All businesses have a legal responsibility to adhere to the privacy rules and regulations that are in place. To complicate matters, these laws are changing all of the time.

From financial businesses to retail stores, it does not matter what sort of business you run, understanding privacy law is critical.

Below, we will take you through the main data and privacy laws and regulations you need to be aware of in 2022 so that you can get a better understanding.


Non-compliance is something no business can afford

We live in a day and age in which the risks to data security are huge. It seems that a day does not go by without news of another data breach. As a business, you have a moral and legal obligation to ensure that personal information is protected.

This is something that no business can afford to ignore or overlook. You cannot simply pick and choose when you are going to adhere to the data privacy laws that are in place. 

If you do not follow these regulations, not only will your business be met with large fines but you will suffer monumental reputational damage. This can be very difficult and very expensive for businesses to come back from. After all, trust can take a long time to build but it can be destroyed in one second, and regaining that trust is incredibly challenging. 

As a consequence, businesses must dedicate a significant amount of time and resources to making sure that they have a stringent privacy policy and that they have clear processes in place for handling data. 

You also need to make sure that you consider the consumer’s rights in terms of how their data is used, collected, and stored. 

Users increasingly have more say over their data, and this is something businesses need to listen to. The industry is fluid and changing all of the time, so it is imperative to continually assess and monitor regulations so that you can adapt accordingly.

Is there a federal law in the US that governs data privacy in 2022?

Although there have been a number of proposals in recent years, there is no single, comprehensive federal law that governs data privacy in the United States.

Rather, there is a complicated patchwork of medium-specific and sector-specific laws, including regulations and laws that address marketing, financial institutions, credit information, health information, and telecommunications. 

The Federal Trade Commission Act (FTC Act)

The Federal Trade Commission Act is one of the most important pieces of legislation currently in place. It is enforced by the Federal Trade Commission (FTC).

The FTC has broad jurisdiction over commercial entities under its authority to prevent unfair or deceptive trade practices.

It is vital to note that the Federal Trade Commission does not explicitly regulate what information must be included in website privacy policies. Instead, it uses its authority to take enforcement actions to protect consumers, enforce privacy laws, and issue regulations.

Some examples of circumstances that may cause the Federal Trade Commission to take action are as follows:

  • If a business has engaged in misleading advertising practices
  • If a company has violated consumer data privacy rights by sharing, processing, or collecting customer information
  • If a business has not provided sufficient security for personal data
  • If an organization has made inaccurate security and privacy representations to customers and in their privacy policies
  • If a company has transferred personal data in a way that they have not disclosed on their privacy policy
  • If an organization has not followed the very privacy policy that they have published
  • If a business has failed to abide by any of the applicable self-regulatory principles in that business’s industry
  • If the company in question has not implemented and maintained reasonable data security measures 

The Fair Credit Reporting Act (FCRA)

This act regulates the collection and use of credit information. It is a federal law that regulates the use, dissemination, and collection of consumer information. 

In terms of employment, the FCRA limits the way an employer uses applicant and employee information that is provided by consumer reporting agencies. 

The Gramm-Leach-Bliley Act (GLBA)

This act governs personal information that is collected by financial institutions and banks. One of the main rules under the GLBA is that financial institutions need to give their customers a clear and conspicuous written notice that describes their privacy practices and privacy policies.

When this notice needs to be provided, and what it must say, will depend on what you do with the information.

The GLBA also covers matters such as what types of notices to give, opt-out notices, and other general obligations, for example, the prohibition of disclosing private account numbers.

The Health Insurance Portability and Accountability Act (HIPAA)

This act regulates the collection and use of health information. Under HIPAA, you will need to ensure the availability, integrity, and confidentiality of all electronic protected health information.

You have a legal responsibility to identify and safeguard against anticipated threats to the security of that information. You also need to protect against anticipated impermissible uses or disclosures.

The Children’s Online Privacy Protection Act (COPPA)

This act regulates the collection and use of information about minors. There are a number of different rules and regulations that need to be adhered to in accordance with COPPA.

COPPA explains how to give notice if you are going to be collecting, using, or disclosing such information. 

You are also required to get verifiable consent from the parents of the child in question before you collect, use, or disclose children’s information, subject to some specific, limited exceptions.

What about state data privacy laws?

There are hundreds of different data security laws that are applicable to various states or industries. California is one of the states that has been leading the way when it comes to data privacy.

On the 28th of June, 2018, the California Consumer Privacy Act, CCPA, was signed into law. It came into effect on the 1st of January in 2020. 

This is cross-sector legislation that introduces some vital definitions, as well as broad individual consumer rights. It also places substantial duties on persons or entities that collect personal data about or from a resident of California.

Such duties include giving data subjects the ability to delete, correct, and access information, as well as informing data subjects of how and when data is gathered. 

This notice needs to be disclosed in a privacy policy displayed on the website of the business that collects the data.


As time has gone on, changes have been made. After all, this is a very fluid industry. This led to the introduction of the California Privacy Rights Act (CPRA), which many people have nicknamed CCPA 2.0.

The following was added to the CCPA:

  • Sensitive personally identifiable information – This was an update to the personal information definition. Certain kinds of information, for example, a consumer’s Social Security number, need to be treated with special protections. 
  • Right to restriction – This gives customers the right to limit the use and disclosure of their sensitive personal data.
  • Right to rectification – This updates and adds to a customer’s right to correct personal information that is not accurate. 

In addition to this, CPRA also does the following:

  • Requires businesses using third-party vendors to contractually mandate that those third parties apply the same level of privacy protection to the data shared with them.
  • Limits the time period that a business is allowed to hold onto a customer’s data to only what is required and ‘proportionate’ to the reason for collecting the information in the first place.
  • Expands business liability beyond breaches of unencrypted data to disclosures of credentials – such as passwords or email addresses – that could allow access to a customer’s account.

It is likely that a number of other states will take a page out of California’s book.

Final words 

So there you have it: some of the main data privacy laws and regulations that you need to be aware of in 2022. They are often subject to change, so it’s best to check frequently (or have software do it for you) and update your policies in line with the latest changes.

Of course, when it comes to the law, one thing you can never do is cut corners. Adhering to data privacy laws is not optional; it is a necessity.