Does the United States Have a Data Protection Act?

10.06.2022

United States data protection laws vary by state and by data type, and there is not one overarching act that governs all types of data privacy throughout the country. Without an Act in place, many US-based companies have to decide how to best navigate sensitive data discovery and protection on their own. Even though there isn’t a federally recognized universal data privacy regulation in place, many state laws, along with the need to maintain consumer trust, require all companies to take data protection very seriously.

In this article, we’ll look at the variety of data protection laws that cover US data and the best practices for keeping your company’s structured and unstructured data secure in the changing landscape of US legislation.

Does the United States Have Data Protection Laws?

Although there is no overarching, country-wide Act of Congress that governs data protection in the United States, a wide variety of state-level laws have been proposed or passed. In fact, according to the National Conference of State Legislatures, at least 38 states introduced consumer privacy bills in 2021 alone.

The most common type of bill proposed is comprehensive privacy legislation which broadly regulates how businesses can collect, use, and share personal information. These regulations include a specific set of consumer rights, including the protection of consumers’ right to view, change, and delete any of their personal information that was collected by a business.

Three states already have some version of these comprehensive consumer data privacy laws in place: California, Virginia, and Colorado.

  • California’s Consumer Privacy Act (CCPA): Gives California residents the ability to opt out of the sale of their personal information, and the ability to view, correct, and delete their data being stored by companies. This includes not only information in databases, but also unstructured data like e-mail correspondence. Originally passed in 2018, the act will see changes and expansions take effect in 2023 that provide even more consumer protection, similar to the laws that govern data security in Europe.
  • Virginia’s Consumer Data Protection Act: Similar to the CCPA, but passed in 2021 and has different regulations about which organizations it applies to.
  • Colorado’s Consumer Protection Act: Intended to penalize businesses that mismanage data protection or sell consumer data without disclosing it.

You may be wondering, “Which US states have data protection laws in the process of being enacted?” Many additional states passed various data protection bills in 2021, but these have not fully taken effect yet. These states include Arizona, Arkansas, Florida, Louisiana, Maryland, Montana, Nevada, Oregon, Rhode Island, South Carolina, South Dakota, Utah, and Virginia.

Does the US Have Data Protection Laws Like Europe?

The General Data Protection Regulation (GDPR) is the data protection legislation that governs all countries in the European Union (EU). It went into effect in 2018, and it applies to any companies that collect or process the personal data of EU residents or citizens, even if the company itself is not based in the EU. The GDPR enforces regulations by imposing significant fines for violations of consumers’ data privacy.

So does the US have a version of GDPR? Not yet. The USA currently does not have nation-wide or international regulations that govern data security. However, the American Data Privacy and Protection Act (ADPPA) includes many similar principles and was introduced to the House of Representatives in May 2022. As of September 2022, it had not yet been voted on in the House, and there isn’t currently a projected date for its enactment should it pass.

How Do You Comply With Internet Privacy Laws in the United States?

Because of the complex and sometimes unclear regulations for data protection in the US, it can be a challenge for companies to know how to make sure they are compliant with all requirements. The best practice for companies managing their data protection is to have a system in place to discover, migrate, and govern data that stays up-to-date as regulations change.

Data management for structured data stored in databases is often fairly straightforward, but it can be a much bigger challenge for unstructured data. Unstructured data can be anything that isn’t numeric and stored in a database, and includes things like e-mail correspondence, screenshots of sensitive information, resumes, and more.

DryvIQ is an unstructured data management platform that protects your sensitive data with renowned speed and accuracy. We use best-in-class AI and machine learning to help companies stay compliant with regulations as they change, and provide excellent security to build consumer trust in your brand. We can help with a wide range of unstructured data management, including:

  • Data Discovery
  • Data Risk Protection
  • Sensitive Label Audit
  • Intelligent File Migration
  • Large-Scale File Migration
  • File System Synchronization
  • Mergers & Acquisitions

Contact us for a demo today to take the pain out of data protection compliance.