Big Data is a huge phenomenon in the United States.  Companies from a vast variety of industries are benefitting from the collection, analysis, and manipulation of massive amounts of data from a wide variety of sources.  Many analysts predict explosive growth for the future of Big Data.  In a 2011 report, for instance, the McKinsey Global Institute predicted an astonishing 40 percent global growth in the amount of data being generated each year.

Given its importance and potential, as well as the potential privacy concerns that it can raise, Big Data has been the recipient of a tremendous amount of attention from industry groups and policymakers alike. For example, last year, the Obama Administration announced the Big Data Research and Development Initiative.  As part of this program six federal departments and agencies announced more than US$200 million in commitments intended to improve the tools and techniques needed to access, organise, and glean discoveries from Big Data.

Current regulation of Big Data

In the United States, there are no laws that currently regulate Big Data specifically.  Rather, companies seeking to participate in Big Data operations must ensure that their proposed activities comply with privacy laws that are applicable to the data involved in their operations, as well as the companies' own privacy policies and all applicable contractual requirements. For example, financial institutions that wish to use non-public personal information (NPI) in connection with data processing operations will need to ensure that they are in compliance with the Gramm-Leach-Bliley Act (GLBA). As another example, entities that are subject to the Health Insurance Portability and Accountability Act (HIPAA) will need to ensure that their use of Protected Heath Information (PHI) complies with the requirements of HIPAA or that any PHI is effectively anonymised in accordance with the requirements of HIPAA.  Companies will, of course, also need to comply with all other applicable privacy and data security laws, including laws regarding privacy policy disclosures, such as the California Online Privacy Protection Act, laws concerning data breaches and regulations mandating data security requirements, such as the Massachusetts Data Security regulations.

In order to minimise some of the risks that may be associated with the use of Big Data, companies often elect to anonymise or de-identify the data prior to conducting analyses or sharing the information with third parties. Anonymisation of data can be a very effective mechanism for allowing a company to manipulate, analyse, and study data without needing to be concerned about privacy considerations. Applicable law recognises the ability of companies to use de-identified data outside of the confines of legislatively established privacy-related limitations.  For instance, under regulations issued pursuant to the Fair Credit Reporting Act, the definition of "consumer information" specifically excludes "information that does not identify individuals, such as aggregate information or blind data." Similarly, under the GLBA, the definition of "personally identifiable financial information" specifically excludes: "information that does not identify a consumer, such as aggregate information or blind data that does not contain personal identifiers such as account numbers, names, or addresses." Exceptions to privacy requirements for de-identified data also exist under HIPAA. Companies using data that is strictly anonymised will still need to ensure that their conduct complies with their own privacy policies and contractual obligations, and, of course, will need to ensure that the data at issue is truly anonymous.

Future regulatory issues

The Federal Trade Commission (FTC) has also been paying attention to the issue of Big Data and in June 2013, one FTC Commissioner proposed an initiative that would give individuals greater awareness and control over the data that is held about them by data brokers and others involved in Big Data initiatives. The proposal, "Reclaim Your Name," would create an online portal where data brokers would describe their data collection practices and their consumer access policies.  Individuals would also have the right to opt out of the sale of their information for marketing purposes and have the right to correct errors in data used for important purposes such as credit approval, employment, and purchasing insurance.  Although the suggested initiative was merely an idea presented at a conference, companies involved in Big Data operations are advised to remain vigilant about possible initiatives, such as this proposed program, that would place greater burdens on those that compile, acquire, or use Big Data.

More recently, in May 2014, the White House released a report examining how Big Data impacts individual privacy.  The report recommended that Congress pass national data breach legislation, extend privacy protections to non-U.S. citizens, and update the Electronic Communications Privacy Act and provide greater protections for student privacy, but did not call for specific legislation to regulate Big Data.

At the time of writing, there has not been any significant progress at either the state or federal level on legislative efforts to regulate Big Data.  As recognition of both its promises and pitfalls continue to grow, it appears likely that legislators will continue to analyse whether additional legislative measures are necessary or advisable to respond to the current explosion of Big Data.