For public and private entities, data collection is a way of life. That fact has led to the proliferation of common regulations to protect consumers and individuals from unacceptable use or storage of their private data. But it's not just data collection laws companies have to adhere to. There are many US-based and international statutes that put constraints on how they do business. What follows summarizes the most common regulations and how they can affect the work you do, day to day.

Table of Contents

  1. General Data Protection Regulation (GDPR)
  2. Health Insurance Portability and Accountability Act (HIPAA)
  3. California Consumer Privacy Act (CCPA)
  4. Family Educational Rights and Privacy Act (FERPA)
  5. Gramm-Leach-Bliley Act (GLBA)
  6. Financial Industry Regulatory Authority (FINRA)
  7. Sarbanes-Oxley Act (SOX)
  8. Federal Information Security Modernization Act (FISMA)
  9. Payment Card Industry Data Security Standard (PCI-DSS)
  10. Children's Online Privacy Protection Rule (COPPA)
  11. Protect Your Data with


General Data Protection Regulation (GDPR)

The GDPR is a European Union law that governs the collection and use of the personally identifiable information of European Union citizens. What's notable about the GDPR is its wide reach. Your business does not have to have an EU location for the GDPR to apply. Your business falls under its auspices as soon as you gather information on European citizens, no matter where you do the collecting.

The GDPR distinguishes between a "controller" and a "processor" — basically between those who determine the purpose and method of gathering data and those who carry it out. Under the GDPR, both are liable for a breach. The law mandates strict protocols around the collection, use, storage, and transfer of personally identifiable data of EU citizens. In addition to things like name, address, and phone number, the GDPR imposes stringent requirements on special categories of personal information because of their sensitive nature. These include biometric data, health data, genetic data, religious or trade union affiliation, and political loyalties.

Health Insurance Portability and Accountability Act (HIPAA)

HIPAA became US law in 1996, before the age of big data. Part of its function is to protect individuals' personally identifiable information (PII) and their personal health information (PHI). The law applies to "covered entities," which have access to PII and/or PHI. Some examples are hospitals, clinics, seniors' care facilities, and pharmacies. The law also refers to "clearinghouses," opening the door to regulation of third-party data processors and others who may have access to sensitive health information about individuals.

HIPAA is an older statute that still applies to newer businesses interested in retaining and analyzing information. In the early days of the law, governments expected that health care providers or university researchers would obtain health data and quickly dispose of it. Now, data has great value not only to private organizations for economic purposes but also to health care providers who want to use aggregate data to improve patient care. As a result, complying with HIPAA has become challenging. Organizations use ETL (extract, transform, load) processors to transform data in order to meet their legal responsibilities while still keeping valuable data points.

California Consumer Privacy Act (CCPA)

The CCPA applies to businesses that collect personal information about California residents, even if those residents are temporarily out of state. As with the GDPR, your business does not have to have a California location for the CCPA to apply to you. Some businesses fall below the CCPA's thresholds, however, in which case the law does not apply to them. Generally, the CCPA applies to businesses that have gross annual revenues of $25 million, that collect the information of 50,000 or more California residents, or that make at least half of their revenue through the sale of the personal information of California residents.

So what rights do consumers have under the CCPA? Consumers can ask for, and should receive, information about the data that's collected about them. They can opt out of the sale of that information and in some cases can ask for the deletion of their information. This all applies to personally identifiable information, such as name, address, and even internet browsing history, from which the business may create a marketing profile. Although the CCPA is a California-only law, a number of states are enacting similar legislation to apply to their own residents. For that reason, it's sensible for organizations to strengthen their data protection protocols in anticipation of new laws.

Family Educational Rights and Privacy Act (FERPA)

FERPA protects educational information about students. It applies to universities and schools that receive federal funding under certain criteria. FERPA limits the information an institution may disclose about a student's records, with some notable exceptions. Those include disclosure to a school to which the student is transferring and release in compliance with a legal order. If the disclosure doesn't fall into an exception, the school must have the written permission of a parent (if the student is under 18) or of the student (if the student is 18 or older, or is under 18 but attends a school above the high school level) to disclose records. FERPA is another older law that is still finding its place in the age of big data. To ensure compliance, institutions may want to adopt robust data security protocols, such as moving to a cloud-based system.


Gramm-Leach-Bliley Act (GLBA)

The GLBA was enacted in 1999 to modernize financial institutions, granting them more opportunity to engage in diverse business activities. At the same time as it created this expansion, GLBA imposed new rules around certain information. Specifically, it introduced a new rule on the privacy of non-public information. It limits the amount of non-public information an institution can disclose to non-affiliated third parties and, at the same time, mandates that institutions inform consumers about their information-sharing practices. Consumers also have an opt-out option for the sharing of their information. GLBA also requires many companies to protect themselves against unauthorized access, to anticipate security risks, and to refrain from using false pretenses to obtain consumer information.

Financial Industry Regulatory Authority (FINRA)

FINRA isn't a law per se, but it is an important regulatory body in the financial services industry. It is a self-governing body that operates independently from the government. It not only enforces the rules that apply to registered brokers and broker-dealers — it writes those rules as well. FINRA's stated purpose is, in part, to create confidence in the market so it works for everyone. Part of its service is to offer a free, searchable database of broker information for public access.

Sarbanes-Oxley Act (SOX)

SOX was passed in the early 2000s after several high-profile financial scandals, such as the collapse of Enron. SOX creates tighter controls over financial record-keeping and reporting, in order to protect shareholders and the public from potentially fraudulent activity. Among the important SOX provisions are the requirement that senior officials certify a company's financial records in writing and compliance with new rules about record retention and destruction. SOX also mandates internal controls over financial record-keeping. This last obligation has heightened the need for companies to ensure a high level of internal security, possibly including a Service Organization Controls (SOC) framework.

Federal Information Security Modernization Act (FISMA)

FISMA was updated in 2014; the earlier law, enacted in 2002, was called the Federal Information Security Management Act. FISMA is designed to protect the information held by the government, as well as to safeguard government operations and assets from threats. According to the official FISMA website, the 2014 act put into law the role of the Department of Homeland Security in implementing and overseeing compliance with information security practices in civilian agencies within the government's executive branch.

Payment Card Industry Data Security Standard (PCI-DSS)

The PCI-DSS is, like FINRA's rules, not a law; it is a standard issued by a self-governing industry body. The standard was created by the PCI Security Standards Council in 2006. The Council is made up of the world's largest card payment issuers: JCB, Visa, Mastercard, American Express, and Discover. The standard applies to any business or individual that processes payments using these brands' cards.

For companies that process card payments, security is essential to maintain the integrity of their networks — and to pass muster with the PCI Council. Larger merchants go through an annual validation process conducted by a qualified external assessor (a Qualified Security Assessor, or QSA). Smaller companies must instead complete a self-assessment questionnaire (SAQ).

Children's Online Privacy Protection Rule (COPPA)

COPPA applies to those who run websites aimed at children under the age of 13. As stated by the FTC, COPPA's main intent is to put more control into the hands of parents over what information companies collect about their children. It gives parents the right to know what information is collected about their children, as well as the opportunity to opt out of collection. It also imposes strict security protocols on the collection and use of that information.


Protect Your Data with

Anyone operating in the digital age must treat the data they collect and release to others with great respect. When it comes to cleaning, storing, and purging data in a way that aligns with the highest regulatory standards, you can count on's feature-rich and secure platform to treat your customers' personal information with the utmost care. For more information, to schedule a demo, or to start a risk-free 14-day pilot of the platform, contact our support team today.