Almost every time we go online, using our computers or mobile devices, each of us produces data in some form. This data may contain only oblique information about who we are and what we are doing, but when enough of it is aggregated, facts about us which we believed were private has the potential to become known to and used by others.
Many people are surprised to learn that data about their online habits, including the web sites and services they visit, are being collected and shared by marketers in order to target advertising. While such targeted advertising may provide more relevant information to consumers on which they can base their purchasing decisions, and while online advertising supports free online content for consumers, the lack of transparency about these practices has led to consumer apprehension and government concern.
As policy makers, regulators and consumer advocates press for significant reforms , there is an urgent need for companies using online technologies to demonstrate that they respect consumers’ right to privacy and their right to control the collection of information about them. Consumers need to feel confident that what is happening online is being done for them and not to them.
- There is no across-the-board privacy law in the United States.
Instead, the U.S. has a “sectoral” approach comprised of multiple statutes that aim to protect privacy in specific industries. Accordingly, persons or entities that collect, use, share and or/retain personal information are subject to various privacy laws at both federal and state levels, including those that apply based on the nature of the data involved, such as financial, health or children’s data.
Section 5 of the Federal Trade Commission (FTC) Act, 15 U.S.C. § 45(a), prohibits and makes unlawful “unfair methods of competition in or affecting commerce, and unfair or deceptive acts or practices in or affecting commerce.” The FTC enforces against companies that make privacy promises in privacy policies, but fail to keep those promises. That is, the companies collect, use, share or retain personal information in a way that is inconsistent with the representations they made in their privacy policies. The FTC has also enforced against companies whose privacy policies do not adequately inform consumers about the company’s actual practices.
- There is a range of various federal laws governing the privacy of specific kinds of personal information.
The federal Health Insurance Portability and Accountability Act (HIPAA) governing health data collected by covered entities, the Gramm-Leach-Bliley Act (GLBA) covering financial data, and the Children’s Online Privacy Protection Act (COPPA) covering data collected by children under 13 are examples of laws applicable to specific kinds of data.
- In addition to law enacted at the federal level, states also have privacy and data security laws.
Most states have so-called “mini-FTC Acts” under which they have authority similar to that of the FTC to take enforcement actions in response to unfair or deceptive trade practices. This could include tracking consumers without proper notice or when a promise has been made not to track consumer behavior. A number of state attorneys general have been vigilant in enforcing against entities collecting personal information from consumers.
Forty-six states also have data security breach notification laws that require entities holding personal data to provide notices in the event of breaches of the security of that data, and those laws apply regardless of how the data may have been collected, meaning that data that is collected is subject to a security breach will trigger notification obligations. Certain states have specific data security obligations, as well.
*This material is not intended as legal advice and may not be relied on as such. It is presented here to outline the privacy laws aimed to protect consumers in the U.S.