Laws that govern data collection
Other federal laws that govern the online collection of PII include:
- The Health Insurance Portability and Accountability Act (HIPAA): Governs the collection of health information.
- The Gramm-Leach-Bliley Act: Governs the collection of personal information by banks and financial institutions.
- The Children's Online Privacy Protection Act: Governs the collection of information about minors.
- The Fair Credit Reporting Act: Regulates the collection and use of credit information.
A checklist for setting up a data center in the US
To set up a data center and run your business without interruptions, make sure you comply with and follow:
- The data privacy laws specific to the state in which you wish to set up your data center.
- HIPAA, if you're dealing with health information.
- The National Institute of Standards and Technology (NIST) security standards and the Uptime Institute's tier certifications.
- Quality standards, like ISO.
- Security standards, like SOC.
- Environmental management standards, like ISO 14001.
- Energy-efficient data center designs.
State-wise data privacy laws in the US
There are many data privacy and data security laws among different states. After the CCPA passed in 2018, multiple states started to propose similar laws to protect their residents from data breaches and theft.
Signed on June 28, 2018, the CCPA went into effect on January 1, 2020. It is a major outcome of the GDPR's far reach and the myriad data breaches recorded in 2017. The CCPA is aimed at protecting California residents' consumer rights, ensuring stronger privacy, and increasing transparency. As cross-sector legislation, the CCPA is considered very comprehensive. With definitions similar to the GDPR, it imposes key duties on individuals or organizations that collect PII from or about a California resident.
Under the CCPA, a consumer is broadly defined as "a natural person who is a California resident." This law secures new privacy rights for California consumers, including:
- The right to know about the personal information a business collects about them and how it is used and shared.
- The right to delete personal information collected from them.
- The right to opt-out of the sale of their personal information.
- The right to non-discrimination for exercising their CCPA rights.
Further key provisions of the CCPA include:
- The CCPA primarily focuses on businesses that share or sell information. For example, the right to opt-out is available only in the case of selling or sharing personal information.
- Under the CCPA, "personal information" does not cover publicly available information, i.e., information lawfully made available from federal, state, or local government records.
- The CCPA doesn't cover medical information, which is governed by the Confidentiality of Medical Information Act.
- Civil penalties for violations of the Act are imposed by the courts. Since California has a much larger economy than the EU, the penalty also differs. Depending on the violation, the penalty may be up to $2,500 for each violation, and $7,500 for each intentional violation.
New York SHIELD Act
New York passed the Stop Hacks and Improve Electronic Data Security (SHIELD) Act in July 2019. This law is technically an amendment to New York's existing data breach notification law, and it broadens the scope of data security requirements by applying to “any person or business which owns or licenses computerized data which includes private information” of a New York resident. The major difference from the CCPA is that the CCPA is a data privacy law, while the SHIELD Act is a security regulation.
Other state-level data privacy laws
California and New York were the first states to introduce broad legislation for data privacy. However, other US states have also enacted laws that are typically extensions of the existing United States federal laws, with alterations and implementations specific to the state's needs.
Nevada’s Senate Bill (SB) 220
Nevada’s SB 220, an Act relating to internet privacy, prohibits website operators and those who run online services from selling consumer information to data brokers without the consumer's permission. Unlike the CCPA, Nevada’s SB 220 does not include rights of access, portability, deletion, or non-discrimination, and it does not apply to companies that collect PII offline. The response deadlines also differ: under Nevada's SB 220, organizations must respond within 60 days of a request's submission, with an additional 30 days available; under the CCPA, organizations have 45 days to respond to requests, plus an additional 90 days.
Maine's Act to Protect the Privacy of Online Consumer Information
Also known as LD 946, this bill prohibits a provider of broadband internet access service from using, disclosing, selling, or permitting access to customer personal information unless the customer expressly consents to that use, disclosure, sale, or access.
Other data center standards
In addition to the above laws on privacy and data protection, there are also other standards for setting up and maintaining the infrastructure in a data center.
The Uptime Institute's tier standard
The Uptime Institute is a neutral organization that established four tiers of data center certifications for categories including design, construction, and operational sustainability.
- Tier I: Basic capacity
- Tier II: Redundant capacity components
- Tier III: Concurrently maintainable
- Tier IV: Fault tolerance
The TIA's ANSI/TIA-942-A standard
The Telecommunications Industry Association's (TIA) ANSI/TIA-942-A is the telecommunications infrastructure standard for data centers. It is an American National Standard that specifies the minimum requirements for structured cabling work, as defined in TIA/EIA-568, and describes the design, installation, and performance requirements for cabling in data centers.
NIST Special Publication (SP) 800-53
The National Institute of Standards and Technology (NIST) is a non-regulatory government agency responsible for creating security standards that, among other things, enhance efficiency in data centers. Grounded in IT security and cybersecurity, NIST security standards cover data center infrastructure, along with the technology and the applications used.
NIST SP 800-53 is an important publication that covers the "Security and Privacy Controls for Federal Information Systems and Organizations." It provides security and privacy controls in the areas of application security and mobile and cloud computing, and also covers real-time monitoring of systems.
There are different types of data centers, like traditional and hybrid, each with its own pros and cons. Each organization must choose the type that fits its needs and successfully incorporate all elements of privacy, safety, security, and environmental standards. With so many controls, standards, audits, and reports involved, it is always recommended to adhere to and maintain compliance with all region-specific laws.