US Data Protection & Privacy: Understanding Compliance

Why US data protection matters: Without proper training, your company could run afoul of complex data protection and privacy laws, leading to employee lawsuits and government fines.

The State of Data Privacy in the US

Here’s the scary part: data collected across the US by the vast majority of products people use every day has no regulation or oversight. Why? The US doesn’t have a General Data Protection Regulation (GDPR) law like Europe—although California has a similar law, the California Consumer Privacy Act (CCPA). 

Instead, we have a confusing mix of federal and state laws, making an acronym soup:

• US Privacy Act: The only one here without an acronym, this law went into effect in 1974 and aims to enhance individual privacy protections. US citizens may request access to their data and correct it if needed. This law also gives people the right to know how businesses are using their data.

• HIPAA: The Health Insurance Portability and Accountability Act safeguards personal medical information. This applies to the healthcare industry but also to any business gathering or collecting healthcare information, like hospitals and insurance companies. 

• FCRA: The Fair Credit Reporting Act covers information in a person’s credit report. You may run a credit check on certain employees if they deal with sensitive data or if you operate in the finance industry. The FCRA protects who can see the credit report and how to disclose the information to the employee.

• FERPA: The Family Educational Rights and Privacy Act restricts access to student educational records. This gives parents, students, and other schools the right to inspect educational records kept by an educational institution.

• GLBA: The Gramm-Leach-Bliley Act applies to financial institutions that collect, use, or disclose personal information. Companies must disclose to consumers what data they’re collecting, how they’re storing it, and what they’re doing with the data. This law doesn’t restrict how companies use data, but rather that they disclose such information.

• COPPA: The Children’s Online Privacy Protection Act applies to any website or online company that collects, uses, or discloses personal information from children under the age of 13. Any company that’s subject to COPPA must have a clear privacy policy describing how data is used and what is collected. The law also requires the company to get parental consent before collecting or using any personal data of a minor.

• FTCA: The Federal Trade Commission Act allows the FTC to charge a website, an app, or its owner when it violates its own privacy policy. 

In most states, companies can use personal data however they like, including selling it without telling consumers. Further, the buyers of consumer data can also turn around and sell it. 

So if there’s so little regulation around consumer data in the US, why are we discussing it? Because there are still some laws that your company needs to know and adhere to, depending on the industry you operate in and the data you may collect from employees and consumers. 

We’re going to focus on your HR team and how they play an integral role in keeping your employee data safe while adhering to compliance standards.

Topics to Cover in US Data Protection Training

Your employees expect that you’ll keep their data secure. You would expect the same of any business you deal with, and it goes well beyond simply protecting digital data.

Storage of Employee Data

Your HR team needs to know what’s employee performance data, personal data, private data, and confidential data. These are all different and should be treated differently. Unsurprisingly, these rules vary by state. Here’s what to consider:

• Employee performance data includes performance reviews, write-ups, and promotion information. This can be kept in their personnel file, accessible to HR.
• Personal employee data are things like their address, contact information, and emergency contacts. This information may also be kept in an employee’s personnel file, but may also be kept separate.
• Private data would be information about an employee’s salary. This isn’t confidential data, but should not be disclosed without the employee’s information. Even though this is private information, it may also be kept in the employee’s personnel file.
• Confidential data is different. It includes health insurance information, medical details (if any), and any accommodation requests. This data should be kept separate from the employee’s personnel file and kept secure.

State Data Privacy Laws

Not every state has its own data privacy and protection laws. Recently, however, more states are jumping into the mix as more consumers are seeking additional protections from online surveillance. 

Email Scams

All employees, especially HR, must be trained on email scams. These phishing emails could infiltrate important and confidential employee data. 

Train employees on how to spot scam emails. Look at the sender address. Look at the text, Is it different from how the person usually types? It’s getting harder to spot these types of cybersecurity scams so take care to ensure your employees know how to spot them and what steps to take.

Password Policies

The same is true of password policies. We know, it’s hard to remember all those passwords, both personal and professional. But if you use the same one over and over, you’re bound to have nightmares if your password is ever breached.

We recommend using a password manager that requires you to remember one strong password. The software then creates and stores hard to breach passwords for you. While nothing is perfect, having a clear password policy and requiring regular changes will help keep your employee’s data secure.

Which Data Privacy Protections Apply to My Company?

It depends. And we know that’s unsatisfying, especially considering the overwhelming confusion with the different laws. To help you understand whether a data protection law applies to you, consider the following:

• If you have a physical location in a state, you’re most likely subject to their state data protection and privacy laws.
• If you have remote employees working in a state, but you don’t have a physical location there, you may be subject to any data protection laws in that state.
• If you operate in certain industries (finance, healthcare, among others), you will have additional data protection laws you’ll need to follow, both at the state and federal levels.

Consequences of Noncompliance

Financial Penalties

Businesses can be subject to financial penalties for non-compliance with US data protection laws. The size of the penalty will depend on the severity and location of the violation, but expect at least several thousand dollars in damages. In addition, companies may be required to pay for any damages that occur as a result of their noncompliance.

Reputational Damage

Another consequence of US data protection law noncompliance is reputational damage. When employees or candidates learn that a company has not been protecting their data properly, they may lose trust in that company. Not only is this loss of trust difficult to regain, it could lead to employee departures and candidates choosing to apply at competing organizations.

Legal Action

Noncompliance with US data protection laws can also lead to legal action. This could take the form of a class-action lawsuit or an investigation by the FTC. If a company is found to have violated data protection laws, they may be required to change their practices and pay a fine. Employees can also sue companies for additional damages, further hurting the finances of the business.

It’s clear to see why US compliance matters, so be sure to take proactive steps to get compliance training in place and ensure your business is up to date on the latest state and federal requirements.

Data Protection Tips for HR Professionals

There are a few simple things you can do to help protect your employees’ data. Make sure that you also communicate these steps to your entire company, letting everyone know that you’re taking steps to protect their data. 

Make sure you have a secure system for storing employee information. This means using a password-protected database or file system that only authorized personnel can access, usually restricting this to HR employees only. 

Encrypt all sensitive employee data so that it’s unreadable if it falls into the wrong hands. If you use software to maintain your HR files, this probably comes standard.

Get rid of any unnecessary employee information that you’re not required by law to keep on file. Having too much data could increase your chances of a breach or mishandling that leads to a lawsuit.

A note about the future of US data protection laws: expect more. As private and sensitive data online becomes more common, it’s increasingly crucial that companies take proactive steps to protect that data. By starting the process now, you ensure your business is ready when new state and federal data privacy laws hit.

Get Data Privacy Training Right with eloomi

Data protection is not only a hot topic, it’s also crucial for HR to understand, develop, and enforce policies to ensure your business stays compliant. Your employees expect you to keep their data safe but too many HR teams simply don’t know what rules they need to abide by or how.

To help your HR team understand the nuances of data protection and privacy in the US, partner with a training platform does the hard work for you, so you can focus on your core business needs. With eloomi, we make sure your compliance training is up to date and contains accurate information to help guide and support your employees.