Last review date: 31 December 2024
No.
The following are potential legal bases for processing non-sensitive personal data:
☒ other
US laws generally allow processing of personal data by default, and companies do not have to show a "legal basis" as required by the privacy laws of other jurisdictions, with certain limited exceptions (e.g., COPPA generally requires verifiable parental consent before collection of personal data online from children under 13 years of age, and various state consumer privacy laws prohibit processing sensitive data without consent). The CCPA requires businesses to limit their collection, use, retention, and sharing of personal information of California residents to what is "reasonably necessary and proportionate to achieve the purposes for which the personal information was collected or processed, or for another disclosed purpose that is compatible with the context in which the personal information was collected, and not further processed in a manner that is incompatible with those purposes," Cal. Civil Code §1798.100(c).
Last review date: 31 December 2024
Yes, under some circumstances under some state privacy laws.
Depending on the law and circumstances at issue, the following may be potential legal bases for processing special categories of personal data:
☒ the data subject has given consent to the processing, where consent is measured to the same standard as non-sensitive personal data
☒ the data subject has given consent to the processing, where consent is measured to a higher standard than for non-sensitive personal data (for example, additional requirement for consent to be "explicit")
☒ processing is necessary for the purposes of carrying out the obligations and exercising specific rights of the controller or of the data subject in the field of employment and social security and social protection law
☒ processing is necessary to protect the vital interests of the data subject or of another natural person where the data subject is physically or legally incapable of giving consent
☒ processing is carried out in the course of its legitimate activities with appropriate safeguards by a foundation, association or any other not-for-profit body with a political, philosophical, religious or trade union aim and further conditions
☒ processing relates to personal data which are manifestly made public by the data subject
☒ processing is necessary for the establishment, exercise or defense of legal claims
☒ processing is necessary for reasons of substantial public interest
☒ processing is necessary for the purposes of medicine, the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services
☒ processing is necessary for reasons of public interest in the area of public health
☒ processing is necessary for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes
☒ other
Last review date: 31 December 2024
Yes. COPPA governs the collection and use of personal information from children under the age of 13. The CCPA applies additional requirements for children under the age of 16, while the California Age-Appropriate Design Code, which is subject to a constitutional challenge, applies additional requirements to children under the age of 18. A number of children's privacy and protection laws, including in Arkansas, Connecticut, Florida, Louisiana, Texas, and Utah, may also impose privacy and other obligations on companies that process minors' personal information in certain circumstances.
Last review date: 31 December 2024
COPPA applies to online data collection from minors under 13 years of age and requires that consent be obtained from a parent or guardian under certain circumstances (including if a website is directed at minors or the operator knowingly collects personal data from minors). The CCPA requires parental consent to sell the personal data of minors under the age of 13, and the consent of minors between 13 and under the age of 16 to sell their personal data. The California Age-Appropriate Design Code Act, if it is found to be constitutional, applies to the online data collection of children under the age of 18 and requires companies to take a privacy by design approach to the design of new online products or services targeted to California minors. The Ninth Circuit recently issued a preliminary injunction against the law's enforcement in light of its data protection impact assessment (DPIA) requirement. Maryland's Age-Appropriate Design Code Act is expected to face similar scrutiny. Other state children's privacy laws apply in different circumstances.
Last review date: 31 December 2024
☒ consent must be given or authorized by the parent/guardian of the minor
☒ additional data subject rights are granted to minors (e.g., deletion, access, transparency)
Under California law, minors must be able to revoke posts on social media about themselves.
☒ additional data security requirements may apply.