All questions

Data protection

The United States has no centralised data protection agency. There are federal laws regarding the protection of financial and medical data. Some states have their own data protection laws, which vary from state to state.

i Requirements for registration

There are no data processing registration requirements under United States law. For multinational companies operating in the United States, the EU–US Privacy Shield (which replaced the Safe Harbour scheme, which was invalidated in October 2015) provides a means by which companies can lawfully export data from the European Union to the United States, under certain conditions. The Privacy Shield allows a company that wants to transfer personal data from the European Union to the United States to do so by having its US counterpart notify the Department of Commerce that it has adopted the Privacy Shield Principles agreement. The Privacy Shield is a self-certification registry that must be confirmed annually to the US Department of Commerce.

ii Cross-border data transfers

Cross-border data transfers are not regulated under US law. The Privacy Shield (discussed in subsection i) provides a mechanism by which multinational companies can transfer data from the European Union to the United States in compliance with EU data protection laws.

iii Sensitive data

There is some protection of sensitive data in the United States. For example, the Health Insurance Portability and Accountability Act (HIPAA) seeks to protect the privacy of employees' health information in the health insurance context. HIPAA also encourages healthcare providers and insurers to store and transfer health information electronically. The Americans with Disabilities Act also requires employers to maintain employees' health information securely and confidentially, and to store such information separately from an employee's general personnel or employment records.

The Fair Credit Reporting Act (FCRA) seeks to protect the privacy of consumers' financial (and especially credit) information. To this end, the FCRA imposes obligations on consumer credit reporters to investigate and verify the accuracy of consumers' credit information, at their request.

iv Background checks

The permissibility (or mandatory nature) of criminal and credit-related background checks generally varies by state and occupation. At the federal level, the FCRA creates procedural requirements for background checks performed on applicants or employees by third-party providers, which regulate both criminal history and credit-related background checks. Many states require a criminal background check for employees in certain occupations such as those working in childcare, primary education, nursing, law enforcement and prison security. Some states authorise background checks either expressly or implicitly, but do not require employers to request them.

Increasingly, as noted above, states and localities are placing limits on an employer's ability to use criminal records uncovered in a background check to disqualify an applicant, particularly where the job raises few concerns regarding security, safety or confidentiality, and on the timing for an employer to conduct a background check during the hiring process (ban-the-box laws). New York City passed such a law, dubbed the New York City Fair Chance Act, which took effect on 27 October 2015. As discussed in Section II.iii, Kansas, Michigan and Washington all passed or had ban-the-box laws take effect in 2018. Numerous other states and cities, including but not limited to Illinois, Massachusetts, New Jersey and the District of Columbia, and the cities of Chicago (Illinois), Philadelphia (Pennsylvania), Portland (Oregon), San Francisco (California) and Seattle (Washington), also have laws restricting the timing of criminal background checks in the hiring process or the use of criminal records in employment.

Additionally, a number of states and cities strictly limit or prohibit in most contexts an employer's use of credit history to disqualify an applicant for employment, including California, Connecticut, Illinois, Maryland, the District of Columbia, and the cities of New York City and Philadelphia.