How to Navigate the Minefield of Data Protection Laws

A “minefield” is defined as a subject presenting unseen hazards, and that’s how many people view the continuously evolving slew of data protection laws. There are hundreds of laws about protecting data, but below is a selection of laws most likely to impact you or your business.

The Simple Life

In 1936, a new piece of valuable personal data was distributed to American citizens: the Social Security Number. This instigated the Social Security Act, prohibiting companies from revealing clients’ numbers.

The Computer Age

By 1974, concerns about how the creation and handling of personal data might impact a person’s rights brought about the Privacy Act. The act gives individuals the right to request their records, to request that inaccurate records be corrected, and to be protected against unwarranted invasion of their private records.


As time, culture and technology advanced, federal, state, and local governments continued to enact legislation to protect the information of individuals. Consider whether any of these federal laws affect you or your business:

  • Educational Institutions: The Family Educational Rights and Privacy Act (FERPA) of 1974 protects the privacy of student education and parent records.
  • Computers: The Computer Fraud and Abuse Act (CFAA) of 1986 has been updated several times and prohibits accessing a computer without authorization.
  • Motor Vehicles: The Driver’s Privacy Protection Act (DPPA) of 1994 governs the privacy and disclosure of information gathered by the Department of Motor Vehicles (DMV).
  • Medical: The Health Insurance Portability and Accountability Act (HIPAA) of 1996 governs the privacy and security of Personal Health Information (PHI).
  • Online Services: The Children’s Online Privacy Protection Act (COPPA) of 1998 protects the privacy of children under 13 years old by requiring parental consent to collect or use their child’s personal information.
  • Audio-Visual Providers: The Video Privacy Protection Act (VPPA) of 1988 prevents wrongful disclosure of audio-visual rental information.
  • Financial Institutions: The Gramm-Leach-Bliley Act (GLBA) of 1999 requires financial institutions to explain their information-sharing practices to their customers and to safeguard sensitive data.
  • Retention Periods: The Sarbanes-Oxley Act (SOX) of 2002 sets the minimum retention time prior to the shredding of documents.
  • Consumer Reporting Agencies: The Fair and Accurate Credit Transactions Act (FACTA) of 2003 provides means to reduce identity theft and protects consumers through transparency on decisions made by mortgage lenders. The Fair Credit Reporting Act (FCRA) added provisions designed to improve the accuracy of consumers’ credit-related records and provide consumers the right to receive one free credit report each year.

Privacy Act Clarity

To help businesses understand what kind of information they are legally responsible for, the term Personally Identifiable Information (PII) was defined as personal identifiers that include one or a combination of any of the following pieces of information:

  • Name
  • Address
  • Birthdate
  • Geographic information
  • Phone numbers
  • Email address
  • Full face
  • Social Security Number
  • Website
  • Biometric ID
  • Account numbers
  • License numbers
  • Medical information

The Cloud Era

With advancing technology, the CLOUD Act of 2018 amended the Stored Communications Act of 1986, which was written with the intention to create a Fourth Amendment-like privacy protection for email and other digital communication stored or held by internet service providers, such as email, instant messaging, video conferencing, wireless phone data, remote or backup data storage, and cloud hosting or processing. Service providers are obligated to comply whether these services are located within or outside of the United States.

Ongoing Compliance

In the United States, there is no single data protection law, and many of the laws are still unclear and contain loopholes. This is why data protection laws are thought of as a “minefield.” Fortunately, you have the option of working with a reputable records and information management company that is well-versed in the data protection laws that affect your business.

CI Information Management’s experienced professionals can help you safeguard your data in a legally compliant manner. Let us navigate the minefield so you don’t have to! Simply call us at 509-586-6090 or complete the form on this page.