Over the last 20 years, international concern about citizen data privacy on the Internet has grown into a patchwork of national and regional legislation. In addition to the U.S., both federally and the 50 states, there are laws in the European Union, Israel, Argentina, Canada, Australia and various other countries. Each country follows a different approach. The U.S., the European Union and Israel provide good examples of how these different national approaches vary.
The U.S. does not provide a single consumer data protection law. Instead, there is a patchwork of different industry specific state and federal privacy laws and court-based decisions. For example, at the federal level, these laws include the Electronic Funds Transfer Act for money transfers, the Fair Credit Reporting Act for credit information, the Health Insurance Portability and Accountability Act for medical information. At the state level, there are the Oklahoma Bill 1989 on student information and Vermont Law 69 on digital tracking of license plate information. Several states now require data services providers to notify the user of an unauthorized access. New Jersey, Connecticut, Puerto Rico and several others mandate a risk-harm analysis. Based on legislation alone, a U.S. company needs to consider what industry it is in, where it is incorporated and what state the affected consumer, customer or client resides in to adequately assess its potential obligations and liabilities.
