Consumer Privacy Rights
by John Bandler
Privacy is important for every individual and every organization. This article focuses on consumer privacy rights, meaning your personal privacy rights.
As indicated at the bottom, remember that this is not legal advice and I am not your lawyer; I am just trying to provide solid information. Also consider that there are some large organizations and large law firms that devote considerable time and brainpower to compiling summaries. Many of them are excellent, and I am not trying to compete with them or duplicate their work.
1. Privacy recap
My article on Privacy introduces some important principles.
Privacy threats include data breaches and companies that overshare, violating their privacy promises regarding customer information. Privacy is the subject of rapidly growing laws and regulations and is worth attention from every organization. For organizations, sound privacy practices can be good for business and avoid legal problems. For individuals, privacy awareness is important for each of us and our families.
Personal privacy is a concept that has existed for hundreds, even thousands, of years. We can think of four main areas of privacy:
- Information privacy (data privacy)
- Communications privacy
- Territorial privacy
- Bodily privacy
More recently, "data laws" and privacy laws create statutory obligations on many organizations, and create rights for many individuals.
You can read about them, and if you have ever taken the time to read a privacy notice (sometimes called a privacy policy), it may refer to certain privacy laws. With the rapid rise of privacy laws and regulations, it becomes impractical for organization privacy notices to specify every single data law from the multitude of sources (federal, the various states, various regulators, etc.).
My articles on cybersecurity laws and regulations part 1 and part 2 list and summarize some of those data laws.
Here, we provide names and links to some of the more common ones.
2. Jurisdiction and reach
"Cyberlaw" can get complex because we interact through the internet across state and country borders. So we need to think about which laws apply where, which individuals they protect, and which organizations they impose requirements on.
It can get complicated if an organization (in New York for example) needs to research and comply with privacy laws of other states and even other countries.
When governments pass privacy laws, they generally seek to protect their residents and citizens. For example, a California privacy law seeks to protect all California residents, even when they do business with organizations outside of their state. A European privacy law seeks to protect all EU residents, even when they interact with business in the U.S.
For this reason, and because lawyers seek to be protective, to ensure ironclad documents, to add provisions, or simply to show their legal knowledge and worth, you see privacy notices that specify laws for certain jurisdictions. On the one hand, this detail could be helpful in some respects for compliance and for consumers from that particular jurisdiction. On the other hand, providing this detail can make these notices clunky, cumbersome, and unreadable.
For that reason, one alternative is to remind consumers to "Know the laws that apply to you" and provide a link to this page.
3. Know the laws that apply to you
Consumers should know the laws that apply to them. It is not realistic to expect that every organization you interact with will be able to advise you on the many intricacies of privacy.
For U.S. residents and citizens, get to know:
- Federal laws and regulations that might protect you
- Your state's laws that might protect you
If you are outside the U.S., get to know your country's laws.
More details below.
4. Research other experts on privacy laws and rights
There are organizations that have deep expertise in privacy laws and privacy rights. They have devoted more resources to the topic than I ever could, have more brainpower and knowledge than I could ever attain, and keep their sites more updated than mine.
So consider these resources:
- Government resources. The federal (U.S.) and state governments create laws and enforce them, and they sometimes put out excellent information about what consumer rights are and what organization obligations are. So check those government websites, including:
  - Federal (U.S.) Government
    - Federal Trade Commission (FTC), https://www.ftc.gov/
    - Health, https://www.hhs.gov/
    - Financial, many regulators
    - Education, https://studentprivacy.ed.gov/ferpa
  - State laws and regulators
    - Check the state attorney general website for your state
    - Check the state consumer protection agency website for your state
    - California now has a separate privacy protection agency
- International Association of Privacy Professionals (IAPP), https://iapp.org/
  - IAPP US State Privacy Topic Page, https://iapp.org/resources/topics/us-state-privacy/
  - IAPP US State Comprehensive Privacy Laws Report – Overview, https://iapp.org/resources/article/us-state-privacy-laws-overview/
  - IAPP US State Privacy Legislation Tracker, https://iapp.org/resources/article/us-state-privacy-legislation-tracker/
- Daniel Solove, Privacy & Security, https://teachprivacy.com/
- (Book) Daniel J. Solove and Paul M. Schwartz, Privacy Law Fundamentals, 7th Edition, Portsmouth: IAPP Publications, 2024, https://store.iapp.org/privacy-law-fundamentals-seventh-edition-print/
- (Book) Peter Swire and DeBrae Kennedy-Mayo, U.S. Private-Sector Privacy, Fourth Edition, IAPP, 2024, https://iapp.org/resources/article/us-private-sector-privacy-textbook/
- Check resources from large, reputable law firms
- Check resources from reputable non-profits focused on consumer privacy rights
5. Privacy laws and regulations in general
Today, consumers have varying statutory privacy rights depending upon the applicable jurisdictions and sectors.
We can helpfully categorize privacy laws by asking:
- Is it federal or state?
- Is it a law (duly enacted through the legislative process) or a regulation (put forth by a regulatory body), or both?
- Does it apply generally (regardless of sector) or only to certain sectors (e.g. health, finance)?
Here are a few thoughts to keep in mind as we navigate this area:
- "Privacy laws" and "cybersecurity laws" overlap. Indeed, almost every privacy law has a cybersecurity and data breach reporting component. I depict this in my diagram on cybersecurity and privacy law.
- The U.S. legal framework for privacy laws and regulations is a "patchwork", meaning a patchwork of laws and regulations, state vs. federal, and overlapping regulators and laws.
6. Typical privacy legal requirements
Each law is different, with different organization, terminology, and requirements. But there are some similarities and generalities. Privacy laws generally create rights for consumers regarding information about them held by a business. These consumer rights mean legal obligations for the business. Privacy rights include:
- Notice about privacy practices: how the company collects, stores, uses, and shares information about the consumer.
- Ability to access data about the consumer, correct it, ask that it be deleted or that its processing be limited, or transfer the data to another service provider.
A business privacy program should generally follow these principles:
- Be lawful, fair, and transparent
- Limit collection, use, and processing of personal data
- Keep personal data only as long as needed (then purge)
- Keep personal data accurate
- Keep personal data secure with good cybersecurity
- Be accountable for the above.
7. Details and links on specific data privacy laws
7.1 US Federal
7.1.1 Federal Trade Commission (FTC)
The Federal Trade Commission (FTC) enforces certain privacy rights under Section 5(a) of the FTC Act and other statutes.
- FTC, https://www.ftc.gov/
- FTC Consumer Privacy, https://www.ftc.gov/business-guidance/privacy-security/consumer-privacy
- FTC Privacy and Security Enforcement, https://www.ftc.gov/news-events/topics/protecting-consumer-privacy-security/privacy-security-enforcement
- FTC Children's Privacy, https://www.ftc.gov/business-guidance/privacy-security/childrens-privacy
- FTC COPPA Rule, https://www.ftc.gov/legal-library/browse/rules/childrens-online-privacy-protection-rule-coppa
- FTC Act (my article)
7.1.2 Children - COPPA (federal)
The Children’s Online Privacy Protection Act (COPPA) is a federal law enforced by the FTC that has privacy protections for children under 13 years old.
- FTC, Children's Privacy, https://www.ftc.gov/business-guidance/privacy-security/childrens-privacy
- The Children’s Online Privacy Protection Act of 1998 (COPPA)
- COPPA Act, 15 U.S.C. §§ 6501–6506, https://www.law.cornell.edu/uscode/text/15/chapter-91
- COPPA regulations 16 C.F.R. § 312, https://www.law.cornell.edu/cfr/text/16/part-312
7.1.3 Financial (federal)
There are a number of federal laws and regulators for the finance sector.
The primary law is the Gramm-Leach-Bliley Act (GLBA), also known as the Financial Services Modernization Act of 1999, together with its accompanying regulation (the Privacy Rule), which impose privacy requirements.
For more see:
- Financial sector cyber laws and regulations (my article)
7.1.4 Health - HIPAA - HHS (federal)
The government resources for health-related privacy rules are not as good as they could be; some seem to be quite dated.
- HHS on HIPAA, https://www.hhs.gov/hipaa/index.html
- Health sector laws and regulations (my article summarizing it)
7.1.5 Education - FERPA - U.S. ED (federal)
The Family Educational Rights and Privacy Act of 1974 (FERPA) is the primary law here.
- The Family Educational Rights and Privacy Act (FERPA) (20 U.S.C. § 1232g; 34 CFR Part 99) https://www.law.cornell.edu/uscode/text/20/1232g
- 20 US Code § 1232g - Family Educational and Privacy Rights https://www.law.cornell.edu/uscode/text/20/1232g
- 34 CFR Part 99 - Family Educational Rights and Privacy https://www.law.cornell.edu/cfr/text/34/part-99
U.S. Department of Education has these FERPA resources:
- Protecting Student Privacy https://studentprivacy.ed.gov/node/548/
- Data Breach https://studentprivacy.ed.gov/topic/data-breach
7.2 U.S. States
In the absence of an overarching federal privacy law, states have started to enact their own privacy statutes, starting with California then followed by others. The reach of these state laws may extend beyond the state borders.
7.2.1 California
California law imposes many complex requirements for cybersecurity, privacy, and data breach reporting. Consider:
- California Consumer Privacy Act of 2018 (CCPA), effective 2020
  - as amended by the California Privacy Rights Act of 2020 (CPRA), effective 2023
State agencies include the California Office of the Attorney General (also known as the California Department of Justice) and the newer California Privacy Protection Agency (CPPA). CPPA now has primary privacy authority.
- Privacy and Data Security https://oag.ca.gov/privacy
- California Attorney General information on CCPA https://oag.ca.gov/privacy/ccpa
- CCPA regulations https://oag.ca.gov/privacy/ccpa/regs
- Submit Data Security Breach (report a breach) https://oag.ca.gov/privacy/databreach/report-a-breach
- CA Business Privacy Resources https://oag.ca.gov/privacy/business-privacy
- Privacy laws https://oag.ca.gov/privacy/privacy-laws
- California Civ. Code s. 1798.82(a) (data breach reporting statute) link
- California Privacy Protection Agency (CPPA) https://cppa.ca.gov/
- CPPA regulations https://cppa.ca.gov/regulations/
7.2.2 Colorado
Colorado Privacy Act (effective 1 July 2023)
- https://leg.colorado.gov/bills/sb21-190
- CO AG, https://coag.gov/
- CO AG, privacy, data breach, https://coag.gov/file-a-complaint/data-privacy-data-breach/
- CO AG, Privacy Act Resources, https://coag.gov/resources/colorado-privacy-act/
7.2.3 Connecticut
Connecticut Personal Data Privacy and Online Monitoring Act (effective 1 July 2023)
- CT AG, https://portal.ct.gov/ag
- CT AG Privacy and Data Security Department, https://portal.ct.gov/ag/sections/privacy/the-privacy-and-data-security-department
- CT AG, Privacy Act text, https://www.cga.ct.gov/2022/act/Pa/pdf/2022PA-00015-R00SB-00006-PA.PDF
- CT Chapter 743jj Consumer Data Privacy and Online Monitoring, https://www.cga.ct.gov/current/pub/chap_743jj.htm
- Bill tracker site, https://www.cga.ct.gov/asp/cgabillstatus/cgabillstatus.asp?selBillType=Bill&bill_num=SB00006&which_year=2022
7.2.4 Virginia
Virginia Consumer Data Protection Act (effective 1 Jan. 2023)
- VA AG, https://www.oag.state.va.us/
- VA AG Privacy Act Summary, https://www.oag.state.va.us/consumer-protection/files/tips-and-info/Virginia-Consumer-Data-Protection-Act-Summary-2-2-23.pdf
- https://law.lis.virginia.gov/vacodefull/title59.1/chapter53/
7.2.5 Utah
Utah Consumer Privacy Act (effective 31 Dec. 2023)
- UT AG, https://attorneygeneral.utah.gov/
- UT AG Data Privacy, https://attorneygeneral.utah.gov/data-privacy/
- https://le.utah.gov/~2022/bills/static/SB0227.html
7.2.6 Oregon
Oregon Consumer Privacy Act (effective 1 July 2024)
- OR AG/DOJ, https://www.doj.state.or.us/
- OR AG/DOJ, Consumer Protection, https://www.doj.state.or.us/consumer-protection/
- OR Consumer Protection, Consumer Privacy, https://www.doj.state.or.us/consumer-protection/id-theft-data-breaches/privacy/
- OR AG, Privacy, https://www.doj.state.or.us/oregon-department-of-justice/office-of-the-attorney-general/spotlight-privacy/
- https://olis.oregonlegislature.gov/liz/2023R1/Downloads/MeasureDocument/SB619/Enrolled
7.2.7 Texas
Texas Data Privacy and Security Act (effective 1 July 2024)
7.2.8 Montana
Montana Consumer Data Privacy Act (effective 1 Oct. 2024)
7.2.9 Delaware
Delaware Personal Data Privacy Act (effective 1 Jan. 2025)
7.2.10 Iowa
Iowa Consumer Data Protection Act (effective 1 Jan. 2025)
7.2.11 Nebraska
Nebraska Data Privacy Act (effective 1 Jan. 2025)
7.2.12 New Hampshire
New Hampshire SB 255 (effective 1 Jan. 2025)
7.2.13 New Jersey
New Jersey SB 332 (effective 15 Jan. 2025)
- https://www.njleg.state.nj.us/bill-search/2022/S332
7.2.14 Tennessee
Tennessee Information Protection Act (effective 1 July 2025)
7.2.15 Indiana
Indiana Consumer Data Protection Act (effective 1 Jan. 2026)
7.2.16 Kentucky
Kentucky Consumer Data Protection Act (effective 1 Jan. 2026)
7.2.17 Other?
By the time you read this, maybe there are other new laws.
7.3 EU: General Data Protection Regulation (GDPR)
The European Union’s General Data Protection Regulation (GDPR) went into effect in 2018 and applies to many U.S. organizations that collect personal information of EU citizens.
European Union GDPR general information
- https://ec.europa.eu/info/index_en
- https://ec.europa.eu/info/law/law-topic/data-protection/data-protection-eu_en
- https://ec.europa.eu/info/law/law-topic/data-protection/eu-data-protection-rules_en
- https://gdpr.eu/what-is-gdpr/
Each country in the EU has a supervisory authority, also known as a data protection authority (DPA) or data protection commissioner. IAPP has helpful resources on these.
8. For organizations, privacy is a component of information governance and a compliance requirement
Organizations should think of cybersecurity, privacy, and business needs holistically and under the umbrella of information governance. This means managing the information technology, systems and data of a company well. Companies should manage themselves well in all areas, including information systems.
Organizations also have compliance requirements, including those arising from all of the above laws. If a law creates rights for consumers, it probably imposes duties on organizations. So all of the above is your starting place.
More on this elsewhere on my site, starting with my article on Information governance, and my resources on policy work.
9. Conclusion
Knowledge of privacy is important for individuals and organizations. Individuals should strive to improve their awareness of privacy threats and choices they face. Organizations should develop privacy policies, comply with applicable legal requirements and protect consumer privacy.
10. Disclaimer
This article is (of course) not tailored to your circumstances, nor is it legal or consulting advice.
I am a lawyer, but not your lawyer. Often, I represent organizations and work on their policies. Maybe I even wrote the policy you just read.
Information here may become outdated. I summarize and generalize significantly.
Thank you to those who have done the excellent research from which this article benefited, including IAPP.
Additional reading
- Consumer privacy rights (this article)
- Privacy
- Law
- Cyberlaw
- Introduction to Cybersecurity and Information Security
- Cybersecurity Laws and Regulations Part 1 (general legal overview)
- Cybersecurity Laws and Regulations Part 2 (more details, arguably painfully detailed)
- About the CIPP/US Privacy Certification and How to Study for It
- Introduction to Law (an outline)
- Cybersecurity, Privacy, You, and Your Organization
- Cyberlaw Book
- Online courses
This article is hosted at https://johnbandler.com/consumer-privacy-rights, copyright John Bandler, all rights reserved.
Also accessible via https://tinyurl.com/yc8k7k4r
Originally posted 9/4/2024, updated 10/23/2024.