Last review date: 31 December 2024
Given the patchwork of federal and state privacy and cybersecurity laws, companies are exposed to enforcement from various state and federal sources. Data privacy laws are enforced at the state level by the Attorney General in each state, and at the federal level by consumer protection agencies and regulators, including:
Under the incoming administration, federal enforcement activity will likely decrease, and certain state enforcement activity will likely increase.
The Federal Trade Commission (FTC) and the US Department of Health and Human Services (HHS) report on privacy and cybersecurity enforcement actions. Most of the FTC's enforcement actions charge defendants with unfair or deceptive acts or practices and/or with violations of COPPA. The FTC issued a policy statement in September 2021 warning health apps and connected device companies to comply with the Health Breach Notification Rule's (HBNR) notification requirements to consumers, the FTC and, in some cases, the media when personal health records are disclosed or acquired without the consumers' authorization. Following this statement, in 2022, the FTC published a new interactive tool for mobile health application developers to help them understand which federal regulations might apply to their products. The agency has since pursued two enforcement actions under its HBNR authority.
The California Office of the Attorney General and California Privacy Protection Agency are expected to continue and strengthen their enforcement of the amended CCPA, focusing on lack of privacy notice to consumers, insufficient "do not sell my personal information" opt-out tools, inaccurate disclosures of data collection and use practices, and insufficient processes for accepting and responding to rights requests. California privacy authorities have also released announcements of investigative sweeps, including with respect to connected cars, employers' processing of personnel data, and mobile apps in the retail, travel, and food service sectors. Attorneys General in Colorado and Connecticut have similarly begun pursuing privacy enforcement actions, with the Texas Attorney General taking a firm stance against unlawful biometric data collection.
The Washington Attorney General's office is expected to enforce violations of the Washington My Health My Data Act under the Washington Consumer Protection Act.
Regulatory investigations or direct enforcement activity by data or cyber regulators are:
☒ Common
If applicable, they are:
☒ Increasing
Class actions/group actions under data or cyber regulation are:
☒ Common
Most state privacy legislation precludes private rights of action, but the Children's Internet Protection Act (CIPA) and the Illinois Biometric Information Privacy Act (BIPA) attract a significant number of class action claims.
If applicable, they are:
☒ Increasing
There are:
☒ administrative remedies/civil penalties imposed by regulators and law enforcement
Many privacy laws at the federal and state levels establish administrative remedies/civil penalties for non-compliance. For example, HHS may impose a civil money penalty on any person who violates the HIPAA Privacy Standards ranging from USD 100 to USD 50,000 per violation, with a total of USD 25,000 to USD 1.5 million for all violations of a single requirement in a calendar year.
The FTC may bring civil actions for civil monetary penalties of up to USD 40,000 per violation of the FTC Act or COPPA. Each day that non-compliance continues is considered a separate "violation" for purposes of the law.
If an organization enters into a consent decree with the FTC, any subsequent violations of the consent decree are subject to penalties of up to approximately USD 42,000 (periodically adjusted for inflation) per violation.
The FTC and financial regulatory authorities also have the power to bring civil actions for damages related to GLBA. In the context of the FTC, potential consequences include: rescission or reformation of contracts; monetary refunds or return of real property; restitution; disgorgement or compensation for unjust enrichment; monetary penalties; public notification of the violation; and limits on the violator's functions. Civil monetary penalties range from USD 5,000 to USD 1 million per day of violation if an individual knowingly violates the law.
States also impose consequences for non-compliance with state privacy laws. For example, the CCPA imposes civil penalties for data breaches that range from USD 2,500 to USD 7,500 per violation. The VCDPA imposes civil penalties of up to USD 7,500 per violation and injunctive relief. The CPA imposes civil penalties of up to USD 20,000 per violation and injunctive relief.
☒ criminal penalties from regulators and law enforcement
Violations of HIPAA can include criminal penalties, including up to ten years' imprisonment in certain cases.
☒ private remedies
The CCPA allows an individual to bring a private right of action against businesses and imposes statutory damages ranging from USD 100 to USD 750 per consumer, per incident, or actual damages, whichever is greater. Illinois' Biometric Information Privacy Act (BIPA) provides a private right of action for the unauthorized collection, use, or disclosure of biometric data, allowing individuals to seek statutory damages of USD 1,000 per negligent violation.