An illustration of a person in front of a computer screen with an eye on the screen.
Illustration: Giacomo Bagnara

“There are shockingly few legal privacy protections in the United States,” says Maureen Mahoney, a policy analyst at Consumer Reports.

No federal law provides the kind of broad consumer rights granted in 2018 by the European Union’s General Data Protection Regulation. But scandals involving Facebook, Google, and other tech giants are helping to raise interest in such legislation.

For instance, 63 percent of Facebook users say the company shouldn’t be allowed to collect data on them when they’re not using Facebook, according to a January 2019 CR nationally representative survey of more than 2,000 U.S. adults.

“We still have a long way to go nationally,” Mahoney says. “But a number of state legislatures have stepped up and passed privacy laws of their own.” (See details, below.)

For now, the following national laws provide some protections for consumers.

Federal Trade Commission Act

This law prohibits “unfair or deceptive” business practices. That means companies are prohibited from making misleading statements about how they handle your data.

But as long as they adhere to the terms in their privacy policies and user agreements, which can be vague and filled with jargon, the companies are mostly free to collect and use information as they see fit.

It wasn’t the voluminous data gathering or the way information was shared that led to Facebook’s recent $5 billion settlement with the FTC. It was the misleading statements the company made about the control that consumers had over that personal information.

Health Insurance Portability and Accountability Act

HIPAA limits what healthcare providers can do with your medical data, preventing doctors, insurance companies, and billing firms from disclosing that info without permission. But it doesn't necessarily protect info collected by a smartwatch, reproductive health app, or direct-to-consumer genetic testing service. Unless the info ends up in a healthcare provider’s files, it has the same limited protections as other data about you.

Children’s Online Privacy Protection Act

COPPA requires companies to get verifiable parental consent before collecting info from children younger than 13. Firms must also explain how the data might be used, properly secure the information, and provide parents with the means to delete it. Yet once consent is granted, such data is fair game, albeit generally off-limits to third parties. The problem is that digital toys and apps are often useless without a quick sign-off. Additionally, YouTube has been accused of violating COPPA. Despite its many child-oriented videos, YouTube says in its terms of service that the site is intended for teens and adults.

What's Next?

A number of states are pressing ahead with laws that could become models for national legislation. Here are a few examples:

California
The California Consumer Privacy Act is on track to become the country’s most sweeping privacy law when it takes effect Jan. 1. The law gives consumers the right to access, delete, and opt out of the sale of personal data.

Illinois
The Biometric Information Privacy Act, passed in 2008, governs companies that collect and use fingerprints and facial recognition data. Amazon, Facebook, Google, and Six Flags have been sued over alleged violations. Texas and Washington have similar laws, minus the individual’s right to sue.

Maine
The Act to Protect the Privacy of Online Customer Information, signed into law this year, places new restrictions on the state’s internet service providers. They generally can’t use or sell residents’ personal information unless the customer opts in. And they can’t charge people more for refusing.

Oregon
HB 2395 mandates “reasonable security features” for most products that connect to the web. That can include supplying unique passwords or requiring users to create one, practices that could help prevent malicious strangers from hijacking baby monitors and home security cameras.

Vermont
Act 171 of 2018 is the country’s only law to specifically regulate data brokers, those companies that stealthily collect and monetize people’s personal information. The firms are required to register with the state and provide annual updates on their business practices.

Editor's Note: This article also appeared in the October 2019 issue of Consumer Reports magazine.