I am not a lawyer; this topic just interests me, so I did some research and wrote a short indexed summary. A summary of the CCPA and GDPR in the same style can be found here.
HIPAA
Health Insurance Portability and Accountability Act
Intent:
Health information, meaning any information (including genetic information) that is created or received by a health care provider, health plan, public health authority, employer, life insurance company, school or university, or health care clearinghouse and relates to:
- a person's past, present, or future physical or mental health or condition;
- treatment provided to a person; or
- past, present, or future payment for health care an individual receives
is kept between provider and client.
Exceptions:
- The patient is a threat to themselves or others (most relevant in psychology)
- Employment records are distributable
- Only applies to covered entities:
  - health plans
  - health care providers that electronically transmit data
  - health care clearinghouses
- Common examples of entities that are NOT covered:
  - search engines and websites
  - gyms and clubs
  - direct-to-consumer genetic testing companies
  - mobile apps
  - schools
  - researchers (if health data is collected directly from health care providers)
  - cases where the law is impeded: most law enforcement agencies, many state agencies (e.g. child protective services), courts
Interesting notes:
- You do not receive money as a complainant; it goes directly to the US Treasury
- You cannot sue for violation as an individual
- Anonymized data is not protected
- Data from those deceased for 30+ years is not protected
COPPA
Children’s Online Privacy Protection Act
Intent:
Data cannot be collected from children under 13 years of age without parental consent
Exceptions:
- One-time contact -> You can request online contact information intended to notify the child of something a single time, given that the address is deleted immediately after its use is fulfilled
- Non-profit companies (given they have no commercial profit) may collect data
- Geolocation data may be collected given that it is insufficient to identify street name and name of city
- If you are unaware beyond reasonable doubt that a user is under 13 (i.e. they participate on an unmoderated forum), you may collect information. You only need to comply if your site is directed at children or you are made aware that someone is a child.
- “Support for internal operations” - you may collect data to maintain OR analyze the functioning of your service, including debugging, optimization, statistical reporting, and intellectual property protection
- Schools can consent for children, given that the information is not used for any commercial purpose beyond that of the school
- Censored/anonymized photos may be posted
Interesting notes:
- Penalty of up to $46,517 per violation
- Privacy policies must be clear, not cluttered with promotional material, and prominently displayed
- Parental consent is required for push notifications
- If the service provider mistakenly sends personal information of a child to someone that is not a parental figure, they are not liable
FTC Act
Federal Trade Commission Act
Intent:
A catch-all act for anti-competitive behavior on the web and enforcement of privacy policies and claims.
Interesting Notes:
- The FTC has the right to collect (by subpoena, or by civil investigative demand, which allows it to require answers to questions as opposed to just the provision of information) and investigate data of most businesses that deal in commerce
- FTC can require a company to file reports concerning their conduct and connections, leaving the company subject to a penalty for each day of non-compliance 30 days after a federal court order
- FTC can conduct (voluntary) studies on data they collect as they please, and may release their findings “for the public good”
- Confidential information can be shared between government agencies
- The FTC must be notified of intent to participate in a merger (so that anticompetitive investigations may be conducted), given that the combined value of the companies will exceed 101 million
- May request data for foreign companies
- The FTC protects against unfair or deceptive (likely to be the direct cause of substantial injury to consumers) acts in or affecting commerce [i.e. false marketing, violated privacy policies]
Exceptions:
- Cannot investigate banks, savings and loan institutions
- Company can file a petition to limit/quash a subpoena, which draws out the court process (requires federal enforcement)
- “Although parties are not obligated to comply with a second request, consummation of the transaction without complying is illegal.” Context: a second request is a request for merger information that extends the first
- Deceptive activities are allowed if they are “outweighed by countervailing benefits”
- Internet service providers and consumer reporting agencies are protected from liability for disclosure of information relating to fraud or deception
- Court order may end up in: “the accused party to enter into a consent agreement with the FTC in which the party does not admit guilt but agrees never to engage in the questionable behaviour in the future”
Sources:
hhs.gov | nih.gov
ftc.gov - COPPA | ftc.gov - FTCA