Is selling personal information illegal?
Companies collect data from users all the time, and they may sell that data legally, with some limits. Every time you interact with a company through a website or app, they might record data about your activities. They can sell your data to others as long as they inform you in advance. The Terms and Conditions you accepted when you started using the website or app often include an agreement that the company may collect and sell your data.
A complicated set of data protection laws limits the type of data that companies may sell to data brokers. The exact protections a law offers depend on the type of data and the type of company. For example:
- Healthcare providers may not share medical records or other sensitive data about a person’s medical history.
- Financial service providers may not share many types of personal financial information.
- Companies may not sell Social Security numbers collected from customers and other people.
- Companies may not sell any information about children under the age of 13.
Other types of data may be fair game. This may include:
- Personal data, such as phone numbers and online activity.
- User data, such as social media handles, online accounts, search engine activity, and IP addresses.
- Consumer data, like credit card activity, but not credit card numbers themselves.
Some state laws may impose additional restrictions that prevent companies from collecting or selling some of the above types of data.
Can I take legal action to stop telemarketing calls and texts?
You can register your phone number on the National Do Not Call Registry. Two government agencies, the Federal Communications Commission (FCC) and the Federal Trade Commission (FTC), created this registry in 2003 to help cut down on telemarketing calls. The authority to do this comes from the Telephone Consumer Protection Act (TCPA) of 1991.
You may be able to file a lawsuit against a telemarketer under the TCPA in situations like the following:
- A telemarketer calls or texts before 8:00 a.m. or after 9:00 p.m.
- They call or text you even though you are on the Do Not Call Registry.
- They call or text after you have asked them not to do so.
What individual or consumer privacy rights protect my personal data from businesses?
The U.S. has no comprehensive data privacy law at the federal level. However, some states have laws that mirror comprehensive laws like the European Union’s General Data Protection Regulation (GDPR). That said, several U.S. federal laws protect consumers from having companies collect data and sell it to data brokers. Federal data privacy laws include the following:
- Privacy Act of 1974: Governs the use of personal data by federal government agencies.
- Fair Credit Reporting Act: Regulates the use of financial and credit data by credit reporting agencies.
- Children's Online Privacy Protection Rule (COPPA): Protects data privacy for children under 13.
- Health Insurance Portability and Accountability Act (HIPAA): Protects the privacy of medical records and other health information.
- Financial Services Modernization Act of 1999: The Financial Privacy Rule limits the use of personal data by financial institutions.
- Social Security Number Fraud Prevention Act of 2017: Bars federal agencies from including Social Security numbers on documents sent through the mail, with some exceptions.
As of late 2024, twenty U.S. states have laws that offer comprehensive privacy protections. These include the California Consumer Privacy Act (CCPA) and laws in Texas, Florida, Illinois, Virginia, New Jersey, and Massachusetts.
Several more states have narrower data protection laws, including New York, Michigan, Nevada, and Washington.
Do state privacy laws, like the CCPA, apply to other states?
Because of the online marketplace, it may be possible for a state data privacy law to apply across state lines. Comprehensive laws like the CCPA have led companies with a web-based presence all over the country to adopt the privacy practices of other states to minimize the risk of legal liability. The GDPR has even taken concerns about online privacy global.
For example, the CCPA’s jurisdiction includes any company that ships goods to consumers in California. A Florida business that sells to people in California would need to comply with the CCPA for its California customers.
Note, however, that while these laws may apply to companies nationwide, they only protect individuals in their own states. The CCPA protects consumers in California from businesses in Florida or elsewhere, but it does not protect consumers in Florida or any of the other forty-nine states.
What can I do after a business that collects my data is hacked?
You may need to take immediate action if a company experiences a data breach that exposes or compromises your personal information. A wide range of cybersecurity issues, from phishing scams to direct hacking, may put your sensitive data at risk. To prevent further damage, you might consider the following steps:
- Changing your online account passwords.
- Using two-factor authentication whenever possible.
- Regularly checking for security updates.
- Keeping a close eye on your bank accounts and credit reports, and acting quickly if something doesn’t look right.
- Freezing your credit, such as by reporting data breaches to your credit card company.
Rocket Lawyer offers a variety of identity theft documents that can help you protect your personal data and prevent or recover from identity theft. You may be able to trace identity theft or other cybercrimes against you to a specific data breach. If so, it might be possible for you to recover some or all of your losses through a civil lawsuit.
How can I stop businesses from storing, using, or selling my data?
The U.S. still has no comprehensive data protection law that covers the entire country. While your state might have a more robust law, your best bet is likely to be a proactive approach to protecting your personal data. Rocket Lawyer has tools to help you do this:
- You could send a Request to Remove Personal Information to any companies you do business with. Many states have laws that require companies to remove your information and stop selling it after receiving a request from you. A company may comply with your request even if you live in a state without this kind of law.
- Sending a Request to Remove Name from Direct Marketing List could reduce or stop robocalls, unsolicited mailers, and other nuisances. It might not be legally binding in your state, but companies may respect your wishes anyway.
- It is not always possible to resolve a dispute informally. A Complaint Letter to a Company addressed to the company president or consumer office could be the next step.
- If you cannot resolve your issues directly with the company, you may have to seek help elsewhere. The Better Business Bureau (BBB) in your area may offer help with dispute resolution or log your complaints about the company. Your state’s attorney general may also be able to help. You can file a Complaint Letter to a BBB or Attorney General to get those processes started.
If you have questions about data privacy rights, connect with a Rocket Legal Pro today and explore your legal options with confidence.
This article contains general legal information and does not contain legal advice. Rocket Lawyer is not a law firm or a substitute for an attorney or law firm. The law is complex and changes often. For legal advice, please ask a lawyer.