Primer: Data Privacy in the U.S.

  • Leah Zitter
  • October 29, 2019

We’ve come a long way from the time Benjamin Franklin sought to protect the privacy of mailed items by locking the postal carrier’s saddlebags. And we’ve still got a way to go. In the absence of a federal mandate, at least 25 states, including California, Maryland, Nevada, Massachusetts, and Texas, have either introduced or implemented provisions for data privacy, but they differ in their definitions of personal data and in their conceptions of a data breach. Streaming platforms, among other online services that handle and broker personal data, also have to abide by the EU’s General Data Protection Regulation.

General Data Protection Regulation (GDPR)

The European Union’s General Data Protection Regulation (GDPR) was passed in 2018, obligating companies to provide users with data privacy and data portability. Data privacy ensures that users know which of their personal information is shared and why, and that they consent to that distribution of their information. With data portability, Big Data collecting companies (like Facebook or Google) are legally obligated to allow users to move all personal information the company has collected on them from that particular service to another. The company has to port that information in a usable format that allows for easy transmittal, and the information must be transmitted “without hindrance.”

California Data Privacy Law

The California Consumer Protection Act (CCPA) applies only to internet companies that are either based in California or that have users in that state. The rule requires companies to disclose the information they collect on users and to delete that personal information if asked. Businesses have to respond promptly to enquiries from California consumers and, if they gross more than $25 million annually, are fined if they fail to “cure” violations within 30 days. The CCPA is due to come into effect in January 2020.

New York Data Privacy Law

The New York Consumer Privacy Act (NYPA) is similar to California’s CCPA. It empowers residents of New York to inquire about what data a business has collected on them, request that the business correct or delete the data, and opt out of having their data shared with or sold to third parties. As with the CCPA, the NYPA applies to “legal entities that conduct business in New York” or that “intentionally target” residents of New York with their products or services. The law applies to businesses of any size, both for-profit and non-profit, and, unlike the CCPA, does not include a revenue threshold.

Other States: Their Data Privacy Law

Twenty-five other states have put into effect their own laws which, although not as strong as those of California or New York, do provide a certain modicum of data privacy.

Maine and Nevada have consumer privacy protections signed into law. Maine’s Act to Protect the Privacy of Online Consumer Information (effective July 1, 2020) prohibits broadband Internet access service providers from using, selling, distributing or permitting access to customer personal information for purposes other than providing services. Meanwhile, Nevada’s Senate Bill 220 (passed Oct. 1, 2019) requires websites and online services to post privacy notices to users regarding access to their information.

Maryland’s Online Consumer Protection Act, if passed, would force companies to demand access to user data and disclose when user data is being collected and what user data is being sold.

Texas created its Texas Privacy Protection Advisory Council to study data privacy laws in Texas, in other states, and around the world. Findings and recommendations will be announced on September 1, 2020. Hawaii’s Act Relating to Privacy, introduced May 9, 2019, is more like the CCPA in that it requires a business to disclose the information it collects and sells on consumers as well as to delete that personal information if so asked.

The Standards for The Protection of Personal Information of Residents of the Commonwealth requires organizations that own or license personal data on Massachusetts residents to put a program in place that safeguards this data. Meanwhile, Minnesota’s Government Data Practices Act (MGDPA), if passed, will have a classification system that protects the use and dissemination of private data.

Unlike New York’s and California’s provisions, most of these Acts exclude rights of access, portability, deletion, or non-discrimination. They’re also less severe in following through on remissions and in their penalties.

Streaming Companies That Abide By These Data Privacy Laws

In January 2019, privacy group Noyb accused streaming giants, including Amazon, Apple, Google, Netflix and Spotify, of ignoring various GDPR provisions. Amazon, Apple, Spotify, and Google’s YouTube, for instance, let consumers download their personal data, but large parts of that data were “unintelligible”. All four streaming giants also withheld diverse information, such as a list of other companies with whom their data was shared. Netflix took about 30 days to reply and gave consumers incomplete data. Some SVOD companies did not reply to the information requests at all.

Here’s What Streamlytics Found…

Last week, Streamlytics conducted research on 16 top SVOD and social media companies to see whether, and to what extent, they abide by data privacy rules. Our companies included Amazon, Apple, Google, Netflix, and Hulu.

We downloaded requests for our personal data and found Google the most advanced, giving us saturated access to all information including our streaming data. Google even gave us the non-mandated option of regular updates, every two months. We found that Amazon and Netflix had also improved their performances, boosting both the readability and the scope of their released data.

Apple, on the other hand, failed to provide our streaming data. When we received our other data from Apple, the file, weighing over 76GB, would have crashed our computer had we downloaded it. In that way, Apple still has not fully complied with GDPR rules of giving consumers a copy of their personal data. (We reasoned that providing data that is unusable (Google provides some files in JSON) or inaccessible (e.g., large files that can’t be connected to the user’s own cloud service provider) violates the GDPR mandate that allows users to move their personal information from one particular service to another.)

With Amazon, it took perseverance to finally find their directions on how to access user data. In contrast to Bet+, Hulu, Warner Brothers, and Netflix excelled on all counts. Most SVOD companies cited and said they would adhere to California’s CCPA.  


In the absence of federal provisions, data protection is largely left up to the states – and that’s a problem since states vary in whether and how they deal with the issue. Some states, notably California and New York, ensure that businesses, including streaming services, share their collected data with users and even delete it when requested. Other states stop at investigating the issue and formulate hypothetical recommendations, at best. In the last few months, most streaming platforms have taken significant steps to boost their privacy protection.

About Leah Zitter

Dr. Leah Zitter has a Ph.D. in Psychology Research with a focus on Behavioral Neuroscience and over a decade of experience as an analyst, covering emerging technology, innovation, and media. She trained as an investigative journalist at the Center for Near East Policy Research, is a researcher at heart and enjoys exploring technology’s impact on culture and society.