Relevant Laws & Regulations
US Federal, State, and EU laws
Below is a list of relevant identity, privacy, and data protection laws and regulations that affect the conversation around digital identity. This list is non-exhaustive, as legislative and regulatory bodies are continuing to pass and update laws and regulations as more of everyday life continues to migrate online. Further, this list contains laws and regulations that pertain explicitly or primarily to identity, privacy, and data protection; there are many others that have an auxiliary impact that are not included in this version, but will be in future updates.
From this list, it should be apparent that digital privacy and users controlling their online identity are not novel concepts. They are instead ones that have been found valuable and necessary to such a large extent that legislators have enshrined them into law in myriad ways across multiple jurisdictions over the decades, and in many cases, made them successively stronger.
The Privacy Act of 1974 is a federal law that regulates the US government's collection and use of the records that Federal agencies maintain in a system of records. A system of records is any grouping of information about an individual, under the control of a Federal agency, from which information is retrievable by personal identifiers, such as name, social security number, or other identifying number or symbol (systems of records include computer databases, physical document repositories, etc.).
Under the Act, government agencies that use systems of records must also create a System of Records Notice (SORN) for each system under their control. The Act also requires federal agencies to publish all System of Records Notices (SORNs) in the Federal Register.
Each SORN describes the types of information contained in the records, the legal authority for collecting and maintaining them, and how the records are used within the agency controlling them. Under the Privacy Act, federal agencies may not disclose information about subjects without their consent unless certain exceptions apply to the disclosure. SORNs also publicly indicate whether and which records may be exempt from specific Privacy Act requirements.
In addition to data protection and transparency via SORNs, the Act protects individuals in three primary ways. It affords individuals the:
- Right to request their records, subject to Privacy Act exemptions;
- Right to request a change to their records that are not accurate, relevant, timely, or complete; and
- Right to be protected against unwarranted invasion of their privacy resulting from the collection, maintenance, use, and disclosure of their personal information.
The Family Educational Rights and Privacy Act (FERPA) is a Federal law that protects the privacy of student education records. The law applies to all educational agencies and institutions that receive federal funding.
FERPA gives parents, legal guardians, and eligible students (18 years of age or older) the right to access and review the student's education records. FERPA also requires educational institutions to obtain written consent from the parent or eligible student before disclosing any personally identifiable information from the student's education records. However, there are exceptions to FERPA's consent requirement, including disclosures to school officials with legitimate educational interests, disclosures to comply with a judicial order or subpoena, and disclosures to state or federal authorities for audit or evaluation purposes.
Parents and eligible students have the right to request that an education record be amended if it is inaccurate, misleading, or violates the student's privacy rights. Educational institutions must notify parents and eligible students of their rights under FERPA annually.
The Fair Credit Reporting Act (FCRA), part of the Consumer Credit Protection Act, is a Federal law that regulates the collection, dissemination, and use of consumer credit information. The Act was designed to ensure that credit reporting agencies, also known as consumer reporting agencies (CRAs), provide accurate and complete information to lenders, employers, landlords, medical information companies, and other entities that use credit reports to make decisions.
Under the Act, companies that provide information to consumer reporting agencies also have specific legal obligations, including the duty to investigate disputed information. In addition, any entity using consumer information for credit, insurance, or employment purposes must notify the consumer when an adverse action is taken on the basis of such reports.
Lenders must also first obtain consent from an individual in order to obtain and use their credit report in determining whether to authorize a loan, mortgage, rental application, etc.
Individuals are given the right to request their credit report from CRAs at any time under the Act.
Since the FCRA was originally passed, multiple laws have been enacted that update the original law. The Fair and Accurate Credit Transactions Act added many provisions to the law, primarily relating to record accuracy and identity theft. The Dodd-Frank Act transferred most of the rulemaking responsibilities added by the Fair and Accurate Credit Transactions Act and the Credit CARD Act to the Consumer Financial Protection Bureau, but the Federal Trade Commission retains all enforcement authority.
The Health Insurance Portability and Accountability Act of 1996 (HIPAA) is a Federal law that provides privacy protections for individuals' medical records and personal health information.
The law sets national standards for the protection of individuals' health information and also establishes certain rights for individuals with respect to their health information. Healthcare providers, health plans, and healthcare clearinghouses, collectively referred to as "covered entities," are required to protect the privacy and security of individuals' health information. This includes implementing administrative, physical, and technical safeguards to protect the confidentiality, integrity, and availability of electronic protected health information (ePHI).
HIPAA also requires covered entities to provide individuals with certain rights with respect to their health information, such as the right to access and obtain a copy of their health records and the right to request corrections to their health information.
The law also establishes rules for the use and disclosure of individuals' health information. Covered entities are generally required to obtain individuals' written authorization before using or disclosing their health information for most purposes, including marketing and research. However, there are certain exceptions that allow for the use and disclosure of health information without an individual's authorization, such as for treatment, payment, and healthcare operations.
HIPAA also requires covered entities to provide individuals with a notice of privacy practices that describes how their health information may be used and disclosed and their rights with respect to their health information.
Finally, covered entities must report certain breaches of unsecured ePHI to individuals affected and to the US Department of Health and Human Services.
The Children's Online Privacy Protection Act (COPPA) of 1998 is a Federal law that protects children's privacy by giving parents tools to control what information is collected from their children online.
In addition, COPPA prohibits website operators and online service providers from conditioning a child's participation in a game, contest, or other activity on the child's disclosure of more personal information than is reasonably necessary for the activity.
COPPA also requires website operators and online service providers to take reasonable steps to ensure the security of children's personal information, such as by implementing appropriate data retention and deletion policies and maintaining appropriate security practices and procedures.
The Act imposes certain obligations on third-party advertisers and website operators who allow third-party advertisers to collect personal information from children. These entities must ensure that the third-party advertisers also comply with COPPA's requirements and obtain parental consent before collecting personal information from children.
The Federal Trade Commission is the regulator overseeing COPPA. Since the law was originally passed, the Commission created the COPPA Rule, which puts additional protections in place and streamlines compliance processes for affected entities.
Lastly, COPPA includes a "safe harbor" provision allowing industry groups and others to request Commission approval of self-regulatory guidelines to govern participating websites’ compliance with the Rule.
The Gramm-Leach-Bliley Act, also known as the Financial Services Modernization Act or the GLB Act, repealed part of the Glass-Steagall Act of 1933, which prohibited banks from engaging in both commercial banking and investment banking activities. It allows commercial banks, investment banks, securities firms, and insurance companies to merge and engage in a broader range of financial activities.
Equally important, the Act also created requirements to protect consumer financial privacy. Its provisions limit when a financial institution may disclose a consumer's nonpublic personal information to nonaffiliated third parties. The Act covers a broad range of financial institutions, including many companies that are not traditionally considered financial institutions but are included because they engage in certain financial activities.
Under the law, financial institutions must notify their customers about their information-sharing practices and tell consumers of their right to "opt out" if they don't want their information shared with certain nonaffiliated third parties. In addition, any entity that receives consumer financial information from a financial institution may be restricted in its reuse and redisclosure of that information.
To ensure adherence to the Act, the law directs the Federal Trade Commission (FTC) and the other government agencies that regulate financial institutions to issue implementing regulations that carry out the Act's financial privacy provisions. As a result, since 2001 the FTC has maintained and enforced its Privacy of Consumer Financial Information Rule (Privacy Rule).
Passed in 2005, the REAL ID Act enacted the 9/11 Commission's recommendation that the Federal Government “set standards for the issuance of sources of identification, such as driver's licenses.” The Act established minimum security standards for state-issued driver's licenses and identification cards and prohibits certain federal agencies from accepting licenses and identification cards from states that do not meet these standards for official purposes. These purposes are:
- Accessing certain federal facilities
- Boarding federally regulated commercial aircraft
- Entering nuclear power plants
The nationwide rollout of driver's licenses and state policies that require drivers to transition to REAL ID licenses has experienced multiple delays. Most recently, in December of 2022, the Department of Homeland Security (DHS) announced it would extend the REAL ID full enforcement date by 24 months, from May 3, 2023 to May 7, 2025. Under the new regulations published to execute this change, states now have additional time to ensure their residents have driver’s licenses and identification cards that meet the security standards established by the REAL ID Act.
As required by the law, following the enforcement deadline, federal agencies, including the Transportation Security Administration (TSA), will be prohibited from accepting driver’s licenses and identification cards that do not meet the federal standards set by the Act.
The California Consumer Privacy Act (CCPA), which went into effect January 1st, 2020, is considered one of the most comprehensive privacy laws in the United States. It has been influential in shaping privacy laws and regulations at both the state and federal levels across the nation.
Specifically, the CCPA enshrines the following rights for California residents:
- Right to know: Residents can request that a business disclose to them: (1) the categories and/or specific pieces of personal information it has collected about them, (2) the categories of sources for that personal information, (3) the purposes for which the business uses that information, (4) the categories of third parties with whom the business discloses the information, and (5) the categories of information that the business sells or discloses to third parties. Residents can make a request to know up to twice a year, free of charge.
- Right to delete: Residents can request that businesses delete the personal information they collected from them and tell their service providers to do the same, subject to certain exceptions (such as if the business is legally required to keep the information).
- Right to opt out of sale or sharing: Residents may request that businesses stop selling or sharing their personal information (“opt-out”), including via a user-enabled global privacy control. Businesses cannot sell or share residents' personal information after they receive their opt-out request unless the resident later reauthorizes the business to do so.
- Right to correct: Residents may ask businesses to correct inaccurate information that they have about them.
- Right to limit use and disclosure of sensitive personal information: Residents can direct businesses to only use their sensitive personal information (for example, their social security number, financial account information, precise geolocation data, or genetic data) for limited purposes, such as providing residents with the services they requested.
The CCPA applies only to businesses that meet certain criteria, such as those that have annual gross revenues over $25 million, collect personal information from at least 50,000 California residents per year, or derive at least 50% of their annual revenue from selling California residents' personal information. The law generally does not apply to non-profit organizations or government agencies.
The California Privacy Rights Act (CPRA) is a ballot initiative that was passed in California in November 2020. It amended and expanded the California Consumer Privacy Act (CCPA), and went into effect on January 1st, 2023.
Via CPRA's adoption, the newly amended CCPA endows Californians with increased control over their personal information and imposes additional obligations on businesses that collect and process such information. Some of the key provisions of the CPRA include:
- Expanded definition of "personal information": The CPRA expands the definition of personal information to include sensitive personal information, such as race, ethnicity, and health information, and extends the CCPA's protections to cover sharing and cross-context behavioral advertising.
- Enhanced consumer rights: The CPRA enhances consumers' rights to access, correct, and delete their personal information, and introduces a new right to restrict the use and disclosure of sensitive personal information.
- Increased obligations for businesses: The CPRA imposes additional obligations on businesses, such as the requirement to conduct regular cybersecurity audits and risk assessments and to enter into contracts with service providers that include certain privacy protections.
The Colorado Privacy Act (CPA) is a privacy law enacted in Colorado that will go into effect July 1st, 2023. The law regulates the processing of personal data of Colorado residents by certain businesses and other entities and establishes certain rights for individuals with respect to their personal data.
Under the CPA, businesses and other entities, such as nonprofits (a group that is not covered in the California or Virginia privacy laws that passed prior), that collect and process the personal data of at least 100,000 Colorado residents or that derive revenue from the sale of personal data and process the personal data of at least 25,000 Colorado residents must comply with the law's requirements.
The Act provides Colorado residents with the right to access, correct, and delete their personal data held by covered entities. Covered entities must also obtain opt-in consent from Colorado residents for the processing of sensitive personal data, which includes data such as an individual's race, ethnicity, religious beliefs, health status, sexual orientation, Social Security number, driver's license number, and financial account information.
The Act requires covered entities to provide clear and concise privacy notices to Colorado residents describing the types of personal data collected, the purposes for which the data is processed, and the categories of third parties with whom the data is shared. Covered entities must also implement reasonable security practices and procedures to protect the personal data they process.
Additionally, the CPA requires covered entities to conduct data protection assessments for certain processing activities that involve sensitive personal data, the sale of personal data, or high-risk processing.
The law also establishes a private right of action for Colorado residents to bring lawsuits against covered entities for violations of the law. The Colorado Attorney General may also bring actions against covered entities for violations.
Finally, covered entities must designate a person or team responsible for compliance with the CPA.
The Connecticut Act Concerning Personal Data Privacy and Online Monitoring (CT DPA) is a privacy law enacted in the state that will go into effect July 1st, 2023. The law regulates the processing of personal data of Connecticut residents by certain businesses and establishes certain rights for individuals with respect to their personal data. The Act explicitly excludes personal data processed solely for payment transactions. Thus, entities that process debit or credit cards only to the extent necessary to complete a sale will not be subject to the law’s requirements.
Under the DPA, businesses that collect and process the personal data of at least 100,000 Connecticut residents, or that process the personal data of at least 25,000 Connecticut residents and derive over 25% of their gross revenue from the sale of personal data, must comply with the law's requirements.
Unlike the California Consumer Privacy Act, an entity will not become subject to the law solely because of its annual revenue, as this law sets no annual revenue threshold. Further, unlike the Utah Consumer Privacy Act, entities need not exceed a minimum annual revenue requirement to fall within the law’s scope.
The Act provides Connecticut residents with the right to access, correct, and delete their personal data held by covered businesses. Covered businesses must also obtain opt-in consent from Connecticut residents for the processing of sensitive personal data, which includes data such as an individual's race, ethnicity, religious beliefs, health status, sexual orientation, Social Security number, driver's license number, and financial account information. Residents also have the right to ask for and receive all data that a covered business has collected about them.
The Act requires covered businesses and other entities to provide clear and concise privacy notices to Connecticut residents describing the types of personal data collected, the purposes for which the data is processed, and the categories of third parties with whom the data is shared. Covered entities must also implement reasonable security practices and procedures to protect the personal data they process.
The Iowa Consumer Data Protection Act was passed in March 2023 and will go into effect on January 1st, 2025.
Of the five other state privacy laws enacted at the time of its passage, Iowa's Consumer Data Protection Act is closest in scope to Utah's Consumer Privacy Act of 2022, and it was written with provisions of the other preceding laws in mind as well. The consumer privacy notice disclosure requirements that covered entities must comply with under this bill are functionally equivalent to those mandated by similar privacy bills in California and Virginia.
This Act provides Iowa consumers with specific rights, such as the right to confirm the processing of their personal data, and access to their personal data. Additionally, consumers have the right to request the deletion of their personal data (limited to data they have directly given to a covered entity, not data externally acquired), obtain a copy of their personal data, and opt out of the sale of their personal data.
However, Iowa's law differs from other state laws in certain aspects. It does not require opt-in consent for sensitive data, and does not give consumers the right to correct their personal data. Furthermore, the law does not mandate that covered entities conduct risk assessments or practice purpose limitation and data minimization. The Act does not grant consumers the right to opt out of profiling or other automated decision-making.
Iowa’s data privacy law applies to companies that either control or process data of at least 100,000 Iowa consumers, or control or process data of at least 25,000 Iowa consumers and derive 50% of their revenue from the sale of personal data.
The Stop Hacks and Improve Electronic Data Security (SHIELD) Act is a New York State law designed to enhance data security requirements and data breach notification standards for businesses that collect the private information of New York residents.
The law applies to any business that owns or licenses private information of New York residents, regardless of whether the business is located in New York. The SHIELD Act expands the definition of private information to include biometric information, email addresses and their corresponding passwords or security questions and answers, and account numbers that can be used to access an individual's financial account without additional identifying information.
Businesses subject to the law must implement reasonable data security measures to protect private information, taking into account the size and complexity of the business, the nature of its operations, and the sensitivity of the information collected. In the event of a data breach, businesses must provide notification to affected New York residents in the most expedient time possible and without unreasonable delay, and must also notify the New York Attorney General's office and other government agencies.
Businesses must also implement a written data security program that includes reasonable administrative, technical, and physical safeguards for private information, and must designate one or more employees to oversee the program. Failure to comply with the SHIELD Act's data breach notification or data security requirements can result in civil penalties of up to $5,000 per violation.
The Utah Consumer Privacy Act (Utah CPA) is a privacy law enacted in the state that will go into effect December 31st, 2023. The Act regulates the processing of personal data of Utah residents by certain businesses and establishes certain rights for individuals with respect to their personal data.
Under the Utah CPA, businesses that have over $25 million in annual revenue and either collect and process the personal data of at least 100,000 Utah residents, or have at least 25,000 customers and receive over 50% of their gross annual revenue from the sale of customer data, are affected.
The Act gives Utah residents the rights to access and confirm whether a covered business is processing their data; to have such data be deleted upon their request; to opt out of having their data sold or processed for targeted advertising services; and to receive their data from a covered entity in a readily accessible format to transmit to another entity.
Businesses covered under the Act must provide clear and concise privacy notices to Utah residents describing the types of personal data collected, the purposes for which the data is processed, and the categories of third parties with whom the data is shared.
The Virginia Consumer Data Protection Act (VCDPA) is a privacy law that came into effect on January 1st of 2023. It regulates the processing of personal data of Virginia residents. The VCDPA is similar to the European Union's General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA) in terms of its themes and requirements, though it affords greater clarity to what entities and activities are covered through detailed definitions.
The law applies to businesses that collect and process the personal data of at least 100,000 Virginia residents or that derive over 50% of their gross revenue from the sale of personal data and process the personal data of at least 25,000 Virginia residents. The law also applies to data brokers who process the personal data of at least 50,000 Virginia residents.
Under the VCDPA, Virginia residents have the right to access, correct, and delete their personal data held by covered businesses, who must also obtain opt-in consent from Virginia residents for the processing of sensitive personal data, including data such as race, ethnicity, health information, and geolocation data.
The law requires covered businesses to provide clear and concise privacy notices to Virginia residents that describe the types of personal data collected, the purposes for which the data is processed, and the categories of third parties with whom the data is shared. Covered businesses must also implement reasonable security practices and procedures to protect the personal data they process.
Additionally, the VCDPA requires covered businesses to conduct data protection assessments for certain processing activities that involve sensitive personal data or the sale of personal data, and to designate a person or team responsible for compliance with the Act. The state Attorney General is responsible for enforcement.
The EU's General Data Protection Regulation (GDPR) is a landmark data privacy law passed by the European Union (EU) in 2016 that went into effect in May 2018. It protects the personal data of individuals within the EU by setting strict guidelines for the collection, processing, and storage of this data.
GDPR applies to all organizations that collect, process, or store personal data of individuals within the EU, regardless of whether the organization is located within the EU or not. Personal data under GDPR includes any information that can identify an individual, such as name, address, email address, phone number, IP address, and other identifiers.
Under the law, organizations must obtain explicit consent from individuals before collecting and processing their personal data. Consent must be freely given, specific, informed, and unambiguous, and individuals have the right to withdraw their consent at any time. Further, individuals have the right to access, correct, and delete their personal data held by organizations. They also have the right to restrict or object to the processing of their data, as well as the right to data portability, which allows them to request a copy of their data in a machine-readable format.
Covered organizations must also implement appropriate technical and organizational measures to ensure the security and confidentiality of personal data. This includes measures to prevent unauthorized access, accidental loss, destruction, or damage to personal data. They must also appoint a Data Protection Officer (DPO) if they process significant amounts of personal data or engage in systematic monitoring of individuals on a large scale. The DPO is the person (who leads a large team or department, in many cases) responsible for ensuring the organization's compliance with the GDPR and acting as a point of contact for data protection authorities and individuals.
To better foster adherence to these requirements, the law imposes severe penalties for noncompliance, with fines of up to €20 million or 4% of a company's global annual revenue, whichever is higher. Data protection authorities within the EU are responsible for enforcing the GDPR, and they have the power to investigate complaints, issue fines, and impose other sanctions for noncompliance.
The European Digital Wallet Initiative, sometimes referred to as eIDAS 2.0, is a project launched by the European Commission with the aim of creating a digital wallet that can be used by citizens, residents, and businesses throughout the European Union (EU). The digital wallet would provide a single point of access for users to manage their personal data, identification, and payment credentials, as well as to access a range of online services.
The initiative is part of the EU's broader digital strategy, which aims to ensure that Europe remains at the forefront of the digital economy and that citizens and businesses can fully benefit from the opportunities offered by digital technologies.
The wallet is intended to be interoperable with existing national digital identity solutions and eIDAS-compliant electronic identification and trust services, such as electronic signatures and seals. This would ensure that users can access and use online services across the EU, regardless of their country of origin or the service provider they are interacting with. The initiative is expected to have a significant impact on the digital economy in Europe by promoting cross-border e-commerce, reducing the costs and complexity of online transactions, and enhancing user trust and confidence in online services.
The EU's eIDAS (Electronic Identification, Authentication and Trust Services) Regulation, adopted in 2014 and implemented in 2016, created a harmonized legal framework for electronic identification (eID) and trust services, facilitating secure and convenient cross-border digital transactions and access to online services within the European Union. The Regulation eliminates the need for multiple sets of login credentials, simplifying the identity authentication process for all parties involved.
The regulation provides a consistent legal framework for electronic signatures, seals, time stamps, and electronic delivery services for mutual recognition of eIDs across the EU, allowing citizens and businesses to use their eIDs to access services in other EU countries. This facilitates cross-border transactions and improves access to services for citizens and businesses.
The eIDAS Regulation also sets out standards for electronic signatures, which it recognizes as legally equivalent to handwritten signatures and admissible as evidence in court. The Regulation establishes different levels of electronic signatures based on their security and reliability, with the highest level (qualified electronic signature) being equivalent to a handwritten signature.
In addition to electronic signatures, the eIDAS Regulation also sets out standards for electronic seals and time stamps, which can be used to ensure the integrity and authenticity of electronic documents. Electronic delivery services, which provide secure and traceable delivery of electronic documents, are also covered by the regulation.
eIDAS applies to all EU member states and is part of the group's Digital Single Market strategy, which aims to promote the growth of the digital economy within the EU by creating a single market for digital goods and services.
eIDAS (Electronic Identification, Authentication and Trust Services) is a regulation issued by the European Parliament and Council in 2014 and implemented in 2016. Its purpose is to establish a framework for electronic transactions within the European Union (EU) and to ensure that electronic communication is secure, reliable, and trustworthy across borders. It is part of the EU's Digital Single Market strategy that aims to promote the growth of the digital economy within the EU by creating a single market for digital goods and services.
The eIDAS Architecture and Reference Framework (ARF) is a document that provides guidance on how to implement the eIDAS regulation, structured around a set of core principles: user-centricity, security, privacy, and interoperability.
While technology-neutral, the ARF defines the overall technical architecture for eIDAS-compliant systems and describes the functional and non-functional requirements that such systems must meet. It also provides guidance on the governance and legal aspects of eIDAS compliance, such as the liability and responsibility of the different actors involved in the eIDAS ecosystem.
It is intended to be used by developers, system integrators, and other stakeholders involved in the implementation of eIDAS-compliant systems, providing a common framework for these stakeholders to follow to better ensure interoperability and compatibility across different systems and applications.
It also defines several key roles and responsibilities within the eIDAS ecosystem, including identity providers, attribute providers, trust service providers, and relying parties. These roles are intended to ensure that all actors involved in the eIDAS ecosystem understand their responsibilities and are held accountable for their actions.
The document is structured into three layers:
1. The Application Layer: This layer includes the applications that use eIDAS services to authenticate and identify users, as well as the services that provide trust services such as electronic signatures, electronic seals, time stamping, and electronic delivery services.
2. The Service Layer: This layer includes the services that support the application layer, such as authentication and identity verification services, attribute providers, and validation services.
3. The Infrastructure Layer: This layer includes the technical infrastructure required to support the service layer, such as the communication networks, the certificate authorities, and the trust service providers.
The eIDAS ARF is regularly updated to reflect new developments and changes in technology and policy. As a result, it is a living document that evolves over time to ensure that it remains relevant and effective in promoting secure and trustworthy electronic transactions within the European Union.
Next, we will explore the importance of interoperability, facilitated by the standards, guidelines, laws, and regulations outlined above and those to come in the future.