privacy breaches.
  COLORADO PRIVACY ACT (COLOPA)
  Set to take effect on July 1, 2023, ColoPA made Colorado the third state to enact comprehensive privacy legislation. ColoPA vests consumers with rights such as the right to access, correction, deletion, data portability, the right to appeal and the right to opt out. The scope of ColoPA is broader than CCPA when it comes to revenue thresholds. ColoPA explicitly omits individuals acting in a commercial capacity; under the statute, controllers are not required to consider the data of employees as PII when they collect and process it. The scope of ColoPA is otherwise quite similar to CCPA, including the definitions of Personal Data and Sale of Personal Information. ColoPA also sets categories of exempt data, dividing them into two categories, i.e. Entity-level exemptions and Data-level exemptions.
  MASSACHUSETTS DATA PRIVACY LAW
  Formerly known as “Standards for The Personal Information of Residents of the Commonwealth”, this proposed law places an obligation on organisations to notify individuals in case of a security breach. This statute is largely similar to the CCPA; a vital difference is that consumers are vested with the right to sue for any violation.

  10. STATE-WISE REGULATIONS
  NEW YORK PRIVACY ACT
  The proposed New York Act contains all the important principles of CCPA. Similar to Massachusetts and unlike CCPA, the New York Act would vest the individual with the right to pursue action for any violation, making this statute stringent. Another key distinction is the addition of the Data Fiduciary concept, making all organisations legally responsible for every item of consumer data that they possess. The Act is also closely similar to the EU GDPR because it provides consumers with the ability to correct inaccurate information.
  HAWAII CONSUMER PRIVACY PROTECTION ACT
  Similar to the CCPA, the proposed Hawaii Act offers all of the same rights and protections, inclusive of the clause under which a website located anywhere could be held liable if it does not operate with adequate protection.
  MARYLAND ONLINE CONSUMER PROTECTION ACT
  Another state-proposed Bill, with the potential to expand on the scope of CCPA. Like other states, the Maryland Bill also incorporates the concept of Probabilistic Identifiers and even goes beyond the scope of CCPA when it comes to disclosing third-party involvement, going so far as to obligate companies to disclose any information that is passed to such Third Parties.
  NORTH DAKOTA'S HB-1485
  This Bill completely restricts any website from transmitting any information to third parties without obtaining the consent of its users. However, there is no right to rectification or deletion once consent is legally obtained by the Controller.

  11. SHORTCOMINGS OF U.S. PRIVACY SCENARIO
  UNEVEN APPROACH
  Data is not adequately protected, and companies are riddled with contradictory and competing requirements. A unified approach is needed to make it easier to protect privacy.
  PATCHWORK INCOMPATIBILITY
  Lacking uniform central legislation, the United States ensures that privacy is maintained within specific sectors through the pertinent sector-specific laws. It is noteworthy that these laws sometimes have varying, incompatible provisions with respect to what counts as personal information and what constitutes a breach.
  COMPLICATED ENFORCEMENTS
  The Federal Trade Commission (FTC) has an important role to play here, as it has the general power to prohibit certain trade practices under section 5 of the FTC Act. However, companies have begun testing the FTC's legal authority to review data security practices. Furthermore, the FTC has limited jurisdiction over banks, insurance organizations, NPOs and ISPs.
  RESPONSE TO DATA BREACH
  Data breach notification and response is the most important aspect of data privacy. Ongoing vigilance should be adopted instead of a penal or remedial approach to data theft, and such vigilance should be incentivised while eliminating the complexities for both consumers and the institution.
  UPDATING THE VALIDITY
  The existing laws were enacted as a response to certain scenarios, and certain changes since then have eroded the sectoral boundaries laid down by these privacy regulations. Therefore, to reduce arbitrariness, the definitions along with the legal provisions have to adapt to the changing needs of privacy to ensure protection.

  12. THE WAY FORWARD
  The United States should adopt the European Union's approach towards data privacy by bringing out a single comprehensive framework to regulate personal privacy. These are the recommendations that would be an ideal way forward for the United States to overcome its current shortcomings:
  SCOPE & APPLICABILITY
  The future legislation must bring within its ambit all institutions, ranging from Government-run agencies to NPOs and every other narrow sector of the economy. Apart from the social responsibility of an organization, a data protection breach is an institutional risk as well.
  HARMONISING INCONSISTENCIES
  The upcoming legislation should aim to replace the existing patchwork of statutes. A baseline should be established which lays down all the set criteria and can remove the inconsistencies in requirements or rights that arise from the current sector-wise approach towards individual privacy.
  PRIVATE RIGHT OF ACTION
  It is extremely essential for individuals to be vested with the legal recourse to sue a company over privacy violations.
  DATA MINIMIZATION, OPT-IN AND DISCRIMINATION IN PRIVACY RIGHTS
  A company should only collect the information it essentially requires to provide the service it is offering, and should mandatorily present the customer with the option of whether to share the user data with a Third Party. Every organization must also provide its customers with Data Subject Rights (DSR), including deletion and rectification of stored data. Companies cannot discriminate against people for exercising their privacy rights, nor can they force them to pay for increased data security.

  13. CONCLUSION
  This ever-evolving regulatory environment would require companies to adapt to the changing times. The future of US privacy law will reflect some of the key ideas from the existing state regulations: Employee or Consumer privacy rights, access and removal requests, and ultimately fines and fine-related requirements, exceptions and mitigations would be marked down in a single piece of legislation, curbing the current shortcomings and integrating the existing patchwork into an exhaustive framework.

  14. COMPANY PROFILE
  Tsaaro provides privacy and cybersecurity services to help organizations meet regulatory requirements while maintaining a robust security infrastructure. Our industry-standard privacy services include Privacy compliance, DPO-as-a-service, Vulnerability Assessment & Penetration Testing, Cyber Strategy and DPIA, to name a few, delivered by our expert privacy professionals recognized by IAPP.
  Akarsh Singh (CEO & Co-Founder, Tsaaro)
  Akarsh is a Fellow of Information Privacy by IAPP, the highest certification in the field of privacy. His expertise lies in Data Privacy and Information Security Compliance.
  Krishna Srivastava (Co-Founder & Head of Cyber Security, Tsaaro)
  Krishna is an ex-KPMG data security consultant. He has vast experience in Information Security and Data Privacy Compliance.
  At Privado, we are building tools for compliance with Data Privacy Laws such as GDPR and CCPA. Companies now have to do a lot to comply with these laws, such as taking consent and doing vendor assessments, privacy assessments, etc. We simplify and automate these tasks so that companies can demonstrate privacy compliance. We want to bring visibility into the use of data to the privacy team.
  Vaibhav Antil (Co-Founder at Privado.ai)
  Vaibhav is an ex-IITian with over 7 years of experience. He is a Certified Information Privacy Manager (CIPM) from IAPP.
  CONTACT US
  You can assess risk with respect to personal data and strengthen your data security by contacting Tsaaro.
  Email us: info@tsaaro.com
  Addresses:
  Tsaaro India Office: Manyata Embassy Business Park, Ground Floor, E1 Block, Beech Building, Outer Ring Road, Bangalore- 560045 India. P: +91-0522–3581306
  Tsaaro Netherlands Office: Regus Schiphol Rijk, Beech Avenue 54-62, Het Poortgebouw, Amsterdam, 1119 PW, Netherlands. P: +31-686053719