July 24, 2019

The Patchwork of Federal Data Protection Laws


  • There is no comprehensive federal law governing data privacy and data security; we rely on a patchwork of federal laws enacted at different times that regulate certain industries and types of data.
  • Several Senate committees divide jurisdiction over these privacy statutes.

In contrast to the European Union, the United States has no comprehensive law governing data protection. Instead, there are a number of laws that regulate specific industries and categories of data. These include the Health Insurance Portability and Accountability Act, the Children’s Online Privacy Protection Act, the Gramm-Leach-Bliley Act, the Fair Credit Reporting Act, and the FTC Act. Several Senate Committees divide jurisdiction over these statutes and others.

Data Privacy


The Health Insurance Portability and Accountability Act, enacted in 1996, regulates collection and disclosure of patient health information by health care providers and plans. It grants patients certain rights, including the right to review and obtain their health records and amend inaccurate or incomplete information. It also requires providers and health plans to have safeguards to protect health information from unauthorized use or access. The Health, Education, Labor, and Pensions Committee has jurisdiction over HIPAA.

Covered entities generally may use or disclose covered health information for the purposes of treatment, payment, and other routine health care operations. HIPAA also allows the use or disclosure of covered health information for specified activities not directly connected to treatment, including research and cooperating with law enforcement.

The Office for Civil Rights at the Department of Health and Human Services administers and enforces HIPAA privacy, data security, and breach notification rules. The law contains civil monetary penalties for violations of security standards as well as criminal penalties for cases involving the wrongful acquisition or disclosure of personally identifiable health information. In instances where criminal penalties may apply, HHS refers the case to the Justice Department.

The Health Information Technology for Economic and Clinical Health Act, enacted in 2009, updated HIPAA privacy and security standards. The act created a notification requirement for data breaches, increased the civil monetary penalties for violating HIPAA, and expanded and strengthened enforcement activities by the Office for Civil Rights.

Children’s online privacy protection act

COPPA, enacted in 1998, regulates the online collection and use of information of children under the age of 13. It requires websites to post complete privacy policies and obtain verified parental consent before collecting personal information from children. It also requires covered entities to establish and maintain reasonable procedures to protect the confidentiality, security, and integrity of any information collected. The Committee on Commerce, Science, and Transportation has jurisdiction over COPPA.

COPPA is enforced by the Federal Trade Commission, which has authority to enforce violations by seeking civil penalties or equitable relief. COPPA also authorizes state attorneys general to enforce violations that affect residents of their states. It does not contain criminal penalties.

In practice, few websites attempt to obtain parental consent to comply with the requirements of COPPA. Rather, most websites that collect personal information, including social media sites such as Facebook, simply require users to be 13 or older.

Gramm-leach-bLiley act

GLBA, enacted in 1999, regulates financial institutions and imposes obligations and responsibilities regarding the protection of customers’ nonpublic personal information and records. It requires financial institutions to implement safeguards and security measures to protect customers’ sensitive data.

GLBA prohibits the disclosure of personal information to third parties without notice and the ability to opt-out. Financial institutions are barred from sharing account numbers or credit card numbers with third parties for use in marketing. GLBA levies criminal penalties on those who intentionally obtain or disclose customer information through false or fraudulent statements.

Enforcement of GLBA is divided among the National Credit Union Administration, the Securities and Exchange Commission, the FTC, the Consumer Financial Protection Bureau, and state regulators. The Committee on Banking, Housing, and Urban Affairs has jurisdiction over the law.

Fair credit reporting act

FCRA, enacted in 1970, regulates consumer reporting agencies and consumer credit reports. It grants consumers rights including to access all information in credit reports, to know credit scores, and to dispute the accuracy of information contained in credit reports. It also outlines permissible uses of credit reports and imposes responsibilities on those who collect, furnish, and use the information in a consumer’s credit report. FCRA also limits the amount of time that negative information remains on a consumer’s credit report. There are no provisions in the act requiring entities to provide notice or to obtain consent before collecting data or disclosing data to third parties. The act authorizes a private right of action for consumers harmed by willful or negligent violations.  

Enforcement of FCRA is shared between the FTC and the CFPB. The Banking Committee has jurisdiction over the law.


In contrast to statutes that focus on specific industries or types of data, the FTC Act applies more generally. Enacted in 1914, it prohibits “unfair or deceptive acts or practices in or affecting commerce.” The Commerce Committee has jurisdiction over the law. 

The FTC has brought enforcement actions based on its position that companies act deceptively when they handle personal information in a way that contradicts their posted privacy policy or other statements, or when they fail to adequately protect personal information from unauthorized access despite promises to the contrary.


Issue Tag: Technology