A patchwork of acts
Current privacy laws developed as responses to sector-specific concerns. The United States operates from a patchwork of federal and state laws, rooted in common-law doctrines. It’s from this jigsaw framework that we get our current data privacy regulations.
The following, in alphabetical order, is a list of some of the laws that protect privacy in the U.S.
- The Children’s Online Privacy Protection Act (“COPPA”)* of 1998 protects information collected from children over the internet. “Children” is defined as persons under 13. Websites that collect such information must:
  - notify parents of their information practices;
  - obtain verifiable parental consent for the collection, use, or disclosure of children’s personal information;
  - let parents prevent further maintenance, use, or future collection of their child’s personal information;
  - provide parents access to their child’s personal information;
  - not require a child to provide more personal information than is reasonably necessary to participate in an activity; and
  - maintain reasonable procedures to protect the confidentiality, security, and integrity of the personal information.
- The Computer Fraud and Abuse Act (“CFAA”)* of 1984 “prohibits intentionally accessing a computer without authorization or in excess of authorization,” meaning you can’t access data in a computer beyond what you’re allowed to. The obvious example is illegally gaining access to a computer, but the act also covers users who are authorized to access a computer and use that access to obtain information they aren’t authorized to see.
- The Controlling the Assault of Non-Solicited Pornography and Marketing (“CAN-SPAM”)* Act of 2003 regulates who can send unsolicited commercial email. A permitted commercial email must include accurate and non-misleading routing and header information (i.e., the “From,” “To,” and “Reply-To” fields), a non-deceptive subject line, and a notice telling the recipient of the right to opt out. (The law doesn’t state where the notice must appear; it merely requires that it be clear and conspicuous so that the recipient need not search for it.) Also required are an internet-based opt-out mechanism capable of receiving opt-out requests; a clear identification that the email is an advertisement or solicitation (this requirement doesn’t apply if the sender has the recipient’s consent to send such an email); and the sender’s physical mailing address.
- The Electronic Communications Privacy Act (“ECPA”)* of 1986 updates the Federal Wiretap Act of 1968 to protect not only telephone communications but also “computer and other digital and electronic communications.”
- The Fair Credit Report Act (“FCRA”)* of 1970 applies to consumer reporting agencies and the reports they generate regarding consumers’ credit reports and activity.
- The Family Educational Rights and Privacy Act (“FERPA”)* of 1974 “protects the privacy of student education records.”
- The Federal Trade Commission Act (“FTC Act”)* of 1914 prohibits unfair or deceptive practices and has been applied to offline and online privacy and data security policies.
- The Gramm–Leach–Bliley Act (“GLBA”)* of 1999 was enacted to regulate the collection, use, and disclosure of financial information. It applies to personal information collected by financial institutions for financial products and services.*
- The Health Insurance Portability and Accountability Act (“HIPAA”)* of 1996 governs individuals’ health information. HIPAA also revised the Security Breach Notification Rule, which requires covered entities to provide notice of a breach of protected health information.*
- The Telephone Consumer Protection Act (“TCPA”)* of 1991 limits robocalls—though additional limits can’t hurt. Generally, these callers can’t do the following:
  - “call before 8 a.m. or after 9 p.m.”;
  - call if you’ve chosen to opt out of calls from that specific caller or if you’ve added your name to the Do Not Call List;
  - send unsolicited fax messages to your home or office (yes, some people and places, such as law firms, still send faxes); and
  - “refuse to provide their name, the name of the person or organization on whose behalf they are calling, and contact information for that person or organization.”
On the state side, California was the first state to enact a security breach notification law. To date, forty-eight states have enacted their own laws requiring that users be notified of a data breach.* With California a main hub for technology innovation, it’s little surprise to see California as the first state to issue a law that, on its face, deals with the collection of digital information. The California Consumer Privacy Act (“CCPA”),* which strongly resembles the GDPR, was passed in 2018 and went into effect in 2020. Significant takeaways are that consumers in the state of California now have the right to request the deletion of their data, so long as other laws are not affected by this request; businesses are required to disclose how information is collected and shared; and consumers have the right to instruct a company not to sell their information.
- The California Consumer Privacy Act, California Civil Code § 1798.100 (2018).*
- The Children’s Online Privacy Protection Act, 15 U.S.C. §§ 6501–6506 (1998).*
- The Computer Fraud and Abuse Act, 18 U.S.C. § 1030 (1984).*
- The Controlling the Assault of Non-Solicited Pornography and Marketing Act, 15 U.S.C. §§ 7701–7713 (2003).*
- The Electronic Communications Privacy Act, 18 U.S.C. § 2510 (1986).*
- The Fair Credit Report Act, 15 U.S.C. § 1681 (1970).*
- The Family Educational Rights and Privacy Act, 20 U.S.C. § 1232g (1974).*
- The Federal Trade Commission Act, 15 U.S.C. §§ 41–58 (1914).*
- The Gramm–Leach–Bliley Act, 15 U.S.C. §§ 6801–6827 (1999).*
- The Health Insurance Portability and Accountability Act, 110 Stat. 1936 (1996).*
- Jolly, Ieuan: “Data protection in the United States: overview,” Loeb & Loeb LLP (2008).*
- Kerry, Cameron F.: “Filling the gaps in US data privacy laws,” Brookings (2008).*
- The Telephone Consumer Protection Act, 47 U.S.C. § 227 et seq. (1991).*