Get to Know US Privacy Law
After completing this unit, you’ll be able to:
- List the government agencies involved in US privacy law.
- Describe the framework of US privacy laws.
- Explain key US privacy statutes.
Privacy laws exist around the globe to protect the personal information of individuals. Although these laws vary significantly, in general privacy laws address:
- How personal information can be collected
- How personal information can be used
- How and with whom personal information can be shared
- Where and how personal information can be stored
- How personal information must be secured
- When to delete or amend personal information
- If and how personal information can be transferred to other countries
- How breaches of personal information are reported
- What rights individuals have regarding their personal information
Privacy laws also differ as to how they define the data they seek to protect. For example, “personal information” or “personally identifiable information” are generally used to define the information that is covered by US privacy laws, focusing on information that can be used to identify a specific individual or that is particularly sensitive. By contrast, “personal data” is a term used in the EU to describe any and all data that relates to an identified or identifiable individual.
This module generally uses the term “personal information” when referring to information about individuals, but when discussing a specific law we may use the legal term contained in that law. This module also uses the term “data subject” or “individual” to refer to a person who can be directly or indirectly identified by information such as a name, an identification number, location data, an online identifier (such as a username), or their physical, genetic, or other identity.
While a right to privacy is not explicitly included within the US Constitution, in 1965 the US Supreme Court recognized an implied constitutional right in Griswold v. Connecticut. Congress further developed the right to privacy in 1974 when it passed the Privacy Act, restricting federal agencies in their collection, use, and disclosure of personal information. With this act, the US became one of the first countries in the world to adopt a major privacy law.
Today, the US has an array of privacy and data protection laws at the state and federal level. Depending on an organization’s industry, the type of information it collects, and its use of that information, a company may be subject to one or more of these laws. Naturally, that may affect the organization’s practices and policies.
The US has many different privacy laws because it follows a sectoral approach to privacy regulation. This means the US has implemented laws that focus on certain industries or data types that are particularly sensitive and therefore require more protection. This approach is in contrast to the comprehensive approach, which is what the European Union follows, where broad privacy laws apply to all industries and data types.
In the US, various government agencies enforce privacy laws for different industries. For example, the Department of Health and Human Services typically regulates the healthcare industry. The Consumer Financial Protection Bureau, Federal Reserve, and Office of the Comptroller of the Currency typically regulate the financial services industry.
Beyond industry-specific laws and regulators, one government agency has emerged as the primary authority regarding privacy issues: the Federal Trade Commission (FTC). The FTC was created in 1914 to prevent unfair competition in commerce. Its role expanded to general consumer protection in 1938.
The FTC Act empowers the agency to prevent “unfair or deceptive acts or practices in or affecting commerce.” In the 1990s, the FTC began addressing privacy issues under this authority. In particular, the agency focused on the practice of companies posting but not adhering to a website privacy notice as a deceptive practice.
Today, the FTC also has statutory jurisdiction to address privacy issues under several privacy statutes.
The FTC addresses privacy issues through enforcement actions and consent decrees. It has brought hundreds of privacy or data security cases against companies. An enforcement action is a legal action that the FTC brings before an administrative law judge (or, in some cases, in federal court). It can proceed through trial and result in a judicial decision, but most often an FTC privacy enforcement action is resolved before trial through a consent decree.
A consent decree is like a settlement agreement, where all parties (usually the FTC and the defendant) agree to the terms of the decree in exchange for the FTC ending the investigation or action. Typically, the defendant agrees to stop the conduct at issue without admitting to any wrongdoing and agrees to some corrective or remedial action, such as paying a fine or submitting to regular audits.
The FTC’s First Internet Privacy Enforcement Action
For example, in its first Internet privacy enforcement action, the FTC accused GeoCities in 1998 of deceptive practices based on misrepresentations in its website privacy policy (the final consent order followed in 1999). GeoCities users could publish personal home pages after they registered with the company and provided certain personal information. GeoCities’ privacy policy stated it would not sell or distribute the personal information without consent.
The FTC alleged that GeoCities resold the personal information to third parties in violation of the company’s own policy. The FTC also alleged that GeoCities had collected children’s information without parental consent.
Fair Information Practice Principles
The FTC also has issued guidelines on proper practices for companies in the collection and use of personal information. These five Fair Information Practice Principles encourage companies to:
- Provide notice about their privacy policies and procedures to their users and customers
- Describe the choices available to individuals and obtain consent for collection or use of personal information
- Provide individuals with access to their collected personal information
- Properly secure and ensure the integrity of the collected information
- Monitor compliance with their privacy policies and provide means to address concerns or complaints
These principles are only recommendations and are not directly enforceable as laws. However, they do form the basis of many laws that protect privacy rights and underpin the FTC’s interpretation of what is an unfair or deceptive privacy practice.
FTC actions related to companies’ poor data security practices also help set expectations for what are reasonable security practices. Poor security practices cited by the FTC include failures to:
- Apply access controls
- Remedy known security vulnerabilities
- Implement procedures to detect unauthorized intrusions
- Properly train employees
- Contractually require third parties to protect data
- Securely dispose of data
Here are summaries of some significant US privacy laws. We discuss a number of them further in later units.
Controlling the Assault of Non-Solicited Pornography and Marketing (CAN-SPAM)
Under CAN-SPAM, commercial emails distributed primarily to promote a product or service must meet certain requirements. For example, commercial emails must have a clear, accurate subject line, a conspicuously displayed postal address for the sender, disclosure of the email’s promotional nature, and a means for the recipient to opt out of similar messages from the sender at no cost.
Children’s Online Privacy Protection Act (COPPA)
COPPA regulates commercial websites or online services, like mobile apps, that are directed at children under 13 or that have actual knowledge that they are collecting personal information from children under 13. COPPA requires that operators of such websites and online services obtain verifiable parental consent prior to collecting a child’s personal information. They also must provide parents with further rights regarding the disclosure and deletion of the child’s information, such as the opportunity to review the information collected and to stop further collection or use.
Electronic Communications Privacy Act (ECPA)
ECPA regulates the collection and use of phone, text, and other online communications when they are made, transmitted, or stored electronically. These communications cannot be intercepted unless an exception applies, such as when the parties give consent, the interception takes place in the ordinary course of business, or the interception is conducted under a warrant.
Fair and Accurate Credit Transactions Act (FACTA) and Fair Credit Reporting Act (FCRA)
Both of these laws regulate the creation and use of consumer reports. FACTA also regulates the disposal of these reports. The laws refer to reports pertaining to an individual’s credit or general characteristics that are used to establish eligibility for credit, insurance, employment, or another business purpose. FACTA imposes proper disposal standards on anyone who uses consumer reports. It also requires that certain financial businesses implement policies to detect, prevent, and mitigate identity theft.
Family Educational Rights and Privacy Act (FERPA)
FERPA places restrictions on how educational institutions that receive federal funding can divulge student records. It provides parents, and students once they turn 18 or attend a postsecondary institution, with the right to access, amend, and control the disclosure of records that directly relate to the student and that are maintained by or on behalf of a school.
Gramm-Leach-Bliley Act (GLBA)
GLBA regulates US companies and their affiliates engaged in providing financial products or services to consumers. The law applies to mortgage lenders or brokers, check cashers, payday lenders, auto dealers that lease or finance vehicles, some financial or investment advisers, and even government entities that provide financial products, such as student loans.
GLBA requires these companies to provide initial and annual privacy notices that outline their data collection, use, and disclosure practices. It also requires them to protect such data through administrative, technical, and physical security controls. And it requires other US agencies (including the FTC, SEC, OCC, Federal Reserve Board, and state insurance regulators) to adopt standards regarding privacy and security to address the use and sharing of personal financial data.
Health Insurance Portability and Accountability Act (HIPAA)
HIPAA imposes a variety of requirements on certain businesses in the healthcare industry regarding the security and privacy of protected health information. For example, it limits the collection, use, and disclosure of protected health information. HIPAA also mandates that such information be protected by administrative, physical, and technical safeguards.
Privacy Act of 1974
The Privacy Act governs federal agencies’ collection, maintenance, use, and disclosure of personally identifiable information stored in their systems of records. For example, it requires that federal agencies implement appropriate administrative, technical, and physical safeguards to protect their records systems, and it limits their ability to disclose records without the individual’s consent. The act also provides individuals with a right to review and amend records about them.
Telephone Consumer Protection Act (TCPA)
TCPA regulates and restricts telemarketing solicitations and the use of automatic telephone equipment, such as automatic dialing systems and prerecorded messages. It has also been interpreted to impose restrictions on the transmission of text messages, especially for commercial messaging.
Now that you are familiar with the approach to privacy law in the United States, let’s dive deeper into specific laws and how they affect organizations that process personal information.