Privacy Law

Privacy laws of the United States are not enacted together in a single legislation. They are enacted depending on the need of personal privacy, different industry (such as finance, health care, telecom, advertising etc) requirements for managing privacy at various points in time of technological innovation. Some of them has statutory protection, whereas others in the form of federal agency regulation rule-making. Some states enacted additional statutes that go beyond what is required under federal law. We look at some of the statutes below. Please contact us for scheduling an appointment by email or phone to discuss any issue regarding privacy law.

Federal Trade Commission (FTC) Act

FTC Act provides statutory protection in the form of preventing deceptive practices of trade. The FTC Act statute states in part that include “unfair methods of competition in or affecting commerce, and unfair or deceptive acts or practices in or affecting commerce, are hereby declared unlawful.” 15 U.S.C. § 45 (a) (1).

These deceptive practices of trade include using privacy information of customers for profit without any prior disclosure for consent. We will discuss below some of the relevant statutes related to an industry.

Finance industry related statutes- FCRA, GLBA, Red Flags rule under FACTA

Privacy issues addressed by statutes are given below:

Fair Credit Report Act (FCRA): The consumer reports, companies that ask for consumer reports such as employer, landlord etc, credit card companies that report customer credit card information all come under FCRA. Credit history, credit worthiness etc are included in this report. Failure to adhere to privacy of the consumers, or collecting consumer information under false pretenses may result in civil penalties under the law.

Gramm-Leach-Bliley Act (GLBA): This act is applicable to financial institutions who provide financing, financing related investment advise, insurance, any third party who receive non-personal information etc are required to maintain certain privacy safegaurds. The institutions need to provide consumer with a choice to opt-out of sharing identifiable personal information with third parties.

Red Flag rule under Fair and Accurate Credit Transactions Act (FACTA): The Red Flag rule requires financial institutions to provide consumers identity theft prevention mechanisms to identify and prevent something that may be harmful to the consumer.

Technology industry related Framework & statutes- Privacy Shield, COPAA, ECPA, CPNI

Privacy Shield Framework: There are two privacy shields currently in place. They include EU-U.S. privacy shield and Swiss-U.S. privacy shield framework. Swiss-U.S. privacy guidelines mostly mirror that of EU-U.S. privacy shield. These privacy shield framework is based on regulatory authority granted “to foster, promote, and develop international commerce by the congress.” 15 U.S.C. § 1512.

1. Voluntary: Any entity want to enter the framework may do so through self-certification. However, the entity need to follow the principles outlined in the framework throughout its membership. Failure to adhere to the principles may lead to civil penalties by Department of Commerce.

2. Purpose: EU requires entities who conducts business within its borders, and also who process personal data of EU citizens to adhere to certain guidelines. This privacy shield framework provide guidelines to US entities who conducts business in EU countries and also process EU citizens data outside of the EU. “The Principles do not affect the application of national provisions implementing Directive 95/46/EC that apply to the processing of personal data in the Member States.”

Children’s Online Privacy Protection Act (COPPA): This act applies in situation, where children under the age of 13 access websites or mobile applications. Before the collection of personally identifiable information, websites need to require parents provide affirmative consent. Websites also need to have a procedure in place to maintain confidentiality and security of the information collected under this act.

Electronic Communications Privacy Act of 1986 (ECPA): Unauthorized interception of electronic communication in interstate commerce is a violation under the statute.

Customer Proprietary Network Information (CPNI): The statutory protection for customer information stored by a telecommunications carrier is below: “Every telecommunications carrier has a duty to protect the confidentiality of proprietary information of, and relating to, other telecommunication carriers, equipment manufacturers, and customers, including telecommunication carriers reselling telecommunications services provided by a telecommunications carrier.” 47 U.S.C. § 222 (a). Recently, Federal Communications Commission (FCC) with its rule-making authority required the carriers to provide customers choice about how to share their data including opt-out provisions.


Healthcare Privacy

Healthcare Privacy involves complying with various statutes including HIPAA and HITECH Act. Due to digitization of healthcare industry, technology companies who are tasked with the duty need to follow both statutory guidelines as well as HHS rule-making authority. We dedicated a separate page for healthcare privacy under the privacy law menu in this website.