Consumer Data Privacy Laws
Everything you need to know about consumer data privacy laws so you can mitigate risk and stay compliant
Just one. That’s all it takes. One enforcement action, one breach, one lawsuit. Privacy and data security law is fast-moving with enormous downside risk, requiring constant vigilance to protect your organizations and your clients. Map your strategy with Bloomberg Law’s essential news, expert analysis, and practice tools.
Data privacy law topics
GDPR
California Consumer Privacy Laws
Virginia Consumer Data Protection Act (VCDPA)
Stay ahead of complex requirements and comply with confidence
From risk mitigation and compliance challenges to legislative initiatives impacting how companies do business, Bloomberg Law closely tracks today’s shifting policy landscape to deliver actionable intelligence for law firms and corporate counsel.
State Chart Builders
Save hours of research time. Automatically generate state-by-state comparisons of data breach notice requirements for more than 20 subtopics across all 50 states.
Practical Guidance
Precise answers for what you need to know. Rely on our FAQs about recently enacted consumer privacy legislation in the EU, Calif., Colo., and Va. with data collection and management Practical Guidance.
In Focus resources
Save valuable time with In Focus: Virginia Privacy, our all-in-one resource on the VCDPA, including the latest news, analysis, Practical Guidance, and additional resources interpreting the impact of the new law.
Why are data privacy laws important?
Today’s tech-driven world has opened the floodgates to unprecedented flows of information and communication. However, with increased connectivity and a lack of regulation, data security risks loom over businesses and consumers. As data breaches and cyberattacks become more common, there is a growing concern about how personal information is being used, processed, and stored by businesses and organizations.
Consumers provide companies with a great deal of personal information, including sensitive data about their finances, health, and other records that can expose them to identity theft and fraud. Oftentimes, consumers don’t fully understand how companies will use their information or if they’ll share it with others. Consumers may be unaware that they have certain rights regarding the use of their information.
Legislators around the world are trying to keep pace with new and emerging cyber threats and vulnerabilities to ensure privacy rights are safeguarded. Europe and the U.S. are paving the way toward stronger data regulation and oversight. In 2018, the EU passed the General Data Protection Regulation (GDPR), which is a key piece of legislation that regulates the collection and management of data. The U.S., on the other hand, has a handful of federal laws that protect privacy in certain contexts, such as the Privacy Act of 1974, the Health Insurance Portability and Accountability Act (HIPAA), the Children’s Online Privacy Protection Act (COPPA), among a few others. But unlike the EU, currently there is no comprehensive federal law that protects data and privacy in the U.S. Instead, a patchwork of state laws has provided varying degrees of protection to consumer data and privacy information.
Privacy professionals are facing heavier workloads and an expanding list of responsibilities to keep up with this increased scrutiny and complicated compliance requirements.
How privacy laws protect consumer data
Consumer data privacy laws create standards about how businesses collect, use, and store sensitive consumer data. These laws are critical given the abundance of data breaches. Privacy laws typically fall into two categories, vertical and horizontal:
- Vertical privacy laws protect medical records and financial data (such as an individual’s health and financial status).
- Horizontal privacy laws focus on how organizations use sensitive consumer information (such as biometric data and fingerprints) or other personally identifiable information (such as names and addresses).
Both types of laws are important tools in legislative efforts to protect privacy rights. Vertical privacy policies can be an effective way to target risks to specific types of consumer data, while horizontal privacy regulations apply more generally to the processing of all personal data across technologies and industries.
What personal information is protected by data privacy laws?
Personally identifiable information (PII)
Personally identifiable information (PII) refers to information that can be used, directly or indirectly, to identify an individual. PII is the most accessible and least regulated type of data, and it can be either sensitive or nonsensitive. Examples include:
- Name
- Address
- Birthday
- Driver’s license number
- Biometric records
Personal information (PI)
Personal information (PI) includes any information that could be linked to a person, such as:
- IP address
- Contact information
- Employment history
- Voting records
- Religious affiliation
- Sexual orientation
Not all PI is PII. However, all PII is PI, since PI is the broader category of information relating to a person's identity.
Sensitive personal information (SPI)
A term first covered under the California Privacy Rights Act (CPRA), sensitive personal information (SPI) is personal information that has the potential to cause harm if released to the public. Examples of SPI include:
- Social Security number
- Passport number
- Medical records
- Financial statements
- Password credentials
Data privacy policy
Data privacy policies are an important tool that can help businesses stay compliant. A data privacy policy informs consumers how a business will collect, use, store, share, and transfer personal information. These policies also allow companies to garner goodwill and trust from consumers by emphasizing the companies’ respect for consumer privacy and transparency about their practices.
Federal data privacy laws
The U.S. does not yet have a comprehensive federal consumer data protection law that covers all varieties of private data. But it does have several federal laws that protect specific data sets, such as the U.S. Privacy Act of 1974, HIPAA, COPPA, and the Gramm-Leach-Bliley Act. As processing and storing data becomes even more essential to businesses, consumers can anticipate more states – and potentially the federal government – will pass comprehensive data privacy laws.
U.S. Privacy Act of 1974
The Privacy Act of 1974 establishes rules for collecting, maintaining, using, and disseminating personal information by all federal agencies. Individuals have the right to know what information is being collected, how that data is being utilized, and the ability to request corrections.
HIPAA
HIPAA protects a person’s medical records by setting national standards for privacy, confidentiality, and consent.
COPPA
COPPA regulates how personal information is collected from children under the age of 13. Online operators must get parental consent, disclose how the information is handled, and allow a child’s guardian to access or delete the information under COPPA.
Gramm-Leach-Bliley Act
The Gramm-Leach-Bliley Act, enacted in 1999, allows commercial and investment banks, securities firms, and insurance companies to consolidate, in addition to protecting the privacy of consumers’ financial information.
Which states have consumer data privacy laws?
More than a dozen states have enacted comprehensive consumer data privacy laws. And with several privacy bills currently on statehouse dockets, that list is growing.
- California
- Colorado
- Connecticut
- Delaware
- Indiana
- Iowa
- Montana
- Oregon
- Tennessee
- Texas
- Utah
- Virginia
Which states have enacted tailored privacy legislation?
- Nevada
- Maine
- Michigan
- Minnesota
- Vermont
How are other countries handling consumer data protection?
Across the globe, 137 out of 194 countries have enacted legislation to protect data and privacy. Bloomberg’s State and International Chart Builders – which simplify compliance by providing quick reference comparisons of statutory and regulatory requirements across jurisdictions – give subscribers a snapshot of these varying rules and regulations.
EU’s GDPR
The EU’s General Data Protection Regulation (GDPR) is considered the most comprehensive data protection legislation passed to date. The GDPR establishes seven main principles of data privacy:
- Lawfulness, fairness, and transparency
- Purpose limitation
- Data minimization
- Accuracy
- Storage limitation
- Integrity and confidentiality
- Accountability
The GDPR establishes a single EU-wide data protection law that is intended to strengthen consumer data protection rights and the obligations of those who process and determine the processing of personal data. The GDPR provides EU citizens with specific rights regarding the use and storage of their personal data and applies to any entity in the EU that processes such data.
China’s PIPL
China’s Personal Information Protection Law (PIPL), which went into effect on Nov. 1, 2021, is a crucial international privacy and data security law. PIPL is the first national law in China to comprehensively regulate the protection of personal information (PI). PIPL governs the processing of PI within the People’s Republic of China. However, like the GDPR, the law has extraterritorial reach to organizations outside the country, and it gives individuals the right to decide on, limit, or object to the use of their PI.
Track the latest consumer data privacy laws and developments with Bloomberg Law
The rapidly changing landscape of consumer data privacy laws and regulations across the globe can make it difficult for organizations to stay up to date with the requirements that apply to them. Bloomberg Law provides comprehensive resources to handle multifaceted regulatory and compliance initiatives. Our expert analysis and practice tools help you stay current with the latest developments and navigate the complex patchwork of legal and regulatory requirements at the state, federal, and international levels.
Want to learn more? Download a complimentary copy of our 30-page Privacy and Data Security Special Report, which details a new wave of security vulnerabilities that in-house teams face and guidance on how to minimize risks.
Ready to get started? Request a demo to take a tour of Bloomberg Law and see our consumer data privacy resources in action.