In contrast to the UK, the US does not have one single national law governing the collection and use of data. Instead, the United States has a patchwork of state and federal laws that can dovetail, overlap and sometimes contradict one another on data protection. In addition, there are many guidelines, established by industry groups and government agencies, that do not have the force of law.
There are many national privacy-related laws that regulate data collection and use. Some apply to specific categories of information, such as electronic communications, health or financial information. Others apply to activities that use personal information, such as commercial email and telemarketing. There are also many consumer protection laws which, although they are not privacy laws, prohibit deceptive and unfair practices involving the security procedures used to protect personal information.
Without limitation, the following are the major federal laws that deal with data protection:
1) The Federal Trade Commission Act (15 U.S.C. §§41-58) (FTC Act)
The FTC Act is a consumer protection law that outlaws deceptive and unfair practices and is commonly applied to online and offline data security policies. Many enforcement actions have been brought under this law against firms that failed to comply with their own privacy policies or disclosed personal data without authority.
2) The Financial Services Modernization Act (15 U.S.C. §§6801-6827)
This Act regulates how institutions collect, use and disclose financial information. It applies broadly to financial institutions such as insurance companies, banks and securities firms, and to other companies that offer financial products and services. It prohibits disclosing non-public personal information. In some cases, it requires institutions to give individuals notice of their privacy policies and an opportunity to opt out of having their data shared.
3) The Health Insurance Portability and Accountability Act (42 U.S.C. §1301 et seq.)
Also known as HIPAA, this Act regulates medical information. It applies widely to data processors, health care providers, pharmacies and other bodies that handle medical information.
4) The Fair Credit Reporting Act (15 U.S.C. §1681)
This Act applies to all consumer reporting agencies, to firms that use consumer reports (such as lenders), and to those that furnish consumer-reporting information. Consumer reports are communications from a consumer reporting agency covering a consumer's creditworthiness, character, credit history and credit capacity, together with general information that can be used to evaluate the consumer's eligibility for insurance or credit.
5) The Telephone Consumer Protection Act (47 U.S.C. §227 et seq.) and the Controlling the Assault of Non-Solicited Pornography and Marketing Act (15 U.S.C. §§7701-7713 and 18 U.S.C. §1037) regulate the collection and use of telephone numbers and e-mail addresses, respectively.
At the state level, there are many laws that regulate how individuals and organizations collect and use personal data. In some cases, federal data protection laws pre-empt state laws on the same topic. For instance, the federal law that regulates commercial e-mail pre-empts many state laws regulating similar activities.
As you have noted, the US has many data protection laws, and your fintech business needs to be familiar with all of them. Depending on the state in which your business is located, ensure that your company complies with both federal and state data protection law.