Laws that govern data collection
To make up for the absence of a single common law, the US has many sector-specific and medium-specific
laws that regulate the way telecommunications, health, credit card, financial institution,
and marketing data is stored and handled. Since its implementation, the Federal Trade Commission (FTC) Act
of 1914 has been providing enforcement to protect consumers' data and privacy. The FTC's privacy
enforcements include its positions against companies that fail to comply with its published privacy
Other federal laws that govern the online collection of PII include:
- The Health Insurance Portability and Accountability Act (HIPAA): Governs the collection of health
- The Gramm-Leach-Bliley Act: Governs the collection of personal information by banks and financial
- The Children's Online Privacy Protection Act: Governs the collection of information about minors.
- The Fair Credit Reporting Act: Regulates the collection and use of credit information.
A checklist for setting up a data center in the US
To set up a data center and run your business without interruptions, make sure you comply with and
- The data privacy laws specific to the state in which you wish to set up your data center.
- HIPAA, if you're dealing with health information.
- The National Institute of Standards and Technology (NIST) and Uptime Institute's tier certifications.
- Quality standards, like ISO.
- Security standards, like SOC.
- Environmental management standards, like ISO 14001.
- Energy efficient data center designs.
State-wise data privacy laws in the US
There are many data privacy and data security laws among different states. After the CCPA passed in
2018, multiple states started to propose similar laws to protect their residents from data breaches and
Signed on June 28, 2018, the CCPA went into effect on January 1, 2020, and is a major outcome of the
GDPR's far reach and the myriad of data breaches recorded in 2017. The CCPA is aimed at protecting
California residents' consumer rights, ensuring stronger privacy, and increased transparency. As
cross-sector legislation, the CCPA is considered very comprehensive. With definitions similar to the
GDPR, it imposes key duties on individuals or organizations that collect PII from or about a California
Under the CCPA, a consumer is broadly defined as "a natural person who is a California resident." This
law secures new privacy rights for California consumers, including:
- The right to know about the personal information a business collects about them and how it is used
- The right to delete personal information collected from them.
- The right to opt-out of the sale of their personal information.
- The right to non-discrimination for exercising their CCPA rights.
The organization that collects the data must disclose the type of information collected in a privacy
policy displayed on its website. Though there are many similarities between the CCPA and the GDPR, there
are some differences, including:
- The CCPA primarily focuses on businesses that share or sell information. For example, the right to
opt-out is available only in the case of selling or sharing personal information.
- Under the CCPA, "personal information" does not cover publicly available information, i.e.,
information lawfully made available from federal, state, or local government records.
- The CCPA doesn't include medical information, as it is governed by the Confidentiality of Medical
- Civil penalties can be issued if the Act is violated. The penalty is issued by the court. Since
California has a much larger economy than the EU, the penalty also differs. Depending on the
violation, the penalty may be up to $2,500 for each violation, and $7,500 for each intentional
New York SHIELD Act
New York passed the Stop Hacks and Improve Electronic Data Security (SHIELD) Act in July 2019. This law
is technically an amendment to an already-existing data breach notification law in New York, and it
creates a greater scope for data security by applying to “any person or business which owns or licenses
computerized data which includes private information” of a resident of New York. The major difference
from the CCPA is that the CCPA is a data privacy law, while the SHIELD Act is a security regulation.
Other state-level data privacy laws
California and New York were the first states to introduce broad legislation for data privacy. However,
other US states have also enacted laws that are typically extensions of the existing United States
federal laws, with alterations and implementations specific to the state's needs.
Nevada’s Senate Bill (SB) 220
Nevada’s SB 220, an Act relating to internet privacy, prohibits website operators or those who run
online services from selling consumer information to data brokers without the consumer's permission.
Unlike the CCPA, Nevada’s SB 220 does not include rights of access, portability, deletion, or
non-discrimination, and it does not apply to companies that collect PII offline. Also, under Nevada's
SB 220, organizations have to respond within 60 days of request submissions, plus an additional 30
days; under the CCPA, organizations have 45 days to respond to requests, plus an additional 90 days.
Maine's Act to Protect the Privacy of Online Consumer Information
Also known as LD 946, this bill prohibits a provider of broadband internet access service from using,
disclosing, selling, or permitting access to customer personal information unless the customer
expressly consents to that use, disclosure, sale, or access.
Other data center standards
In addition to the above laws on privacy and data protection, there are also other standards for
setting up and maintaining the infrastructure in a data center.
The Uptime Institute's tier standard
The Uptime Institute is a neutral organization that established four tiers of data center
certifications for categories including design, construction, and operational sustainability.
- Tier I: Basic capacity
- Tier II: Redundant capacity components
- Tier III: Concurrently maintainable
- Tier IV: Fault tolerance
The Telecommunications Industry Association's (TIA) ANSI/TIA-942-A is the telecommunications
infrastructure standard for data centers. It is an American National Standard that specifies the
minimum requirements for structured cabling work. Building on the cabling requirements defined in
TIA/EIA-568, it describes the design, installation, and performance requirements for cabling in data centers.
NIST Special Publication (SP) 800-53
The National Institute of Standards and Technology (NIST) is a non-regulatory government agency
responsible for creating security standards to enhance efficiency in data centers. Based on IT
security and cybersecurity, NIST security standards cover regulations for data center
infrastructure, along with the technology and the applications used.
NIST SP 800-53 is an important publication that covers the "Security and Privacy Controls for
Federal Information Systems and Organizations." This offers security and privacy control in the
areas of application security, and mobile and cloud computing, and also covers real-time monitoring
There are different types of data centers, like traditional and hybrid, that each come with their own
pros and cons. It's the choice of the individual organization to choose the type that fits their needs,
and successfully incorporate all elements of privacy, safety, security, and other environmental standards.
With so many controls, standards, audits, and reports, it's always recommended to adhere to and maintain
compliance with all region-specific laws.