Collection and storage of data
Collection and management
In what circumstances can personal data be collected, stored and processed?
Are there any limitations or restrictions on the period for which an organisation may (or must) retain records?
Privacy laws in the United States typically do not restrict an organisation’s ability to retain the personal information it holds. However, thousands of records retention laws at federal and state level impose specific obligations on organisations with respect to the retention of certain types of records. Many of these records retention laws apply to records that contain individuals’ personal information.
Do individuals have a right to access personal information about them that is held by an organisation?
In general, individuals do not have a right to request access to personal information about them that is held by an organisation, subject to a few exceptions.
The Children’s Online Privacy Protection Act, for example, provides for certain data access rights, requiring entities to enable parents to review personal information collected online from children. Additionally, under the Health Insurance Portability and Accountability Act, a data subject has a right to request access to and the amendment of his or her protected health information held by a covered entity. The Fair Credit Reporting Act similarly provides a right of access for information about an individual that is held in the files of a consumer reporting agency. Another example at state level is California’s Shine the Light Law, which requires businesses that disclose consumer personal information to third parties for direct marketing purposes to, on request, provide consumers with information about the categories of personal information disclosed for such purposes and information about how to opt out of such disclosures at no cost to the consumer.
Do individuals have a right to request deletion of their data?
Under state and federal law, individuals generally do not have an express right to request the deletion of their personal information, with some exceptions. With respect to minors, for example, the Children’s Online Privacy Protection Act permits parents to request the deletion of data regarding their children under 13 years old. California also passed a law (Cal Bus and Prof Code 22580-81) that requires website operators to honour requests made by minors who are registered users to remove content that the minor posted on the site; however, this does not require the website operator to delete such data from its systems. Aside from the child privacy laws, the Fair Credit Reporting Act and similar state laws offer individuals a right to dispute inaccurate or incomplete information in the files of a consumer reporting agency.
Consent obligations
Is consent required before processing personal data?
There is no general, broadly applicable requirement in the United States to obtain data subjects’ consent before processing personal data. However, certain federal laws do impose consent requirements for the disclosure of certain types of personal information. For example, the Children’s Online Privacy Protection Act requires operators of websites directed at children to obtain verifiable parental consent before collecting the personal information of children under 13. The Gramm-Leach-Bliley Act requires a financial institution to provide an annual notice of its information sharing practices, together with a reasonable means for customers to opt out of certain disclosures. The Health Insurance Portability and Accountability Act similarly requires a data subject’s authorisation for certain disclosures of protected health information.
In guidance documents and reports (eg, “Self-Regulatory Principles for Online Behavioral Advertising” and “Protecting Consumer Privacy in an Era of Rapid Change: Recommendations for Businesses and Policymakers”), the FTC has stated that companies should obtain affirmative express consent before collecting and using certain sensitive personal information, including:
- children’s data;
- financial and health information;
- social security numbers; and
- geolocation data.
If consent is not provided, are there other circumstances in which data processing is permitted?
As mentioned above, there is no overarching requirement in the United States to obtain consent before the processing of personal information. Accordingly, the absence of consent typically does not restrict data processing activities, as long as such activities do not violate representations made to relevant data subjects (eg, in privacy policies).
What information must be provided to individuals when personal data is collected?
- the organisation’s practices for handling children’s personal data; and
- the information handling practices of any third parties which collect children’s personal data on the operator’s website or online service.
Health Insurance Portability and Accountability Act covered entities also must provide written notice of privacy practices pursuant to the Privacy Rule.
In general, if an organisation fails to collect or use personal data in a manner consistent with the representations in its privacy notice, the FTC may exercise its Section 5 enforcement authority to bring an action for unfair or deceptive practices.