
Collection and storage of data

Collection and management

In what circumstances can personal data be collected, stored and processed?

Requirements for the collection, storage and processing of data vary across the different state and federal privacy laws.  As a general matter, data must be processed in accordance with the terms of representations the organisation has made to consumers (eg, in a privacy policy) in order to avoid a deceptive practice under Section 5 of the Federal Trade Commission (FTC) Act. Regarding healthcare, using individuals’ health information for marketing purposes under the Health Insurance Portability and Accountability Act generally requires authorisation from the individual.  

Are there any limitations or restrictions on the period for which an organisation may (or must) retain records?

Privacy laws in the United States typically do not restrict an organisation’s ability to retain the personal information it holds. However, thousands of records retention laws at federal and state level impose specific obligations on organisations with respect to the retention of certain types of records. Many of these records retention laws apply to records that contain individuals’ personal information.

Do individuals have a right to access personal information about them that is held by an organisation?

In general, individuals do not have a right to request access to personal information about them that is held by an organisation, subject to a few exceptions. 

The Children’s Online Privacy Protection Act, for example, provides for certain data access rights, requiring entities to enable parents to review personal information collected online from children. Additionally, under the Health Insurance Portability and Accountability Act, a data subject has a right to request access to and the amendment of his or her protected health information held by a covered entity. The Fair Credit Reporting Act similarly provides a right of access for information about an individual that is held in the files of a consumer reporting agency. Another example at state level is California’s Shine the Light Law, which requires businesses that disclose consumer personal information to third parties for direct marketing purposes to, on request, provide consumers with information about the categories of personal information disclosed for such purposes and information about how to opt out of such disclosures at no cost to the consumer.

Do individuals have a right to request deletion of their data?

Under state and federal law, individuals generally do not have an express right to request the deletion of their personal information, with some exceptions. With respect to minors, for example, the Children’s Online Privacy Protection Act permits parents to request the deletion of data regarding their children under 13 years old. California also passed a law (Cal Bus and Prof Code 22580-81) that requires website operators to honour requests made by minors who are registered users to remove content that the minor posted on the site; however, this does not require the website operator to delete such data from its systems. Aside from the child privacy laws, the Fair Credit Reporting Act and similar state laws offer individuals a right to dispute inaccurate or incomplete information in the files of a consumer reporting agency.  

Consent obligations

Is consent required before processing personal data?

There is no general, broadly applicable requirement in the United States to obtain data subjects’ consent before processing personal data. However, certain federal laws do impose consent requirements for the disclosure of certain types of personal information. For example, the Children’s Online Privacy Protection Act requires operators of websites directed at children to obtain verifiable parental consent before collecting the personal information of children under 13. The Gramm-Leach-Bliley Act requires an annual notice of a financial institution’s information sharing practices and the ability for a customer to opt out of certain disclosures, together with a reasonable means for the customer to exercise that opt-out. The Health Insurance Portability and Accountability Act similarly requires a data subject’s authorisation for certain disclosures of protected health information.

In guidance documents and reports (eg, “Self-Regulatory Principles for Online Behavioral Advertising” and “Protecting Consumer Privacy in an Era of Rapid Change: Recommendations for Businesses and Policymakers”), the FTC has stated that companies should obtain affirmative express consent before collecting and using certain sensitive personal information, including:

  • children’s data;
  • financial and health information;
  • social security numbers; and
  • geolocation data.  

If consent is not provided, are there other circumstances in which data processing is permitted?

As mentioned above, there is no overarching requirement in the United States to obtain consent before the processing of personal information. Accordingly, the absence of consent typically does not restrict data processing activities, as long as such activities do not violate representations made to relevant data subjects (eg, in privacy policies).

What information must be provided to individuals when personal data is collected?

Various federal and state laws require organisations that collect personal data to provide notice of their information privacy practices to relevant individuals. For example, at a federal level, financial institutions subject to the Gramm-Leach-Bliley Act must abide by the Privacy of Consumer Financial Information Rule (also known as the FTC’s Privacy Rule), which requires financial institutions to provide notice to customers about information sharing practices and how the customer may exercise his or her right to opt out of having personal information shared with non-affiliated third parties. The Children’s Online Privacy Protection Act similarly requires organisations that collect personal information online from children under 13 to post a privacy policy describing:

  • the organisation’s practices for handling children’s personal data; and
  • the information handling practices of any third parties which collect children’s personal data on the operator’s website or online service. 

Health Insurance Portability and Accountability Act covered entities also must provide written notice of privacy practices pursuant to the Privacy Rule. 

At state level, three states (California, Delaware and Nevada) have enacted legislation requiring website operators to post a public privacy notice. Organisations which collect personal information online from California residents must comply with the California Online Privacy Protection Act, which requires organisations to provide a privacy notice detailing, among other things, the types of personal data the organisation collects and how it is used. The Delaware Online and Privacy Protection Act also requires operators of commercial internet services to provide notice to users of personal data collection practices. In July 2017 Nevada became the third state to enact an online privacy policy law; however, the Nevada law is narrower than those of California and Delaware as it limits its jurisdictional application to entities that purposefully direct or conduct activities in Nevada, or consummate some transaction with the state or one of its residents. Nevada’s online privacy policy law is set to take effect on October 1 2017.

In general, if an organisation fails to collect or use personal data in a manner consistent with the representations in its privacy notice, the FTC may exercise its Section 5 enforcement authority to bring an action for unfair or deceptive practices.
