Chapter Three: Existing Federal Privacy Laws
- The Electronic Communications Privacy Act (1986) [full text]
- Telephone Consumer Protection Act of 1991 [full text]
Privacy of Financial Information
- Fair Credit Reporting Act (1970) [full text]
- Right to Financial Privacy Act (1978) [excerpts] [full text]
- Taxpayer Browsing Protection Act (1997) [full text]
- Gramm-Leach-Bliley Act (1999) [outline]
- Fair and Accurate Credit Transactions Act (2003) [full text]
Privacy of Government Collections
- Census Confidentiality Statute of 1954 [excerpts]
- Freedom of Information Act (1966) [excerpts]
- Privacy Act of 1974 [excerpts]
- Computer Security Act of 1987 [full text]
- E-government Act of 2002 [full text]
Privacy of Medical Records
- Health Insurance Portability and Accountability Act of 1996 (HIPAA) [full text]
Privacy of Miscellaneous Records and Activities
- Administrative Procedure Act [full text]
- Family Education Rights and Privacy Act (1974) [excerpts]
- Privacy Protection Act of 1980 [excerpts]
- Cable Communications Policy Act of 1984 [excerpts]
- Video Privacy Protection Act of 1988 [excerpts]
- Employee Polygraph Protection Act of 1988 [full text]
- Driver's Privacy Protection Act of 1994 [excerpts]
- Controlling the Assault of Non-Solicited Pornography and Marketing Act of 2003 [full text]
- Do-Not-Call Implementation Act of 2003 [full text]
The Census Confidentiality Statute prohibits the use of census data for any purpose other than the original statistical purpose. The Act prohibits disclosure of census data that would enable an individual to be identified, except to officers and employees of the Census Bureau. [full text]
The Administrative Procedure Act establishes detailed procedures for Federal agencies to follow during administrative hearings. Provisions of the Act detail the methods by which administrators inform individuals of their rights, as well as how agencies should gather, portray and assess evidence at hearings. [full text]
The Freedom of Information Act (FOIA) provides individuals with access to many types of records that are exempt from access under the Privacy Act, including many categories of personal information. The Act was amended in 1996 (Electronic Freedom of Information Act), so that requests for information can be made in an electronic format. FOIA procedures are not available to nonresident foreign nationals. [excerpts]
Congress enacted the Fair Credit Reporting Act ("FCRA") to protect consumers from the disclosure of inaccurate and arbitrary personal information held by consumer reporting agencies. While the FCRA regulates the disclosure of personal information, it does not restrict the amount or type of information that can be collected. Under the FCRA, consumer-reporting agencies may only disclose personal information to third parties under specified conditions. Additionally, information may be released to a third party with the written consent of the subject of the report or when the reporting agency has reason to believe the requesting party intends to use the information:
- for a credit, employment or insurance evaluation;
- in connection with the grant of a license or other government benefit; or
- for another "legitimate business need" involving the consumer.
In 2003, the act was modified by the "Fair and Accurate Credit Transactions Act" to help address the identity theft problem and to make it easier for consumers to correct their credit information. Consumers are able to request Credit Reporting Agencies to place "fraud alerts" in their files if they have been or are about to become victims of fraud or a related crime, such as identity theft. The alerts prevent the extension of credit, or establishment of a new line of credit. The protections are stricter with respect to identity theft: the fraud alert stays in the files of identity theft victims for 7 years, whereas fraud alerts only stay in the files of victims of fraud for 90 days. In order to prevent the discovery of credit/debit card numbers from receipts, the number of digits printed on business receipts has been reduced to five. Consumers can prohibit information sharing with affiliated marketers. All consumers are entitled to one free credit report annually. [full text]
The Privacy Act of 1974 was designed to protect individuals from an increasingly powerful and potentially intrusive federal government. The statute was triggered by the report published by the Department of Health, Education and Welfare (HEW), which recommended a "Code of Fair Information Practices" to be followed by all federal agencies. The Code emphasized five principles:
- there should be no records whose very existence is private;
- an individual must be able to discover what information is contained in his or her record and how it is used;
- an individual must be able to prevent information collected for one purpose from being used for another purpose without consent;
- an individual must be able to correct or amend erroneous information; and
- any organization creating, maintaining, using or disseminating records of identifiable personal data must assure the reliability of the data for its intended purpose and must take precautions to prevent misuse.
The Privacy Act incorporates the Code of Fair Information Practices recommended by HEW and empowers individuals to control the federal government's collection, use, and dissemination of sensitive personal information. The Act prohibits agencies from disclosing records to third parties or other agencies without the consent of the individual to whom the record pertains. The prohibition is weakened by several exceptions. As early as 1977, the Privacy Protection Study Commission found that the Privacy Act was vague and would likely not meet its stated purposes.
CDT has maintained that the Privacy Act should undergo a review and be brought up to date. While the fundamentals of the Act (the principles of fair information practices) remain relevant and current, some definitions do not reflect the realities of current technologies and information systems. [excerpts]
Congress passed the Family Educational Rights and Privacy Act (also known as the Buckley Amendment) to protect the accuracy and confidentiality of student records. The Act applies to all schools receiving federal funding. The Act prevents educational institutions from disclosing student records or personally identifiable information about students to third parties without the students' and their parents' consent, but does not restrict the collection or use of information by schools. The statute also requires educational institutions to give students and their parents access to school records and an opportunity to challenge the content of records they believe to be inaccurate or misleading.
In June 2002, the U.S. Supreme Court ruled that individuals do not have the right to sue schools for releasing records covered by the federal Family Educational Rights and Privacy Act. The Court reasoned that the congressional intent underpinning FERPA was not to establish rights for individual students and parents but rather to empower the Secretary of Education to withhold federal funds from any public or private "educational agency or institution which has a policy or practice of permitting the release of education records of students without written consent" in violation of FERPA. The Court has determined that challenges must be handled by the Department of Education. Further, in its analysis the Court highlighted the fact that individual instances of FERPA violations alone are not grounds for withdrawal of federal funds.
See Gonzaga University v. Doe, 2002 WL 1338070 (June 20, 2002).
The Right to Financial Privacy Act was designed to protect the confidentiality of personal financial records by creating a statutory Fourth Amendment protection for bank records. The Right to Financial Privacy Act states that "no Government authority may have access to or obtain copies of, or the information contained in the financial records of any customer from a financial institution unless the financial records are reasonably described" and:
- the customer authorizes access;
- there is an appropriate administrative subpoena or summons;
- there is a qualified search warrant;
- there is an appropriate judicial subpoena; or
- there is an appropriate written request from an authorized government authority.
The statute prevents banks from requiring customers to authorize the release of financial records as a condition of doing business and states that customers have a right to access a record of all disclosures. [excerpts]
Congress enacted the Privacy Protection Act ("PPA") to reduce the chilling effect of law enforcement searches and seizures on publishers. The PPA prohibits government officials from searching or seizing any work product or documentary materials held by a "person reasonably believed to have a purpose to disseminate to the public a newspaper, book, broadcast, or other similar form of public communication," unless there is probable cause to believe the publisher has committed or is committing a criminal offense to which the materials relate. The PPA effectively forces law enforcement to use subpoenas or voluntary cooperation to obtain evidence from those engaged in First Amendment activities.
Many commentators believe the PPA extends protection to computer bulletin boards and on-line systems under the "other form of public communication" clause of the Act. However, the only case to present this question to a court, Steve Jackson Games, Inc. v. United States Secret Service, failed to resolve the issue. In Steve Jackson Games, the Secret Service seized a computer game publisher's electronic bulletin board system, e-mail and electronic files to search for evidence involving an employee of the company. The court decided the PPA protected the seized property, but based its decision on the fact that the company published traditional books, magazines and board games. [excerpts]
Congress passed the Cable Communications Policy Act ("1984 Cable Act" or "Cable Act") to amend the Communications Act of 1934. The Cable Act establishes a comprehensive framework for cable regulation and sets forth strong protections for subscriber privacy by restricting the collection, maintenance and dissemination of subscriber data. The Act prohibits cable operators from using the cable system to collect "personally identifiable information" concerning any subscriber without prior consent, unless the information is necessary to render service or detect unauthorized reception. The Act also prohibits operators from disclosing personally identifiable data to third parties without consent, unless the disclosure is either necessary to render a service provided by the cable operator to the subscriber or if it is made to a government entity pursuant to a court order.
The Patriot Act of 2001 narrowed the CCPA privacy provisions, clarifying that companies who offer cable-based Internet or telephone service will be subject to the requirements of the Cable Act to notify subscribers of government surveillance requests only when detailed cable viewing information is being sought. Otherwise, cable operators can respond to a government surveillance request under ECPA, which does not require service providers to notify subscribers of requests. [excerpts]
Congress passed the Electronic Communications Privacy Act ("ECPA") to expand the scope of existing federal wiretap laws, such as the Wiretap Act, to include protection for electronic communications. ECPA expanded the privacy protections of the Wiretap Act in five significant ways:
- ECPA broadened the scope of privileged communications to include all forms of electronic transmissions, including video, text, audio, and data.
- ECPA eliminated the requirement that communications be transmitted via common carrier to receive legal protection.
- ECPA maintained restrictions on the interception of messages in transmission and added a prohibition on access to stored electronic communications.
- ECPA responded to the Supreme Court's ruling in Smith v. Maryland (June 1979) that telephone toll records are not private and restricted law enforcement access to transactional information pertaining to users of electronic communication services.
- ECPA broadened the reach of the Wiretap Act by restricting both government and private access to communications.
The Computer Security Act reaffirmed that the National Institute for Standards and Technology (NIST) is responsible for the security of unclassified, non-military government computer systems. The main purpose of the Act is to protect unclassified information from military intelligence agencies. However, the Act has since been weakened, primarily as a result of the efforts of the National Security Agency. [full text]
The Employee Polygraph Protection Act prohibits most private employers, with the exception of security service firms and pharmaceutical manufacturers, from using lie detector tests either for pre-employment screening or during the course of employment. The law does not apply to federal, local, and state governments. In the cases where polygraph testing is permitted, the testers are subject to numerous strict standards with regard to the length and conduct of the test. [full text]
Congress passed the Video Privacy Protection Act in response to controversy surrounding the release of Judge Robert Bork's video rental records during his failed Supreme Court nomination. The Act prohibits videotape service providers from disclosing customer rental records without the informed, written consent of the consumer. Furthermore, the Act requires video service providers to destroy personally identifiable customer information within a year of the date it is no longer necessary for the purpose for which it was collected. The Act contains several exceptions and limitations. [excerpts]
The Telephone Consumer Protection Act of 1991 ("TCPA") was enacted in response to consumer complaints about the proliferation of intrusive telemarketing practices and concerns about the impact of such practices on consumer privacy. The Act amends Title II of the Communications Act of 1934 and requires the Federal Communications Commission ("FCC" or "Commission") to promulgate rules "to protect residential telephone subscribers' privacy rights." In response to the TCPA, the FCC issued a Report and Order requiring any person or entity engaged in telemarketing to maintain a list of consumers who request not to be called. In 2002, a federal judge ruled that the TCPA's ban on sending unsolicited fax advertisements was an unconstitutional restriction on commercial speech. The decision was reversed on appeal by the 8th Circuit Court. See State of Missouri v. American Blast Fax Inc. (March 2002). [full text]
Congress passed the Driver's Privacy Protection Act [excerpts] as an amendment to the Omnibus Crime Act of 1994. The Act restricts the public disclosure of personal information contained in state department of motor vehicle ("DMV") records. While the Driver's Privacy Protection Act generally prohibits DMV officials from knowingly disclosing personally identifiable information contained in department records, it delineates several broad exceptions. In January of 2000, the Supreme Court unanimously upheld the Act. The Court held that personal, identifying information from drivers' licenses and motor vehicle registrations is a "thing in interstate commerce" that can be regulated by Congress like any other commodity. See Reno v. Condon (January 2000). The Act recognizes that DMVs may use private contractors to carry out governmental functions, such as notifying automobile owners that it is time to renew their vehicle registrations. While permitting such arrangements, the Act makes it clear that contractors must be bound by the same limits on redisclosure that would apply to the records in the hands of the government. See "Public-Private Partnerships, e-Government, and Privacy."
Congress passed the Communications Assistance for Law Enforcement Act ("CALEA", also commonly known as the Digital Telephony Act) to preserve the Government's ability, pursuant to court order or other lawful authorization, to intercept communications over digital networks. The Act requires phone companies to modify their networks to ensure government access to all wire and electronic communications as well as to call-identifying information. Privacy advocates were able to remove provisions from earlier drafts of the legislation that would have required on-line service providers to modify their equipment to ensure government access. The law also included several provisions enhancing privacy, including a section that increased the standard for government access to transactional data.
In the massive Telecommunications Act of 1996, Congress included a provision addressing widespread concern over telephone companies' misuse of personal records, requiring telephone companies to obtain the approval of customers before using information about users' calling patterns (or CPNI) to market new services. While the statute requires telephone companies to obtain approval before using customers' information, Congress did not specify how companies should obtain such approval.
The FCC has responded in an inconsistent manner to several requests from the telecommunications industry on the type of consumer consent needed in order to release location information. The FCC issued an order interpreting the "approval" requirements in February of 1998. Under the FCC's rule, telephone companies must give customers explicit notice of their right to control the use of their CPNI and obtain express written, oral or electronic approval for its use. In August of 1999, the U.S. Court of Appeals for the Tenth Circuit abandoned the FCC privacy regulations regarding use and disclosure of CPNI (the FCC's interpretation of consent requirements). See U.S. West v. FCC (August 1999). The FCC responded in 2001 by ruling that opt-in consent was not required, and then changed its ruling in 2002, stating that either opt-in or opt-out consent could be used for general CPNI. The FCC also denied the Cellular Telecommunications and Internet Association's (CTIA) request for rulemaking that would have allowed opt-in consent for location information, stating that the legal language on the subject was perfectly clear. In the absence of a clear FCC ruling, the telecommunications industry resorted to self-regulatory measures. The CTIA issued a "consumer code" in September of 2003, which asks companies to abide by their own privacy policies. States have tried to pass opt-in rulings, but the courts have struck them down. [provisions]
Congress created the first guarantee of a federal policy to govern the privacy of health information in electronic form by passing the Kennedy-Kassebaum Health Insurance Portability and Accountability Act. The Act contains a section known as "Administrative Simplification," which mandates the development and adoption of standards for electronic exchanges of health information. It also requires that Congress or the Secretary of Health and Human Services develop privacy rules to govern such electronic exchanges; these rules, however, may not be in place before the electronic system is implemented. Provisions of the Act mandating the speedy development and adoption of standards for electronic exchanges of health information are troublesome given the lack of strong, enforceable laws protecting patient privacy.
In December 2000, the Clinton administration provided detailed rules to protect medical information.
In 2002, the Bush administration amended the rules to permit sharing for treatment, payment and health care operations even over a patient's objection and to allow the use of health information for certain marketing purposes. The new rules, which took effect in April 2003, include some important privacy protections. Key elements of the rules include:
- Doctors and hospitals must give patients notice of their rights and explain how they intend to use and disclose their health information.
- Patients have a right to see, copy and correct their health records.
- Those holding medical records must keep them secure.
- Health care plans and providers are barred from disclosing your health information to your employer.
- Patients have the right to opt-out of having their name and health status publicly disclosed in a hospital's directory.
- Patients can request that their records not be shared, but no consent is necessary for one doctor's office to transfer a patient's medical records to another doctor's office for treatment purposes. A covered entity "is permitted to use or disclose protected health information" for "treatment, payment, or health care operations" without patient consent. Use or disclosure of medical information for certain health related marketing is explicitly permitted.
For complete information, go to http://cdt.org/issue/health-privacy.
In December of 2003, the Fair and Accurate Credit Transactions Act nevertheless limited the sharing of medical information in the credit industry. [full text]
In the mid-1990s, reports from the GAO identified thousands of cases in which IRS employees had inappropriately accessed confidential taxpayer information, and in one high-profile instance, an IRS employee had a conviction for wire and computer fraud thrown out. Congress passed the Taxpayer Browsing Protection Act to criminalize all unauthorized browsing of taxpayer information by federal or state employees and to allow civil damages for such activity.
Congress passed the Children's Online Privacy Protection Act (COPPA) to protect children's personal information from its collection and misuse by commercial Web sites. On October 20, 1999, the Federal Trade Commission issued a Final Rule implementing the Act, which went into effect on April 21, 2000. COPPA requires commercial Web sites and other online services directed at children 12 and under, or which collect information regarding users' age, to provide parents with notice of their information practices and obtain parental consent prior to the collection of personal information from children. The Act further requires that such sites provide parents with the ability to review and correct information about their children collected by such services. [full text]
The Gramm-Leach-Bliley Act (GLB) regulates the privacy of personally identifiable, nonpublic financial information disclosed to non-affiliated third parties by financial institutions. The Act requires written or electronic notice of the categories of personal information collected, categories of people the information will be disclosed to, the consumer's opt-out rights, and the company's confidentiality policy. The Act also requires administrative, technical, and physical safeguards to protect the security and privacy of information.
GLB allows states to pass stronger consumer privacy protections. In August 2003, California passed SB 1, which required prior consumer approval before a bank could share information even with an affiliate (opt-in). The financial industry challenged SB 1, claiming that it was preempted by federal law, but the courts rejected the argument and SB 1 took effect in July 2004.
The Wireless Communication and Public Safety Act was created primarily in response to the rise in use of mobile devices. The Act required all mobile telephones created after 2000 to have the capability to map the user's location through the use of global positioning systems. The primary benefit of such a system is that it enables 911 operators to locate callers in distress. However, such systems also raise major privacy concerns since they allow mobile telephone users to be located at any time. The Act clarified that telephone companies must obtain the customer's opt-in consent to collect location information in any non-emergency situation. The Act only applies to mobile telephones, and courts have not issued any ruling about other mobile devices. [full text]
The E-Government Act expands e-government initiatives in the executive branch. The Act contains privacy protections, such as prohibitions on the secondary disclosure of information obtained for statistical purposes. Federal agencies are required to post machine-readable privacy policies on their websites and to perform privacy impact assessments (PIAs) on all new collections of 10 or more persons. The Office of Management and Budget is also given authority to provide guidance to agencies on how to implement the electronic government under the Privacy Act, the Government Paperwork Elimination Act, and the Federal Information Security Management Act of 2002 and to require an agency to perform a PIA on any system. [full text]
The Controlling the Assault of Non-Solicited Pornography and Marketing Act (commonly referred to as the CAN-SPAM Act) requires that senders of unsolicited commercial email messages label them as such, and include the sender's physical address as well as instructions about how recipients of the message can opt out of future mailings. The use of false headers and deceptive subject lines is clearly prohibited. The Act also calls for the FCC, with guidance from the FTC, to create rules that deal with unwanted mobile service commercial messages. To find out more about CDT's position on the CAN-SPAM Act, look at http://www.cdt.org/speech/spam/. [full text]
The Fair and Accurate Credit Transactions Act of 2003 (commonly known as FACTA) is designed to combat the growing problem of identity theft. It allows consumers to get a free credit report from each of the three major consumer credit reporting agencies (Equifax, Experian, and TransUnion) every 12 months, and to place alerts on their credit histories under certain circumstances. The law also sets standards for the masking, sharing, and disposal of sensitive financial data, such as credit card numbers and Social Security numbers. In response to FACTA, several federal agencies crafted joint regulations that require financial institutions to adopt identity theft prevention programs and take precautionary measures when dealing with identity theft "red flags," such as changes of address.
The Do-Not-Call Implementation Act of 2003 establishes a National Do Not Call Registry maintained by the FTC that allows individuals to opt out of telemarketing calls. The law applies only to residential phone lines, not businesses, and makes exceptions for callers such as political groups and charities. Although registry members were originally required to re-enroll every five years, consumers now only need to sign up once due to the Do-Not-Call Improvement Act of 2007. The FCC has also created detailed complaint procedures for suspected violations of the law. The law has faced court challenges, but Congress has passed specialized legislation to address problems, and the U.S. Court of Appeals has since upheld the constitutionality of the registry.