Data Privacy Regulations

Every industry is laden with acronyms, but if you work in finance or healthcare, you’ve probably noticed a new flood of acronym-filled privacy regulations in recent years!

To help you navigate the “alphabet soup” of privacy acts, we’ve created this list of data privacy regulation acronyms with brief explanations of what they mean for you.

Since the US does not currently have an all-encompassing law to handle data privacy for all situations, there’s a patchwork of different laws and standards depending on sectors and circumstances. These are usually represented as an acronym, and can get confusing rather quickly. In addition, we have regulations like the GDPR that aren’t actually US laws, but rather for the EU – adding international considerations to the mix.

A growing number of states (such as California and Colorado) have passed state laws to protect their own residents. Since it’s difficult for a typical organization to accurately determine whether a consumer (or website visitor) is a resident of one of these states, most organizations find it’s in their best interest to err on the side of caution and treat all consumers with the same protections. This way, as federal laws catch up with state and international laws, you have a significant head start to stay compliant.

To understand what this looks like, let’s start our acronym definitions with California’s privacy laws:

CCPA — California Consumer Privacy Act

The CCPA gives California residents data privacy rights and protections, including (1) knowledge of the personal information collected about them and how it’s shared, (2) the right to delete such information, (3) the right to opt out of the sale of such information, and (4) the right to non-discrimination as a result of exercising these rights. California’s privacy regulations are considered some of the strongest in the US, as they give residents some ability to sue a company for certain types of data breaches.

The California Consumer Privacy Act (CCPA) becomes fully operational on Jan. 1, 2023. For a more detailed explanation, see our CCPA compliance guide.

CPRA (or “CCPA 2.0”) — California Privacy Rights Act

The CPRA significantly amends and expands the CCPA, so it is sometimes referred to as “CCPA 2.0.” It adds two additional consumer rights to the CCPA, which are the right to correct inaccurate personal information, and the right to limit the usage and disclosure of sensitive personal information (SPI). This privacy protection includes everything from social security numbers and ethnicity to genetic data and geolocation.

The CPRA took effect in December 2020, with some provisions not becoming fully active until Jan. 1, 2023.

CPA / ColoPA — Colorado Privacy Act

Going into effect in January 2023, the CPA gives Colorado residents increased privacy rights, such as the right to access, correct, and delete their personal data. It also lets people opt out of things like the processing of their data for targeted advertising, the sale of their personal data, and profiling. It has a lot in common with California’s CCPA and Virginia’s VCDPA, but in some ways it is stricter because it requires companies to obtain prior, affirmative consent from the consumer in order to process sensitive data.

COPPA — The Children’s Online Privacy Protection Act

COPPA is a 2013 Federal law that gives parents control over what information websites can collect from children under the age of 13, and sets rules for commercial websites and online services directed to such children, such as mobile apps. This act carries many of the same protections you see with state laws, but puts those data controls in the hands of parents.

ECPA — Electronic Communications Privacy Act

The ECPA is a 1986 law that updated the Federal Wiretap Act of 1968, which had addressed interception of telephone conversations, but did not apply to computers and other electronic/digital communications. It now protects wire, oral, and electronic communications while those communications (1) are being made, (2) are in transit, and (3) when they are stored on computers.

FCRA — Fair Credit Reporting Act

The FCRA is a 1970 act for financial data regulation. It protects information collected by consumer reporting agencies such as credit bureaus, medical information companies and tenant screening services. The FCRA also limits who is allowed to see a credit report, what the credit bureaus are allowed to collect, and how that information is obtained. Information in a consumer report cannot be provided to anyone who does not have a purpose specified within the regulation.

FERPA — Family Educational Rights and Privacy Act

FERPA is a Federal law that protects the privacy of student education data and records. It only applies to schools who receive funds under certain programs of the US Department of Education.

FTC Act — The Federal Trade Commission Act (FTC Act)

The FTC Act has a wide jurisdiction over commercial entities to prevent unfair or “deceptive trade practices.” For instance, it empowers the FTC to go after an app or website that violates its own privacy policy. They can also investigate violations of marketing language when it relates to privacy (for instance, selling user data despite claiming you don’t). There is also a growing effort to get the FTC to expand this power to better address abusive data practices.

GDPR — General European Data Protection Regulation

Despite its widespread impact on US businesses and consumers, the GDPR is not American regulation, but European. It is one of the most comprehensive data protection regulations in the world, covering personal data protections, data usage restrictions, privacy standards, and much more.

With applications for nations inside and outside of the EU, any organization seeking to work with European companies or users must comply with requirements set forth by the GDPR. To ensure your organization is up to this standard, you can review our GDPR compliance guide.

GLBA — Gramm-Leach-Bliley Act

The GLBA requires consumer financial products (e.g. loan services or investment-advice services), to explain how they share data. The GLBA also enables customers to opt out of this. The law doesn’t restrict how companies use the data they collect however, as long as they disclose such usage beforehand. The GLBA also takes some steps to encourage the security of personal data as well.

HITECH — Health Information Technology for Economic and Clinical Health Act

The HITECH Act of 2009 provides financial incentives for organizations to adopt electronic health records (EHRs) and aims to improve privacy and security protections for healthcare data. Part of this regulation seeks to address the privacy and security concerns associated with the transmission of such health data. As a result, there are several provisions to strengthen the enforcement of the HIPAA rules (see HIPAA below), such as increased penalties for HIPAA violations. Check out our HIPAA & HITECH compliance guide for more information.

HIPAA — Health Information Portability & Accountability Act

HIPAA is a healthcare data privacy law from 1996. As a Federal law, it created national standards to protect sensitive patient health information from being disclosed without a patient’s consent or knowledge. It includes a Privacy Rule to give patients control over who can see their medical records (and how providers can use the data), and a Security Rule to maximize safeguards for transmitting patient health information. Additionally, HIPAA includes a Breach Notification Rule to improve transparency when there is a breach.

To make sure your organization is complying with HIPAA standards, you can read our HIPAA & HITECH compliance guide.

NY SHIELD Act — Stop Hacks and Improve Electronic Data Security Act

The SHIELD Act is a 2019 law that created more data security requirements for companies that collect information on New York residents. While smaller in scope than other state privacy laws, SHIELD protects New York residents’ private information by requiring organizations to “develop, implement, and maintain reasonable safeguards to protect the security, confidentiality, and integrity of the private information.”

UCPA — Utah Consumer Privacy Act

Drawing heavily from California, Virginia, and Colorado, UCPA applies to a smaller subsection of businesses (those making over $25 million in annual revenue) and offers broader exceptions. It gives consumers rights such as deleting their data, getting a copy of their data, opting out of having their personal data processed (or used for advertising), In contrast to the VCDPA and CPA, the UCPA does not include the right to opt out of profiling.

Financial institutions governed by the Gramm-Leach-Bliley Act and information in the Fair Credit Reporting Act aren’t subject to the UCPA, which goes into effect at the end of 2023.

VCDPA (or simply CDPA)— Virginia Consumer Data Protection Act

Similar to California and Colorado regulations and the GDPR, the VCDPA gives Virginia consumers certain rights over their data and sets rules for certain companies on the data they collect, including what they collect, how it’s treated, how it’s protected, and whom they can share it with. The CDPA requires companies to help consumers exercise these rights, such as by obtaining opt-in consent before processing sensitive data, and providing a clear privacy notice that gives consumers a means to opt out of targeted advertising.

The VCDPA goes into effect Jan. 1, 2023.

Note: at the time of this writing, other bills are being introduced around the country, in states such as Connecticut, Hawaii, Massachusetts, Minnesota, Oklahoma, and Wisconsin. Most state laws seem to be following California’s standards.

As regulations increase on new technologies, industry hype takes a dive. This trend is no different for healthcare data, analytics, or AI. Learn how to strategically navigate talent and governance barriers in healthcare in our #1 most popular whitepaper from Gartner.