Understanding PII Laws and Regulations Worldwide
US PII laws are numerous - and confusing. Here's how to make sense of them.
You have a business to run. But your business must also comply with all local and federal regulations wherever it has a presence. When it comes to personally identifiable information (PII), the US laws alone are numerous - and confusing.
In this post, I'll explain the worldwide laws governing PII. Plus, I'll share an easy way to put your company on the path to compliance - no matter where you do business.
Personally Identifiable Information (PII) is any information that someone could use to uniquely identify an individual.
PII can be an individual data point, such as a national ID number (e.g., US social security number) or driver's license number. Such identifiers, by their nature, are uniquely identifying.
But PII may also be a combination of information that, when taken together, establishes an individual's identity. For example, a date of birth, racial characteristics, address, medical information, or other characteristics can quickly narrow a field of candidates down to a single person.
Thus, PII encompasses a broad category of data, including but not necessarily limited to:
Many individuals at a company have legitimate reasons to access PII. For example, medical professionals at a hospital or a doctor's office need access to PII for billing or identity verification purposes. Individuals at a company may need the authority to run transactions against a user's stored credit card data.
But not everyone at a company is authorized to handle certain data. And some employees may retain access even when they shouldn't. Such insider threats can cost up to USD $15 million for a single incident (!).
Then there's the threat of large-scale data breaches. Take JP Morgan, where a data breach led to the loss of PII of some 83 million customers. The incident cost JP Morgan USD $300 million.
Such leaks can be used to target and harm the victims. For example, a hacker in the United States recently pleaded guilty to selling information he gathered from a data breach for use in US Medicare claims fraud.
Mass leaks of customer data can also spell financial ruin for a company. Did you know that 60 percent of small companies close within six months of a data breach? For small- and medium-sized companies, litigation and regulatory fines may prove too much to bear.
Because of its sensitive nature, numerous laws worldwide strictly regulate how companies store and process PII. Many countries and states/provinces have additional regulations for subsets of PII, such as Protected Health Information (PHI).
Following is a summary of the most pertinent laws that may impact your business. If you're a global company (as more companies are these days), chances are some - and maybe all - of these laws apply to you!
Note: This post does not constitute legal advice. The laws cited below are not meant to represent the complete list of laws applicable to your business in every federal or local jurisdiction.
There is no single federal law governing PII in the United States. Instead, there's a patchwork of federal laws that have implications for how companies handle someone's personal data.
The most expansive of these is the Federal Trade Commission Act (FTCA), which regulates trade in the United States. The FTCA levies fines - and sometimes jail time - for using deceptive marketing practices to collect and store PII.
Perhaps the most well-known of the US PII regulations is the Health Insurance Portability and Accountability Act (HIPAA). HIPAA regulates PHI; specifically, it dictates how companies handle 18 PHI data elements. There are four tiers of HIPAA violations; companies can rack up an annual USD $2 million in fines for non-compliance.
Additional regulations include:
Besides federal regulations, individual states in the United States have laws that impose requirements on how companies handle PII. Since nearly all companies in the US do business in these states, these laws essentially bind all US businesses.
Note that this isn't a comprehensive list of all state laws. Iapp's US State Privacy Legislation Tracker is a great resource for a more expansive view.
The broad California Consumer Privacy Act (CCPA) implements several consumer protections similar to those in the European Union (see below). These include the customer's right to:
California passed the original CCPA in 2018. A voter-approved amendment added additional protections effective January 2023. These include the right to correct inaccurate information and limit the use and disclosure of certain personal information.
The CCPA applies to all for-profit businesses that have profits of more than $25 million annually, handle the personal data of more than 100,000 California residents, or derive 50% or more of their revenue from the sale of personal data.
Like CCPA, the Virginia Consumer Data Protection Act applies to businesses that do business in the state and meet a certain data handling threshold. Virginia's law implements the provisions of the CCPA along with a right to data portability and the ability to opt out of targeted advertising.
Colorado's Privacy Act of 2021 is the third state privacy law to pass in the US. There is no revenue threshold; any business that handles the personal data of 100,000 or more people, or that processes data for 25,000 or more people and profits from its sale, must comply. The law is similar to the Virginia law and provides roughly the same protections.
As of this writing, Utah's Consumer Privacy Act is the newest law in the US. Its provisions don't affect existing businesses until December 31st, 2023. Like Colorado, the Utah law has no revenue threshold.
The Utah law is more limited than other state laws. For example, consumers can only request the right to delete data they themselves provide to a data controller. Additionally, consumers cannot appeal denials of requests to opt out of profiling or correct personal data.
The European Union's General Data Protection Regulation (GDPR) is the original PII protection law. It's the law that many other laws (including US state laws) use as a model.
Passed in 2016 and made effective on May 25th, 2018, the GDPR sought to end deceptive practices in data collection on the Web. Website visitors must explicitly opt-in to data collection under most circumstances.
The key exception is the "legitimate interest" basis. If a company believes it has a legitimate interest in overriding a user's right to consent and that processing is purposeful and necessary, it can bypass explicit consent. For example, an insurance company may use legitimate interest to process data as part of a fraud detection initiative.
GDPR also strictly regulates PII. It states that any PII collected must be either anonymized or pseudonymized.
GDPR also implemented other key rights reflected in the current US state laws, including the right to be forgotten.
Australia's 1988 Privacy Act is one of the world's oldest. However, it imposes less stringent requirements than laws such as GDPR and CCPA.
The Privacy Act limits what information companies can collect from consumers, for what purposes, and with whom they may share it. Companies may only collect information for a specific purpose and then must delete it when that purpose has been fulfilled. The Act also obligates companies to provide timely notices of data breaches.
India's Digital Personal Data Protection Bill of 2022 is a proposed revision to its 2018 law. The law would pertain only to online data and would require consent to collect data unless doing so is deemed "in the public interest."
Consumers have a right to know what data a company collects on them and to correct that data. Companies must also take "reasonable" precautions to prevent data breaches and inform consumers when they occur.
Fines under the India law aren't defined explicitly for specific infractions. However, they can total up to USD $60 million in the event of a severe data breach.
Brazil's General Data Protection Law (LGPD) is closely modeled after the EU's GDPR. Enforcement took effect in August 2021.
The LGPD generally provides the same rights to know about, collect, and delete data that the GDPR affords. It also defines 10 legal bases for companies to process data, the first of which is consent. Businesses may also process data in certain other circumstances, including to comply with the law or to protect the life and safety of an individual.
Canada's Personal Information Protection and Electronic Documents Act (PIPEDA) is an older law dating back to 2000.
PIPEDA requires "meaningful consent" to process PII and affords users the right to access their data. Unlike GDPR, it does not provide a right to deletion. However, companies are bound to delete any PII once the purpose for collecting it has been fulfilled.
PIPEDA applies to any business that markets its service to Canadians or has a "meaningful" connection to Canada.
China's Personal Information Protection Law (PIPL) applies to any company that processes Chinese citizens' data inside or outside China.
Like other laws I've discussed here, the PIPL implements many of the protections of the GDPR. However, it differs in key points.
The most significant departure is that there is no "legitimate interest" basis on which companies may process someone's data. Companies may bypass consent if they meet one of six exception criteria. However, some experts say these criteria are vague and open to interpretation.
Additionally, the PIPL states that data of "certain quantities" may only be processed in China. The law itself isn't clear what this threshold is.
How does a business comply with such a wide array of laws? The answer: automation. Your company must define automatic procedures and processes to protect and secure customers' data. Additionally, you need tools to respond to users' requests to view and even delete their data from your systems. Businesses operating globally must also keep the US PII laws in view alongside the international ones.
Data Loss Prevention (DLP) tools like Strac can help. Strac prevents sensitive information from leaking into your business productivity tools such as Microsoft 365, Slack, and ZenDesk. Such loss makes adhering to PII laws like GDPR nearly impossible. With Strac, you can prevent these losses from ever happening in an automated, scalable fashion.
Contact us today for a demo to learn more!