Unlike the EU and Canada, which take an approach of general applicability, the U.S. has historically taken a sector-specific approach to data privacy.
There is no single U.S. law, code, or statute governing data privacy. Instead, there are multiple systems of law that overlap and sometimes contradict each other.
These include, among others:
- Federal Statutes. There are dozens of federal statutes that govern data privacy. Notable examples include:
  - The Health Insurance Portability and Accountability Act (“HIPAA”) protects the privacy of individually identifiable health information.
  - Section 5 of the Federal Trade Commission Act (“FTC Act”) prohibits “unfair or deceptive” business practices.
  - The Economic Espionage Act applies to the theft of corporate trade secrets.
  - The Electronic Communications Privacy Act regulates access to stored electronic messages and information about customers’ use of email and similar systems.
  - The Fair Credit Reporting Act (“FCRA”) regulates the use and disclosure of financial data in certain consumer reports.
  - The Federal Communications Act (“FCA”) regulates the use and disclosure by telecommunications companies of Customer Proprietary Network Information (“CPNI”).
  - The Gramm-Leach-Bliley Act (“GLBA”) limits the disclosure and use of information by financial institutions.
- FTC Proposals, Guides, and Enforcement Actions. The FTC is the leading federal enforcement agency in the area of data privacy. Its powers stem from a broad interpretation of Section 5 of the FTC Act, which prohibits “unfair or deceptive” business practices. Pursuant to this authority, the FTC has, from time to time, issued “Proposals,” “Guides,” and “Enforcement Actions.” Although none of these constitute binding federal law, they are extremely important because they provide helpful guidance to companies and signal practices against which the FTC might take enforcement actions.
- Industry Best Practices. A number of industries have issued internal, non-binding “guidelines,” “best practices,” or “codes” pertaining to the use of customer data. While not legally binding, these guidelines provide a good idea of where companies are heading and the issues they are most concerned with. The two most prominent examples are the 2008 National Advertising Initiative (“NAI”) Principles (“NAI Principles”) and the Trade Association Self-Regulatory Principles for Online Behavioral Advertising (“Self-Regulatory Program”).
- State Laws.
  - In addition to federal laws and industry best practices, there is a large and constantly evolving body of state law. Various forms of state legislation regulate the collection and use of personal data, and the number grows each year. Some federal privacy laws pre-empt state privacy laws on the same topic. For example, the federal law regulating commercial e-mail and the sharing of e-mail addresses pre-empts most state laws regulating the same activities. Conversely, many federal privacy laws do not pre-empt state laws, which means that a company can find itself trying to comply with federal and state privacy laws that regulate the same types of data (for example, medical or health records) or types of activity.
  - While the FTC Act is enforced exclusively by the FTC, every state has some form of deceptive trade practices act. Many of these statutes not only enable a state attorney general to bring actions but also provide a private cause of action to consumers. Several of these laws have provisions for statutory minimum damages, punitive damages and attorney’s fees. In interpreting these laws, many state courts have been heavily influenced by FTC Act jurisprudence.
  - Most states have enacted some form of privacy legislation; however, California leads the way in the privacy arena, having enacted multiple privacy laws, some of which have far-reaching effects at a national level. Unlike many federal privacy laws in the U.S., California’s privacy laws resemble the European approach to privacy protection. For example, the “Shine the Light” law requires companies to disclose details of the third parties with whom they have shared customers’ personal information, and the data security law requires businesses to implement and maintain reasonable security procedures to protect personal information from unauthorized access, destruction, use, modification, or disclosure. California is one of only a handful of states to create an Office of Privacy Protection. California was also the first state to enact a security breach notification law, which requires any person or business that owns or licenses computerized data that includes personal information to disclose any breach of the security of the system to all California residents whose unencrypted personal information was acquired by an unauthorized person.
  - Most of the early state security breach notification laws mirrored California’s law and tended to be reactive, that is, they established requirements for responding to a security breach. More recently, a handful of state laws were enacted that are prescriptive and preventative, that is, they are more stringent and actually establish requirements intended to avoid a security breach.
  - The best example of a preventative-type law is the Massachusetts Regulation (201 CMR 17.00), which prescribes in considerable detail an extensive list of technical, physical and administrative security protocols aimed at protecting personal information; affected companies must implement these protocols in their security architecture and describe them in a comprehensive written information security program. New York has introduced a data security breach notification statute (N.Y. L. 2005, c. 491, amending N.Y.L. 2005, c. 442), requiring any person or entity that conducts business in the state, and that owns or licenses certain types of computerized data, to give expedient notice of any data security breach to any New York resident whose data was, or was reasonably believed to have been, acquired by an unauthorized person. The Attorney General may bring an action to enjoin a violation of the statute and to recover damages sustained by persons who were entitled to notice but did not receive it. For a knowing or reckless violation, the court may impose a civil penalty of the greater of $5,000, or $10 per instance of failed notification (up to $150,000).
  - As of March 2013, 46 states, as well as the District of Columbia, Puerto Rico and the US Virgin Islands, have enacted laws requiring notification of security breaches involving personal information. At least 29 states have enacted laws that require entities to destroy, dispose of, or otherwise render personal information unreadable or undecipherable.
  - State tort laws may provide additional information privacy protections for consumers by enabling customers to recover remedies through the civil litigation process from businesses that misuse their personal data or expose customers to privacy and security harms. However, tort law is viewed as an unlikely vehicle to protect consumers’ information privacy absent proof of specific harm.
- Non-U.S. Laws. Although foreign laws are non-binding in the United States, they often provide helpful guidance as to where U.S. law might be headed, and can be a source of practical suggestions for the development of effective data protection policies. Two prominent examples are the European Union Data Protection Directive (“EU Directive 95/46/EC”) and Canada’s Personal Information Protection and Electronic Documents Act (“PIPEDA”).