
Legal Obligations When Collecting Personal Information in the United States

Your business will have several privacy obligations when collecting personal information in Australia and sharing it with an overseas third party or related body corporate. The general position under Australian Privacy Principle 8 and section 16C of the Privacy Act 1988 (Cth) is that an Australian business which discloses personal information to an overseas recipient remains accountable for any breach of the Australian Privacy Principles by that recipient, unless an exception applies. This article explores your obligations as an Australian business with a related body corporate in the United States and the considerations that arise when collecting personal information.

At LegalVision, our clients with overseas operations, particularly in the US, are increasingly asking us about their privacy obligations. While we recommend seeking specific legal advice on your circumstances, this article provides a helpful introduction to the US federal privacy laws and your key obligations when collecting personal information in the course of your business.

Collecting Personal Information

US law will apply if your Australian business collects personal information in Australia but discloses such information to a related body corporate in the United States. A related body corporate can include a US-based subsidiary or affiliate company.

Unlike Australia, the US does not have a single comprehensive federal statute regulating businesses that collect personal information. Australia’s framework is the Privacy Act 1988 (Cth), as amended by the Privacy Amendment (Enhancing Privacy Protection) Act 2012 (Cth), which introduced the Australian Privacy Principles (APPs).

Instead, the US has a patchwork of federal and state laws and regulations that set out the obligations of businesses regarding the privacy of their clients and customers. The following three US federal laws regulate the collection, use and disclosure of personal information by US-based businesses.

The US Privacy Law Framework

The Federal Trade Commission Act 15 U.S.C. §§ 41-58 (Federal Trade Commission Act)

The Federal Trade Commission Act is the principal consumer protection law in the US. Although its application is not limited to privacy, section 5 of the Act prohibits unfair or deceptive acts or practices in or affecting commerce. The FTC, with the backing of the courts, has applied that prohibition to data security practices and to both online and offline privacy: a business that fails to honour its own privacy policy, or that fails to take reasonable security measures, may be engaging in a deceptive or unfair practice.

The Federal Trade Commission (FTC) is the independent US law enforcement agency that enforces the Federal Trade Commission Act (broadly similar to our Australian Competition and Consumer Commission). It has brought several actions against well-known businesses (including Google, Oracle and Facebook) for breaches of their privacy obligations and for the unauthorised disclosure of personal information.

For example, the FTC brought an action against the dating site, Ashley Madison, due to the data breach of their network in July 2015. Ashley Madison had failed to protect 36 million users’ accounts and profile information. At the time of the data breach, they had:

  • no written information security policy;
  • inadequate employee training on security;
  • no knowledge of whether their third-party service providers were using reasonable security measures; and
  • no measures to help monitor their security system and its effectiveness.

As part of the settlement with the FTC, the operators of Ashley Madison were required to implement a comprehensive data security program, subject to independent third-party assessments, and to pay a total of US$1.6 million to the FTC and the participating states.

The Financial Services Modernization Act (Gramm-Leach-Bliley Act) (15 U.S.C. §§ 6801-6827) (GLB Act)

The GLB Act requires businesses that are ‘financial institutions’ to ensure the security of any financial information that they collect. Financial institutions include:

  • banks;
  • insurance companies;
  • securities firms; and
  • other businesses that provide financial products or services.

It is important to note that a business will be regarded as a financial institution if it has ‘significantly engaged’ in providing financial products or services, regardless of whether it identifies itself as one.

The GLB Act regulates the collection, use and disclosure of non-public personal financial information. In addition, the FTC’s ‘Safeguards Rule’ (16 C.F.R. Part 314), made under the GLB Act, requires financial institutions within the FTC’s jurisdiction to keep customer information secure. The business must develop, implement and maintain a written ‘information security program’ that describes how it will protect customer information. At a minimum, each business must:

  • designate one or more employees to oversee and coordinate the information security program;
  • identify and assess the risks to customer information in each relevant area of its operations, and design and implement safeguards to control those risks;
  • regularly test or otherwise monitor the effectiveness of those safeguards;
  • select service providers that can maintain appropriate safeguards, require by contract that they do so, and oversee their handling of customer information; and
  • evaluate and adjust the program in light of changing circumstances, including the results of testing and changes to its business.

Note that the FTC substantially amended the Safeguards Rule in 2021, with most of the new requirements taking effect in June 2023. The amended Rule is more prescriptive: it requires a written risk assessment, a designated ‘Qualified Individual’ responsible for the program, access controls, encryption of customer information in transit and at rest, multi-factor authentication for anyone accessing customer information, and a written incident response plan.

The Safeguards Rule also requires businesses to assess and address the risks to customer information in all areas of their operations, particularly:

  • employee management and training;
  • information systems; and
  • detecting and managing system failures.

The FTC’s guidance encourages businesses to:

  • conduct background checks and check the references of prospective employees who will have access to customer information;
  • control access to sensitive information, for example by limiting access to those employees who need it, requiring strong unique passwords and using multi-factor authentication (older FTC guidance suggested regular forced password changes, but current US federal guidance in NIST SP 800-63B recommends against periodic rotation unless compromise is suspected, and the amended Safeguards Rule now expressly requires multi-factor authentication);
  • impose disciplinary measures for violations of the organisation’s security policies; and
  • dispose of customer information in a secure way once it is no longer needed.

The GLB Act also applies to third parties that are not financial institutions but receive personal information from non-affiliated financial institutions.

The Health Insurance Portability and Accountability Act (42 U.S.C. § 1320d et seq.) (HIPAA)

HIPAA regulates the collection, use and disclosure of individuals’ protected health information. It applies to a ‘covered entity’, which means:

  • health plans;
  • health care clearinghouses; and
  • health care providers (including pharmacies) that transmit health information electronically in connection with a HIPAA-covered transaction, such as a claim.

It also applies to ‘business associates’, who include a person or entity that performs functions involving the use or disclosure of protected health information on behalf of, or to service, a covered entity. These activities can include:

  • re-pricing;
  • billing;
  • benefit management; and
  • claims processing or administration.

Additionally, the Standards for Privacy of Individually Identifiable Health Information (the HIPAA Privacy Rule) set out national standards for protecting ‘protected health information’, meaning individually identifiable health information that relates to:

  • an individual’s past, present or future physical or mental health or condition;
  • the provision of health care to the individual; or
  • the past, present or future payment for the provision of health care to the individual.

The HIPAA Privacy Rule provides that a covered entity cannot use or disclose protected health information except as permitted or required by the Privacy Rule, or with the individual’s written authorisation. A covered entity must disclose protected health information in only two circumstances:

  • to individuals (or their personal representatives) when they request access to, or an accounting of disclosures of, their information; and
  • to the US Department of Health and Human Services when it is undertaking a compliance investigation, review or enforcement action.

Furthermore, a covered entity is permitted (but not required) to use and disclose protected health information without the individual’s authorisation in the following circumstances:

  • to the individual who is subject to the information;
  • for treatment, payment and health care operations;
  • for public interest or benefit activities. For example, in certain circumstances, a covered entity can disclose protected health information to government authorities regarding abuse, domestic violence or neglect;
  • in judicial and administrative proceedings; and
  • to comply with workers’ compensation laws.

Separately from the Privacy Rule, the HIPAA Security Rule requires covered entities and business associates to implement administrative, physical and technical safeguards (including access controls, audit logging and risk analysis) for protected health information held in electronic form, and the Breach Notification Rule requires notification of affected individuals and the Department of Health and Human Services following a breach of unsecured protected health information.

New US State Data Privacy Laws

Depending on the states in which your US related body corporate operates and whose residents’ personal information it collects, you may also have to comply with state privacy laws. These laws generally apply based on the residence of the consumer and the volume or nature of the business’s processing, rather than the state in which the entity is incorporated. Some recent state laws and bills include:

  • California Privacy Rights Act (CPRA) – amends and expands the California Consumer Privacy Act. The CPRA provides additional protections for Californians, such as the right to know what personal data a business is collecting about them, the right to know whether the business is selling or sharing their data and to whom, and the right to correct inaccurate personal data. It also established the California Privacy Protection Agency to enforce the law.
  • Colorado Privacy Act – businesses that meet its thresholds (‘controllers’) must disclose their data collection and sharing practices to consumers and give Colorado residents the right to opt out of the sale of their personal data, targeted advertising and certain profiling. The state attorney general and district attorneys may bring enforcement actions, and breaches attract civil penalties.
  • Connecticut Personal Data Privacy and Online Monitoring Act – covers businesses that collect personal information from Connecticut residents and meet its thresholds. The Act imposes obligations on data controllers and processors and requires them to take reasonable security measures to protect personal data. Consumers have the right to confirm whether their data is being processed, to access, correct and delete it, and to opt out of its processing for certain activities such as sale and targeted advertising.
  • Maryland Online Consumer Protection Act – a bill introduced in successive sessions of the Maryland General Assembly that would protect consumers from cybersecurity threats, including data breaches, theft, phishing and spyware. As proposed, it would apply to all businesses that collect, use or disclose personal data about Maryland residents, including out-of-state companies that sell goods or services in Maryland, and would require:
    • businesses to take reasonable steps to protect consumers’ personal information from unauthorised access, use or disclosure; and
    • entities to provide consumers with a way to opt out of having their personal information collected, used or sold.
    That bill has not been enacted. Maryland’s enacted comprehensive privacy law is the Maryland Online Data Privacy Act 2024 (MODPA), which commences on 1 October 2025.
  • New York Privacy Act – a bill that has been introduced in successive sessions and has passed the New York State Senate, but has not been enacted into law. As proposed, it would set strict rules about how businesses handle consumers’ personal information and give all residents control over their personal information. Its key provisions include:
    • entities must disclose what categories of consumer data they collect, use or sell, and the purposes for which they will use the data; and
    • consumers have a private right of action for violations.

Key Takeaways

If you have set up a related body corporate in the US, it is important to understand that it will be subject to US laws when it collects or receives personal information, and that your Australian business remains accountable under the Australian Privacy Principles for the information it discloses to that entity. There are significant differences between US privacy laws and the privacy laws of Australia. It is best to confirm which laws apply to your business (including the relevant federal and state laws) and understand your obligations to ensure your business is compliant.

For assistance understanding your privacy obligations, our experienced privacy lawyers can assist as part of our LegalVision membership. For a low monthly fee, you will have unlimited access to lawyers to answer your questions and draft and review your documents. Call us today on 1300 544 755 or visit our membership page.

Alice Ireland
