""

 

US Federal Privacy

US Federal Privacy

Congress, industry, civil society and the White House have all taken steps toward the creation of a U.S. federal privacy law. What this law will look like — and when and if it will happen — are still very much in question, but day-by-day it’s looking more likely that a federal law is in the United States’ future.

The IAPP has been keeping track of the goings-on regarding a federal privacy law, and we’ve collected our news and resources here. The IAPP Resource Center also includes a “US State Privacy” topic page.

Subscribe to the IAPP United States Privacy Digest e-newsletter!
Be in-the-know on US privacy news (federal privacy watch, state privacy news, government actions regarding privacy, enforcement, etc.) by subscribing to the US Privacy Digest e-newsletter.

Featured Resources

US Federal Privacy Legislation Tracker

This tracker organizes the privacy-related bills proposed in Congress to keep our members informed of developments within the federal privacy landscape.
Read More

American Data Privacy and Protection Act unveiled

The prospects of U.S. Congress passing a comprehensive federal privacy bill this year have dramatically increased in the blink of an eye. This article has a collection of reactions to what Congress has drawn up.
Read More

Negotiating privacy: Bipartisan agreement on US privacy rights

This white paper examines the progress made in Congress toward bipartisan agreement on privacy rights over the current legislative session, analyzing the 18 bipartisan federal privacy bills introduced in the 117th Congress.
Read More


""

Latest News and Resources

House subcommittee advances American Data Privacy and Protection Act

It's becoming increasingly clear the U.S. House of Representatives knows what it wants to do in regards to federal privacy legislation — the only certainty that's shown up in this fast-moving legislative process is the House's willingness to work across the aisle and press forward. This unity and desire mostly showed through again Thursday as the House Committee on Energy and Commerce Subcommittee on Consumer Protection and Commerce unanimously voted to move the American Data Privacy and Protec... Read More

A view from DC — A look at the updated American Data Protection and Privacy Act

There is a clear desire among the co-sponsors of the American Data Protection and Privacy Act to demonstrate substantive progress on the text based on stakeholder feedback, including last week’s hearing. This desire is apparent in the most recent version, which has now been introduced as a bill in the House of Representatives as H.R. 8152. As the IAPP covered, yesterday the bill was reported favorably to the full Energy and Commerce Committee after a markup session in the subcommittee on Consume... Read More

US House committee showcases federal privacy momentum, opportunity

Tuesday's much-anticipated federal privacy law hearing hosted by the U.S. House Energy and Commerce Committee's Subcommittee on Consumer Protection and Commerce had a different vibe than what onlookers have become accustomed to when Congress discusses privacy matters. Past hearings — they've come in waves at the same time of year over the last three-or-so years — brought clear divides, separate agendas and no consensus among lawmakers on how to arrive at a solution. The proposed American Data P... Read More

What does the newest U.S. privacy bill mean for cybersecurity?

On Tuesday, June 14, the U.S. House Committee on Energy and Commerce held a hearing on the American Data Privacy and Protection Act discussion draft — a leading contender for a comprehensive federal privacy framework. The famed sticking points of individual redress mechanisms, preemption of state laws and the role of the U.S. Federal Trade Commission — the law’s likely federal enforcer — were among the slew of debated aspects. However, the cybersecurity provisions and data security requirements ... Read More

Understanding the scope of the draft American Data Privacy and Protection Act

As the policy community takes time to absorb and reflect on the substantive provisions of the draft American Data Privacy and Protection Act, it is worth exploring the basic scope of application of the bill. What organizations would be expected to comply? How do obligations differ based on size or function in the data economy? The ADPPA presents a somewhat complex array of organizational roles, with different names than privacy professionals may be used to. For example, what’s the difference bet... Read More

Infographic: FTC Privacy Rulemaking – The Steps to Get There
(IAPP)
A viable US privacy bill: Could this be the one?
(IAPP, June 2022)
Distilling the essence of the American Data Privacy and Protection Act discussion draft
(IAPP, June 2022)
We’re so close to getting data loyalty right
(IAPP, June 2022)
US lawmakers closing in on bipartisan privacy framework
(IAPP, June 2022)
A View From DC: If Federal Privacy Passed, What Would It Look Like?
(IAPP, May 2022)
The Constitutional Right To Privacy
(IAPP, May 2022)
Leaked Roe v. Wade opinion sparks right-to-privacy concerns
(IAPP, May 2022)
What Judge Ketanji Brown Jackson’s US Supreme Court appointment could mean for privacy
(IAPP, April 2022)
US cybersecurity director on how government can form new social contract with tech industry
(IAPP, April 2022)
Microsoft’s Smith implores US to keep pace in global privacy conversation
(IAPP, April 2022)
FTC Chair Lina Khan anticipated to share privacy vision
(IAPP, March 2022)
Biden’s State of the Union remarks put children’s privacy front and center
(IAPP, March 2022)
Key data security insights from FTC CafePress settlement
(IAPP, March 2022)
US House subcommittee talks proposed surveillance ad ban, Big Tech accountability
(IAPP, March 2022)
US House committee re-opens dialogue on federal privacy legislation
(IAPP, February 2022)
US senators propose Kids Online Safety Act
(IAPP, February 2022)
White House releases public responses on AI uses
(IAPP, February 2022)
Biden re-nominates Bedoya for FTC commissioner
(IAPP, January 2022)
FTC takes steps toward privacy, AI rulemaking
(IAPP, December 2021)
Australia, US reach crime data sharing agreement
(IAPP, December 2021)
Latest Senate hearing casts wide net on US data brokerage
(IAPP, December 2021)
Senators introduce Protecting Sensitive Personal Data Act
(IAPP, November 2021)
PSR21 keynote stage: Federal privacy law holds the keys
(IAPP, October 2021)
Facebook whistleblower’s revelations boost federal privacy law chatter
(IAPP, October 2021)
Senate committee talks need for FTC resources, federal privacy law
(IAPP, September 2021)
2021 Proposed Comprehensive US Privacy Legislation
(IAPP, September 2021)
Study: Americans want government to prioritize data security, privacy
(IAPP, September 2021)
Privacy bills in the 117th Congress
(IAPP, August 2021)
Standing issues in U.S. privacy class actions
(IAPP, August 2021)
Federal privacy law important to long-term future of data flows
(IAPP, July 2021)
GOP lawmakers unveil more details on draft privacy law
(IAPP, July 2021)
Sen. Wicker introduces federal US privacy bill
(IAPP, July 2021)
FPF analyzes data protection implications of Biden executive order
(IAPP, July 2021)
Why a US privacy law is needed for vaccine passports
(IAPP, June 2021)
Rep. DelBene on what it will take to pass US privacy legislation
(IAPP, June 2021)
Sen. Scott introduces the DATA Act
(IAPP, May 2021)
Web Conference: Finding Sweet Spots for Successful Compromise on a Federal Privacy Law
(IAPP, May 2021)
From the Filing Cabinet to the Cloud: Updating the Privacy Act of 1974
(World Privacy Forum, May 2021)
The Great Privacy Patchwork: Is a US Privacy Law Essential for 2021?
(IAPP, April 2021)
6 things to watch for in the US privacy law debate
(IAPP, April 2021)
April Doss on US surveillance, global data flows and Big Tech after the Russia investigation
(IAPP, April 2021)
DelBene talks need for US privacy legislation, lawmakers’ tech knowledge
(IAPP, April 2021)
Wyden unveils privacy bill banning data sales to ‘unfriendly’ foreign entities
(IAPP, April 2021)
How state laws, FTC can help define ‘data brokers’ in a US privacy law
(IAPP, April 2021)
Will expectations for US privacy legislation overwhelm the process?
(IAPP, March 2021)
The first but not last comprehensive US privacy bill of 2021
(IAPP, March 2021)
How the lack of a federal privacy law is resulting in a problematic application of the CFAA
(IAPP, February 2021)
US lawmakers introduce contact tracing privacy bill
(Name, Date)
Federal data privacy regulation is on the way — That’s a good thing
(IAPP, January 2021)
Big Tech privacy pros express optimism for federal US privacy law
(IAPP, January 2021)
2021 ‘best chance’ for US privacy legislation
(IAPP, December 2020)
Rep. DelBene: Congress needs ‘urgency’ with US privacy law
(IAPP, November 2020)
CIPL Concept Proposal: Why We Need Interstate Privacy Rules for the US
(CIPL, September 2020)
US Senate hearing covers COVID-19, the need for a federal privacy law and familiar roadblocks
(IAPP, September 2020)
CIPL: Data Protection in the New Decade – Lessons from COVID-19 for a US Privacy Framework
(CIPL, August 2020)
Protect consumer privacy: Repeal GLBA’s privacy provisions
(IAPP, July 2020)
Keeping the fires burning for federal privacy legislation
(IAPP, June 2020)
US lawmakers propose bipartisan contact tracing bill
(IAPP, June 2020)
The Privacy Advisor Podcast: How can we overcome gridlock on a U.S. privacy bill?
(IAPP, June 2020)
Stakeholders: Despite setbacks, federal privacy legislation still essential
(IAPP, June 2020)
Republican senators to introduce the COVID-19 Consumer Data Protection Act
(IAPP, May 2020)
Democrats propose Public Health Emergency Privacy Act
(IAPP, May 2020)
FTC’s Wilson: US privacy law needed as contact tracing moves forward
(IAPP, May 2020)
Op-ed: Whistleblower protection needed in federal data privacy law
(IAPP, April 2020)
Survey: Americans want laws protecting online data
(IAPP, April 2020)
Web Conference: Privacy Regulation Update: New and Evolving State and Federal Laws
(IAPP, March 2020)
How Americans see digital privacy issues amid the COVID-19 outbreak
(Pew Research Center, March 2020)
White Paper – COPRA and CDPA: Similarities, Gray Areas and Differences
(IAPP, February 2020)
Tracking the politics of US privacy legislation
(IAPP, December 2019)
Former US privacy officials say ‘not so fast’ on federal law
(IAPP, October 2019)
What is a robocall, anyway?
(IAPP, September 2019)
More Companies Must Comply with the Gramm-Leach-Bliley Act, But Don’t Know It. Are You One of Them?
(IAPP, July 2019)
What is GLBA Compliance? Understanding the Data Protection Requirements of the Gramm-Leach-Bliley Act in 2019
(IAPP, July 2019)
10 Principles for a Revised US Privacy Framework
(Centre for Information Policy Leadership, July 2019)
U.S. Consumer Privacy Bill Blueprint
(Mozilla, July 2019)
US Senate grapples with how to regulate AI
(IAPP, June 2019)
The importance of a mandatory arbitration carve-out in a US privacy law
(IAPP, May 2019)
The Privacy Advisor Podcast: Did this US Senate hearing on federal privacy push the ball forward?
(IAPP, May 2019)
White Paper – Consensus and Controversy in the Debate Over US Federal Data Privacy Legislation
(IAPP, January 2019)
Guide to the Gramm–Leach–Bliley Act
(IAPP, February 2018)
View More Resources

Federal Trade Commission Developments

The United States’ primary consumer protection agency, the FTC collects complaints about companies, business practices and identity theft under the FTC Act and other laws that they enforce or administer.

FTC signals expanded breach notice obligations

On May 20, 2022, the U.S. Federal Trade Commission staff made a remarkable statement on an agency blog: “In some instances, the FTC Act creates a de facto breach disclosure requirement because the failure to disclose will, for example, increase the likelihood that affected parties will suffer harm.” The blog, signed by the agency’s Team CTO and its Division of Privacy and Identity Protection, is both momentous and frustrating. Momentous because it purports to recognize a breach notification requ... Read More

FTC fines Twitter $150M for deceptive data collection

The U.S. Federal Trade Commission fined Twitter $150 million for using account security data for targeted advertising, in violation of a 2011 order. The FTC said Twitter asked for user phone numbers and email addresses to protect accounts, then allowed advertisers to use the data, affecting 140 million users. In addition to the fine, Twitter is banned from profiting from deceptively collected data, must notify users the data was misused, and implement and maintain a privacy and information secur... Read More

FTC's edtech vote brings consensus, dispute among commissioners

There has been curiosity about how long it would take the U.S. Federal Trade Commission to delve into privacy matters once it had a full bench of commissioners and a Democratic majority. The answer took only three days as the agenda for the first public session following the swearing in of Alvaro Bedoya as the fifth and final FTC commissioner led off with a privacy vote. Surprisingly, FTC Chair Lina Khan did not see a party line vote on this first action with the full bench as commissioners vot... Read More

US Senate confirms Alvaro Bedoya to FTC as fifth and final commissioner

After of a series of delays during the confirmation process, the U.S. Senate approved the nomination of Georgetown University law professor Alvaro Bedoya to fill the remaining commissioner vacancy on the Federal Trade Commission. Bedoya’s confirmation now gives Democratic appointees a 3-2 majority on the FTC’s Board of Commissioners.  In a statement released by Georgetown University Law Center on Privacy and Technology, Bedoya said he is excited to work with his fellow commissioners and "truly ... Read More

Keynote: Lina Khan, Chair of the Federal Trade Commission (IAPP Global Privacy Summit 2022)
(IAPP, April 2022)
FTC chair touts ‘interdisciplinary approach’ to data privacy, security
(IAPP, April 2022)
Key data security insights from FTC CafePress settlement
(IAPP, March 2022)
Hidden privacy lessons in the FTC’s CafePress security enforcement
(IAPP, March 2022)
FTC Consumer Sentinel Network Databook 2021
(FTC, February 2022)
FTC Chair Lina Khan opens up on tech enforcement
(IAPP, January 2022)
Web Conference: Grappling with the FTC’s Safeguards Rule: New Requirements and How to Comply
(IAPP, December 2021)
FTC takes steps toward privacy, AI rulemaking
(IAPP, December 2021)
Why FTC’s GLB Safeguards Rule update is noteworthy
(IAPP, February 2021)
On the horizon: FTC’s Slaughter maps data regulation’s potential future
(IAPP, November 2021)
Connecting the dots: Making sense of recent FTC developments
(IAPP, October 2021)
FTC Staff Report: Examining the Privacy Practices of Six Major Internet Service Providers
(FTC, October 2021)
Important FTC Rules for Health Apps Outside of HIPAA
(Holland & Knight, September 2021)
Democrats urge FTC to begin privacy rulemaking
(IAPP, September 2021)
FTC Report on Privacy and Security
(FTC, September 2021)
FTC Commissioner explores potential AI harms, how FTC can help
(IAPP, August 2021)
FTC’s Khan talks digital platforms’ role in fraud, consumer privacy
(IAPP, July 2021)
Web Conference: FTC Rulemaking: A Solution for Federal Privacy Regulation?
(IAPP, June 2021)
What the FTC could be doing (but isn’t) to protect privacy: The FTC’s Unused Authorites
(Electronic Privacy Information Center, June 2021)
Federal Trade Commission 2020 Privacy and Data Security Update
(FTC, May 2021)
FTC reaches $20M settlement with Vivint Smart Homes over FCRA allegations
(IAPP, April 2021)
Tainted fruit: Disgorgement of data from the FTC and beyond
(IAPP, April 2021)
Lawmakers urge FTC to investigate Google’s marketing of children’s apps
(IAPP, April 2021)
FTC publishes recommendations on AI
(IAPP, April 2021)
FTC Zoom agreement highlights security, dissents foreshadow the importance of privacy in the future
(IAPP, November 2020)
FTC orders Zoom to tighten data security practices
(IAPP, November 2020)
Lawmakers ask FTC to investigate mobile industry’s digital ad-tracking practices
(IAPP, August 2020)
Keeping your shield up: Unpacking the FTC’s Privacy Shield enforcement action
(IAPP, July 2020)
FTC: COPPA Guidance for Ed Tech Companies and Schools during the Coronavirus
(FTC, February 2020)
LinkedIn Live: Discussing the 3 things to know about the FTC-Facebook settlement
(IAPP, July 2019)
LinkedIn Live: Reacting to the FTC-Facebook settlement
(IAPP, July 2019)
The Privacy Advisor Podcast: Is the FTC’s COPPA settlement with Google and YouTube a ‘game-changer’?
(IAPP, September 2019)
What about the kids? FTC begins process of potential COPPA amendments
(IAPP, August 2019)
FTC chair suggests record fines are coming
(IAPP, May 2019)
FTC Model Financial Privacy Forms
(FTC, April 2018)
White Paper – Study: What FTC Enforcement Actions Teach Us About the Features of Reasonable Privacy and Data Security Practices
(IAPP, October 2014)
View More Resources

Other U.S. Government Agency Developments

US Department of Defense – Responsible AI Guidelines

The U.S. Department of Defense’s Defense Innovation Unit released “responsible artificial intelligence” guidelines, required to be used by third-party developers building AI systems for the military. The guidelines cover planning, development and deployment, and include procedures for identifying users of the technology and those who could be harmed by it, as well as potential harms and how to avoid them. Read More

Report shows ICE uses data brokers to access Americans’ personal data

A report from researchers at the Georgetown Law Center on Privacy and Technology claims U.S. Immigration and Customs Enforcement has used private data brokers to access hundreds of millions of Americans’ personal information, The Verge reports. Through public records and collected data, the report says ICE has built a surveillance system with limited oversight. Georgetown Law Policy Associate Nina Wang said ICE has “built up a sweeping surveillance infrastructure that’s capable of tracking almos... Read More

DOJ rolls out cyberfraud enforcement program
(IAPP, October 2021)
Survey: 36% in government sector plan to increase AI investments
(IAPP, October 2021)
Op-ed: IRS surveillance of bank accounts would threaten taxpayer privacy
(IAPP, October 2021)
Senate confirms Rohit Chopra as director of Consumer Financial Protection Bureau
(IAPP, October 2021)
US Census Bureau, USAID urged to improve privacy practices
(IAPP, August 2021)
GAO issues report on government facial recognition use
(IAPP, August 2021)
DOD Inspector General publishes advisory on removing data from Afghanistan
(IAPP, August 2021)
DOJ to study use of AI in analyzing prison phone calls
(IAPP, August 2021)
DHS releases strategic plan on AI, machine learning
(IAPP, August 2021)
U.S. Census Bureau releases differential privacy guidelines
(IAPP, June 2021)
CBP’s asylum seekers app brings privacy concerns
(IAPP, June 2021)
Biden issues EO to boost US cybersecurity
(IAPP, May 2021)
Sens. propose bipartisan bill to update COPPA
(IAPP, May 2021)
DOJ launches task force to address ransomware threats
(IAPP, April 2021)
NIST issues report on IoT home device workshop
(IAPP, April 2021)
Education department probing Florida school’s data sharing
(IAPP, April 2021)
Public should know FISC opinions
(IAPP, April 2021)
FBI accessed computers to delete Microsoft Exchange hacks
(IAPP, April 2021)
For DHS’ Lynn Parker Dupree, CPO role is a homecoming
(IAPP, March 2021)
Credit washing is dirty business
(IAPP, March 2021)
Why the Biden administration should ‘go big’ on global data transfers solution
(IAPP, February 2021)
Kamala Harris to prioritize cybersecurity in US foreign policy
(IAPP, February 2021)
Homeland Security Privacy Office Annual Reports
(US Department of Homeland Security, February 2021)
Biden appoints Christopher Hoff to oversee Privacy Shield talks
(IAPP, January 2021)
Protecting privacy during turbulent times
(IAPP, January 2021)
White House enacts IoT cybersecurity law for federal agencies
(IAPP, December 2020)
How might the 117th Congress approach privacy and cybersecurity?
(IAPP, December 2020)
United States Government Accountability Office — Artificial Intelligence in Health Care
(U.S. GAO, December 2020)
How US, EU approach regulating ‘dark patterns’
(IAPP, December 2020)
What could a Biden administration mean for privacy, cybersecurity?
(IAPP, November 2020)
Senate passes Internet of Things Cybersecurity Improvement Act
(IAPP, November 2020)
Closing in on the US election with voter privacy and election security
(IAPP, October 2020)
U.S. Government white paper: Information on U.S. Privacy Safeguards Relevant to SCCs and Other EU Legal Bases for EU-U.S. Data Transfers after Schrems II
(U.S. Government, September 2020)
The Privacy Advisor Podcast: The US SAFE DATA Act and this week’s Senate hearing
(IAPP, September 2020)
What a time to be the CPO of the CDC
(IAPP, August 2020)
The evolution of the ‘reasonable security’ standard in the US context
(IAPP, June 2020)
Judge finds FBI, NSA violated surveillance laws
(IAPP, September 2020)
DHS seeks increased CBP biometric collection
(IAPP, September 2020)
Schiff, lawmakers accused of protecting unlawful surveillance practices
(IAPP, August 2020)
Contract indicates Secret Service purchased phone location data
(IAPP, August 2020)
Social Media Monitoring: How the Department of Homeland Security Uses Digital Data in the Name of National Security
(Brennan Center for Justice, March 2020)
Senate approves privacy-focused FISA amendment
(IAPP, May 2020)
Republican senators to introduce the COVID-19 Consumer Data Protection Act
(IAPP, May 2020)
The Guide to U.S. Government Practice on Global Sharing of Personal Information, Third Edition
(IAPP, March 2020)
Senate holds ‘paper hearing’ on tracking consumers to fight pandemic
(IAPP, April 2020)
US senators advised to stop using Zoom
(IAPP, April 2020)
Synthetic data offers advanced privacy for the Census Bureau, business
(IAPP, April 2020)
HHS notice on telehealth penalties raises privacy concerns
(IAPP, March 2020)
Takeaways from new White House annual report on AI
(IAPP, February 2020)
LinkedIn Live: Discussing the 3 things to know about the FTC-Facebook settlement
(IAPP, July 2019)
LinkedIn Live: Reacting to the FTC-Facebook settlement
(IAPP, July 2019)
US lawmakers consider whether your data should be a ‘property right’
(IAPP, October 2019)
At US House hearing, lawmakers examine data privacy’s role in competition
(IAPP, October 2019)
Online Trust Audit – 2020 U.S. Presidential Campaigns
(Online Trust Alliance, October 2019)
So the fine is $5B: Does that change anything?
(IAPP, July 2019)
US lawmakers respond to Facebook’s $5B FTC settlement
(IAPP, July 2019)
US Senate hearing puts AI regulation under the microscope
(IAPP, June 2019)
US Senate report criticizes federal agencies’ data protection track record
(IAPP, June 2019)
US Senate grapples with how to regulate AI
(IAPP, June 2019)
At hearing, US sens. incredulous data broker industry didn’t show up
(IAPP, June 2019)
Senate committee imagines future financial privacy rules
(IAPP, May 2019)
How to get ready for potential amendments to US children’s privacy law
(IAPP, March 2019)
How should we regulate facial-recognition technology?
(IAPP, January 2019)
US Supreme Court case may have far-reaching privacy implications
(IAPP, January 2019)
The shutdown’s impact on government privacy work
(IAPP, January 2019)
Toolkit for Recruiting, Hiring, and Retaining Privacy Professionals in the Federal Government
(U.S. Federal Privacy Council, January 2017)
A Sober Look at National Security Agency Access to Data in the Cloud
(Chris Wolf and Winston Maxwell, July 2014)
View More Resources

Laws and Definitions

Bank Secrecy Act, The

A U.S. federal law that requires U.S. financial institutions and money services businesses (MSBs), which are entities that sell money orders or provide cash transfer services, to record, retain and report certain financial transactions to the federal government. This requirement is meant to assist the government in the investigation of money laundering, tax evasion, terrorist financing and various other domestic and international criminal activities. Link to text of law: The Bank Secrecy Act (B... Read More

Children’s Online Privacy Protection Act (COPPA) of 1998

A U.S. federal law that applies to the operators of commercial websites and online services that are directed to children under the age of 13. It also applies to general audience websites and online services that have actual knowledge that they are collecting personal information from children under the age of 13. COPPA requires these website operators: to post a privacy notice on the homepage of the website; provide notice about collection practices to parents; obtain verifiable parental consen... Read More

CIO Council

The CIO Council is the principal interagency forum on Federal agency practices for IT management. Originally established by Executive Order 13011 (Federal Information Technology) and later codified by the E-Government Act of 2002, the CIO Council’s mission is to improve practices related to the design, acquisition, development, modernization, use, sharing and performance of Federal Government information resources.... Read More

Controlled Unclassified Information

A system that standardizes and simplifies the way the executive branch handles unclassified information that requires safeguarding or dissemination controls, pursuant to and consistent with applicable law, regulations, and government-wide policies.  The program emphasizes the openness and uniformity of government-wide practices.  Its purpose is to address the current inefficient and confusing patchwork that leads to inconsistent marking and safeguarding as well as restrictive dissemination polic... Read More