Overall US Privacy Approach
The overall approach to privacy in the US consists of a large (and growing) number of laws and regulations, at state, federal, and international levels. These laws have (to date) been (1) specific by industry segment (e.g., health care, banking); (2) specific by practice (e.g., telemarketing); or (3) specific to particular data categories (biometrics, genetic information, facial recognition).
Today, there is no generally applicable US privacy law at the federal level covering all industries and all data (although that may be changing), but there is increasing complexity in the regulatory environment.
We are starting to see state-level laws (such as the California Consumer Privacy Act) that apply across industries. We also are seeing a new set of “specialty” privacy laws that deal with emerging technologies such as facial recognition and location data.
US law at both the state and federal level also includes data security obligations for any company that collects personal information. These requirements generally create compliance obligations for “reasonable and appropriate” security, with varying levels of additional detail depending on the specific law.
Outside the US
There are separate privacy and security rules related to data used in and coming from foreign countries. Where these laws exist (and they exist in a growing number of countries), the rules usually are tougher than those in the US, meaning that those countries are more protective of individual privacy.
Many of these laws apply to US companies, either because those companies have a presence in these countries or because of the “extra-territorial reach” of those laws (such as the European Union’s General Data Protection Regulation (GDPR)). Moreover, there are increasing pressures related to the transfer of personal data from these countries, particularly the transfer of data from the European Union to the US.
These issues are affecting a broad range of company operations, including core corporate strategy issues. For example, because US privacy law currently is primarily sectoral, determining where your company fits into these sectors is crucial. In the health care space, if your business model is direct to consumer, you typically have modest explicit legal obligations today (although regulators are watching you in any event). If you partner with health insurers or hospitals, in many cases you may become subject to the Health Insurance Portability and Accountability Act (HIPAA) privacy and security rules as a service provider to these entities.
Thinking about where your business operates also matters (especially in evaluating whether you are subject to laws in other countries or state-specific laws). These principles now matter for overall compliance, product design, customer and vendor relationships, marketing opportunities and, critically, mergers and acquisitions activity, as purchasers now are drilling down into data assets, data rights, and privacy and security compliance. For the foreseeable future, these issues will become increasingly important and complicated, across virtually all segments of corporate America.