Overview of US Privacy Law

One of the current and future hot button legal issues is privacy law. As technology progresses, how it intertwines with privacy rights is going to be an interesting area. There are many instances where people knowingly and willingly forgo certain rights to privacy, like allowing certain apps to track their movements or share certain information with the world. There are many instances where people give up part of their privacy rights without even knowing it.

There are a host of areas that people in the United States think of as “privacy” rights, some of which are (1) our individual right to choose to be alone (to not be taped or viewed in private), (2) decisional privacy (right to contraception, access to abortion, right to marry whomever you choose, right to procreate), (3) information privacy (right to not have your information disclosed to third parties), and (4) others. Each of the privacy rights that we hold as individuals may arise from different areas of law, including constitutional law, statutory law, agency regulations and even social norms.

In the United States we have differing schemes of privacy laws depending on what industry or type of information is at play. Such regimes are referred to as “sectoral” privacy laws. In addition to being sectoral, the United States privacy laws are decentralized. There are no core overarching statutes and no one government body which enforces them. Some areas are policed intensely and others are more relaxed, and the intensity of the enforcement does not always jibe with what an individual might see as important or not.

Another factor that makes the privacy laws in the United States so seemingly amorphous is that the laws are largely reactionary as opposed to proactive.  Such laws are usually passed after the public gets inflamed over a particular situation or practice.  The topic is usually ignored by politicians unless they hear from their constituents on the issue.  Additionally, businesses have strong incentives to halt any prospective privacy laws as they can hamper business practice.

Some of the big sectors for privacy law in the United States are consumer data (especially credit scores and other financial information, and otherwise) and of course our individual medical data. Some examples of the laws governing privacy in the United States:

  1. Federal Trade Commission Act
  2. FTC Disposal Rule
  3. Fair Credit Reporting Act of 1970 (FCRA) (Pub. L. No. 90-32, 15 U.S.C. §§1681 et seq.)
  4. Privacy Act of 1974 (Pub. L. No. 93-579, 5 U.S.C. §552a)
  5. Family Educational Rights and Privacy Act of 1974 (FERPA) (Pub. L. No. 93-380, 20 U.S.C. §§1221 note, 1232g)
  6. Cable Communications Policy Act of 1984 (CCPA) (Pub. L. No. 98-549, 47 U.S.C. §551)
  7. Video Privacy Protection Act of 1988 (VPPA) (Pub. L. No. 100-618, 18 U.S.C. §§2710–2711)
  8. Telephone Consumer Protection Act of 1991 (Pub. L. No. 102-243, 47 U.S.C. §227)
  9. Driver’s Privacy Protection Act of 1994 (Pub. L. No. 103-322, 18 U.S.C. §§2721–2725)
  10. Telecommunications Act of 1996 (47 USC § 222)
  11. Health Insurance Portability and Accountability Act of 1996 (HIPAA) (Pub. L. No. 104-191 (Privacy Rule promulgated at 45 CFR § 460))
  12. Children’s Online Privacy Protection Act of 1998 (Pub. L. No. 106-170, 15 U.S.C. §§6501–6506)
  13. Gramm-Leach-Bliley Act of 1999 (Pub. L. No. 106-102, 15 U.S.C. §§6801–6809)
  14. Controlling the Assault of Non-Solicited Pornography and Marketing (CAN-SPAM) Act of 2003 (Pub. L. No. 108-187)
  15. State Data Breach Notification Laws (there are 45 of these)
  16. Other State laws.

New privacy bills are introduced in Congress on a regular basis (see the Personal Data Protection and Breach Accountability Act of 2011, the Commercial Privacy Bill of Rights, and the SAFE Data Act as examples). Again, most of these do not see the light of day as powerful groups lobby to ensure their business practices are not disrupted.

Privacy is the next legal battleground. Each year, the amount of data captured by businesses about individuals doubles. Any app you use, purchase you make with your credit card, or interaction you have in a public setting can be catalogued. If there is money to be made doing something, and the practice is not per se illegal, then businesses will do it. Unfortunately, to a certain extent, there is money to be made in knowing people’s preferences, purchases, likes/dislikes and modes of operation (where they go, what they do and with whom).

Additionally, as technology advances it is still subject to the same old human error. Data breaches happen on an involuntary basis all the time if one clerk hits the wrong button. This human factor is a large player in the privacy laws. While intentional breaches are seen as punishable, it’s not always clear what should be done about purely accidental disclosures. Distinguishing between the intentional and the accidental is another issue.

I’ll be delving into some of the above issues, especially how technology plays a role in privacy law regarding our personal and financial information.