Privacy Law

Privacy Laws - PeopleSmart


Though the modern technological landscape may seem more like an untamed jungle at times, the United States has a long history of working to protect individual privacy rights, whether through the Fourth Amendment or more specific legislation. Unfortunately, the pace of innovation has vastly exceeded the rate at which Congress has been able to mandate updated privacy protections. As a result, many of the laws that businesses operate under today are considered somewhat antiquated: the vast majority were written in the 1980s, before the wide adoption of the Internet and long before the term "social media" was coined.

What laws exist to protect privacy?

A wide range of legislation has been enacted by Congress to protect individual privacy, from the expected (US Census responses) to the unusual (video rental records). Speaking broadly, US privacy laws cover the following topics:

  • Communications
  • Financial data
  • Health records
  • Children’s online privacy
  • Education records
  • Marketing and advertising communications
  • Government records about citizens

What is the Electronic Communications Privacy Act?

The Electronic Communications Privacy Act (ECPA) was enacted in 1986 to make sure that electronic communications (such as email and VoIP calls) received the same sorts of privacy protections that traditional communication methods receive. Its primary purpose is to prevent unauthorized government access to your private messages, though the Patriot Act and the Communications Assistance for Law Enforcement Act have weakened some of the original protections.

Because the ECPA was created before the rise of cloud email providers like Gmail, emails that have remained on a third-party server for more than 180 days are considered abandoned and can be accessed by the government without a warrant. This is because emails used to be downloaded directly to your local computer and then immediately deleted from your email provider’s servers. Nowadays, it’s common for individuals to have emails stored on a Gmail or Hotmail server that are several years old.

What is the CAN-SPAM Act?

The CAN-SPAM Act was created in 2003 to address the spam email overload that many consumers were experiencing. It created some strict new requirements for businesses that want to send emails to individual consumers:

  • Commercial emails must accurately identify the sender of the message
  • The subject line of the email cannot be deceptive
  • Unless you opt in to receiving marketing messages from the company or have done business with them within the last year, the email must be clearly identified as an advertisement
  • The email must include a physical mailing address where the company can be reached
  • The email must clearly explain how you can opt out of receiving future advertisements
  • If you do opt out, the business must honor your request within 10 business days
  • A business is responsible for any marketing companies sending emails on its behalf

If you receive an email that doesn’t comply with these guidelines, you can report the business to the FTC. Companies can be fined up to $16,000 for each non-compliant email that they send.

A lot of marketers will use third-party providers like Constant Contact or MailChimp to distribute commercial emails. These companies generally have even stricter compliance policies than the law requires, so if you receive an unsolicited email and notice that it contains messaging such as "Sent through Constant Contact," you can also report abuse to the email provider.

What is the Children’s Online Privacy Protection Act?

The Children’s Online Privacy Protection Act (COPPA) is meant to protect the safety of children’s personal information on commercial websites. If a website offers a service to children age 12 or younger, it must inform parents about how it handles personal information, and also obtain parental consent before collecting any information from their child. Furthermore, it gives parents the right to review and correct any personal information that the site may hold about their child.

Before letting your child provide personal information to a website, you should check the Terms of Use to see whether the site is COPPA-compliant – if it isn’t, the site may not allow usage by anyone under the age of 13.

What is the Freedom of Information Act?

The Freedom of Information Act (FOIA) fosters open and transparent government by allowing individuals to access almost any federal record from any federal agency. For example, you can ask the FBI to send you any information it has about you. As long as the record doesn’t fall under an exempted category (for example, sensitive national security information), the agency is required to send you a response. You can learn more about the types of data available to you, as well as how to file a FOIA request, at FOIA.gov.

What is the Gramm-Leach-Bliley Act?

The Gramm-Leach-Bliley Act (GLB) was passed in 1999 to update regulation of the financial services industry, including new consumer privacy protections. Under the GLB, any financial institution that you regularly do business with must provide you with a copy of its privacy policy, as well as notify you of your right to opt out of letting the institution share your information with third parties. It must provide you with a copy of the privacy policy at least once per year, as well as any time the policy changes.

What is the Communications Assistance for Law Enforcement Act?

The Communications Assistance for Law Enforcement Act (CALEA) requires telecommunications providers to design their systems in such a way that law enforcement officials will be able to monitor all activity on their networks without making users aware that they are being monitored. CALEA was enacted in 1994 after the FBI voiced concerns that they would be unable to track criminal activity as telephone providers upgraded to all-digital systems.

The Federal Communications Commission, which oversees the implementation of CALEA, expanded its scope in 2004 from just telephone carriers to any communications provider, including Internet and VoIP services. While service providers based outside of the US are exempt from CALEA requirements, any domestic telecom must provide a wiretap to law enforcement upon receiving a court order or warrant.

How does the Patriot Act affect my privacy rights?

The Patriot Act was passed in 2001 in response to the 9/11 attacks on the US. It changed a large number of federal statutes related to privacy and surveillance, giving law enforcement and intelligence agencies vast new powers to access consumer data and compel service providers to assist with secret surveillance. Because the law gave the government such expanded powers, a "sunset provision" was included which would have terminated many of the new powers in 2005. Congress, however, has renewed the law several times since the sunset date, without significantly modifying any of the surveillance powers it has granted.

The National Security Agency (NSA) has performed much of its controversial surveillance under Section 215 of the Patriot Act, which enables the government to compel a business to turn over "any tangible things" that the government deems relevant to an investigation. Civil liberties groups have argued that this violates the Fourth Amendment because it allows the government to collect potentially sensitive information about individuals who aren’t suspected of any wrongdoing.

While several privacy reform bills have been proposed in Congress recently, none have been signed into law. As a result, the safest assumption to make is that the FBI and NSA can get access to any records about you held by a third party.

How does the Federal Trade Commission protect consumer privacy?

The Federal Trade Commission (FTC) is responsible for enforcing legislation and rules around fair and honest business practices. When a business is suspected of scamming customers or misusing their personal information, the FTC will investigate and bring charges accordingly. The FTC also provides guidance to businesses on good privacy practices and data security.