Selected United States Privacy Laws


02 Nov 2017

Disclaimer:
This essay has been written and submitted by students and is not an example of our work. Any opinions, findings, conclusions or recommendations expressed in this material are those of the authors and do not necessarily reflect the views of EssayCompany.

The United States and many foreign countries have legal structures that affect the collection, use, transfer, or disclosure of personally identifiable information (PII). The United States uses a sectoral approach that relies on a mix of legislation, regulations, and self-regulation. These laws, regulations, industry best practices and other binding structures, enacted at the federal, state and even local levels, pertain to a wide variety of matters (e.g. financial information, video rentals, electronic communications, or healthcare information). As a result, it is virtually certain that one or more privacy laws or regulations, whether local, state, or federal, affect and govern some portion of a company's activities. Outside of the United States, numerous countries have privacy or data protection laws as well. These laws often restrict transborder transfers of personal information to countries, such as the United States, that do not provide comparable privacy rights and protection. Thus, US companies intending to send or receive PII about individuals protected by those foreign laws must ensure compliance. The local laws that govern their foreign subsidiaries or distributors regulate the use of, and access to, data that the subsidiary or distributor wants to share with the US company. As the recipient or processor of foreign PII protected by foreign law, the US company must be aware of the restrictions placed on the foreign-source PII, and be prepared to assist and cooperate with its foreign counterpart to ensure that any cross-border transfer stays within the limits permitted by the applicable foreign law.

Selected United States Privacy Laws

In the United States, many federal and state laws address privacy issues. More recently, additional laws or ordinances have been passed at the county level to remedy the failure of state legislatures to enact privacy protection laws. The examples below are only a very limited sample of the privacy laws that populate the American legal landscape.

Financial Information

The privacy and confidentiality of financial information is highly regulated. The Gramm-Leach-Bliley Act (GLBA) of 1999, 15 U.S.C. §§ 6801-6827, increased the nature and scope of protection to address, in particular, the dissemination of financial information in connection with marketing activities. The GLBA establishes a number of privacy-related provisions that apply to all "financial institutions." The law reaches most entities that engage in an activity that could be deemed financial in nature, such as companies in the banking, securities, and insurance industries. Numerous entities that perform services other than banking are also considered financial institutions, such as travel agencies or tax preparation businesses. The privacy provisions also apply to third parties that receive nonpublic personal information from financial institutions, and they protect that information whether it is held in electronic or paper form. Companies subject to GLBA must provide consumers with initial and periodic notices explaining the institution's privacy policies and practices, and must give consumers a reasonable opportunity to "opt out" of disclosures to nonaffiliated third parties. Financial institutions are restricted from sharing consumer personal information outside the scope described in the privacy notice. Companies that own or use databases of PII must have in place security procedures to ensure the protection of the PII and limit its dissemination (for entities the FTC regulates, these are spelled out in the FTC's Safeguards Rule, 16 CFR Part 314). While the privacy provisions in GLBA cover only a few pages, each federal agency that regulates a category of "financial institutions" (e.g. the FDIC or the SEC) and the FTC have published more detailed regulations that expand on the GLBA provisions.

In addition, the GLBA allows states to enact or maintain laws that provide greater privacy protection for financial information. Since the enactment of GLBA, numerous states have enacted privacy laws that strengthen the protections set forth in the GLBA.

Medical Information

The HIPAA Privacy Rule, 45 CFR Subtitle A, Subchapter C, Parts 160 and 164, promulgated under the mandate of the Health Insurance Portability and Accountability Act (HIPAA), 42 U.S.C. § 1320d et seq., addresses the protection of health care information. The HIPAA Privacy Rule protects individually identifiable information pertaining to the past, present or future provision of health services and the payment for such services, whether the information is in electronic, paper or oral form. The HIPAA Privacy Rule applies to specific "covered entities," which are health plans, healthcare providers that transmit health information electronically in connection with standard transactions, and healthcare clearinghouses. In addition, any person or entity that provides services to a covered entity and handles or has access to patients' protected health information (PHI) is also bound by the HIPAA Privacy Rule as a "business associate," through the business associate agreement the covered entity must put in place with it. The HIPAA Privacy Rule came into effect on April 14, 2003 for most covered entities; small health plans had one additional year to comply.

The HIPAA Privacy Rule imposes restrictions on the use and disclosure of patient information and sets out patients' rights, namely the right to access their records, the right to request amendment of those records, the right to receive an accounting of disclosures, the right to request restrictions on the use and disclosure of their records, and the right to receive timely responses to requests made under these rights.

As a result, companies that qualify as a "covered entity" must ensure the security and integrity of these records, provide patients with a notice of privacy practices describing their rights, respond to patients' inquiries and to requests for access to or amendment of their records, and designate a privacy official (often titled Chief Privacy Officer) who is responsible for the proper management of protected health information. Companies that provide services to covered entities as "business associates" must also have policies and procedures in place to assist the covered entity in responding to patients' inquiries, and must likewise ensure the security and integrity of the PHI to which they have access as part of their services to the covered entities.

HIPAA contains stiff penalties for violations, including fines and prison time. However, the law does not provide a private cause of action for patients who wish to sue under the act. Instead, complaints about violations of the HIPAA Privacy Rule must be brought to the Department of Health and Human Services (through its Office for Civil Rights), which investigates complaints and pursues the offending covered entity as appropriate.

Information Regarding Children

The Children's Online Privacy Protection Act (COPPA), 15 U.S.C. §§ 6501 et seq., governs information that online businesses collect about children under the age of thirteen. COPPA defines how businesses may collect such information and the extent to which they may use it. COPPA applies not just to websites specifically directed toward children; it also regulates the activities of general-audience websites whose operators have actual knowledge that they are collecting information from individuals under thirteen.

COPPA requires each site to provide clear and conspicuous notice of its privacy practices on its website. In addition, before it may collect, use, or disclose children's personal information, a company subject to COPPA must obtain verifiable parental consent. COPPA also defines how, and to what extent, the company may use children's PII once it has been collected.

Employment

Many laws govern those aspects of the employer-employee relationship that are confidential and require the handling of personal information. For example, the Fair Credit Reporting Act (FCRA), 15 U.S.C. § 1681 et seq., contains rules pertaining to background checks of prospective employees. Privacy law is also implicated when employers need access to employees' offices, computers, etc., or when employers electronically monitor their employees' Internet usage and email. The Electronic Communications Privacy Act (ECPA), 18 U.S.C. §§ 2510 et seq., governs the interception of electronic and wire communications and limits access to certain stored communications. There are also laws about permissible interview inquiries and state laws about inquiries into the arrest records of prospective employees. Use of personnel records is governed by both federal and state rules. These privacy protection laws continue to apply even after the employment relationship is terminated.

Foreign Data Protection Laws

US companies that do business internationally, have subsidiaries or distributors abroad, or sell on foreign markets must be aware of the requirements of the privacy laws in force in those countries whose courts may have jurisdiction over the US company or its local subsidiaries or contractors. Many foreign laws restrict transfers of personal information outside their borders to countries that do not provide comparable protection. As a result, US corporations with operations in other countries, or receiving data from foreign companies, may need to conform to these laws to some extent so that they can receive PII from their subsidiaries, distributors, and other contractors established abroad.

For example, European Union member states rely on comprehensive legislation that requires the creation of government data protection authorities, registration of databases with those authorities, and, in some instances, prior approval before personal data processing may begin. Privacy laws in all E.U. member states prohibit the transfer of PII outside the E.U. to countries that do not offer an adequate level of privacy protection. Since the European Commission has not recognized the United States as offering adequate protection, transfer of PII to a US company from a subsidiary, distributor, or other co-contractor in the E.U. is restricted: special precautions must be taken and permissions obtained. Many countries outside the E.U. have enacted privacy laws that closely follow the model and structure used in the European Union.

Self-Regulation Programs

Most companies have adopted privacy policies, tailored to their own business purposes and ethics, which they frequently post on their website. Many companies, in addition, register with seal programs such as BBB Online, http://www.bbbonline.com, or TRUSTe, http://www.truste.com. To obtain a seal under these programs, companies must agree to follow specific privacy guidelines.

Self-Certification under Safe Harbor

Because the US has no privacy legislation of general applicability, the E.U. deems the US as a whole to lack adequate protection, which constrains companies that transfer data from the E.U. To help US companies (or their subsidiaries or contractors) comply with the laws of the E.U. Member States and to facilitate international business transactions, the US Department of Commerce (DoC) implemented the Safe Harbor privacy program. A US company that adheres to the Safe Harbor Principles may complete the DoC's self-certification and receive a presumption from all (then) 15 E.U. Member States that it provides adequate privacy protection for personal data from the E.U. However, the foreign company transferring information to the US company still needs to comply with its own data protection law. In addition, since the United States has no similar agreement with other foreign countries whose privacy laws restrict trans-border data transfers and preclude transfers to countries deemed not to offer sufficient protection, there is no comparable mechanism for companies that do business in the rest of the world; participation in the E.U. Safe Harbor program has no effect on compliance with privacy laws outside the E.U. (Note that the Safe Harbor framework was later invalidated by the Court of Justice of the European Union in October 2015, in the Schrems case, and succeeded by the EU-US Privacy Shield in 2016.)

Noncompliance Risks

Too many companies act on the mistaken impression that privacy awareness amounts to posting a privacy policy on their website. Privacy protection concepts, however, apply to much more than the collection of data from a website. Privacy policies are complex and must reflect actual company practices. Promising more than one is prepared to deliver can be costly. Thus, cutting and pasting a privacy policy from another company is foolish and can cause real harm.

Most privacy laws provide for civil and/or criminal penalties, and some include a private right of action. For example, violation of the HIPAA Privacy Rule may result in civil or criminal penalties, both for failure to comply with its requirements and for wrongful disclosure of protected information. As originally enacted, the civil penalties were up to $100 for each violation, with a cap of $25,000 per calendar year for all violations of an identical requirement. Penalties may be reduced or waived if the covered entity can prove that it did not know of the violation, that the failure was due to reasonable cause and not willful neglect, or that it was corrected within 30 days. (The HITECH Act of 2009 later replaced this schedule with tiered civil penalties reaching $1.5 million per year for all violations of an identical provision.) Criminal penalties may be assessed if a person knowingly obtains or discloses individually identifiable health information in violation of the act: fines up to $50,000 and/or up to one year in prison; if the offense is committed under false pretenses, fines up to $100,000 and/or up to 5 years; and if it is committed with intent to sell, transfer or use the information for commercial advantage, personal gain or malicious harm, fines up to $250,000 and/or up to 10 years.

In addition to the penalties provided for by the applicable statute, additional liability may arise for deceptive or unfair practices under Section 5 of the FTC Act and its state-law equivalents. In recent years, there has been increased attention to the protection of PII, domestically and abroad. Numerous government actions (e.g. by the FTC or state agencies) and private actions (individual or class action) targeting privacy violations have been brought against well-known companies, and foreign data protection agencies have investigated subsidiaries of US companies. Beyond the embarrassment of being the target of investigations, complaints or lawsuits reported in the press, these actions have generally resulted in the assessment of damages and penalties, the obligation to pay plaintiffs' attorneys' fees, and the requirement to implement strict privacy and security procedures. In other instances, government action has blocked a contemplated transaction.

For example, the FTC investigated Microsoft's Passport single sign-in service (Passport), Passport Express Purchase (Passport Wallet) and Kids Passport. Under the 2002 consent decree, Microsoft agreed to implement and maintain a comprehensive information security program, to have that program certified by an independent assessor as meeting or exceeding the standards in the consent order every two years, and to pay a civil penalty of $10,000 for each future violation of the order.

DoubleClick has also been the target of several investigations and class action suits, which resulted in costly settlements. To end a 30-month privacy investigation by the FTC and ten states, DoubleClick agreed to pay $1.8 million in plaintiffs' costs in a class action suit and $450,000 in fines, and agreed to adhere to specific practices and policies, including the following requirements: display 300 million consumer privacy banner ads inviting consumers to learn how to protect their online privacy; provide an easy-to-read explanation of its ad-serving services; obtain opt-in consent before combining PII with clickstream data; ensure that Internet users' online data will not be used in a manner inconsistent with the privacy policy under which it was collected; develop internal policies to ensure the protection and routine purging of data collected online; and limit the life of new ad-serving cookies to five years. In addition, DoubleClick had to submit to two annual reviews over the next two years, by an independent accounting firm, to verify compliance with the settlement.

In some cases, a suit or investigation may result from an inadvertent error. For example, Eli Lilly was pursued for privacy violations at both the federal and state levels after an error by one of its employees caused the individual email addresses of Prozac patients to be exposed in an email sent to an entire mailing list. The email, which was meant to be sent confidentially, instead prominently displayed the email addresses of more than 600 addressees in the "To" field. After a lengthy investigation, the company settled with the FTC in January 2002 and agreed to take steps to ensure the security of its data, to follow a specified four-stage information security program, and to submit to an annual review "by qualified persons" of that program. Although the FTC settlement did not impose a fine, the July 2002 settlement with eight states over the same incident included a $160,000 payment to those states and required the company to strengthen its internal standards relating to privacy protection, training, and monitoring.

Even where no specific privacy law applies, once a company has published its privacy policy it is bound by the public statements it has made. Publishing a privacy policy exposes the company to enforcement action if it fails to perform according to the representations made in it. For example, Toysmart and Microsoft were subject to investigations by the FTC and state attorneys general because of their alleged failure to live up to the representations made in the privacy policies published on their websites. Similarly, a company that self-certifies with the DoC under the E.U. Safe Harbor program must actually carry out in the United States the practices it has certified. Making inaccurate statements about its actual data collection practices, or making promises that it does not or cannot keep, would otherwise expose the company to action by the FTC or a state attorney general for misrepresentation or deceptive practices under Section 5 of the FTC Act or the state equivalent unfair and deceptive practices acts.

Problems can also arise when a company tries to transfer databases in connection with the sale of the company's assets in a manner inconsistent with its published privacy policy. One of the early cases in this area related to the bankruptcy of Toysmart: In re Toysmart.com, LLC, No. 00-13995-CJK (Bankr. D. Mass.), filed in May 2000, and FTC v. Toysmart.com, LLC, No. 00-11341-RGS (D. Mass.), filed July 10, 2000. Toysmart's online privacy policy stated that the company would "never share" its customer information with a third party. Toysmart ultimately sought bankruptcy protection and offered to sell its database of customer information. The FTC objected, and in a first settlement Toysmart agreed that any buyer would have to be in the same business as Toysmart and agree to follow all of the requirements of Toysmart's privacy policy. Ultimately, after many months of additional proceedings before the FTC and the bankruptcy court, a shareholder of the company purchased the customer list and agreed to destroy it promptly thereafter. Altogether, what could have been a "simple" sale of assets tied up the database owner for more than a year.

Identity Theft - Business Owner's Responsibilities

What Are Identity Theft and Identity Fraud?

The short answer is that identity theft is a crime. Identity theft and identity fraud are terms used to refer to all types of crime in which someone wrongfully obtains and uses another person's personal data in some way that involves fraud or deception, typically for economic gain. This section is intended to explain why you need to take precautions to protect yourself from identity theft. Unlike your fingerprints, which are unique to you and cannot be given to someone else for their use, your personal data (especially your Social Security number, your bank account or credit card number, your telephone calling card number, and other valuable identifying data) can be used, if it falls into the wrong hands, to profit personally at your expense. In the United States and Canada, for example, many people have reported that unauthorized persons have taken funds out of their bank or financial accounts or, in the worst cases, taken over their identities altogether, running up vast debts and committing crimes while using the victims' names. In many cases, a victim's losses may include not only out-of-pocket financial losses, but substantial additional financial costs associated with trying to restore his or her reputation in the community and correcting erroneous information for which the criminal is responsible.

In one notorious case of identity theft, the criminal, a convicted felon, not only incurred more than $100,000 of credit card debt, obtained a federal home loan, and bought homes, motorcycles, and handguns in the victim's name, but called his victim to taunt him -- saying that he could continue to pose as the victim for as long as he wanted because identity theft was not a federal crime at that time -- before filing for bankruptcy, also in the victim's name. While the victim and his wife spent more than four years and more than $15,000 of their own money to restore their credit and reputation, the criminal served a brief sentence for making a false statement to procure a firearm, but made no restitution to his victim for any of the harm he had caused. This case, and others like it, prompted Congress in 1998 to create a new federal offense of identity theft.

What are the Most Common Ways To Commit Identity Theft or Fraud?

Many people do not realize how easily criminals can obtain our personal data without having to break into our homes. In public places, for example, criminals may engage in "shoulder surfing": watching you from a nearby location as you punch in your telephone calling card number or credit card number, or listening in on your conversation if you give your credit card number over the telephone to a hotel or rental car company.

Even the area near your home or office may not be secure. Some criminals engage in "dumpster diving": going through your garbage cans, or a communal dumpster or trash bin, to obtain copies of your checks, credit card or bank statements, or other records that typically bear your name, address, and even your telephone number. These types of records make it easier for criminals to gain control over accounts in your name and assume your identity.


