Legal Landscape: Privacy
Constraints on Collecting, Using, and Voluntarily Sharing Information
Federal law places restraints on the collection, use, and disclosure of information in certain sectors, and the Federal Trade Commission enforces a prohibition against “unfair or deceptive” trade practices that include inaccurate or inadequate notice to users about privacy practices. State law, including several state constitutions, imposes additional restrictions on the collection, use, or disclosure of people’s personal information.
Sector-Specific Privacy Laws
There is no comprehensive federal privacy law that applies to all types of data, users, and services. Instead, there are various laws that apply to specific types of information. The broadest of these laws is the Electronic Communications Privacy Act (ECPA), which applies to any service that processes or stores electronic communications. ECPA generally requires consent before any user information is voluntarily shared with a third party, and it prohibits unauthorized access to stored communications. Other laws apply more narrowly to certain kinds of personal information, or to particular business sectors:
- The Health Insurance Portability and Accountability Act applies to many services that are designed for health care providers and related entities.
- The Video Privacy Protection Act applies to services engaged in the rental, sale, or delivery of recorded video content.
- The Children’s Online Privacy Protection Act applies to websites and services that are “directed to children.”
- Other laws may apply to services that handle financial records, consumer credit information, government records, motor vehicle records, or student education records.
FTC and FCC Regulation
The Federal Trade Commission (FTC) is empowered to regulate “unfair or deceptive” practices. The FTC has interpreted this authority to include investigating online actors who fail to comply with their written privacy policies or whose services or policies mislead consumers. The FTC has frequently enforces the FTC Act in the online space, bringing diverse actions against—including actions against Google and Facebook—for failing to obtain users’ express consent before changing how people’s information is used. And more recently, the FTC has brought cases targeting misuse of personal information to build machine-learning tools and required, as a remedy, that companies to delete the algorithms that resulted.
The Federal Communications Commission (FCC) regulates interstate and international communications by radio, television, wire, satellite, and cable throughout the United States. It has been engaged in protecting consumer privacy for decades, beginning with the Communications Act of 1934 which charged the agency with implementing a number of privacy protection provisions. The FCC has also brought enforcement actions relating to the handling, use, and sharing of Customer Proprietary Network Information and has been exploring privacy issues related to mobile and location-based services.
State Laws & Regulations
Article I, section 1 of the California Constitution guarantees an “inalienable” right to privacy that applies both to government and private entities, as do the constitutions of nine other states. California's Privacy Amendment, overwhelmingly passed by ballot proposition in 1972, was specifically intended to safeguard privacy by preventing the expansion of collection of information about people and the potential misuse of that information by the government and the private sector. State courts in Alaska, Hawaii, Louisiana, and Montana also have held that their state constitutions or common law include a right to privacy applicable to private actors [pdf].
Various states also have specific laws constraining the collection, use, or sharing of certain types of information. For example, California law prohibits publicly posting or displaying social security numbers or embedding them on a card and swiping drivers’ licenses or recording driver’s license information except for very limited circumstances such as age verification or fraud control. California specifically has numerous privacy laws and the Attorney General’s office maintains a comprehensive list.
Other state agencies can also play an important role in defining and enforcing privacy rights. For example, the California Public Utilities Commission has taken an active role in defining privacy requirements for products and services such as smart energy meters.
Many of the sector-specific laws mentioned above have specific transparency and reporting requirements as well as collection, use, or sharing limitations. In addition, there are various other laws that require transparency in certain circumstances:
The California Consumer Privacy Act (“CCPA”), which became effective in 2020, requires businesses to provide notice to consumers prior to collecting information and to disclose what they do with that information. The California Privacy Rights Act (“CPRA”), a ballot measure that passed in 2020 amending the CCPA, is scheduled to take effect in January 2023. The CPRA requires notice of (1) whether people’s personal information is sold or shared and imposes new limits on the collection and use of “sensitive personal information.” The CPRA also establishes the California Privacy Protection Agency to enforce the CCPA and CPRA.
Other State Laws & Regulations
Various other state laws apply privacy protections to people’s personal information. All fifty states, the District of Columbia, and several territories have laws that require users to be notified if their data is compromised. And Colorado, Virginia, and Utah have passed privacy laws that impose some limits on what personal information companies collect and what they can do with it. The Illinois Biometric Information Privacy Act, enacted in 2008, was one of the first state laws to address business’s collection of biometric data, requiring robust consent before a person’s biometric can be collected. Finally, Maine's Internet Service Provider privacy law requires broadband internet access service providers to present customers with notice and obtain customers' opt-in consent before using, disclosing, selling, or permitting access to 'customer personal information.
European Union and International Laws
Regulators in Europe and elsewhere have also taken an active role in the privacy sphere. Of particular note is the Data Protection Directive and the https://www.gibsondunn.com/the-general-data-protection-regulation-a-primer-for-u-s-based-organizations-that-handle-eu-personal-data/ in the European Union. The GDPR, which took effect in 2018, applies to all EU member states and to all products or services targeting people in the EU. It also demands “freely given, specific, and unambiguous” consent (or some other lawful basis) before the collection and use of personal information, requires companies to implement “Data Protection by Design and by Default,” and provides individuals with the “Right of Data Portability.”
More detailed information on international laws and regulations is beyond the scope of this document; please consult an attorney to better understand the legal framework in any countries that your product or service is specifically targeting.
Third Party Demands for User Information
Although many users expect and believe that the letters, diaries, spreadsheets, photographs, videos, and other personal documents and materials that businesses encourage them to store online are as private as those stored in a file cabinet or on their computer’s hard drive at home, the legal requirements for the government and third parties to demand access to these documents are evolving.
The U.S. Constitution
The Fourth Amendment to the United States Constitution guarantees “[t]he right of the person to be secure . . . against unreasonable searches or seizures.” Generally speaking, when an individual has a “reasonable expectation of privacy,” the government cannot search or seize this information without demonstrating probable cause and obtaining a warrant from a judge. But the exact boundary of that reasonable expectation of privacy, particularly as applied to information collected by technological means and held by third parties, remains an unresolved question.
For example, courts are still addressing the applicability of the “third party doctrine,” which holds that an individual does not possess a reasonable expectation of privacy in records held by a third party, in the modern context. The third party doctrine was originally established in a pair of 1970s Supreme Court cases concerning the privacy of calling and banking records. Modern courts faced with the question of whether the third party doctrine applies to electronic data held by a third party have reached divergent opinions: some courts have held that the contents of an email or a person’s location history are constitutionally protected even if held by a third party, while others have held that the third party doctrine negates such protection.
Similarly, courts have begun to address the question of whether individuals retain a “reasonable expectation of privacy” in information that was at one time publicly available. In the 2018 case United States v. Carpenter, the U.S. Supreme Court made clear that long-term monitoring of a person’s location, even in public, violated the Fourth Amendment. However, other courts have rejected the idea that information made publicly available still retains constitutional protection.
The Electronic Communications Privacy Act
ECPA was enacted by Congress in part to address the third party doctrine and ensure that the privacy of electronic communications was safeguarded even if this information were held by a third party. ECPA generally prohibits the voluntary disclosure of user communications and requires third parties to obtain a search warrant or court order to force such disclosure.
However, ECPA was enacted in 1986, and as a result was based on outdated understandings of communications technology. For example, the law was written around the expectation that users would download emails to personal computers and delete copies stored on a central server. In addition, the law did not anticipate new developments such as the collection and use of location information at all. As a result, courts have struggled to apply it to modern technology, frequently reaching different conclusions about the procedural requirements for demands for electronic communications while agreeing only that ECPA is part of “a confusing and uncertain area of the law.”
State Constitutions and Laws
California is among eleven states that have limited the third party doctrine and held that their state constitution provides protection for personal data held by third parties. These states use a variety of different standards to determine whether state officials can demand access to personal information held by a third party.
State law, both constitutional and statutory, may place additional limitations on demands for specific types of information. For example, the California Reader Privacy Act requires a government entity to obtain a court order and meet additional criteria in order to compel disclosure of records related to books.
The California Electronic Privacy Communications Act
The California Electronic Privacy Communications Act, or CalECPA, became law in January 2016. CalECPA updates California's privacy protections to reflect the modern digital world and reinforces constitutional rights to privacy by ensuring that police must obtain a warrant before accessing digital information like emails, text messages and online documents and tracking or searching electronic devices like cell phones. Full bill language, polling, fact sheets, and more information about CalECPA can be found here: www.aclunc.org/calecpa.