Why Is There No Federal Data Privacy Law?

The United States will enter the year 2021 without a general federal data protection law. Many states, most notably California (through the California Consumer Privacy Act), have data protection laws that restrict how companies can use personal information, meaning any information about a person that can uniquely identify them. Such information includes health-related information, such as PHI, as well as non-health-related information, such as credit report information, credit account information, work history, and other uniquely identifying data. Other countries, such as Canada, and supranational bodies, such as the European Union, have general data protection laws at the national level. This article covers why there is currently no U.S. federal data privacy law in place, as well as legislative proposals for such a law.

Why Is There No Federal Data Privacy Law: Attempts to Regulate Data on the Federal Level

In the United States, federal data privacy legal protections are limited to specific types of data. For example, HIPAA requires that covered entities and business associates adopt privacy and security measures to keep protected health information confidential, accessible, and secure.

Federal Data Privacy Law

The US Privacy Act of 1974 protects personal data held by U.S. government agencies. This law gives citizens the right to access and copy certain personal data held by government agencies, and to correct errors in that information. The scope of this law’s coverage is narrow: the Privacy Act only protects records about individuals that can be retrieved by personal identifiers. For purposes of the law, personal identifiers include a name, Social Security number, or other identifying number or symbol.

Two other federal laws, the Gramm-Leach-Bliley Act (GLBA) and the Children’s Online Privacy Protection Act (COPPA), offer privacy protection on the federal level. The scope of these laws is also narrow. The GLBA protects “nonpublic personal information” (NPI). NPI is defined as any “information collected about an individual in connection with providing a financial product or service, unless that information is otherwise publicly available.” Essentially, NPI is personally identifiable financial information that is not publicly available. Publicly available financial information includes property deeds and mortgage recordings. COPPA regulates personal information collected from minors. The law specifically prohibits online companies from asking for personally identifiable information from children who are 12 and under, unless there is parental consent.


Why Is There No Federal Data Privacy Law: Compliance Costs and Obstacles

Federal data privacy legislation has been introduced before, but has never passed Congress. Smaller companies and larger companies have objected to this legislation, for different reasons. Small businesses, which make up 99.9% of American businesses, have argued that they are unable to afford the compliance costs associated with implementing and following a federal data privacy law. These businesses have argued that if they were forced to comply with a federal data privacy law, consumers would be the ones to pay the price, in the form of higher costs for goods and services, and reduced access to new and innovative products and services.

Larger companies have historically been opposed to the concept of a federal data privacy law, until the passage of the California Consumer Privacy Act and other states’ data privacy laws. Ten years ago, state data privacy laws were at the drawing board stage. Now, a number of states have passed such laws. Since each state’s law is different, large companies that do business across the U.S., including Amazon, AT&T, Dell, Ford, IBM, and Walmart, are now in favor of a federal data privacy law. Complying with a single federal data privacy law, as opposed to a slew of different state laws, costs less.


Why Is There No Federal Data Privacy Law: Recent Developments

Several members of Congress and advocacy groups have already drafted versions of a federal data protection law. One version would roll existing federal data privacy and consumer protection laws into a single federal data privacy law, to be known as the Personal Data Security and Privacy Protection Act. The laws to be consolidated include COPPA, the GLBA, the CAN-SPAM Act, the Do-Not-Call Implementation Act, the Fair Credit Reporting Act (FCRA), Subtitle D of the HITECH Act, the Telephone Consumer Protection Act of 1991, and the Identity Theft Assumption and Deterrence Act of 1998.

The proposed law would only cover companies that meet one or more of the following criteria:

  • The company has an annual gross revenue that exceeds $25,000,000.
  • The company annually buys, receives for its commercial purposes, sells, or discloses for commercial purposes, alone or in combination, the personal information of 50,000 or more individuals, households, or devices.
  • The company derives 50 percent or more of its annual revenues from the sale of personal data.

Under these criteria, only entities that either have significant annual gross revenue, or that frequently engage in the sale or disclosure of data, would be regulated by the Personal Data Security and Privacy Protection Act. Small businesses not in the business of selling or disclosing personal data would be exempt from the law’s provisions.

The law also calls for the creation