Legal Landscape: Privacy
Constraints on Collecting, Using, and Voluntarily Sharing Information
Federal law places restraints on the collection, use, and disclosure of certain forms of information, and the Federal Trade Commission enforces a prohibition against “unfair or deceptive” trade practices that include inaccurate or inadequate notice to users about privacy practices. State law, including several state constitutions, may impose additional restrictions on the collection, use, or disclosure of user information.
Sector-Specific Privacy Laws
The United States does not have a comprehensive privacy law that applies to all types of data, users, and services. Instead, there are various laws that apply to specific types of information. The broadest of these laws is the Electronic Communications Privacy Act (ECPA), which applies to any service that processes or stores electronic communications. ECPA generally requires consent before any user information is voluntarily shared with a third party, and it prohibits unauthorized access to stored communications. Various other laws apply to specific types of personal information:
- The Health Insurance Portability and Accountability Act applies to many services that are designed for health care providers and related entities.
- The Video Privacy Protection Act applies to services engaged in the rental, sale, or delivery of recorded video content.
- The Children’s Online Privacy Protection Act applies to websites and services that are “directed to children.”
- Other laws may apply to services that handle financial records, consumer credit information, government records, motor vehicle records, or student education records.
FTC and FCC Regulation
The Federal Trade Commission (FTC) is empowered to regulate “unfair or deceptive” practices. The FTC has interpreted this authority to include investigating online actors who fail to comply with their written privacy policies or whose services or policies mislead consumers. In recent years, the FTC has increased its enforcement in the online space, bringing diverse actions against companies, including actions against Google and Facebook for failing to obtain users’ express consent before changing data practices.
The Federal Communications Commission (FCC) regulates interstate and international communications by radio, television, wire, satellite, and cable throughout the United States. It has been engaged in protecting consumer privacy for decades, beginning with the Communications Act of 1934 which charged the agency with implementing a number of privacy protection provisions. In recent years, the FCC has drafted rules controlling the handling, use, and sharing of Customer Proprietary Network Information and has been exploring privacy issues related to mobile and location-based services.
State Laws & Regulations
Article I, section 1 of the California Constitution guarantees an “inalienable” right to privacy that is applicable with respect both to the government and private entities, as do the constitutions of nine other states. California's Privacy Amendment, overwhelmingly passed by ballot proposition in 1972, was specifically intended to safeguard informational privacy by preventing the expansion of data collection and the potential misuse of that data by both the government and the private sector. State courts in Alaska, Hawaii, Louisiana, and Montana also have held that their state constitutions or common law include a right to information privacy applicable to private actors [pdf].
Various states also have specific laws constraining the collection, use, or sharing of certain types of information. For example, California law prohibits publicly posting or displaying social security numbers or embedding them on a card and swiping drivers’ licenses or recording driver’s license information except for very limited circumstances such as age verification or fraud control.
Other state agencies can also play an important role in defining and enforcing privacy rights. For example, the California Public Utilities Commission has taken an active role in defining privacy requirements for products and services such as smart energy meters. And in 2012 the California Office of the Attorney General announced the creation of a Privacy Enforcement and Protection Unit focused on protecting consumer and individual privacy through enforcement and civil prosecution of state and federal privacy laws.
European Union and International Laws
International regulators in Europe and elsewhere have also taken an active role in the privacy sphere. Of particular note for many companies are the existing Data Protection Directive and proposed privacy Regulation in the European Union. The Regulation, which could take effect as soon as 2015 and which would apply directly to all EU member states (and thus potentially to all products or services targeting EU residents), demands “explicit” consent before the collection and use of personal information, requires companies to implement “Privacy by Design” and “Privacy by Default,” and provides individuals with the “Right to be Forgotten” and the “Right of Data Portability.”
More detailed information on international laws and regulations is beyond the scope of this document; please consult an attorney to better understand the legal framework in any countries that your product or service is specifically targeting.
Transparency and Reporting Requirements
Many of the sector-specific laws mentioned above have specific transparency and reporting requirements as well as collection, use, or sharing limitations. In addition, there are various other laws that require transparency in certain circumstances:
California Online Privacy Protection Act
Other State Laws & Regulations
Various other state laws require notice or reporting under certain circumstances:
- Forty-seven states, the District of Columbia, and several territories have laws that require users to be notified if their data is compromised.
- California law empowers consumers to learn how their personal information is shared by companies and encourages companies to adopt simple methods for individuals to opt out of information sharing.
- The California Reader Privacy Act requires companies that sell books or electronic equivalents to produce an annual report detailing the demands for user information received in a given year.
Third Party Demands for User Information
Although many users expect and believe that the letters, diaries, spreadsheets, photographs, videos, and other personal documents and materials that businesses encourage them to store online are as private as those stored in a file cabinet or on their computer’s hard drive at home, the legal requirements for the government and third parties to demand access to these documents are uncertain. Courts have long struggled to interpret the U.S. and state constitutions in the light of evolving technology, with Justice Alito pointedly calling for legislative action in the recent Supreme Court case United States v. Jones. Privacy laws at both the federal and state level are also becoming rapidly obsolete as technology outpaces the rate of legislative change.
The U.S. Constitution
The Fourth Amendment to the United States Constitution guarantees “[t]he right of the person to be secure . . . against unreasonable searches or seizures.” Generally speaking, when an individual has a “reasonable expectation of privacy,” the government cannot search or seize this information without demonstrating probable cause and obtaining a warrant from a judge. But the exact boundary of that reasonable expectation of privacy, particularly as applied to information collected by technological means and held by third parties, remains an unresolved question.
For example, courts are still addressing the applicability of the “third party doctrine,” which holds that an individual does not possess a reasonable expectation of privacy in records held by a third party, in the modern context. The third party doctrine was originally established in a pair of 1970s Supreme Court cases concerning the privacy of calling and banking records. Modern courts faced with the question of whether the third party doctrine applies to electronic data held by a third party have reached divergent opinions: some courts have held that the contents of an email or a person’s location history are constitutionally protected even if held by a third party, while others have held that the third party doctrine negates such protection.
Similarly, courts have only begun to address the question of whether individuals retain a “reasonable expectation of privacy” in information that was at one time publicly available. In the 2012 case United States v. Jones, the U.S. Supreme Court did not directly answer that question, though a majority of the justices expressed a willingness to consider whether long-term monitoring of a person’s location, even in public, violated the Fourth Amendment. However, other courts have rejected the idea that information made publicly available still retains constitutional protection.
The Electronic Communications Privacy Act
ECPA was enacted by Congress in part to address the third party doctrine and ensure that the privacy of electronic communications was safeguarded even if this information were held by a third party. ECPA generally prohibits the voluntary disclosure of user communications and requires third parties to obtain a search warrant or court order to force such disclosure.
However, ECPA was enacted in 1986, and as a result was based on outdated understandings of communications technology. For example, the law was written around the expectation that users would download emails to personal computers and delete copies stored on a central server. In addition, the law did not anticipate new developments such as the collection and use of location information at all. As a result, courts have struggled to apply it to modern technology, frequently reaching different conclusions about the procedural requirements for demands for electronic communications while agreeing only that ECPA is part of “a confusing and uncertain area of the law.”
State Constitutions and Laws
California is among eleven states that have rejected the third party doctrine and held that their state constitution provides protection for personal data held by third parties. These states use a variety of different standards to determine whether state officials can demand access to personal information held by a third party.
State law, both constitutional and statutory, may place additional limitations on demands for specific types of information. For example, the California Reader Privacy Act requires a government entity to obtain a court order and meet additional criteria in order to compel disclosure of records related to books.
The California Electronic Privacy Communications Act
The California Electronic Privacy Communications Act, or CalECPA, became law in January 2016. CalECPA updates California's privacy protections to reflect the modern digital world and reinforces constitutional rights to privacy by ensuring that police must obtain a warrant before accessing digital information like emails, text messages and online documents and tracking or searching electronic devices like cell phones. Full bill language, polling, fact sheets, and more information about CalECPA can be found here: www.aclunc.org/calecpa.