720-281-9672 info@ogxconsulting.com

In 2006, British mathematician Clive Humby postulated that “data is the new oil.” This is a profound statement that provides insights into two aspects of the current day. First, vehicle transportation powered by oil products, which used to connect the world, has been replaced by internet and online technology powered by data sources. However, the second aspect on which the statement provides insight is that crude data is significantly less helpful and must go through refining processes similar to crude oil products. Only through this refinement does the data provide useful insights to continue to advance society and connect communities. As such, effective business coincides with the establishment of effective data governance.

In certain sectors, this establishment is easier said than done as Congress and state legislatures have passed laws that create limits on data governance in the name of data privacy. These national laws include the U.S. Privacy Act of 1974, the Health Insurance Portability and Accountability Act (HIPAA), the Gramm-Leach-Bliley Act (GLBA), and the Children’s Online Privacy Protection Act (COPPA). There are also various state laws that must be followed in states such as California, Virginia, and recently, Colorado. By understanding the data governance policies required by these statutes, companies can establish protocols to optimize the refinement and utilization of their data resources.

U.S. Privacy Act of 1974

Enacted on December 31, 1974 by the 93rd United States Congress, the U.S. Privacy Act was the first law of its kind intended to protect the privacy of individuals during the rise of technological databases. The Act was designed to limit government agencies from illegal surveillance and storage of personal data that came to be a major concern during the Watergate scandal. It was also intended to limit the amount of personal data that could be accessed by means of a universal identifier such as social security number.

The Act started by a recommendation from the Department of Health, Education and Welfare that suggested legislation to adopt a Code of Fair Information for personal data systems. In its final passage, the Law was a targeted restriction for systems of records contained by government-controlled companies, military, and executive agencies, as well as the Office of the President, but does not apply to the House of Representative or the Senate. The first aspect of the law prevents secret databases by requiring agencies to get approval from the Committee on Government Operations in the House of Representatives, the Committee on Governmental Affairs in the Senate, and the Office of Management and Budget for new systems as well as publishing approved systems in a public Federal Register. The second aspect of this Act is that any records held by a government system must be accessible to the individual whom the record concerns. The third aspect of the Privacy Act lays out that the Agency is not able to disclose information held within the database unless it meets 1 of 12 different criteria or they have permission from the designated individual, and any disclosure or disclosure request must be kept as an audit trail. The fourth aspect of the Act requires that only the minimal amount of data necessary for the usage of the data be recorded. The last aspect of the law limits data sharing among agencies such as “matching programs” which would compare an individual in two databases to determine the appropriate benefits or status. This data matching is illegal unless granted permission by the Committees in the House and Senate, made available to the public, and overseen by a Data Integrity Board.

Health Insurance Portability and Accountability Act of 1996 (HIPAA)

Published on August 20, 1996, the Health Insurance portability and Accountability Act aimed to amend the Internal Revenue Code specific to areas of health insurance coverage and other health care related delivery. In order to do this, the national government intended to improve the Medicare and Medicaid programs while also developing a health information database to increase the efficiency and effectiveness of health care throughout the United States.

The official law calls for the Secretary of the United States Department of Health and Human Services to adopt security standards that considers the needs, technical capabilities, cost, and value of those standards, as well as policies and procedures for clearinghouses. It additionally required administrative, technical, and physical safeguards of health information to ensure integrity and confidentiality against anticipated threats, hazards, and unauthorized disclosures. With these guidelines, the Secretary created the Standards for Privacy of Individually Identifiable Health Information (HIPAA Privacy Rule).

The Privacy Rule creates protections for individually identifiable health information, which is data that relates to topics such past, present, or future physical or mental health conditions, the provision of healthcare for the individual and the payment of those provisions which could be used to identify the individual. This includes name, address, birthdate, and Social Security Number. In order for this material to be disclosed, it must be required or permitted by the Privacy Rule, or the individual must authorize disclosure in writing. The Privacy Rule requires information to be disclosed to the individual when it is requested and to the Department of Health and Human Services for compliance investigation. There are also only a handful of times the information is permitted to be disclosed. First, the information may be disclosed within an already covered entity for treatment, payment, and health care operation activities. Second, there are some national priority purposes in which information can be used without permission. These purposes include public health activities such as preventing or controlling diseases, tracking FDA product regulation for recalls, and employers concerned for work-related injuries. Medical offices are also permitted to release information for abuse, neglect, domestic violence, health oversight activities, judicial and administrative proceedings, cause of death examination, donation and transplantation of organs, research, and worker’s compensation. Release of records is permitted for essential government functions such as military missions, national security activities, protective services for the President, medical suitability for State Department employees, health and safety of inmates, and enrollment in government benefit programs. Law enforcement purposes also permit disclosure of information for uses such as court subpoenas, identifying a suspect, fugitive or missing person, a suspected victim of a crime, death caused by criminal activity, crime on the health care facilities premises, or medical emergency not on the premises. Lastly, information such as name, general condition, religious affiliation, and location may be released in a facility directory only if the individual has acquiesced. This information may be released but must follow the minimum necessity rule, where they disclose only the least amount of information necessary and must restrict access and use of all the additional information. All this information and the specific policies followed by the institution must be laid out in a written privacy policy that is provided to the individual seeking treatment and must obtain a receipt acknowledging that notice has been given. The HIPAA protections must be developed and implemented by a designated privacy official, and all workers must undergo training to follow data safeguards intended to mitigate violations.

These protections must additionally follow the HIPAA Security Rule which establishes standards for the appropriate administrative, physical, and technical safeguards of electronic personal health information to ensure the confidentiality, integrity, and security of the data. The HIPAA Security Rule lays out that entities must obtain a National Provider Identifier to identify themselves and communicate with the National provider System. Under this NPI, the provider must create standards for the protection and security of individual’s data that can be reviewed by the Secretary. In these standards, the covered entity must use applicable data codes to communicate with health care plans, clearing houses, and other covered entities through referrals. The entity must also submit compliance reports and cooperate with investigations and reviews to ensure the established standards are being followed and protecting individual data.

Gramm-Leach-Bliley Act (GLBA)

The Financial Services Modernization Act of 1999, more commonly referred to as the Gramm-Leach-Bliley Act (GLBA) was enacted on November 12, 1999, by the 106th Congress and named after Senator Phil Gramm and Representatives Jim Leach and Thomas Bliley. The primary purpose of the bill was to allow commercial banks, investment banks, securities firms, and insurance companies to consolidate and provide multiple services. This was in response to a merger of Citicorp and Travelers Group to create the conglomerate Citigroup which would have been in violation of the Glass-Steagall Act. The intended aim of the bill was to facilitate a more consistent bottom line for banks by allowing people to save in commercial banks during difficult times and invest in investment banks during prosperous times.

The Gramm-Leach-Bliley Act protects data in three approaches. The first is through the Financial Privacy Rule. This rule requires financial institutions to keep personal identifiable information private such as name, date of birth, and Social Security number. This rule also requires financial institutions to keep private transactional data such as credit card numbers, bank account numbers, and credit reports. This policy must be established, and notice must be provided to customers and consumers and provide the customer an option to opt-out of any disclosures of their information. The second approach is a Safeguards Rule. This rule requires specific administrative, technical, and physical practices and procedures to safeguard data during the accessing, collecting, distributing, processing, protecting, storing, usage, transmission, and disposal of customer information. These practices and procedures include training employees, installing proper software, and monitoring for vulnerabilities. The last approach is pretexting provisions. Under this approach, financial institutions are also required to take measures to detect and prevent data loss from unauthorized access through phone, email or in person. In order to follow these approaches, one or more employees must be designated to coordinate the data security programs.

Children’s Online Privacy Protection Act (COPPA)

The Children’s Online Privacy Protection Act of 1998 was enacted on October 21, 1998, but took effect on April 21, 2000. The law stemmed from a rise in online usage of children and the collection of data of young kids. The Federal Trades Commission issued the “KidsCom Letter” which said data collection and usage practices needed to be told to parents about the risks of their child’s internet privacy and to receive parental consent.

The law itself prohibits unfair practices in connection with collecting, using, and disclosing personal information of children under the age of 13 while on the internet. The regulations state that it is illegal for operators to collect information from a child on a website directed towards kids or where the operator has knowledge that the information is coming from a child in a manner that violates what the law allows. Under this law an operator has certain requirements to which they must adhere in order to be allowed to collect data. First, they must provide notice on what information the website collects from children, how they use the information and its disclosure practices which is available on the website and is made available to the parents with every reasonable effort. Second, they must obtain verifiable parental consent prior to collection, use or disclosure of personal child information. Third, they must provide a means for parents to review the information collected from their child and to refuse any usage of that information. Fourth, the website is not allowed to make a child’s participation in a game, the awarding of a prize, or other activities conditional on the child disclosing personal information that is not necessary for such activity. Lastly, the website must establish and maintain procedures to protect confidentiality, security, and integrity of children’s personal information.

State Laws

Multiple states have established laws to further increase the protection of their constituent’s online data privacy. These laws include the Virginia Consumer Data Protection Act (VCDPA), the California Privacy Rights Act (CPRA), and the Colorado Privacy Act (CPA), with more laws to come in states such as Connecticut, Utah, and Iowa.

The Virginia Consumer Data Protection Act took effect on January 1, 2023. In this law, Virginia ensures that consumers have six rights when it comes to their data. The right to confirm that their data is being processed by a firm, the right to access that data, the right to correct inaccuracies in that data, the right to delete personal data held by the firm, the right to obtain a copy of the personal data, and the right to opt-out of their personal data being sold, profiled, or used for targeted advertising. The law requires controllers to only collect reasonably necessary data and develop administrative, technical, and physical data security protections. It also requires controllers to create a means for consumers to exercise their rights, disclose any sale of personal data and allow opt-out possibilities to consumers, and provide consumers with a clear privacy notice. The controller is finally required to conduct and document an assessment of the data’s protection whenever it processes data for targeted advertising, profiling, selling, if processing the data creates a risk of harm to the consumer, or if the processed data is sensitive.

The California Privacy Rights Act effectively amended the California Consumer Privacy Act of 2018 on January 1, 2023. This law requires that a privacy notice be given to employees and applicants at the time their personal information is collected. As well as extends employees the right to access and correct personal information. To consumers, the law grants the right to correct inaccurate personal information and to limit the use of sensitive personal information. This extends on the protections afforded by the California Consumer Privacy Act of 2018 such as the right to know what personal information was collected by the business and how it was used, the right to delete personal information collected, the right to opt-out of the sale of personal information and the right to not be discriminate against for exercising the rights granted through the law.

The Colorado Privacy Act came into effect on July 1, 2023. The CPA requires that operators obtain clear, specific, informed, unambiguous consent, freely given by the consumer prior to processing sensitive or personal data about children, selling a consumer’s data, processing data for targeted advertisement, profiling, or processing personal data for unnecessary purposes. The law also limits processing of data that was collected under prior consent and establishes that new consent must be given for new processing purposes. Controllers are allowed to re-seek consent but not in a fashion that cause consent fatigue. Additionally, the Act requires the data collected to be minimized to only the necessary capacity and allows universal opt-out mechanisms as well as access requests for the consumer’s data that is being held. The Colorado law also establishes data protection assessments and requires key stakeholders and all relevant external actors to identify, assess, and address data protection risks.

Best Practice Recommendations

There are many laws in place that restrict how data can be collected and for what that data can be used. It is critical for companies to understand what best policies and procedures they should enact to ensure they are compliant with these laws while also governing their collected data. Although this is not intended to be advice given by a legal professional, the following criteria lays out a general model of data governance to comply with the national and state legal requirements.

  1. Identify what information needs to be collected for business purposes.
    • The information that is collected must be the minimum of data necessary for the business activities related to the collection of the data.
  2. Design policies and procedures for the technical and physical protection of data assets
    • This includes training for staff as to how to properly lock physical data files, how to ensure online data files are only shared with the proper staff, and the correct way to deal with phishing emails.
  3. Develop automated tools to allow consumers to opt-out of the collection of their data
    • The opt-out/opt-in options must be conveniently accessed by consumers
    • Must clearly state how to opt-out/opt-in
    • Garner unambiguous consent
    • Not be repeated so often as to create consent fatigue
  4. Create a privacy notice available to consumers that describes what information is collected and the policies for how it will be protected.
    • This notice should inform the consumer of the company’s data policy and the customer’s rights (as afforded by National Laws):
      • The information the company collects
      • The ways in which the company uses that information
      • The protective policies the company uses to secure the information
      • The right of the consumer to access the collected information
      • The right of the consumer to correct inaccuracies in the information
      • The right of the consumer to opt-out of the collection and usage of the information
      • The right of the consumer to request their information be deleted
    • This notice must be made available to the consumer through every reasonable effort
  5. Designate a data officer
    • This officer must ensure that:
      • Data privacy procedures are being practiced by staff
      • The rights of consumers are being respected and their requests followed
      • Continually improve notification and procedures to comply with new laws at the National and State levels

This is not a comprehensive requirement list nor is it advice from a legal professional. However, these recommendations will set the business down a course to properly govern their data and ensure they are in compliance with national laws such as the U.S. Privacy Act of 1974, the Health Insurance Portability and Accountability Act, the Gramm-Leach-Bliley Act, and the Children’s Online Privacy Protection Act, as well as various state laws such as the Virginia Consumer Data Protection Act, the California Privacy Rights Act, and the Colorado Privacy Act.


Just as laws shape and manage oil production, so do data privacy regulations, defining the boundaries for data utilization and collection. By understanding these legal requirements, businesses can establish more robust governance over their data resources. This can be done by collecting only essential data, crafting effective data protection policies and procedures, providing customers with a comprehensive privacy notice, and giving them the option to opt-out of their data being collected. Moreover, it’s crucial to institute proper oversight for these data governance protocols. Through these compliance principles, businesses can maximize the value derived from the refinement of their crude data. This not only ensures that the business stays on the right side of the law, but also places it on the most favorable trajectory to harness the transformative power of data, enabling the continuation of global connection.

Written by Hunter Steele, Contributions by Abbey Pint

Published Jul 27, 2023

Hunter Steele

Hunter has a demonstrated history working in economics as well as broad experience pertaining to the legal field. He strives to fuse these two fields to help businesses increase their efficiency and effectiveness while following the proper regulations.


Abbey Pint

Chief Marketing Officer

Abbey has a demonstrated history working in emerging technology, research, content development, creative strategy, and marketing at large. Abbey also holds a passion for community development, with a longstanding background working in Rwanda.

Related Articles

Future-Proof Your Workforce

Future-Proof Your Workforce

This article highlights how you can optimize your workforce, improve performance levels, and achieve your business goals while making the most of your resources.

read more

Unparalleled expertise

We dig deep into the inner workings of numerous industries. Pairing our knowledge with proven methodologies, we consistently deliver value to our clients.

Sign up to expect firsthand knowledge from our team that will help you to make informed decisions and give you an edge over your competition.

Unparalleled expertise

Join our community of forward-thinkers. Receive valuable expertise from our seasoned professionals, thought leaders, and industry experts. We dig deep into the inner workings of numerous industries. Pairing our knowledge with proven methodologies, we consistently deliver value to our clients.

Sign up to expect firsthand knowledge from our team that will help you to make informed decisions and give you an edge over your competition.