The U.S. uses a sectoral approach to privacy, protecting certain kinds of industry data, such as financial and medical and health information, through self-regulation and regulatory enforcement actions. The U.S. also protects various types of information under both federal and state laws, such as school records, insurance documents, driver's license and cable television records, credit information, employment data, Social Security numbers, mailing lists and telephone records.
The only omnibus protections to personal data are those granted through the Privacy Act of 1974, which only applies to personal information collected by the U.S. government. In addition, because the U.S. is a "common law" jurisdiction, it has another layer of privacy law that has been created through court decisions and administrative orders.
Since the privacy uproar two years ago over Choice-Point's sale of consumer PII to a criminal organization, state action has been propelling privacy in the U.S., particularly in the area of security breach notification laws. At that time, California was the only state to require notification of unencrypted PII that was subject to a breach. By last October, 33 more states had passed some form of breach notification law.
Consistency, however, is not a hallmark of these laws. Some have strong consumer protections, requiring prompt notification, whereas others are "risk-based" with some analysis of risk of harm determining whether notification is required. In addition, some laws apply to private sector entities or state agencies, but not both, and others may exempt certain entities, such as financial institutions.
