{"id":139518,"date":"2026-04-22T09:25:43","date_gmt":"2026-04-22T09:25:43","guid":{"rendered":"https:\/\/my.legal500.com\/guides\/?post_type=comparative_guide&#038;p=139518"},"modified":"2026-04-22T09:51:25","modified_gmt":"2026-04-22T09:51:25","slug":"united-states-data-protection-cybersecurity","status":"publish","type":"comparative_guide","link":"https:\/\/my.legal500.com\/guides\/chapter\/united-states-data-protection-cybersecurity\/","title":{"rendered":"United States: Data Protection &amp; Cybersecurity"},"content":{"rendered":"","protected":false},"template":"","class_list":["post-139518","comparative_guide","type-comparative_guide","status-publish","hentry","guides-data-protection-cybersecurity","jurisdictions-united-states"],"acf":[],"appp":{"post_list":{"below_title":"<div class=\"guide-author-details\"><span class=\"guide-author\">White &amp; Case<\/span><span class=\"guide-author-logo\"><img src=\"https:\/\/my.legal500.com\/guides\/wp-content\/uploads\/sites\/1\/2019\/03\/White-Case-Firm-Logo-200x200-1.jpg\"\/><\/span><\/div>"},"post_detail":{"above_title":"<div class=\"guide-author-details\"><span class=\"guide-author\">White &amp; Case<\/span><span class=\"guide-author-logo\"><img src=\"https:\/\/my.legal500.com\/guides\/wp-content\/uploads\/sites\/1\/2019\/03\/White-Case-Firm-Logo-200x200-1.jpg\"\/><\/span><\/div>","below_title":"<span class=\"guide-intro\">This country specific Q&amp;A provides an overview of Data Protection &amp; Cybersecurity laws and regulations applicable in United States<\/span><div class=\"guide-content\"><div class=\"filter\">\r\n\r\n\t\t\t\t<input type=\"text\" placeholder=\"Search questions and answers...\" class=\"filter-container__search-field\">\r\n\t\t\t<\/div>\r\n\r\n\t\t\t\r\n\r\n\r\n\t\t\t<ol class=\"custom-counter\">\r\n\r\n\t\t\t\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">Please provide an overview of the legal and 
regulatory framework governing data protection, privacy and cybersecurity in your jurisdiction (e.g., a summary of the key laws; who is covered; what sectors, activities or data do they regulate; and who enforces the relevant laws).<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>The U.S. adopts a sector-specific and state-driven approach to data privacy and cybersecurity, rather than a single, overarching federal data protection law. At the federal level, the legal framework is sectoral, with different laws applying to particular industries and types of data. In contrast, at the state level, a growing number of states have adopted comprehensive privacy laws that offer broad protection for residents\u2019 personal data across all sectors.<\/p>\n<p>At the federal level, several key laws govern data protection and privacy. Section 5 of the Federal Trade Commission (FTC) Act prohibits \u201cunfair or deceptive acts or practices\u201d in commerce, which the FTC uses to protect consumers from companies with inadequate privacy and cybersecurity practices. The Health Insurance Portability and Accountability Act (HIPAA) sets privacy and cybersecurity standards for health-related data, applies to healthcare providers, medical insurers, and business associates, and is enforced by the Office for Civil Rights of the Department of Health and Human Services. The Gramm-Leach-Bliley Act (GLBA) imposes privacy and cybersecurity standards on financial institutions, regulating their handling of non-public personal information, while the Children\u2019s Online Privacy Protection Act (COPPA) focuses on the collection of data from children under 13. Both GLBA and COPPA are enforced by the FTC. 
The Fair Credit Reporting Act (FCRA) governs the collection and protection of consumer credit information, and the Electronic Communications Privacy Act (ECPA) regulates the interception of electronic communications.<\/p>\n<p>On the state level, all states impose obligations on entities to notify affected individuals of data breaches, and most states require businesses to maintain \u201creasonable security\u201d to safeguard personal information. Many U.S. states have introduced their own data privacy laws. The California Consumer Privacy Act (CCPA) is one of the most prominent, giving California residents rights to access, delete, correct, and opt out of the sale of their personal information. The law applies to businesses that collect data from California residents and meet certain criteria, such as revenue, data sales or data volume thresholds. Since the CCPA became effective, a number of states have passed comprehensive data privacy laws, including: Virginia (Virginia Consumer Data Protection Act), Colorado (Colorado Privacy Act), Connecticut (Connecticut Data Privacy Act), Delaware (Delaware Personal Data Privacy Act), Indiana (Indiana Consumer Data Protection Act), Iowa (Iowa Consumer Data Protection Act), Kentucky (Kentucky Consumer Data Protection Act), Maryland (Maryland Online Data Privacy Act), Minnesota (Minnesota Consumer Data Privacy Act), Montana (Montana Consumer Data Privacy Act), Nebraska (Nebraska Data Privacy Act), New Hampshire (New Hampshire\u2019s SB 255), New Jersey (New Jersey\u2019s SB 332), Oklahoma (Oklahoma\u2019s SB 546), Oregon (Oregon Consumer Privacy Act), Rhode Island (Rhode Island Data Transparency and Privacy Protection Act), Tennessee (Tennessee Information Protection Act), Texas (Texas Data Privacy and Security Act), and Utah (Utah Consumer Privacy Act). 
With a few exceptions, most notably enforcement by the California Privacy Protection Agency (CPPA), most comprehensive state data privacy laws are enforced by state attorneys general.<\/p>\n<p>As a result of this wave of legislation, nearly half of the U.S. population will be protected by a comprehensive state privacy law by 2026. Meanwhile, several other states, including Alabama, Alaska, Arizona, Arkansas, Georgia, Hawaii, Illinois, Louisiana, Maine, Massachusetts, Michigan, Mississippi, New Mexico, New York, North Carolina, Pennsylvania, South Carolina, and Vermont, are actively considering similar privacy regulations.<\/p>\n<p>Finally, there are sector-specific laws at the state level as well. Biometric data regulation remains active under the Illinois Biometric Information Privacy Act, the Texas Capture or Use of Biometric Identifier Act, and the Washington Biometric Privacy Protection Act. Connecticut (2023), Nevada (2024), and Washington (2023) have also implemented comprehensive consumer health privacy laws. Further, the New York Department of Financial Services requires covered banking, insurance and financial services entities to comply with specific cybersecurity requirements covering their IT systems and associated data.<\/p>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">Are there any expected changes in the data protection, privacy or cybersecurity landscape in 2025 - 2026 (e.g., new laws or regulations coming into effect, enforcement of such laws and regulations, expected regulations or amendments)?<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>On a state level, 2026 is likely to continue 2025\u2019s overall trend toward more diverse and comprehensive regulation of data protection, privacy, and cybersecurity. 
Indiana, Rhode Island and Kentucky have data privacy laws that became effective on January 1, 2026, and in March 2026 Oklahoma became the latest state to enact a data privacy law. At the federal level, however, there is still no comprehensive data privacy law. The current FTC Commissioner, Andrew Ferguson, is more likely to rely on case-by-case enforcement than to push for broad-ranging new legislation.<\/p>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">Are there any identifiable trends or regulatory priorities in privacy, data protection and\/or cybersecurity-related enforcement activity in your jurisdiction?<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>California continues to refine its privacy regime through recently amended final regulations to the CCPA, addressing automated decision-making technology (ADMT) access and opt-out rights, as well as risk assessments and cybersecurity audits. In light of the current federal administration\u2019s reluctance to regulate artificial intelligence, illustrated by President Trump\u2019s December 2025 Executive Order, <em>Ensuring a National Policy Framework for Artificial Intelligence<\/em>, states are expected to continue filling the regulatory gap, including by imposing guardrails on the use of ADMT.<\/p>\n<p>Regarding enforcement, actions by state attorneys general are expected to increase, with multi-jurisdictional collaborations becoming commonplace, especially in areas of shared concern such as the adequacy of consumer choice mechanisms and children\u2019s privacy. Further, the cure provisions under certain state comprehensive privacy laws, such as Oregon\u2019s Consumer Privacy Act, have lapsed, which could spur additional enforcement. 
On the federal level, the FTC has signaled increased scrutiny of businesses processing children\u2019s information as it focuses on minors\u2019 data through strict enforcement of updated COPPA regulations, which include enhanced transparency obligations and limits on cross-platform sharing of minors\u2019 data.<\/p>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">Are there any registration or licensing requirements for entities covered by these data protection and cybersecurity laws, and if so what are the requirements? Are there any exemptions? What are the implications of failing to register \/ obtain a licence?<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>In the United States, the regulatory framework for data protection and cybersecurity does not typically require businesses to register or obtain a license to operate under most data privacy laws. However, some states impose registration requirements in certain sectors or for specific activities, including on data brokers and on covered financial, banking and insurance entities.<\/p>\n<p>Data brokers are businesses that knowingly collect and sell or license personal consumer information; such businesses usually lack a direct relationship with consumers. Such information can be gathered privately via other brokers or publicly from public records, social media, and websites. Brokered information includes personal information of the consumer collected for dissemination to third parties. States have taken the lead in regulating data brokers. Vermont enacted its Data Broker Act in 2019, requiring data brokers to register annually with the state, implement security measures, and disclose specific information. 
Texas and Oregon followed, passing their own data broker registration laws in 2022 and 2023. California enacted the current version of its Data Broker Registration Law in 2023. The California Data Broker Registration Law requires data brokers to register and to honor consumer rights requests submitted under the CCPA: the right to know how a business uses and shares the personal information it collects, the right to request deletion of personal information, the right to opt out of the sale and sharing of information, and the right to non-discrimination for exercising CCPA rights. Additionally, under 23 NYCRR 500, covered entities, including banks, insurance companies, mortgage lenders, and other financial services providers licensed by the New York Department of Financial Services (NYDFS), are required to submit an annual certification of compliance to the NYDFS, attesting to their adherence to the regulation\u2019s cybersecurity requirements. Failure to register or to obtain a required license is treated as a violation of the relevant law.<\/p>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">What does \u201cpersonal data,\u201d \u201cpersonal information\u201d or other equivalent terms (hereafter \u201cpersonal data\u201d) mean under data protection laws in your jurisdiction? Does the definition broadly include information about all individuals? 
For example, would this include individuals acting in a personal or household capacity, as well as those acting in a business or commercial capacity (such as on behalf of a business or corporate entity or employer) or otherwise?<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>In the United States, there is no single federal definition of \u201cpersonal data\u201d or \u201cpersonal information.\u201d Instead, \u201cpersonal data\u201d (or \u201cpersonal information\u201d) is defined across a patchwork of federal sector-specific statutes and state-level comprehensive privacy laws. Personal information is defined differently under the healthcare, financial and children\u2019s privacy laws. The most widely applicable state-level definition is found in the CCPA, which broadly defines personal information as any information that identifies, relates to, or could reasonably be linked to a particular consumer or household. In addition, most state privacy laws cover individuals acting in both personal and household capacities. Notably, the scope of the CCPA includes individuals acting in a commercial capacity as well, while other states exclude B2B data from the scope of their privacy laws.<\/p>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">Are certain types of personal data considered more sensitive or highly regulated under data protection laws in your jurisdiction? 
Please include the relevant defined terms for such data (e.g., \u201cspecial categories of personal data,\u201d \u201csensitive data\u201d or \u201csensitive personal information\u201d)?<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>Several federal laws regulate specific types of personal data without any single overarching federal definition of sensitive personal data: HIPAA governs Protected Health Information, the GLBA covers nonpublic personal information (NPI), and COPPA imposes heightened requirements on the \u201cpersonal information\u201d of children under the age of 13.<\/p>\n<p>In addition, the Federal Trade Commission, in guidance and regulatory enforcement actions under Section 5 of the Federal Trade Commission Act, has identified various types of personal data as sensitive information, including financial information, children\u2019s information, health information, browsing data, geolocation data, biometric data, viewing data and certain personal identifiers (such as Social Security or driver\u2019s license numbers).<\/p>\n<p>At the state level, California\u2019s CCPA defines \u201csensitive personal information,\u201d and affords consumers the right to limit its use. 
Most other state comprehensive privacy laws, including those enacted in Virginia, Colorado, Connecticut, and Texas, instead adopt the terminology \u201csensitive data\u201d or \u201csensitive personal data.\u201d Across these state frameworks, the categories most consistently recognized as sensitive and subject to heightened protections include protected health data, biometric data, financial data, geolocation data, children\u2019s data, and browsing data.<\/p>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">What principles apply to the processing of personal data in your jurisdiction? For example: is it necessary to establish a \u201clegal basis\u201d for processing personal data?; are there specific transparency requirements?; must personal data only be kept for a certain period? Please provide details of such principles.<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>The United States data privacy framework, at both the state and federal level, is generally derived from the Fair Information Practice Principles (FIPPs). Such principles provide for:<\/p>\n<ul>\n<li>Transparency. Organizations should be transparent about information policies and practices with respect to PII, and should provide clear and accessible notice regarding creation, collection, use, processing, storage, maintenance, dissemination, and disclosure of PII.<\/li>\n<li>Individual Participation. Organizations should involve the individual in the process of using PII and, to the extent practicable, seek individual consent for the creation, collection, use, processing, storage, maintenance, dissemination, or disclosure of PII. 
Organizations should also establish procedures to receive and address individuals\u2019 privacy-related complaints and inquiries.<\/li>\n<li>Purpose Specification. Organizations should provide notice of the specific purpose for which PII is collected and should only use, process, store, maintain, disseminate, or disclose PII for a purpose that is explained in the notice and is compatible with the purpose for which the PII was collected, or that is otherwise legally authorized.<\/li>\n<li>Minimization. Organizations should only create, collect, use, process, store, maintain, disseminate, or disclose PII that is directly relevant and necessary to accomplish a legally authorized purpose, and should only maintain PII for as long as is necessary to accomplish the purpose.<\/li>\n<li>Use Limitation. Organizations should use PII solely for the purposes specified in the notice.<\/li>\n<li>Quality and Integrity. Organizations should create, collect, use, process, store, maintain, disseminate, or disclose PII with such accuracy, relevance, timeliness, and completeness as is reasonably necessary to ensure fairness to the individual.<\/li>\n<li>Security. Organizations should establish administrative, technical, and physical safeguards to protect PII commensurate with the risk and magnitude of the harm that would result from its unauthorized access, use, modification, loss, destruction, dissemination, or disclosure.<\/li>\n<li>Accountability. Organizations should be accountable for complying with these principles and applicable privacy requirements, and should appropriately monitor, audit, and document compliance. 
Organizations should also clearly define the roles and responsibilities with respect to PII for all employees and contractors and should provide appropriate training to all employees and contractors who have access to PII.<\/li>\n<\/ul>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">Are there any circumstances for which consent is required or typically obtained in connection with the processing of personal data? What are the rules relating to the form, content and administration of such consent? For instance, can consent be implied, incorporated into a broader document (such as a terms of service) or bundled with other matters (such as consents for multiple processing operations)?<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>In the United States, consent is context specific. Unlike the European Union\u2019s GDPR, which requires a legal basis for all data processing activities, U.S. privacy law generally does not mandate consent as a universal prerequisite. Instead, consent is required or typically obtained in certain circumstances, especially when dealing with sensitive data or particular types of consumers. Protected health information, biometric data, financial information, geolocation data, children\u2019s data, genetic data, browsing data and viewing data are all considered sensitive data that generally require notice and affirmative consent prior to collection and processing. 
Children\u2019s data in particular requires verifiable parental consent before collecting personal data from children under the age of 13.<\/p>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">What special requirements, if any, are required for processing particular categories of personal data (e.g., health data, children\u2019s data, special category or sensitive personal data, etc.)? Are there any prohibitions on specific categories of personal data that may be collected, disclosed, or otherwise processed?<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>As discussed in Question #8 above, protected health information, biometric data, financial information, geolocation data, children\u2019s data, genetic data, browsing data and viewing data are all considered sensitive data that generally require notice and affirmative consent.<\/p>\n<p>COPPA further protects children\u2019s online privacy by imposing specific requirements on website operators with regard to the collection, use and sharing of children\u2019s data. Such requirements include obtaining verifiable parental consent, providing notice of the website operator\u2019s children\u2019s data processing practices, giving parents the right to withdraw consent, imposing data minimization requirements, and banning the use of children\u2019s data for targeted advertising. Maryland has also enacted the \u201cKids Code,\u201d and Connecticut amended its Consumer Data Protection Act to include similar protections for children\u2019s personal information.<\/p>\n<p>The Illinois Biometric Information Privacy Act regulates the collection, use, and storage of biometric data. 
Companies must obtain an individual\u2019s written consent before that individual\u2019s biometric data can be collected, and must provide notice of the purpose and duration of data collection, storage, and use. While Texas and Washington also have laws covering biometric data, the Illinois Biometric Information Privacy Act has often been regarded as presenting the greatest risk to entities processing biometric data due to its consumer private right of action.<\/p>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">Do the data protection laws in your jurisdiction have special or particular requirements, restrictions, or rules regarding the collection, use, disclosure or processing of personal information from or about children or minors? If so, what is the age threshold and key requirements\/restrictions that go beyond those applicable, generally?<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>As discussed in Question #9 above, COPPA safeguards children\u2019s online privacy by imposing specific obligations on website operators with respect to the collection, use, and sharing of personal data relating to children under the age of 13. These obligations include obtaining verifiable parental consent, providing notice of the operator\u2019s data processing practices concerning children, affording parents the right to withdraw consent, implementing data minimization requirements, and prohibiting the use of children&#8217;s data for targeted advertising. At the state level, several states have enacted laws designed to regulate the collection and processing of children&#8217;s personal data. 
For example, Maryland has enacted the Maryland Age-Appropriate Design Code Act to incorporate certain protections for children&#8217;s personal information.<\/p>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">Do the data protection laws in your jurisdiction include any derogations, exemptions, exclusions or limitations other than those already described? If so, please describe the relevant provisions.<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>U.S. federal and state privacy laws typically include a number of exclusions and limitations. If an entity complies with related obligations under sector-specific federal laws, such as HIPAA, the GLBA, the FCRA, and other federal regulations, the entity or the related data may be exempt from similar requirements under applicable state laws.<\/p>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">Does your jurisdiction require or recommend privacy risk or impact assessments in connection with personal data processing activities and, if so, under what circumstances? How are these assessments typically carried out?<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>Yes, risk or impact assessments are required under various state and federal data privacy laws. At the federal level, both HIPAA and the GLBA require risk analyses, to assess and safeguard PHI and to protect financial data respectively. 
Additionally, the CCPA regulations have recently been amended to provide for specific requirements for businesses to perform privacy risk assessments for processing activities that present a \u201csignificant risk\u201d to consumer privacy, such as selling data or handling sensitive information. Typically, these assessments involve identifying data processing activities, evaluating the necessity and proportionality of data use, assessing risks associated with such processing activity, implementing mitigation measures, and documenting the process for future review.<\/p>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">Are there any specific codes of practice, or self-regulatory codes applicable in your jurisdiction regarding the processing of personal data (e.g., codes of practice for processing children\u2019s data or health data)?<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>The U.S. does not typically have codes of practice for processing of personal data. However, the processing of personal information is subject to different laws as mentioned above.<\/p>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">Are organisations required to maintain any records of their data processing activities or establish internal processes or written documentation? If so, please describe how businesses typically meet such requirement(s).<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>U.S. 
data privacy laws do not typically require that an organization maintain a record of data processing activities, but some laws impose other record keeping requirements. For example, the CCPA requires that a business maintain a log of all consumer requests.<\/p>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">Do the data protection laws in your jurisdiction specifically impose data retention limitations? If so, please describe such requirement(s).<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>In the U.S., there is no single comprehensive federal law imposing uniform data retention limitations. HIPAA requires protected health information to be retained for a minimum of six years. At the state level, most comprehensive privacy laws incorporate data minimization principles that implicitly limit retention to what is necessary for the stated data processing purpose.<\/p>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">Under what circumstances is it required or recommended to consult with the applicable data protection regulator(s)?<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>The U.S. does not have an overall framework for companies to schedule a consultation with the applicable data protection regulators. However, many state breach notification laws require companies to notify the state Attorney General office of a data breach and to provide additional information upon request by the state Attorney General. 
In addition, state Attorneys General tasked with enforcing comprehensive state data privacy laws may send notice-of-violation letters to businesses in an effort to understand the nature of, and reason for, any violation of the applicable data privacy law. Similarly, at the federal level, various regulators will issue requests for information relating to a potential violation of applicable data privacy laws, including COPPA, GLBA and HIPAA.<\/p>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">Do the data protection laws in your jurisdiction require the appointment of a data protection officer, chief information security officer, or other person responsible for data protection? If so, what are their legal responsibilities?<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>While no overarching federal law in the U.S. mandates appointing a formal data protection officer or information security officer, several sectoral data privacy regulations mandate appointing an officer in charge of maintaining information security programs for sector-specific tasks. For instance, the GLBA mandates the appointment of a Chief Information Security Officer who oversees the organization\u2019s information security program, and whose duties also include regular written risk assessments, mitigating identified risks, and presenting regular reports to the governing body. 
Similarly, HIPAA requires the appointment of a Privacy Officer, an employee who monitors the company to ensure that individuals\u2019 health-related information is stored, processed, and released in compliance with HIPAA.<\/p>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">Do the data protection laws in your jurisdiction require or recommend employee training related to data protection? If so, please describe such training requirement(s) or recommendation(s).<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>While no overarching federal law in the U.S. mandates data protection training for employees, organizations handling sensitive data or subject to certain regulations like HIPAA must implement training programs and protect sensitive information. HIPAA requires a covered entity to train all members of its workforce on policies and procedures as necessary and appropriate for the members of the workforce to carry out their functions. In addition, a covered entity or business associate must \u201cimplement a security awareness and training program for all members of its workforce including management\u201d to comply with the HIPAA Security Rule. Additionally, training may be required to ensure businesses\u2019 ability to respond to consumer rights requests under comprehensive state data privacy laws.<\/p>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">Do the data protection laws in your jurisdiction require controllers to provide notice to data subjects of their processing activities? 
If so, please describe such notice requirement(s) (e.g., posting an online privacy notice).<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>Yes. Both federal and state-level data protection laws require controllers to provide notice to data subjects of their processing activities.<\/p>\n<p>At the federal level, the FTC requires companies to provide notice of their processing activities to consumers, and to ensure that such notice is accurate and transparent about their processing practices. Businesses typically satisfy this requirement by posting a privacy policy.<\/p>\n<p>At the state level, all comprehensive state data privacy laws require businesses to provide specific notices and disclosures regarding the business\u2019s data collection, processing and sharing activities, as well as controls to enable the consumer to exercise choices regarding personal information. Under the CCPA, for example, businesses must provide consumers with clear and conspicuous notices regarding the types of personal information collected, their usage, and consumers\u2019 rights, which include the rights to opt out and to know. Such notices must be included in a privacy policy and a notice at collection that is given to consumers before or at the point of data collection.<\/p>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">Do the data protection laws in your jurisdiction distinguish between the responsibilities of \u201ccontrollers\u201d and those of \u201cprocessors\u201d (or equivalent terms) of personal data? 
If so, how are such terms defined and what are the key distinctions between the obligations of controllers and processors (or equivalent terms)?<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>In the United States, the controller\/processor distinction from the GDPR framework is not uniformly adopted across federal or state law, though several state comprehensive privacy laws have introduced analogous concepts. Typically, a \u201ccontroller\u201d designates an entity that determines the purpose and means of processing personal data. Controllers are primarily responsible for providing notice of data processing practices to consumers, honoring consumer rights requests and executing compliant data processing agreements with processors. In contrast, a \u201cprocessor\u201d processes personal information on behalf of the controller under vendor contractual terms in data processing agreements. Processors are responsible for complying with the specific data processing instructions and limitations, as well as the privacy and security requirements, under data processing agreements with controllers, which may include assisting the controller with responding to consumer rights requests.<\/p>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">Please describe any restrictions on monitoring, automated decision-making or profiling in your jurisdiction, including through the use of tracking technologies such as cookies. How are these or any similar terms defined?<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>Although not addressed comprehensively at the federal level, most U.S. 
comprehensive state data privacy laws provide consumers the right to opt out of the use of their personal information for profiling using automated decision-making technology. In addition, regulations governing automated decision-making tools (ADMT) have been finalized under the CCPA. A business using ADMT must provide a pre-use notice on the purpose, training, and use scenario of the ADMT, along with a reminder that the consumer has CCPA rights to opt out of ADMT and to access information about the ADMT and its typical processes, and a statement that businesses cannot retaliate against consumers for exercising these rights. The business must then provide an easy way for consumers to opt out of the business\u2019s use of ADMT. If the consumer does not opt out, the business must make easily accessible information on how the company has used the ADMT.<\/p>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">Do the laws in your jurisdiction include specific rules, requirements or regulator guidance regarding the use of cookies, pixels, online tracking and\/or targeted advertising? Please describe any restrictions on targeted advertising and\/or cross-context behavioral advertising. How are these terms or any similar terms defined?<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>Beginning with California, many comprehensive U.S. state privacy laws require controllers (or businesses) to provide consumers with the right to opt out of the sale of their personal information. These state laws define sale very broadly to include facilitating activities such as cross-context behavioral advertising or targeted advertising. The CCPA defines \u201ccross-context behavioral advertising\u201d as advertising based on consumer activity across non-affiliated businesses or websites. 
California residents can opt out of the sale and sharing of their personal information for these purposes. Businesses must provide links to allow consumers to request that their information not be sold or shared. Most comprehensive U.S. data privacy laws allow consumers to opt out of targeted advertising and personal data sales.<\/p>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">Do the data protection laws in your jurisdiction specifically restrict or regulate the \u201csale\u201d of personal data and\/or \u201cdata brokers\u201d? How is \u201csale\u201d and\/or \u201cdata broker\u201d (or similar\/related terms) defined?<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>As noted in Question #4, several states require data brokers to register and obtain a license to carry on the business of selling personal data.<\/p>\n<p>In addition, the Department of Justice has recently issued a final rule, known as the \u201cBulk Data Rule,\u201d implementing Executive Order 14117 from the Biden administration to restrict the transfer of bulk sensitive personal data and government-related data to countries and persons of concern. The relevant countries of concern are China (including Hong Kong and Macau), Russia, Iran, North Korea, Cuba, and Venezuela; individuals with significant ties to these nations are similarly under scrutiny. Although \u201csale\u201d is not explicitly defined in the Bulk Data Rule, the rule prohibits data brokerage transactions involving bulk sensitive U.S. 
data or government-related data to companies or residents of the above-mentioned countries. The term \u201cdata brokerage\u201d means the sale of data, licensing of access to data, or similar commercial transactions.<\/p>\n<p>The CCPA is the most commonly referenced legislation on the sale of personal information. Under the CCPA, a \u201csale\u201d of personal data is broadly defined to include the \u201cselling, renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating orally, in writing, or by electronic or by other means\u201d a consumer\u2019s personal data to another business or third party \u201cfor monetary or other valuable consideration.\u201d<\/p>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">Do the data protection laws in your jurisdiction specifically regulate or restrict marketing and electronic communications, including telemarketing\/telephone solicitations and \u2018robocalls\u2019, email marketing, SMS\/text messaging or other direct marketing? Please provide an overview.<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>The TCPA was passed in 1991 and restricts certain telemarketing phone calls, text messages, and faxes, as well as the use of automated dialing systems and artificial or prerecorded voice messages, except where a business obtains explicit written consent from the consumer for robocalls or calls with prerecorded voice messages.<\/p>\n<p>The CAN-SPAM Act, enacted by Congress in 2003, established a national standard for regulating commercial email communications. 
The Act prohibits the use of deceptive or misleading header information and subject lines, requires that commercial emails include accurate identifying information, such as a valid physical postal address, and mandates that businesses provide an opt-out mechanism and honor opt-out requests by refraining from sending further emails to recipients who have unsubscribed.<\/p>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">Do the data protection laws in your jurisdiction regulate, restrict or impose specific obligations on the processing of biometric data, such as facial recognition? If so, how are the relevant terms defined? Are these obligations focused on the collection, use and processing of unique biometric \u2018identifiers\u2019 (rather than any sort of biometric measurements)?<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>Biometric data is typically defined as data or characteristics about the behavioral and physiological identifiers of individual people, including fingerprints, DNA (in blood, skin, bone, etc.), facial recognition, voice matching, iris pattern, etc. The most significant law is Illinois\u2019 BIPA, which focuses specifically on unique biometric identifiers such as fingerprints, retina scans, and face geometry scans. 
Most state comprehensive privacy laws (such as the CCPA) also include biometric data within their definition of sensitive personal information, but tend to define it more broadly than dedicated biometric statutes, and cover biometric data reasonably usable to identify an individual.<\/p>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">Are there any data protection laws in your jurisdiction that specifically address or apply to artificial intelligence or machine learning (\u201cAI\u201d)? If so, do these laws specifically apply to the processing of personal information related to AI, or more broadly?<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>Currently, there is no comprehensive federal legislation or regulation in the US that regulates the development of AI or specifically prohibits or restricts its use. However, in December 2025, President Trump issued an Executive Order, <em>Ensuring a National Policy Framework for Artificial Intelligence<\/em>, which signaled a federal preference for a light-touch, innovation-friendly approach to AI governance. Notably, the Executive Order expressed a desire to establish a unified national policy framework and to preempt state-level efforts to regulate AI.<\/p>\n<p>Existing US federal laws have limited application to AI. 
A non-exhaustive list of key examples includes:<\/p>\n<ul>\n<li>Federal Aviation Administration Reauthorization Act, which includes language requiring review of AI in aviation.<\/li>\n<li>National Defense Authorization Act for Fiscal Year 2019, which directed the Department of Defense to undertake various AI-related activities, including appointing a coordinator to oversee AI activities.<\/li>\n<li>National AI Initiative Act of 2020, which focused on expanding AI research and development and created the National Artificial Intelligence Initiative Office, which is responsible for &#8220;overseeing and implementing the US national AI strategy.&#8221;<\/li>\n<\/ul>\n<p>Colorado became the first state to enact a comprehensive AI law, the Colorado Artificial Intelligence Act, which became effective on February 1, 2026. The main focus is on high-risk artificial intelligence systems, defined as systems that make or contribute substantially to a \u201cconsequential decision,\u201d generally taking place in education, employment, financial services, housing, health care, or legal services. The law imposes obligations to document, timely disclose, analyze and mitigate risk, and to take other actions for high-risk AI systems, on both developers (an individual or entity doing business in Colorado developing or intentionally and substantially modifying a high-risk AI system) and deployers (an individual or entity doing business in Colorado deploying a high-risk AI system). It further requires deployers to give notice to consumers who are interacting with any AI system. Notwithstanding the federal administration&#8217;s stated preference for preempting state AI regulation, other states have been active in proposing and enacting laws influencing or regulating the AI space. For example, Utah enacted the Artificial Intelligence Policy Act, which requires individuals and entities to disclose the use of GenAI in communications with consumers. 
Several additional states, including California and New York, have introduced or are actively considering AI-related legislation addressing issues such as transparency in automated decision-making and the use of AI in employment decisions.<\/p>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">Are there any data localization requirements in your jurisdiction? In other words, are there any circumstances where some or all personal data is required to be stored locally, or prohibited from being transferred to or stored in certain jurisdictions?<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>As noted in the \u201cBulk Data Rule\u201d discussion in Question #23 above, the Bulk Data Rule restricts or prohibits the transfer of bulk sensitive personal data (or government-related data) to countries of concern or individuals located in those countries of concern, which are China (including Hong Kong and Macau), Iran, Russia, North Korea, Cuba and Venezuela. U.S. companies cannot use vendors located in countries of concern to store data covered under the Bulk Data Rule without implementing certain measures. Otherwise, there are generally no data localization requirements.<\/p>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">Is the transfer of personal data outside your jurisdiction restricted, under certain circumstances? 
If so, please describe these restrictions and how businesses typically comply with them (e.g., does a cross-border transfer of personal data require a specified mechanism or notification to or authorization from a regulator?)<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>As noted in the \u201cBulk Data Rule\u201d discussion in Question #23 above, the Bulk Data Rule restricts or prohibits the transfer of bulk sensitive personal data (or government-related data) to countries of concern or individuals located in those countries of concern, which are China (including Hong Kong and Macau), Iran, Russia, North Korea, Cuba and Venezuela. U.S. companies need to either stop transferring the data or implement additional measures, depending on the nature of the data. Otherwise, transfer of personal data outside the U.S. is generally not restricted.<\/p>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">What personal data security obligations are imposed by the data protection laws in your jurisdiction?<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>The FTC enforces against unfair or deceptive practices, which include failure to maintain reasonable data security measures to protect personal data. HIPAA\u2019s Security Rule requires covered entities to implement specific administrative, physical, and technical safeguards for protected health information. GLBA\u2019s Safeguards Rule requires a covered entity to implement a written information security program. 
At the state level, the New York SHIELD Act requires businesses that collect the personal information of New York residents to develop, implement, and maintain a data security program, and Massachusetts 201 CMR 17.00 requires a written security program for companies storing personal information of Massachusetts residents. Most U.S. states have laws that require businesses that maintain personal information to implement \u201creasonable security\u201d measures to protect such personal information.<\/p>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">Are there more specific security obligations for certain types of personal data (e.g., sensitive data or special categories of personal data)?<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>U.S. laws generally require companies to implement reasonable security measures or administrative, technical, and physical safeguards, but do not typically prescribe specific security controls or standards. A notable exception is the New York Department of Financial Services (NYDFS) Cybersecurity Regulation, which applies to financial institutions operating in New York and imposes specific, prescriptive security requirements, including multi-factor authentication and encryption of nonpublic information.<\/p>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">Do the data protection laws in your jurisdiction impose obligations in the context of security breaches which impact personal data? 
If so, how do such laws define a security breach (or similar term) and under what circumstances and within what timeframe must such a breach be reported to regulators, impacted individuals, law enforcement, or other persons or entities?<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>All U.S. states have breach notification laws that require notifying state residents of a security breach. Nearly half of the states also require that notice be given to state attorneys general or other state officials in the event of certain data breaches. The notification timeline is typically 30 days, 45 days, or without undue delay. Definitions of a security breach vary slightly between states but are generally the same. For example, security breach, under California law, is defined as \u201ca breach of the security of the system following discovery or notification of the breach in the security of the data to a resident of California whose unencrypted personal information was, or is reasonably believed to have been, acquired by an unauthorized person, or whose encrypted personal information was, or is reasonably believed to have been, acquired by an unauthorized person and the encryption key or security credential was, or is reasonably believed to have been, acquired by an unauthorized person, and the person or business that owns or licenses the encrypted information has a reasonable belief that the encryption key or security credential could render that personal information readable or usable.\u201d<\/p>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">Do the data protection laws in your jurisdiction establish specific rights for individuals, such as the right to access and the right to deletion? 
If so, please provide a general description of such rights, how they are exercised, and any exceptions.<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>The U.S. does not have a single data protection law. Thus, various rights for individuals can be found in various laws enacted at the federal and state levels to protect U.S. residents\u2019 personal data.<\/p>\n<p>At the federal level, laws such as COPPA and HIPAA provide individuals with rights to access and exercise other control over the personal data collected. Comprehensive U.S. state data privacy laws establish the strongest consumer data privacy rights. The key rights of an individual relating to the processing of their personal data would typically fall under the following categories.<\/p>\n<ul>\n<li>Right to Access: these rights typically refer to consumers\u2019 rights to access data or information about the processing of these records.<\/li>\n<li>Right to Correction: these rights typically refer to consumers\u2019 rights to review data about the consumer held by another entity; the consumer may also request that errors in the data be corrected.<\/li>\n<li>Right to Delete: these rights typically provide residents with an accessible way to request that their data be deleted. 
The exceptions typically relate to the necessities of operating a business; for instance, under the CCPA, exceptions to the right to delete are created for fulfilling transactional and contractual obligations, security and fraud detection, or legal compliance and specific research purposes.<\/li>\n<li>Right to Opt-Out: sometimes referred to as the right to object to processing, these rights refer to the option individuals are given to opt out of certain data collection and interaction activities.<\/li>\n<li>Right to Restrict Processing: these rights typically refer to consumers\u2019 option to restrict entities collecting their data from using such data in certain ways.<\/li>\n<li>Right to Withdraw Consent: several laws permit individuals to withdraw consent for certain data processing.<\/li>\n<\/ul>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">Do the data protection laws in your jurisdiction allow or provide for a private right of action for violations? If so, does your jurisdiction also allow \u201cclass action\u201d litigation (i.e., on behalf of a class or (\u2018many\u2019) claimants)? Please explain the circumstances under which a private right of action applies and\/or a class action may be brought, and whether certain types of claims\/violations present a higher risk of a private right of action or class action (e.g., are there statutory damages or presumed harm for certain violations)?<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>Most U.S. data privacy laws do not permit a private right of action. 
Instead, most laws only allow individuals to alert the responsible agency or the state attorney general to a violation.<\/p>\n<p>The Fair Credit Reporting Act provides rights of action for improper disclosure, failure to investigate disputes, and failure to maintain reasonable procedures. The Electronic Communications Privacy Act allows individuals to sue for unauthorized interception of electronic communications. The Computer Fraud and Abuse Act provides a private right of action for unauthorized access to protected computers causing at least $5,000 in damages. The TCPA similarly allows a private suit for unsolicited calls and texts.<\/p>\n<p>There are limited instances where a private right of action exists at the state level. For instance, the Illinois Biometric Information Privacy Act provides strong private causes of action for violations of biometric data collection and handling requirements. Meanwhile, the CCPA, though more comprehensive and regarded as more consumer-friendly, limits its private right of action to data breaches occurring due to a business or entity\u2019s failure to implement reasonable security procedures. Companies face statutory damages of between $100 and $750 per consumer, per incident, or actual damages, whichever is greater. The Texas Identity Theft Enforcement and Protection Act also creates a private right of action against businesses that fail to implement reasonable procedures to protect sensitive personal information.<\/p>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">Are individuals entitled to monetary damages or compensation if they are affected by breaches of data protection law? 
Does the law require actual and material damage to have been sustained, or is non-material injury to feelings, emotional distress or similar sufficient for such purposes?<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>As noted in Question #33, most U.S. data privacy laws do not provide for a private right of action. For those laws that do, individuals may recover monetary, and in some instances statutory, damages. Some regulators, such as the FTC, may also provide impacted individuals with a monetary award from settlements reached with targets of FTC enforcement actions.<\/p>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">How are data protection laws in your jurisdiction typically enforced? What regulatory body(ies) have enforcement authority?<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>Data protection laws are enforced through federal (or state) regulatory agency enforcement, state attorney general (or other state official) enforcement, and private rights of action.<\/p>\n<p>At the federal level, the FTC is the primary privacy enforcer, using its Section 5 authority against unfair and deceptive practices to address privacy violations. 
Other key federal data protection enforcers include the HHS and the SEC.<\/p>\n<p>State-level enforcement under most comprehensive state privacy laws is carried out by state attorneys general as the main or exclusive enforcers, although notably only select states engage in meaningful regulatory enforcement.<\/p>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">What is the range of sanctions (including fines and penalties) for violation of data protection laws in your jurisdiction? Are there any guidelines or rules for the calculation of such fines or the imposition of sanctions?<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>In the U.S., there is a wide range of enforcement outcomes, from regulatory penalties to imprisonment for criminal offenses. The below provides a list of examples.<\/p>\n<ul>\n<li>HIPAA imposes tiered civil penalties ($145 to $73,011 per violation, depending on the level of culpability) and severe criminal sanctions (up to 10 years imprisonment). HIPAA has posted four tiers as guidelines for calculating fines.<\/li>\n<li>Financial institutions regulated under the GLBA face civil penalties of up to $100,000 per violation, and individuals up to $10,000, for failure to protect consumer financial data.<\/li>\n<li>The FTC\u2019s \u201cPenalties for Violations\u201d for cybersecurity violations often depend on the number of violations, the nature of the deception or unfair practices, and the company\u2019s previous record of violations. 
The FTC can levy fines of up to $53,008 per violation under certain circumstances.<\/li>\n<li>At the state level, non-compliance with the CCPA may result in fines ranging from US$2,663 per violation to US$7,988 for each intentional violation.<\/li>\n<\/ul>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">Are enforcement decisions open to appeal in your jurisdiction? If so, please provide an overview of the appeal options.<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>Appeal options will depend on the particular regulator at the state or federal level. At the federal level, enforcement orders can be appealed through an administrative complaint, while private causes of action can be appealed through the typical civil and criminal appeals procedures.<\/p>\n<ul>\n<li><u>FTC Enforcement<\/u>: In the United States, cybersecurity enforcement decisions by the Federal Trade Commission (FTC) are open to appeal through a multi-step process. Initially, if a respondent contests the charges, the case is adjudicated by an administrative law judge (ALJ) in a trial-type hearing, with the FTC\u2019s complaint counsel prosecuting the case. Following the hearing, the ALJ issues an initial decision, which can be appealed to the full FTC Commission. The Commission then reviews the case, considering briefs and oral arguments, before issuing a final decision. If the FTC\u2019s decision involves an enforcement order, the respondent can appeal to a U.S. Court of Appeals in the jurisdiction where they reside or do business. If the court upholds the decision, it enforces the order, and the losing party may seek further review from the U.S. Supreme Court. 
This structured appeal process allows for both administrative and judicial review of the FTC\u2019s cybersecurity enforcement actions.<\/li>\n<li><u>State-Level Enforcement<\/u>: States have their own data protection and privacy enforcement mechanisms. If a state attorney general imposes a fine or penalty, the affected company may appeal the decision in state court. Similarly, state-level enforcement decisions related to cybersecurity may be appealed through the state\u2019s administrative or judicial systems, depending on the state\u2019s laws and procedures.<\/li>\n<li><u>Civil Lawsuits (Private Rights of Action)<\/u>: In addition to regulatory agency enforcement actions, companies may face civil lawsuits related to cybersecurity incidents, such as class actions for data breaches. While these lawsuits are not directly an \u201cappeal\u201d of enforcement decisions, they provide another legal avenue for challenging or contesting the handling of cybersecurity incidents. Courts, in these cases, assess the actions of companies based on negligence or failure to protect personal data.<\/li>\n<\/ul>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">Do the cybersecurity laws in your jurisdiction require the implementation of specific cybersecurity risk management measures and\/or require that organisations take specific actions relating to cybersecurity? If so, please provide an overview of these obligations and explain their scope\/applicability. For example, are all organizations subject to the requirement or only certain organizations (e.g., based on size, sector, critical infrastructure designation, public company)? 
Are there specific and\/or additional regulations for different industries (e.g., finance, healthcare, government)?<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>Several cybersecurity laws in the U.S. require organizations to implement specific cybersecurity risk management measures and take actions relating to cybersecurity. While the exact requirements vary by law, they typically focus on safeguarding data, ensuring compliance with security standards, and responding to cybersecurity incidents. In addition, the FTC\u2019s enforcement actions (like those against companies such as Equifax and Zoom) identify specific security controls and practices that need to be implemented and make clear that businesses must adopt adequate risk management practices to prevent data breaches and secure consumer information. Furthermore, HIPAA (which regulates the healthcare industry) requires the implementation of specific cybersecurity controls and administrative, physical, and technical safeguards. GLBA requires financial institutions to develop and implement safeguards to protect consumer financial information from security threats, including risk assessments, employee training, and monitoring systems for cybersecurity threats. CISA requires companies that handle critical infrastructure to adopt risk-based cybersecurity measures and share relevant threat intelligence. In 2023, the U.S. Securities and Exchange Commission (SEC) implemented rules requiring public companies to disclose cybersecurity risks, incidents, and governance measures. This includes disclosing the material impact of a cybersecurity incident and providing updates on the status of the response. 
Although these rules primarily focus on disclosure, the need to establish internal risk management frameworks to assess and manage cybersecurity risks effectively is inherent.<\/p>\n<p>While not requiring specific cybersecurity practices, many states have laws mandating businesses to notify affected individuals in the event of a data breach. These laws typically require companies to implement \u201creasonable security\u201d measures to prevent breaches, which may include encryption, access controls, and vulnerability testing.<\/p>\n<p>Though not a law, the National Institute of Standards and Technology\u2019s (NIST) Cybersecurity Framework is often used as a standard for risk management by federal agencies and private companies. The framework provides guidelines for identifying, protecting, detecting, responding, and recovering from cybersecurity risks, and many laws encourage or require compliance with NIST\u2019s standards.<\/p>\n<p>Overall, obligations vary by industry, size, and the sensitivity of data handled, rather than applying uniformly to all organizations.<\/p>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">Do the cybersecurity laws in your jurisdiction impose formal cybersecurity audit or certification requirements? If so, please provide an overview.<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>U.S. cybersecurity laws generally do not impose a universal, formal audit or certification requirement across all organizations. However, specific regimes such as government contracting (e.g., CMMC for Department of Defense suppliers) or payment card processing (PCI DSS, an industry standard) require certification or third-party audits. 
Additionally, on September 23, 2025, the California Office of Administrative Law approved the California Privacy Protection Agency (CPPA)\u2019s final regulations concerning cybersecurity audits. The regulations detail the specific obligation to conduct annual cybersecurity audits for businesses whose processing of personal information poses a \u201csignificant risk\u201d to consumers\u2019 security, and confirm that only entities meeting specified thresholds are subject to this requirement. Under these rules, cybersecurity audits must be carried out by auditors who are independent and who base their conclusions on their own evaluation of relevant security testing and related information. Covered businesses must also submit an annual certification to the CPPA confirming completion of the required cybersecurity audit.<\/p>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">Do the cybersecurity laws in your jurisdiction impose specific requirements regarding vendor and supply chain management? If so, please provide details of these requirements.<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>There are no cybersecurity laws that directly impose specific requirements regarding supply chain management. However, Executive Order 14028, issued in May 2021, mandates federal agencies to enhance software supply chain security. This order directs the National Institute of Standards and Technology (NIST) to develop guidelines for evaluating software security, including criteria for assessing developers\u2019 and suppliers\u2019 security practices. 
The Federal Energy Regulatory Commission (FERC) has also proposed standards requiring entities to identify and assess supply chain risks to their grid-related cybersecurity systems, validate vendor information during procurement, and document and respond to these risks. Furthermore, the Cybersecurity Maturity Model Certification (CMMC) framework, developed by the Department of Defense, requires defense contractors to meet specific cybersecurity standards, including those related to supply chain risk management.<\/p>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">Do the cybersecurity laws in your jurisdiction require the appointment of a chief information security officer, regulatory point of contact, or other person responsible for cybersecurity? If so, please provide an overview of the requirement, including whether there are any formalities that must be observed regarding such appointment (e.g., board-approval, reporting line structure, notification to regulatory body).<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>While there is no overarching federal law that requires all organizations to appoint a Chief Information Security Officer (CISO) or similar cybersecurity roles, certain sectors and regulatory frameworks do impose requirements for the designation of responsible individuals, including a CISO or regulatory point of contact for cybersecurity. For example, HIPAA requires covered entities (such as healthcare providers) to designate a security officer who is responsible for the organization\u2019s information security practices. The designated security officer must ensure that appropriate technical, physical, and administrative safeguards are implemented to protect the security and privacy of PHI. 
They are also responsible for managing breach notifications, compliance with security rules, and conducting regular risk assessments. Additionally, financial institutions subject to the GLBA Safeguards Rule must designate a \u201cqualified individual\u201d to oversee the information security program.<\/p>\n<p>State comprehensive privacy laws do not generally require the appointment of a CISO. However, the New York Department of Financial Services Cybersecurity Regulation requires covered entities to designate a CISO responsible for the organization\u2019s cybersecurity program. The CISO must oversee the implementation of the cybersecurity program, ensuring the development of policies, the implementation of security measures, and the management of risk assessments.<\/p>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">Do the cybersecurity laws in your jurisdiction impose specific reporting or notice obligations in the context of cybersecurity incidents? If so, how do such laws define a cybersecurity incident and what are the reporting and notification requirements (please also note whether these laws require reporting of certain cyber security incidents, regardless of whether there has been a \u2018breach of personal data\u2019)?<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>There is no national federal data breach notification law in the United States. Instead, all 50 states (as well as Guam, Puerto Rico, the U.S. Virgin Islands and the District of Columbia) have adopted their own. Generally, breach notification obligations are triggered when loss or unauthorized access have compromised the confidentiality, security or integrity of an individual\u2019s personal information. 
Typically, state statutes include a risk of harm threshold before the obligations are triggered. For example, some states will require a material or substantial risk that misuse is likely to occur before notification is required. A minority of states, including California, Texas and New York, do not set a harm threshold, requiring only actual or reasonable belief that a breach has occurred.<\/p>\n<p>In recent years, the landscape of data breach notification requirements has expanded beyond state-level statutes, encompassing a broad range of regulatory bodies. Notably, in late 2023, the FTC amended the Safeguards Rule under the Gramm-Leach-Bliley Act (\u201cGLBA\u201d), mandating that financial institutions promptly notify the FTC, and no later than 30 days after discovery, in the event of a security breach affecting the information of at least 500 consumers. The FTC also proposed to amend the Health Breach Notification Rule to ensure that non-HIPAA-covered entities that maintain personal health records are held responsible for notifying consumers of a data breach. The rule mandates notifying affected individuals within 60 calendar days of discovery of a data breach and notifying the FTC within 10 business days if the breach affects 500 or more individuals. The Incident Reporting for Critical Infrastructure Act of 2022, although not yet active, will require critical infrastructure operators to report to the Cybersecurity and Infrastructure Security Agency within 72 hours of the time they reasonably believe that a cyber incident has occurred. In December 2023, the Federal Communications Commission (\u201cFCC\u201d) expanded the scope of the FCC\u2019s breach notification requirements to cover all personally identifiable information that carriers and telecommunications relay service providers maintain on their customers. 
The rules require those organizations to notify the FCC of breaches, and for breaches affecting 500 or more customers, file an individual pre-breach notification no later than seven business days after reasonable determination of a breach.<\/p>\n<p>The Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA) (implemented by the Cybersecurity and Infrastructure Security Agency) requires designated critical infrastructure entities to report \u201ccovered cyber incidents\u201d that substantially impact network operations, as well as ransomware payments, regardless of whether personal information is involved.<\/p>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">Can individuals bring a private right of action for cybersecurity incidents or other violations of cybersecurity laws? If so, does your jurisdiction also allow \u201cclass action\u201d litigation (i.e., on behalf of a class or (\u2018many\u2019) claimants)? Please explain the circumstances in which a private right of action and\/or a class action may be brought.<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>As noted in response to Question 33, most U.S. data privacy laws do not permit a private right of action. Instead, most laws only allow individuals to alert the responsible agency or the state attorney general for a violation.<\/p>\n<p>The Fair Credit Reporting Act provides rights of action for improper disclosure, failure to investigate disputes, and failure to maintain reasonable procedures. The Electronic Communications Privacy Act allows individuals to sue for unauthorized interception of electronic communications. 
The Computer Fraud and Abuse Act provides a private right of action for unauthorized access to protected computers causing at least $5,000 in damages. The TCPA similarly allows a private suit for unsolicited calls and texts.<\/p>\n<p>There are limited instances where a private right of action exists at the state level. For instance, the Illinois Biometric Information Privacy Act provides strong private causes of action for violations of biometric data collection and handling requirements. Meanwhile, the CCPA, though more comprehensive and regarded as more consumer-friendly, limits private rights of action to data breaches of sensitive personal information occurring due to a business or entity\u2019s failure to implement reasonable security procedures. The Texas Identity Theft Enforcement and Protection Act also creates a private right of action against businesses that fail to implement reasonable procedures to protect sensitive personal information.<\/p>\n<p>Class actions are widely permitted in U.S. courts, and cybersecurity-related class actions are common, especially after large-scale data breaches.<\/p>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">How are cybersecurity laws in your jurisdiction typically enforced? What regulatory body(ies) have enforcement authority?<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>Cybersecurity laws in the U.S. are typically enforced through a combination of federal and state agencies. 
For example, on the federal level, the FTC has initiated enforcement actions in the cybersecurity space using the authority provided by Section 5 of the FTC Act, which empowers the agency to oversee acts or practices in trade deemed \u201cunfair or deceptive.\u201d The Department of Health and Human Services oversees compliance with regulations like the Health Insurance Portability and Accountability Act (HIPAA). In addition to government agencies, state Attorneys General may also enforce cybersecurity laws, particularly regarding data protection and privacy violations. Enforcement is carried out through investigations, fines, penalties, and litigation in the courts to hold violators accountable.<\/p>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">What powers of oversight \/ inspection \/ audit do regulators have in your jurisdiction under cybersecurity laws?<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>In the U.S., regulators have substantial powers of oversight, inspection, and audit under cybersecurity laws to ensure compliance with data protection standards. Agencies like the FTC, NYDFS, HHS (OCR), and CISA can conduct investigations, audits, and inspections to assess whether entities are meeting cybersecurity requirements, particularly in industries like finance, healthcare, and telecommunications. These agencies have the authority to enforce regulations through penalties, corrective actions, and sanctions for non-compliance, such as fines. 
They also require companies to report cybersecurity incidents, submit certifications, and provide access to records for audits, with the aim of maintaining robust cybersecurity practices, protecting sensitive data, and mitigating risks to critical infrastructure.<\/p>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">What is the range of sanctions (including fines and penalties) for violations of cybersecurity laws in your jurisdiction? What is the range of sanctions (including fines and penalties) for violation of data protection laws in your jurisdiction? Are there any guidelines or rules for the calculation of such fines or the imposition of sanctions?<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>In the U.S., the range of sanctions for violations of cybersecurity laws varies depending on the specific law violated, the severity of the offense, and whether the violation is federal or state-level.<\/p>\n<p>Common sanctions include:<\/p>\n<ul>\n<li><u>Civil Penalties<\/u>: Fines can range from hundreds to millions of dollars. For example, under the Federal Trade Commission Act, companies can face fines of up to $53,088 per violation. Under the Health Insurance Portability and Accountability Act (HIPAA), fines can range from $145 to $73,011 per violation.<\/li>\n<li><u>Criminal Penalties<\/u>: In cases involving cybercrime, such as hacking or data theft, violators can face criminal penalties, including imprisonment. 
Under laws like the Computer Fraud and Abuse Act (CFAA), individuals found guilty of unauthorized access or hacking can face prison sentences of up to 20 years, depending on the circumstances.<\/li>\n<\/ul>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">Are enforcement decisions open to appeal in your jurisdiction? If so, please provide an overview of the appeal options.<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>As noted in Question #37, cybersecurity enforcement decisions in the U.S. are open to appeal, but the options depend on the specific agency involved and the nature of the enforcement action.<\/p>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\r\n\r\n\t\t\t<\/ol>\r\n\r\n<\/div>"}},"_links":{"self":[{"href":"https:\/\/my.legal500.com\/guides\/wp-json\/wp\/v2\/comparative_guide\/139518","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/my.legal500.com\/guides\/wp-json\/wp\/v2\/comparative_guide"}],"about":[{"href":"https:\/\/my.legal500.com\/guides\/wp-json\/wp\/v2\/types\/comparative_guide"}],"wp:attachment":[{"href":"https:\/\/my.legal500.com\/guides\/wp-json\/wp\/v2\/media?parent=139518"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}