Currently, there is no country-wide set of data protection guidelines that retailers need to be aware of for their customers. This might sound simple at first, but it actually makes things a lot more complicated. Instead, there are hundreds of separate laws across different states that aren't tied together, which means you have to be aware of the specific data protection laws in every state where your business operates.
As a starting point, it's useful to know that the Federal Trade Commission Act (FTCA) and the US Federal Trade Commission (FTC) oversee these laws, and that you should research the specific regulations that apply to you.
If you're familiar with Europe's General Data Protection Regulation (GDPR), then you'll know that Europe takes a stricter stance on the protection of consumers' data. In Europe, individuals own their personal information and have the legal right to control it, decide who can use it, and request that it be permanently erased. The United States, by contrast, has been far more lenient: its data protection laws are rooted in harm prevention, whereas Europe's are rights-based.
But this year marks a major shift in data protection laws in the US. California is the first state to pass its own data protection law, the California Consumer Privacy Act (CCPA), which allows any Californian consumer to demand to see all the information a company has saved on them, as well as the full list of third parties with which that data has been shared. Other states, including Colorado, Connecticut, Utah and Virginia, are following suit and planning to enforce new GDPR-inspired laws this year.
There are other laws that relate to data protection. For example, the Telephone Consumer Protection Act (TCPA) stops unsolicited text messages and phone calls. Each violation of the act can result in a fine of between $500 and $1,500, and there is no cap, so racking up thousands of violations could lead to millions of dollars in penalties. Meanwhile, the CAN-SPAM Act deals with email regulations, covering things like not using false header information, clearly labelling an email as an ad, and giving consumers the ability to opt out of future emails. Failure to comply can lead to penalties of $50,120, and the person who sent the email can be held responsible alongside the company. Further charges may also be brought against you for deceptive advertising under Section 5 of the FTC Act, which can lead to imprisonment.