Legitimate processing of PII

Legitimate processing – grounds

Does the law require that the holding of PII be legitimised on specific grounds, for example to meet the owner’s legal obligations or if the individual has provided consent?

US privacy laws generally do not limit the retention of PII to certain specified grounds. There are, however, laws that may indirectly affect an organisation’s ability to retain PII. For example, organisations that are collecting personal information online from California residents must comply with the California Online Privacy Protection Act. Pursuant to this law, and general consumer expectations in the United States, the organisation must provide a privacy notice detailing the PII the company collects and how it is used. If the organisation uses the PII in materially different ways than those outlined in the privacy notice without providing notice and obtaining consent for such uses from the relevant consumers, these uses would likely be considered a deceptive trade practice under federal and state unfair competition laws. Similar laws are in place in Delaware and Nevada.

Legitimate processing – types of PII

Does the law impose more stringent rules for specific types of PII?

Since the United States does not have a dedicated data protection law, there is no singular concept of ‘sensitive data’ that is subject to heightened standards. There are, however, certain types of information that generally are subject to more stringent rules, which are described below.


Sensitive data in the security breach notification context

To the extent an organisation maintains individuals’ names plus their social security numbers, driver’s licence numbers or financial account numbers, notification generally is required under state and federal breach notification laws to the extent the information has been acquired or accessed by an unauthorised third party. Some states include additional data elements that could trigger breach notification. These include medical information, insurance information, biometrics, email addresses, and passwords to online accounts.


Consumer report information

The Fair Credit Reporting Act (FCRA) seeks to protect the confidentiality of information bearing on the creditworthiness and standing of consumers. The FCRA limits the permissible purposes for which reports that contain such information (known as consumer reports) may be disseminated, and consumer reporting agencies must verify that anyone requesting a consumer report has a permissible purpose for receiving the report.


Background screening information

Many sources of information used in background checks are considered public records in the United States, including criminal, civil court, bankruptcy, tax lien, professional licensing, workers’ compensation and driving records. The FCRA imposes restrictions on the inclusion of certain public records in background screening reports when performed by consumer reporting agencies. Employers also can investigate job applicants and employees using internet search engines, but they must comply with their legal obligations under various labour and employment laws to the extent such laws restrict the use of the information. For instance, consideration of factors such as age, race, religion, disability, or political or union affiliation in making employment decisions can be the basis for a claim of unlawful discrimination under federal or state law.


Health information

The Health Insurance Portability and Accountability Act of 1996 (HIPAA) specifies permissible uses and disclosures of protected health information (PHI), mandates that HIPAA-covered entities provide individuals with a privacy notice and other rights, regulates covered entities’ use of service providers (known as business associates), and sets forth extensive information security safeguards relevant to electronic PHI.


Children’s information

The Children’s Online Privacy Protection Act (COPPA) imposes extensive obligations on organisations that collect personal information online from children under 13 years of age. COPPA’s purpose is to provide parents and legal guardians greater control over the online collection, retention and disclosure of information about their children.

Under the Privacy Rights for California Minors in the Digital World law, California minors who are registered users of a website, online service or mobile application may seek the removal of content and information that the minors have posted. A ‘minor’ is defined as a California resident under the age of 18.

The California Consumer Privacy Act of 2018 prohibits a business from selling a minor’s personal information unless:

  • the consumer is between 13 and 16 years of age and has affirmatively authorised the sale (ie, they opt in); or
  • the consumer is less than 13 years of age and the consumer’s parent or guardian has affirmatively authorised the sale.


Biometric information

Illinois, Texas and Washington have enacted biometric privacy laws that set forth requirements for businesses that collect and use biometric information for commercial purposes. These laws generally require companies to provide notice to individuals and obtain their affirmative consent before using their biometric identifiers for commercial purposes. The laws also require companies to implement security measures to protect the biometric information they maintain and to retain biometric identifiers for no longer than necessary to comply with the law, to protect against fraud, criminal activity, security threats or liability, or to provide the service for which the biometric identifier was collected.


State social security number laws

Numerous state laws impose obligations concerning the processing of social security numbers (SSNs). These laws generally prohibit:

  • intentionally communicating SSNs to the general public;
  • using SSNs on identity cards required for individuals to receive goods or services;
  • requiring that SSNs be used in internet transactions unless the transaction is secure or the SSN is encrypted or redacted;
  • requiring an individual to use an SSN to access a website unless another authentication device is also used; and
  • mailing materials with SSNs (subject to certain exceptions).


Several state laws also impose restrictions targeting specific SSN uses.

Data handling responsibilities of owners of PII


Does the law require owners of PII to notify individuals whose PII they hold? What must the notice contain and when must it be provided?

For organisations not otherwise subject to specific regulation, the primary law requiring them to provide a privacy notice to consumers is the California Online Privacy Protection Act. This law requires a notice when an organisation collects personal information from individuals in the online and mobile contexts. The law requires organisations to specify in the notice:

  • the categories of PII collected through the website;
  • the categories of third-party persons or entities with whom the operator may share the PII;
  • the process an individual must follow to review and request changes to any of his or her PII collected online, to the extent such a process exists;
  • how the operator responds to web browser ‘do-not-track’ signals or similar mechanisms that permit individuals to exercise choice regarding the collection of their PII online over time and across third-party websites or online services, if the operator engages in such collection;
  • whether third parties collect PII about individuals’ online activities over time and across different websites when an individual uses the operator’s website or online service;
  • the process by which consumers who visit the website or online service are notified of material changes to the privacy notice for that website; and
  • the privacy notice’s effective date.


Delaware and Nevada have also enacted laws that require operators of commercial internet services to provide similar information to their users when collecting PII online.

The California Consumer Privacy Act (CCPA) also imposes specific privacy notice disclosure requirements, which apply to personal information collected both online and offline. For example, businesses must provide notice to consumers of their rights under the CCPA (eg, the right to opt-out of the sale of personal information) and how to exercise those rights. The CCPA also requires a business to include the following in its privacy notice:

  • a list of the categories of personal information collected about consumers in the preceding 12 months;
  • the categories of sources from which the personal information was collected;
  • the business or commercial purpose for collecting or selling the information;
  • the categories of third parties with whom the personal information is shared; and
  • lists of the categories of personal information sold and disclosed about consumers if the business sells consumers’ personal information or discloses it to third parties for a business purpose.


If the business sells personal information, it must provide a clear and conspicuous link on its website that says ‘Do not sell my personal information’ and provide consumers with a mechanism to opt out of the sale of their personal information, a decision the business must respect. Companies must update their notices at least once every 12 months. The CCPA also imposes a limited notice obligation in the employment context.

In addition to the California, Delaware and Nevada state laws, several federal laws require a privacy notice to be provided in certain circumstances, such as the following.


Children’s Online Privacy Protection Act

Under the Children’s Online Privacy Protection Rule of the Federal Trade Commission (FTC), implemented under the Children’s Online Privacy Protection Act (COPPA), operators of websites or online services that are directed to children under 13 years old, or who knowingly collect information from children online, must provide a conspicuous privacy notice on their site. The notice must include statutorily prescribed information, such as the types of personal information collected, how the operator will use the personal information, how the operator may disclose the personal information to third parties, and details regarding a parent’s ability to review the information collected about a child and opt-out of further information collection and use. In most cases, an operator that collects information from children online also must send a direct notice to parents that contains the information set forth above along with a statement that informs parents the operator intends to collect the personal information from their child. The operator also must obtain verifiable parental consent before collecting, using or disclosing personal information from children.


Fair Credit Reporting Act and Fair and Accurate Credit Transactions Act

The Fair Credit Reporting Act (FCRA), as amended by the Fair and Accurate Credit Transactions Act of 2003 (FACTA), imposes several requirements on consumer reporting agencies to provide consumers with notices, including in the context of written disclosures made to consumers by a consumer reporting agency, identity theft, employment screening, pre-screened offers of credit or insurance, information sharing with affiliates, and adverse actions taken based on a consumer report.


Gramm-Leach-Bliley Act

Financial institutions must provide an initial privacy notice to customers by the time the customer relationship is established. If the financial institution shares non-public personal information with non-affiliated third parties outside of an enumerated exception, the entity must provide each relevant customer with an opportunity to opt out of the information sharing. Following this initial notice, financial institutions subject to the Gramm-Leach-Bliley Act (GLB) must provide customers with an annual notice. The annual notice is a copy of the full privacy notice and must be provided to customers each year for as long as the customer relationship persists. For ‘consumers’ (individuals who have obtained a financial product or service for personal, family or household purposes but do not have an ongoing, continuing relationship with the financial institution), a notice generally must be provided before the financial institution shares the individual’s non-public personal information with third parties outside of an enumerated exception. A GLB privacy notice must explain what non-public personal information is collected, the types of entities with whom the information is shared, how the information is used, and how it is protected. The notice also must indicate the consumer’s right to opt out of certain information sharing with non-affiliated parties. In 2009, the federal financial regulators responsible for enforcing privacy regulations implemented pursuant to GLB released model forms for financial institutions to use when developing their privacy notices. Financial institutions that use the model form in a manner consistent with the regulators’ published instructions are deemed compliant with the regulation’s notice requirements. In 2011, the Dodd-Frank Wall Street Reform and Consumer Protection Act transferred the GLB privacy notice rule-making authority from the financial regulatory agencies to the Consumer Financial Protection Bureau (CFPB). The CFPB then restated the GLB implementing regulations, including those pertaining to the model form, in Regulation P.


Health Insurance Portability and Accountability Act

The Privacy Rule promulgated under the Health Insurance Portability and Accountability Act of 1996 (HIPAA) requires covered entities to provide individuals with a notice of privacy practices. The Rule imposes several content requirements, including:

  • the covered entities’ permissible uses and disclosures of protected health information (PHI);
  • the individual’s rights concerning the PHI and how those rights may be exercised;
  • a list of the covered entity’s statutorily prescribed duties concerning the PHI; and
  • contact information for the individual at the covered entity responsible for addressing complaints regarding the handling of PHI.


Exemption from notification

When is notice not required?

Notice would not be required if a business is subject to specifically regulated scenarios.

Control of use

Must owners of PII offer individuals any degree of choice or control over the use of their information? In which circumstances?

In the regulated contexts discussed above, individuals are provided with limited choices regarding the use of their information. The choices depend on the underlying law. Under the GLB, for example, customers and consumers have a legal right to opt out of having their non-public personal information shared by a financial institution with third parties (outside an enumerated exception). Similarly, under the FCRA, as amended by FACTA, individuals have a right to opt out of having certain consumer report information shared by a consumer reporting agency with an affiliate, in addition to a further opt-out opportunity before an affiliate uses a broader set of consumer report information for marketing purposes. Federal telemarketing laws and the Controlling the Assault of Non-Solicited Pornography and Marketing Act of 2003 give individuals the right to opt out of receiving certain types of communications, as do similar state laws.

Also, California’s Shine the Light Law generally requires companies that collect personal information from California residents either to tell those individuals, on request, which third parties the organisation shared their personal information with for the third parties’ direct marketing purposes during the preceding calendar year or, alternatively, to give the individuals the right to opt out of such third-party sharing. This right is expanded in the CCPA, which provides that, upon request from a California consumer, an organisation must disclose:

  • the categories and specific pieces of personal information the business has collected about the consumer;
  • the categories of sources from which the personal information is collected;
  • the business or commercial purposes for collecting or selling personal information;
  • the categories of third parties with whom the business shares personal information;
  • if applicable, the categories of personal information about the consumer the business has disclosed for a business purpose and the categories of third parties to whom each category of personal information was disclosed; and
  • if applicable, the categories of personal information about the consumer the business has sold and the categories of third parties to whom each category of personal information was sold.


Under the CCPA, a consumer also has the right to request that a business delete any personal information about the consumer that the business has collected from the consumer. The CCPA also provides consumers with the right to opt out of the sale of their personal information.

As the primary regulator of privacy issues in the United States, the FTC periodically issues guidance on pressing issues. In the FTC’s 2012 report titled ‘Protecting Consumer Privacy in an Era of Rapid Change’, the FTC set forth guidance indicating that organisations should provide consumers with choices concerning uses of personal information that are inconsistent with the context of the interaction through which the organisation obtained the personal information. In circumstances where the use of the information is consistent with the context of the transaction, the FTC indicated that offering such choices is not necessary.

Data accuracy

Does the law impose standards in relation to the quality, currency and accuracy of PII?

There is no existing law of general application in the United States that imposes standards related to the quality, currency and accuracy of PII. There are laws, however, in specific contexts that contain standards intended to ensure the integrity of personal information maintained by an organisation. The FCRA, for example, requires users of consumer reports to provide consumers with notices if the user will be taking an adverse action against the consumer based on information contained in a consumer report. These adverse action notices must provide the consumer with information about the consumer’s right to obtain a copy of the consumer report used in making the adverse decision and to dispute the accuracy or completeness of the underlying consumer report. Similarly, under the HIPAA Security Rule, covered entities must ensure, among other things, the integrity of electronic PHI.

Amount and duration of data holding

Does the law restrict the amount of PII that may be held or the length of time it may be held?

Existing US privacy laws generally do not impose direct restrictions on an organisation’s retention of personal information. There are, however, thousands of records retention laws at the federal and state level that impose specific obligations on how long an organisation may (or must) retain records, many of which cover records that contain personal information.

Finality principle

Are the purposes for which PII can be used by owners restricted? Has the ‘finality principle’ been adopted?

US privacy laws have not specifically adopted the finality principle. As a practical matter, organisations typically describe their uses of personal information collected from consumers in their privacy notices. To the extent an organisation uses the personal information it collects subject to such a privacy notice for materially different purposes than those outlined in the notice, such a practice would likely be considered a deceptive trade practice under federal and state consumer protection laws.

Use for new purposes

If the finality principle has been adopted, how far does the law allow for PII to be used for new purposes? Are there exceptions or exclusions from the finality principle?

In the United States, organisations must use the personal information they collect in a manner that is consistent with any privacy representations they have made in their privacy notices or otherwise. To the extent an organisation would like to use previously collected personal information for a materially different purpose, the FTC and state attorneys general would expect the organisation to first obtain opt-in consent from the consumer for such use. Where the privacy notice is required by a statute (eg, a notice to parents under COPPA), failure to handle the PII as described in such a notice also may constitute a violation of the statute.

Law stated date

Correct on

Give the date on which the information above is accurate.

4 June 2021.