An Overview of Federal Data Privacy Laws

An Overview of Federal Data Privacy LawsUnlike the European Union’s GDPR, there is no one overarching federal privacy protection law in the United States. Instead, there are numerous federal laws that target narrow and specific information. Most regulate data collection and misuse by the federal government, but a few also regulate private companies.

Federal Trade Commission Act

The Federal Trade Commission provides the greatest data protection for consumers. However, the FTC does so based on its general authority as a federal agency, not through any specific data privacy law. This general authority comes from the Federal Trade Commission Act, which authorizes the FTC to prevent unfair or deceptive trade practices. The Act gives the FTC jurisdiction over most individuals and entities, and the FTC has used this authority to become the “go-to agency for privacy”. The FTC has brought hundreds of enforcement actions against companies alleging deceptive or unfair data protection practices. Most of these actions result in companies entering into voluntary consent decrees, which require the company to take certain measures to prevent further violations. These consent decrees are the FTC’s chief weapon in combating incursions into consumer data privacy.

Although these decrees are not legally binding on other companies, they are significant because they reflect the type of practices that the FTC views as “unfair” or “deceptive. For example, the FTC entered into an agreement with Facebook in 2011 to create a compliance plan and formalized privacy practices, and the FTC hoped other internet companies would model their privacy and data collection policies on this agreement. The FTC has taken the position that companies act deceptively when they gather, use, or disclose personal information in a way that contradicts their posted privacy policy, or when they fail to adequately protect personal information from unauthorized access despite promises that that they would do so. Thus, companies are effectively bound by their data privacy and data security promises.

The FTC has further maintained that companies act deceptively when their privacy policies (or other statements) provide insufficient notice of their privacy practices. With respect to data security, the FTC has more recently maintained that a company’s failure to safeguard personal data may be “unfair,” even if the company did not contradict its privacy policy or other statements. However, the FTC Act does not provide a private right of action or impose any criminal penalties.

The Privacy Act of 1974

The Privacy Act of 1974 protects individuals from the misuse of their data by the federal government. Along with governing the collection, maintenance, and use of such information, the act also grants individuals the right to access and amend the data that is collected on them. However, the protection provided under this act is limited by the fact that it does not protect data that is collected or used by private companies or state agencies.

Children’s Online Privacy Protection Act (COPPA)

One of the first big steps into broad federal regulation of data obtained and held by private companies is the Children’s Online Privacy Protection Act (“COPPA”).  In the interest of protecting children, this law was passed to prohibit a website or online service directed to children from collecting personally identifiable information without providing notice of what information is collected and how it will be used. The law also requires verifiable parental consent for any information collected. COPPA provides that violations will be treated as “a violation of a rule defining an unfair or deceptive act or practice” under the FTC Act. Thus, the FTC has authority to enforce violations by seeking penalties or equitable relief. COPPA also authorizes state attorneys general to enforce violations affecting residents of their states, however, it does not contain any criminal penalties or any provision providing a private right of action.

Gramm-Leach-Bliley Act (GLBA)

The Gramm-Leach-Bliley Act (“GLBA”) is a broad financial institution and banking law that also imposes several data and privacy obligations. These data and privacy obligations are centered on “consumer” and “nonpublic personal information”. The GLBA provides protections related to sharing this information with third parties, required notices to consumers describing privacy policies and practices, and securing information from unauthorized access. Additionally, the GLBA requires financial institutions to maintain safeguards to ensure the security of their customer’s nonpublic personal information, and requires financial institutions regulated by federal banking agencies to implement programs to respond to unauthorized access of this information.

Under the GLBA data security provisions, federal banking regulators (such as the FDIC) have exclusive enforcement authority for depository institutions, while the FTC has exclusive enforcement authority for all non-depository institutions. The act does not specify any additional civil remedies for it’s violation outside the remedies provided to agencies in their enabling statutes, but it does impose criminal liability on those who “knowingly and intentionally” obtain or disclose “customer information” through false or fraudulent statements or representations. The GLBA does not contain a private right of action that would allow affected individuals to sue violators

Health Insurance Portability and Accountability Act (HIPAA)

The strongest privacy regulations have been enacted to protect certain “protected health information” (“PHI”) due to the sensitive nature of a person’s medical information. HIPAA regulates the use and disclosure of an individual’s PHI, and applies to “covered entities” (health care providers, health plans, health care clearinghouses, and certain “business associates” of these entities). With respect to data security, HIPAA requires covered entities to maintain safeguards to prevent threats to the security of PHI. HIPAA also requires a data breach notification. These notifications must be sent to an affected individual within 60 days from discovering a breach.

Failing to comply with HIPAA’s privacy requirements can result in serious civil penalties, or even criminal penalties. The Department of Health and Human Services has civil enforcement authority, based on the level of culpability. The Department of Justice has criminal enforcement authority, and can seek fines or imprisonment against a person who “knowingly” violates certain provisions. However, like most other privacy regulations, HIPAA does not contain a private right of action to allow individuals to sue alleged violators directly.

Fair Credit Reporting Act (FCRA)

The Fair Credit Reporting Act covers the collection and use of information on a consumer’s creditworthiness. The act also governs the activities of credit reporting agencies (CRAs), furnishers (entities that furnish information to CRA), and individual users of credit reports issued by CRAs. In contrast to HIPAA or the GLBA, the FCRA has no privacy provisions that require the entities to provide notice to a consumer. Additionally, the FCRA does not have privacy provisions to require the opt-in or opt-out consent of a consumer before collecting or disclosing their data to third parties. Furthermore, there are no required safeguards to protect consumer information from unauthorized access. Instead, this act requires that the consumer information reported is accurate and only used for permissible purposes. Consumers are granted certain rights to dispute and correct information in their reports. Likewise, consumers and are provided notice if a report results in an “adverse action” [1] against a consumer. The FTC and the CFPB share civil enforcement authority, subject to their respective jurisdictions. However, unlike many other acts, consumers hold a private right of action when injured by negligent or willful violations.

Computer Fraud and Abuse Act (CFAA)

The Computer Fraud and Abuse Act was intended to target computer hacking and unauthorized intrusions into computers, not collection and data use issues. Specifically, the CFAA imposes liability when a person intentionally accesses a computer without authorization, or exceeds authorized access, and obtains information. Violations are subject to criminal prosecution, including fines or imprisonment. However, because the CFAA provides a private right of action, people can seek damages or an injunction against offenders. People have already attempted to sue companies tracking their online activity. They have argued the unauthorized use of tracking efforts constitutes an unauthorized access of their computers. However, these claims are usually dismissed for failing to establish the CFAA’s $5,000 actual damages threshold.  How do you put a price on this data?

Family Educational Rights and Privacy Act (FERPA)

The Family Educational Rights and Privacy Act of 1974 is an early privacy act that created privacy protections for student education records. This includes any “materials which contain information directly related to a student” and are “maintained by an educational agency or institution.” The act generally requires educational institutions to give parents or students control over disclosure of student educational records, an opportunity to review the records, and an opportunity to challenge inaccuracies. Enforcement is through the Department of Education, and the receipt of federal funding is on the line. However, there is no civil or criminal enforcement, nor a private right of action.

Electronic Communications Privacy Act (ECPA)

The Electronic Communications Privacy Act was enacted in 1986 and is composed of three separate acts.

  1. The Wiretap Act
  2. The Stored Communications Act
  3. The Pen Register Act.

Much of the Act is directed at law enforcement. But it also contains privacy obligations for non-governmental actors. In fact, the ECPA is perhaps the most comprehensive federal law on electronic privacy, as many of its provisions apply to a wide range of private and public actors. The Wiretap and Stored Communications Act provide for a private right of action for actual damages and equitable relief.  Regardless of its reach, the ECPA’s has had limited impact on online privacy practices. It was designed to regulate electronic snooping, not commercial data gathering. Therefore, litigants attempting to apply ECPA to online data collection have generally been unsuccessful.

[1] Adverse actions include refusing to grant credit on substantially the terms requested, reducing insurance coverage, and denying employment