Legislatures and courts have long struggled not only to define privacy but to determine and balance enumerated and implied privacy rights for individuals and organizations. The right to privacy is especially important in the digital age, as increasing volumes of personally identifiable information are collected, stored, and transmitted electronically.
What are privacy laws?
Privacy laws regulate the collection, storage, and use of personally identifiable information. They are intended to:
- Ensure that individuals and organizations have control over their data (and who is granted access to it);
- Prevent crime, such as fraud and identity theft; and
- Ensure optimal digital functionality.
Privacy laws protect data such as Social Security and driver’s license numbers, educational and employment records, medical history, financial information, date and place of birth, IP addresses, and internet browsing history.
U.S. data privacy law
Data privacy laws in the U.S. have garnered increased support from both lawmakers and the public in recent years. In addition to established privacy laws that protect healthcare data and consumer privacy, new laws and proposals for increased regulation targeting biometric data collection, use, storage, and transmission are on the rise.
Federal privacy laws
While there is no comprehensive federal data privacy law, certain federal laws protect specific segments of personal data:
- The Health Insurance Portability and Accountability Act of 1996 (HIPAA) governs how covered entities (healthcare providers, health plans, and healthcare clearinghouses) and their business associates may store, use, and disclose patients’ protected health information. Disclosure to anyone other than the patient or the patient’s authorized representative generally requires the patient’s explicit authorization, subject to defined exceptions such as treatment, payment, and healthcare operations.
- The Telephone Consumer Protection Act of 1991 (TCPA) places restrictions on certain marketing phone calls, faxes, and text messages, as well as limits on the use of autodialers and pre-recorded voice messages. Telephone-based collection activities are also regulated by the TCPA.
- The Privacy Act of 1974 (the Privacy Act) governs how federal agencies collect, maintain, use, and disclose records containing personally identifiable information. It was designed to balance the government’s need to maintain data on individuals with individuals’ right to be protected from unwarranted invasions of privacy.
Congress has introduced comprehensive privacy bills; none has been signed into law.
SAFE DATA Act
There is currently no comprehensive federal privacy law in the U.S., but this may change as more institutions and industries recognize the importance of data privacy and cybersecurity. The most recent comprehensive federal privacy bill introduced by lawmakers is the Setting an American Framework to Ensure Data Access, Transparency, and Accountability (SAFE DATA) Act, which is designed to:
- Give Americans more choice and control over their data;
- Require businesses to be more transparent and accountable for their data practices; and
- Bolster the Federal Trade Commission’s authority to respond to potentially harmful changes in technology and hold businesses accountable for unlawful use of consumer data.
The SAFE DATA Act would limit how businesses can handle sensitive consumer data and require them to implement heightened cybersecurity measures. If passed, compliance could be initially burdensome. At the same time, fulfilling these measures could also help businesses minimize exposure in consumer privacy actions.
Internet privacy laws
In the U.S., no single law governs online privacy, but key laws regulating online data include:
- Section 5 of the Federal Trade Commission Act prohibits unfair or deceptive acts or practices in or affecting commerce. Section 5 gives the FTC the authority to bring enforcement actions over a wide range of privacy and consumer protection issues, including misrepresentations in privacy policies and inadequate data security practices.
- The Children's Online Privacy Protection Act (COPPA) governs the online collection of personal information from children under 13 years of age and imposes marketing restrictions and verifiable parental consent requirements. COPPA applies to websites and online services, including social media sites and apps, and carries a significant civil penalty for noncompliance: up to $50,120 per violation, an amount the FTC adjusts periodically for inflation.
- Section 230 of the Communications Decency Act, enacted as part of the Telecommunications Act of 1996, shields online businesses, including social media companies, from being held liable for content generated by their users. Section 230 also shields providers from liability for good-faith removal or restriction of objectionable content.
- The Video Privacy Protection Act (VPPA) was originally enacted to protect consumers’ videotape rental records. VPPA actions by the plaintiffs’ bar are now on the rise against businesses that use online tracking technologies, such as cookies and pixel code, on websites that offer video content.
In addition to these laws, several states have introduced or passed legislation restricting or banning certain social media platforms, for children under 18 and in some cases for adult users as well. We anticipate legal challenges to these bans.
Data privacy laws by state
The California Consumer Privacy Act (CCPA), as amended by the California Privacy Rights Act (CPRA), is the most comprehensive state privacy law. It protects both consumer and employee data and governs how businesses and employers must handle the collection, storage, use, and sharing of personal data.
New York’s Stop Hacks and Improve Electronic Data Security Act (SHIELD Act) imposes data security and breach notification requirements on any person or business that owns or licenses computerized data that includes private information of New York residents, regardless of whether that person or business conducts business in New York.
The Illinois Biometric Information Privacy Act (BIPA) regulates how private entities may collect, use, store, and retain biometric identifiers and biometric information. BIPA is the only U.S. biometric privacy statute that grants a private right of action to individuals whose biometric data is handled in violation of the Act, which has led to an explosion of consumer- and employee-led BIPA class actions.
Several additional states are enacting privacy laws similar to those above governing residents’ data, including consumer data. With most states considering at least one privacy bill, privacy legislation is expected to increase dramatically in the next decade.
Privacy laws and law firms: How Nixon Peabody attorneys can help you
Empowering our clients to understand and follow the patchwork of federal and state rules that govern privacy is the core of our Cybersecurity & Data Privacy practice. We understand that the lack of comprehensive federal oversight and the varying state regulations can cause confusion for businesses that must comply with conflicting requirements, including small businesses that may not have the resources to do so.
We advise businesses of all sizes and across industries on navigating the privacy laws that govern them now or that may govern them in the future to ensure that their data management policies and procedures are compliant in all areas where the patchwork of data privacy laws may impact operations.