Collection and storage of data

Collection and management
In what circumstances can personal data be collected, stored and processed?

The standards for data collection, storage and processing vary between the many privacy and data protection laws. That said, a common theme is that personal data can be collected, stored and processed as long as the data subject has adequate notice of the collection, storage and processing, as appropriate to the sensitivity of the data.

Are there any limitations or restrictions on the period for which an organisation may (or must) retain records?

Although record retention obligations arise from other sources of law, no general limitations or restrictions on data retention from US privacy or data protection laws exist. However, guidance on fair information practices provides that the retention should be appropriate to the purposes for which the data was collected or otherwise harmonious with the notice provided to data subjects. At a minimum, if retention would violate privacy commitments made to data subjects (eg, from a privacy policy) that would be a deceptive business practice and thus prohibited. 

Do individuals have a right to access personal information about them that is held by an organisation?

Generally, the right to access and correct personal information is encouraged as a fair information principle, but there is no general legal obligation to provide a right of access. However, a number of sector-specific data protection laws (eg, the Fair Credit Reporting Act, the Children's Online Privacy Protection Act (COPPA) and the Health Insurance Portability and Accountability Act (HIPAA)) include such a right. The rights of access in the Fair Credit Reporting Act are particularly robust and likely inspired other international access rights.

Do individuals have a right to request deletion of their data?

The Fair Credit Reporting Act and certain state laws that are similar to the act provide a right to dispute inaccurate or out-of-date information, and certain types of information (eg, late payments) must be removed from consumer credit reports after specified periods. COPPA permits parents to request the deletion of data regarding their children under 13 years old, and a California state law for minors’ online data (Cal Bus and Prof Code 22580-81) provides a right to request the removal of content or information posted online by a minor. Outside these limited contexts, no general right to request deletion or to be forgotten exists for accurate data in the United States. Indeed, a general governmental obligation to require someone to delete accurate records would likely raise First Amendment free speech issues under the federal and state constitutions.

Consent obligations
Is consent required before processing personal data?

Depending on the sensitivity of the data, or prior data protection commitments made to data subjects, consent may be required before processing personal data. For example, in its March 2012 report Protecting Consumer Privacy in an Era of Rapid Change, the Federal Trade Commission (FTC) stated that “Companies should obtain affirmative express consent before (1) using consumer data in a materially different manner than claimed when the data was collected; or (2) collecting sensitive data for certain purposes”. In this report, the FTC provided examples of sensitive data such as:

  • children’s data;
  • financial and health information;
  • social security numbers; and
  • certain geolocation data.

In addition, sector-specific privacy and data protection laws may have specific consent requirements. For instance, under HIPAA, patient authorisation is required to process protected health information except as specifically permitted or required by HIPAA. For example, only with consent can covered healthcare providers use and disclose protected health information to treat an individual or seek payment for the provision of healthcare services. Other exceptions that further important public policy objectives (eg, public health activities) allow the processing of protected health information in the absence of consent only if certain safeguards are present or requirements are met. Consent may be required to share certain non-public personal financial information with unaffiliated third parties under the Gramm-Leach-Bliley Act. Parental consent is required before collecting and processing personal information online from children under COPPA. Consent is also required for some uses of customer data under the Communications Act. That said, no general requirement to obtain consent exists.

If consent is not provided, are there other circumstances in which data processing is permitted?

No general statute requires data subjects’ consent before processing personal data, and so data processing is permitted whenever it is not restricted. The FTC has recognised that even where explicit consent is unnecessary, some form of consent might still be required under the circumstances. In general, privacy policies are used in the United States as a form of implied consent, particularly in the online context, as policies frequently make access and use of a website or online service constitute acceptance of an online privacy policy. Certain data processing may also be performed even without the data subject’s consent – for example, in order to comply with legal requirements or processes such as a subpoena, court order or regulatory reporting process.

What information must be provided to individuals when personal data is collected?

When notice is required, content may be specified under certain sector-specific privacy and data protection laws. For example, HIPAA regulates the content of privacy practices notices in the healthcare context. The Gramm-Leach-Bliley Act requires regular notice of privacy practices, and certain regulators have issued model form notices. State laws may also specify the content of privacy policies, in particular for online or mobile privacy policies such as under the California Online Privacy Protection Act (Cal Bus and Prof Code § 22575 and following) or the more recent Delaware Online Privacy and Protection Act at Title 6 of the Delaware Code. 

Data transfer and third parties

Cross-border data transfer
What rules govern the transfer of data outside your jurisdiction?

Consistent with the national commitment to free and fair trade, no specific rules govern the transfer of data outside of the United States, beyond the basic fair information principles for notice and prohibitions on deceptive or unfair business practices that may apply to any processing or disclosures of data inside or outside of the country. 

Are there restrictions on the geographic transfer of data?

Generally, no.

Third parties
Do any specific requirements apply to data owners where personal data is transferred to a third party for processing?

On a practical level, written agreements with third-party vendors are either required or highly recommended. Depending on the context and nature of the data, data owners may be required to execute agreements (eg, a business associate agreement under the Health Insurance Portability and Accountability Act) or otherwise exercise oversight for third parties to which they transfer personal data for processing. For example, under the Massachusetts information security regulations (201 Mass Code Regs § 17.02), requirements must be passed to third-party vendors engaging in business with entities subject to the regulation (id § 17.03(2)(f)). Similarly, banking institutions regulated under the Gramm-Leach-Bliley Act must impose contractual data security obligations on their vendors and service providers. Moreover, companies must take reasonable steps to select and retain third-party service providers capable of maintaining appropriate security measures, and must contractually require that the third-party service providers implement and maintain appropriate security measures for any personal information or data. Further, companies are often held responsible for the information practices and, in particular, the information security practices of the service providers or vendors which they select to process personal information. 