Abstract
The United States has not enacted any uniform federal legislation to ensure the privacy and protection of personal data. Instead, data protection in the United States is constructed out of a combination of sector-specific federal and state laws, and administrative and industrial regulations. Although in some areas the American privacy protection framework may be deemed less robust than the European one, in other areas it provides even greater protection than in Europe.
Individual legislative acts evolved over the years from a number of specific instruments addressing the private use of electronic means of communication and data storage, with special attention to the collection and use of information collected from children under the age of 13. Relatively fewer privacy rights are secured for employees in the workplace. Most notably, federal laws provide for lawful exceptions from prohibited monitoring and interception of employees’ communications, but they are stricter on monitoring and sharing content posted on social media.
The laws on national security and defense provide a considerably broader spectrum of provisions regarding interception and forensic examination of data and communications, especially in the wake of the 9/11 events, as stipulated in the USA Patriot Act. Although the USA Freedom Act curbed and amended those provisions substantially, the legal problems arising from these laws are still acute and widely discussed.
Notes
- 1.
Terry (2017), pp. 19–27 at 21.
- 2.
Swire and Kennedy-Mayo (2017), pp. 617 and 642. Swire and Kennedy-Mayo argue that U.S. protections are stricter in seven ways:
(1) oversight of searches by independent judicial officers; (2) probable cause of a crime as a relatively strict requirement for both physical and digital searches; (3) even stricter requirements for government use of telephone wiretaps and other real-time interception; (4) the exclusionary rule, preventing prosecutors’ use of evidence that was illegally obtained, is supplemented by civil suits; (5) other legal standards that are relatively strict for government access in many non-search situations, such as the judge-supervised “reasonable and articulable suspicion” standard under ECPA; (6) transparency requirements, such as notice to the service provider of the legal basis for a request; (7) lack of data retention requirements for internet communications; and (8) lack of limits on use of strong encryption.
- 3.
Although European states commonly use the term “data protection”, the phrase “data privacy” is more common in the United States. Swire and Ahmad (2012), p. 4.
- 4.
Title VI of Pub.L. 91-508, 84 Stat. 1114, enacted October 26, 1970.
- 5.
15 U.S.C. § 1681 et seq.
- 6.
Cobb (2016), p. 2.
- 7.
Id. at 3.
- 8.
Id.
- 9.
Id.
- 10.
5 U.S.C. § 552.
- 11.
Ware (1973), p. 5.
- 12.
5 U.S.C. § 551(a).
- 13.
Raul et al. (2014), pp. 268–294 at 269.
- 14.
5 U.S.C. § 552a(a)(5).
- 15.
McGeveran (2016), pp. 959 and 961.
- 16.
The Federal Trade Commission Act (15 U.S.C. §§41–58) (FTC Act).
- 17.
Sotto and Simpson (2014), p. 191.
- 18.
Jolly (2016).
- 19.
15 U.S.C. § 1601.
- 20.
15 U.S.C. §7704.
- 21.
15 U.S.C. §§6501–6506 (restricts the online collection of personal information from children under the age of 13).
- 22.
15 U.S.C. § 1691.
- 23.
15 U.S.C. § 1681 (regulates the use and disclosure of “consumer reports” by consumer reporting agencies).
- 24.
15 U.S.C. § 1692.
- 25.
15 U.S.C. § 6101–6108 (protects consumers from invasive and fraudulent telemarketing practices).
- 26.
18 U.S.C. § 1028.
- 27.
The legislative enactments in this chart are based on sector-specific protections rather than on broad rights to personal data protection such as exist in the European Union.
- 28.
15 U.S. Code §6809(4).
- 29.
- 30.
“(2) Protected health information excludes individually identifiable health information in: (i) Education records covered by the Family Educational Rights and Privacy Act, as amended, 20 U.S.C. 1232g; (ii) Records described at 20 U.S.C. 1232g (a)(4)(B)(iv); and (iii) Employment records held by a covered entity in its role as employer.” See §160.103.
- 31.
Individually identifiable health information includes demographic data, that relates to: the individual’s past, present or future physical or mental health or condition, the provision of health care to the individual, or the past, present, or future payment for the provision of health care to the individual, and that identifies the individual or for which there is a reasonable basis to believe can be used to identify the individual. See 45 CFR 160.103.
- 32.
Specifically, covered entities must: “Ensure the confidentiality, integrity, and availability of all e-PHI they create, receive, maintain or transmit; Identify and protect against reasonably anticipated threats to the security or integrity of the information; Protect against reasonably anticipated, impermissible uses or disclosures; and ensure compliance by their workforce.” See https://www.hhs.gov/hipaa/for-professionals/security/laws-regulations/index.html.
- 33.
Eisenhauer (2007), p. 2.
- 34.
15 U.S.C. §§7701–7713.
- 35.
“CAN-SPAM Act: A Compliance Guide for Business”, Federal Trade Commission. Available at: https://www.ftc.gov/tips-advice/business-center/guidance/can-spam-act-compliance-guide-business.
- 36.
15 U.S.C. § 1681(d)(1).
- 37.
15 U.S.C. § 1681e (2013).
- 38.
15 U.S.C. § 1681i (a)(5)(A) (2013).
- 39.
Doyle (2012), p. i.
- 40.
Id. at 9.
- 41.
18 U.S.C. 2510(8).
- 42.
18 U.S.C. § 1030.
- 43.
18 U.S.C. § 1030(e)(6).
- 44.
18 U.S.C. § 1030(e)(2).
- 45.
18 U.S.C. §1030(a)(5).
- 46.
See Sect. I(B).
- 47.
Brill (2012).
- 48.
Raul et al. (2014), p. 284.
- 49.
Privacy Enforcement and Safe Harbor: Comments of FTC Staff to European Commission Review of the U.S.-EU Safe Harbor Framework (November 12, 2013). Available online at: https://www.ftc.gov/sites/default/files/documents/public_statements/privacy-enforcement-safe-harbor-comments-ftc-staff-european-commission-review-u.s.eu-safe-harbor-framework/131112europeancommissionsafeharbor.pdf.
- 50.
Jolly (2016), Sect. 25.
- 51.
Solove and Hartzog (2014), p. 583.
- 52.
Id. at pp. 611–627.
- 53.
Jolly (2016), Sect. 25.
- 54.
Id.
- 55.
Raul et al. (2014), p. 284.
- 56.
Federal Trade Commission, Privacy & Data Security Update (2016). Available online at: https://www.ftc.gov/reports/privacy-data-security-update-2016.
- 57.
Id.
- 58.
Id.
- 59.
Id.
- 60.
“Enforcement”, Network Advertising Initiative (April 2016). Available at: https://www.networkadvertising.org/code-enforcement/enforcement.
- 61.
Id.
- 62.
Id.
- 63.
Listokin (2017), pp. 92–95 at 94.
- 64.
Digital Advert. All., Self-Regulatory Principles for Online Behavioral Advertising 12, 14–15, 17 (2009), http://digitaladvertisingalliance.org/sites/digital.daaoperations.org/files/DAA_files/seven-principles-07-01-09.pdf.
- 65.
Rich (2015), p. 2.
- 66.
Federal Trade Commission, “Cross-Device Tracking an FTC Staff Report”, January 2017 at 1, citing Digital Advert. All., Self-Regulatory Principles For Online Behavioral Advertising 12, 14–15, 17 (2009), http://digitaladvertisingalliance.org/sites/digital.daaoperations.org/files/DAA_files/seven-principles-07-01-09.pdf.
- 67.
Listokin (2017), p. 94.
- 68.
Id.
- 69.
Castro (2011), p. 8.
- 70.
Pub. L. No. 108–159, 117 Stat. 1952, codified to 15 U.S.C. §§ 1681–1681x.
- 71.
Braverman (2013).
- 72.
Spokeo, Inc. v. Robins, 136 S.Ct. 1540 (2016).
- 73.
47 U.S.C. §551.
- 74.
18 U.S.C. §§2710–2711.
- 75.
47 U.S.C. §551(b)(1).
- 76.
47 U.S.C. §551(e).
- 77.
18 U.S.C. §§2710(2)(B). Pursuant to the Amendments Act of 2012, a videotape service provider may obtain a consumer’s consent through the internet. 18 U.S.C. §2710.
- 78.
Eichenberger v. ESPN, Inc., No. C14-463 TSZ, 2015 WL 7252985 (W.D. Wash. May 7, 2015).
- 79.
Robinson v. Disney Online, 152 F.Supp.3d 176 (S.D.N.Y. 2015).
- 80.
Toner (2017).
- 81.
See, e.g., “State Laws Related to Internet Privacy”, National Conference of State Legislatures. Available online at: http://www.ncsl.org/research/telecommunications-and-information-technology/state-laws-related-to-internet-privacy.aspx.
- 82.
Calif. Bus. & Prof. Code § 22575–22578 (CalOPPA).
- 83.
These states include: Arizona, California, Delaware, and Missouri.
- 84.
Sotto and Simpson (2014) (Gideon Roberton (2014)). P. 192. Pp. 191–198. Available online at: https://www.hunton.com/files/Publication/1f767bed-fe08-42bf-94e0-0bd03bf8b74b/Presentation/PublicationAttachment/b167028d-1065-4899-87a9-125700da0133/United_States_GTDT_Data_Protection_and_Privacy_2014.pdf.
- 85.
15 U.S.C. §§ 7701–7713.
- 86.
“CAN-SPAM Act: A Compliance Guide for Business”, Federal Trade Commission Website. Available at: https://www.ftc.gov/tips-advice/business-center/guidance/can-spam-act-compliance-guide-business. Last accessed on 17 July 2017.
- 87.
See 15 U.S.C. § 7702(2)(A).
- 88.
Id.
- 89.
Brennan (2016).
- 90.
Brennan (2016).
- 91.
Lazarus (2016).
- 92.
Id.
- 93.
Id.
- 94.
Id.
- 95.
Singer (2013).
- 96.
See, infra, Sect. 1.5.
- 97.
Jolly (2016), Sect. 7.
- 98.
Under the Act commercial messages are defined as “any electronic mail message the primary purpose of which is the commercial advertisement or promotion of a commercial product or service (including content on an internet web site operated for a commercial purpose).” 15 U.S.C. 7702(2)(A).
- 99.
15 U.S.C. § 7704.
- 100.
“CAN-SPAM Act: A Compliance Guide for Business”, Federal Trade Commission Website. Available at: https://www.ftc.gov/tips-advice/business-center/guidance/can-spam-act-compliance-guide-business. Last accessed on 17 July 2017 [hereinafter Compliance Guide].
- 101.
Id.
- 102.
See 47 C.F.R. § 64.3100(b)(1), (6).
- 103.
Compliance Guide for Business, supra note 100.
- 104.
Brennan (2016).
- 105.
“Managing Workplace Monitoring and Surveillance”, Society for Human Resource Management, 18 February 2016. Available online at: https://www.shrm.org/resourcesandtools/tools-and-samples/toolkits/pages/workplaceprivacy.aspx.
- 106.
18 U.S.C.S. § 2510(4).
- 107.
18 U.S.C.S. § 2510(5)(a).
- 108.
See Williams v. Poulos, 11 F.3d 271, 280 (1st Cir. 1993).
- 109.
“Privacy in the Workplace: Overview”, FINDLAW, Available online at: http://employment.findlaw.com/workplace-privacy/privacy-in-the-workplace-overview.html. Last accessed on 18 July 2017.
- 110.
Id.
- 111.
Id.
- 112.
“Privacy in the Workplace: Overview”, Findlaw, Available online at: http://employment.findlaw.com/workplace-privacy/privacy-in-the-workplace-overview.html Last accessed on 18 July 2017.
- 113.
Steve Jackson Games, Inc. v. United States Secret Service, 36 F.3d 457 (5th Cir. 1994), aff’g 816 F. Supp. 432 (W.D. Tex. 1993).
- 114.
Caragozian and Warner Jr (2000).
- 115.
18 U.S.C. § 2511(2)(d).
- 116.
Caterine (2009).
- 117.
Gray Plant Mooty & the Minnesota Department of Employment and Economic Development, A Legal Guide to Privacy and Data Security (2017). P. 68. Available online at: https://mn.gov/deed/assets/legal-guide-to-privacy-and-data-security_tcm1045-133708.pdf.
- 118.
480 US 709 (1987).
- 119.
480 U. S. 714–719.
- 120.
480 U.S. 719–726.
- 121.
“Workplace Privacy”, Epic.Org, Electronic Privacy Information Center. Available online at: https://www.epic.org/privacy/workplace/.
- 122.
Gray Plant Mooty & the Minnesota Department of Employment and Economic Development, A Legal Guide to Privacy and Data Security (2017). p. 66. Available online at: https://mn.gov/deed/assets/legal-guide-to-privacy-and-data-security_tcm1045-133708.pdf.
- 123.
See, e.g., Minn. Stat. §626A.02 Subd. 1.
- 124.
G.L. 214 §1B.
- 125.
Litwin (2006).
- 126.
G.L. 214 §1B.
- 127.
Bratt v. Int’l Bus. Machs. Corp., 392 Mass. 508, 521 (1984).
- 128.
29 U.S.C. § 151–169.
- 129.
Section 8(a)(1).
- 130.
“Jurisdictional Standards”, National Labor Relations Board. Available online at: https://www.nlrb.gov/rights-we-protect/jurisdictional-standards.
- 131.
18 U.S.C. §§ 2701–11.
- 132.
Hamilton (2016).
- 133.
18 U.S.C.S. § 2511(2)(g)(i).
- 134.
18 U.S.C.S. § 2511(2)(g)(i).
- 135.
961 F. Supp. 2d 659 (D. New Jersey 2013).
- 136.
961 F. Supp. 2d 669–670.
- 137.
Id., citing 18 U.S.C. § 2701(c)(2).
- 138.
Crane (2012), pp. 639 and 642 citing Crispin v. Christian Audigier, Inc., 717 F. Supp. 2d 965, 991 (C.D. Cal. 2010).
- 139.
Grosdidier (2013).
- 140.
29 U.S.C. §§ 157.
- 141.
Grosdidier (2013).
- 142.
“State Social Media Privacy Laws”, National Conference of State Legislatures, 5 May 2017. Available online at: http://www.ncsl.org/research/telecommunications-and-information-technology/state-laws-prohibiting-access-to-social-media-usernames-and-passwords.aspx.
- 143.
Id.
- 144.
Wis. Stat. § 995.55(4).
- 145.
McGinnis (2014).
- 146.
Id.
- 147.
Stevens (2010), p. 1.
- 148.
Id.
- 149.
Id.
- 150.
Health Breach Notification Rule, 16 C.F.R. 318.
- 151.
Stevens (2010), p. 8.
- 152.
The Veterans Benefits, Health Care, and Information Technology Act of 2006, P.L. 109–461 (December 22, 2006); 38 U.S.C. §§ 5722 et seq.
- 153.
38 U.S.C. § 5724(a)(1).
- 154.
38 U.S.C. § 5724(a)(2).
- 155.
VA Handbook 6500.2, Section 4(c), p. 48. July 28, 2016. Available online at: https://www.va.gov/vapubs/viewPublication.asp?Pub_ID=843&FType=2.
- 156.
See “Guidance on Response Programs for Unauthorized Access to Customer Information and Customer Notice”, Federal Deposit Insurance Program, 1 April 2005. Available online at: https://www.fdic.gov/news/news/financial/2005/fil2705.html.
- 157.
Saikali (2012).
- 158.
FACTA includes a “truncation” requirement that applies to anyone who accepts credit or debit cards as a form of payment. According to this requirement, the business entity may not print a receipt that contains more than the last five digits of the card number or print the card’s expiration date on any receipt given to the customer at the point of the transaction. Transactions where the consumer enters the account number by handwriting or the business uses an imprint of the card are not bound by this requirement. Under the provisions of the Act, any person who negligently violates the truncation requirement may be required to pay actual damages and attorneys’ fees. See 15 U.S.C. §§ 1681o(a) and 1681n(a).
- 159.
15 U.S. Code § 1681c–1.
- 160.
“The Fair Credit Reporting Act (FCRA) and the Privacy of Your Credit Report”, Epic.org. Available online at: https://epic.org/privacy/fcra/.
- 161.
Id.
- 162.
Id.
- 163.
18 U.S.C. § 2510-22. The ECPA also includes the Stored Wire Electronic Communications Act.
- 164.
“Electronic Communications Privacy Act of 1986 (ECPA), 18 U.S.C. § 2510-22”, Justice Information Sharing, U.S. Dept. of Justice, Office of Justice Programs, Bureau of Justice Assistance, last updated on: 30 July 2013. Available online at: https://it.ojp.gov/PrivacyLiberty/authorities/statutes/1285 Last accessed on 13 August 2017 [hereinafter ECPA 1986].
- 165.
Pursuant to 18 U.S.C. § 2510(1), a “‘wire communication’ means any aural transfer made in whole or in part through the use of facilities for the transmission of communications by the aid of wire, cable, or other like connection between the point of origin and the point of reception (including the use of such connection in a switching station) furnished or operated by any person engaged in providing or operating such facilities for the transmission of interstate or foreign communications or communications affecting interstate or foreign commerce.”
- 166.
“Oral communications” are typically intercepted through bugs or other recording and transmitting devices and consist of “any oral communication uttered by a person exhibiting an expectation that such communication is not subject to interception under circumstances justifying such expectation, but such term does not include any electronic communication.” See 18 U.S.C. § 2510(2).
- 167.
Pursuant to 18 U.S.C. § 2510(12), “electronic communication” means “any transfer of signs, signals, writing, images, sounds, data, or intelligence of any nature transmitted in whole or in part by a wire, radio, electromagnetic, photoelectronic or photooptical system that affects interstate or foreign commerce, but does not include—
(A) any wire or oral communication;
(B) any communication made through a tone-only paging device;
(C) any communication from a tracking device (as defined in section 3117 of this title); or
(D) electronic funds transfer information stored by a financial institution in a communications system used for the electronic storage and transfer of funds.”
- 168.
ECPA 1986, supra note 164.
- 169.
Id.
- 170.
Id.
- 171.
Id.
- 172.
See United States v. Perrine, 518 F.3d 1196, 1204 (10th Cir. 2008) (holding that individuals retain no Fourth Amendment privacy interest in subscriber information and transactional records).
- 173.
ECPA 1986, supra note 164.
- 174.
Solove and Hartzog (2014), p. 178.
- 175.
77 F.Supp.3d 836, 848 (N.D. Cal. 2014).
- 176.
18 U.S.C. §§2510–3127.
- 177.
The amendments include: Communications Assistance to Law Enforcement Act (CALEA) (1994), the USA Patriot Act (2001), the USA Patriot reauthorization acts (2006), and the FISA Amendments Act (2008).
- 178.
334 F. Supp. 2d 471 (S.D.N.Y. 2004).
- 179.
“Modernizing the Electronic Communications Privacy Act (ECPA)”, ACLU, Available online at: https://www.aclu.org/feature/modernizing-electronic-communications-privacy-act-ecpa Last accessed on 13 August 2017.
- 180.
Title 1 includes “The Wiretap Act”, 18 U.S.C. §§2510–2522.
- 181.
18 U.S.C. §§2701–2711.
- 182.
“Electronic Communications Privacy Act”, University of Cincinnati IT@UC Office of Information Security, Available online at: http://www.uc.edu/infosec/compliance/ecpa.html.
- 183.
“CALEA: The Communications Assistance for Law Enforcement Act (CALEA) of 1994”, Electronic Frontier Foundation. Available online at: https://www.eff.org/issues/calea.
- 184.
Zetter (2014).
- 185.
47 U.S.C. § 1002(a)(4)(A).
- 186.
Zetter (2014).
- 187.
This includes customer data such as the name, address, length of service, and means of payment. See 18 U.S.C. §2703(c).
- 188.
18 U.S.C. §§3121–3127. “Electronic Communications Privacy Act”, University of Cincinnati IT@UC Office of Information Security, Available online at: http://www.uc.edu/infosec/compliance/ecpa.html.
- 189.
18 U.S.C. §3123(a)(1).
- 190.
18 U.S.C. 2511(2)(i)(I). Pursuant to 18 U.S.C. 2510(21), a computer trespasser is a person who: (A) “accesses a protected computer without authorization and thus has no reasonable expectation of privacy in any communication transmitted to, through, or from the protected computer; and (B) does not include a person known by the owner or operator of the protected computer to have an existing contractual relationship with the owner or operator of the protected computer for access to all or part of the protected computer.”
- 191.
Doyle (2012), p. 18.
- 192.
Id. at 19.
- 193.
Id.
- 194.
Gorelick et al. (1989), pp. 255–256.
- 195.
Stanger (2005), p. 13 citing United States v. Hudson, 11 U.S. (7 Cranch) 32, 34 (1812). Available online at: http://blj.ucdavis.edu/archives/vol-5-no-2/document-destruction-after-enron.html.
- 196.
18 U.S.C. § 1519.
- 197.
Leahy and Gilchrist, 126 Am. Jur. Proof of Facts 3d 1, Sanctions for Spoliation of Electronic Evidence § 12, p. 13 (2012) (citing numerous cases).
- 198.
Young (2001).
- 199.
Pub. L. 107–204, title VIII, § 802(a), July 30, 2002, 116 Stat. 800.
- 200.
515 U.S. 593, 598–599 (1995).
- 201.
Stanger (2005).
- 202.
Id.
- 203.
See, e.g., U.S. v. Wise, 221 F.3d 140 (5th Cir. 2000).
- 204.
See, e.g., U.S. v. Wise, 221 F.3d 140 (5th Cir. 2000).
- 205.
50 U.S.C. §§ 1801–11, 1821–29, 1841–46, 1861–62, 1871.
- 206.
50 U.S.C. § 1804(a)(6)(B) & § 1823(a)(6)(B).
- 207.
“Privacy & Civil Liberties: The Foreign Intelligence Surveillance Act of 1978”, U.S. Department of Justice, Office of Justice Programs, Bureau of Justice Information Sharing. Available online at: https://it.ojp.gov/PrivacyLiberty/authorities/statutes/1286.
- 208.
Goitein and Patel (2015), p. 13.
- 209.
50 U.S.C. § 1801(f)(2).
- 210.
Solove and Hartzog (2014), p. 86.
- 211.
Id.
- 212.
Id. citing 50 U.S.C. § 1801.
- 213.
50 U.S.C. § 1804.
- 214.
Solove and Hartzog (2014), citing 50 U.S.C. § 1801(b)(2)(A)–(B).
- 215.
Perez (2013).
- 216.
“The Foreign Intelligence Surveillance Act of 1978 (FISA)”, U.S. Dept. of Justice, Justice Information Sharing. Available online at: https://it.ojp.gov/PrivacyLiberty/authorities/statutes/1286, citing 50 U.S.C. § 1802.
- 217.
Goitein and Patel (2015), p. 21.
- 218.
Mann (2014).
- 219.
18 U.S.C. §2709 [The Stored Communications Act].
- 220.
12 U.S.C. §3414(a)(5)(A). [The Right to Financial Privacy Act of 1978].
- 221.
15 U.S.C. §1681u. [The Fair Credit Reporting Act of 1970].
- 222.
Id.
- 223.
Solove and Hartzog (2014), p. 88.
- 224.
“National Security Letters”, ACLU Website. Available online at: https://www.aclu.org/other/national-security-letters [hereinafter National Security Letters].
- 225.
Lynch and Flint (2017).
- 226.
“National Security Letters”, supra note 224.
- 227.
H.R. 2048, Pub.L. 114–23.
- 228.
Solove and Hartzog (2014), p. 87.
- 229.
Liu (2015).
- 230.
H.R. 3361 § 101 (amending 50 U.S.C. § 1861(b)).
- 231.
Id.
- 232.
“USA Freedom Act Reinstates Expired USA PATRIOT Act Provisions but Limits Bulk Collection”, CRS Legal Sidebar, 4 June 2015. Available online at: https://fas.org/sgp/crs/intel/usaf-rein.pdf.
- 233.
Id.
- 234.
Id.
- 235.
Ombres (2015), pp. 27–58 at 43–44.
- 236.
149 F. Supp. 3d 341 (E.D.N.Y. 2016).
- 237.
In Search of an Apple iPhone Seized During the Execution of a Search Warrant on a Black Lexus IS300, California License Plate 35KGD203, (2016 WL 618401) (2016 U.S. Dist. LEXIS 20543) (C.D. Cal. Feb. 16, 2016).
- 238.
“Everything We Know So Far About the San Bernardino Shooting”, Los Angeles Times, 14 December 2015. Available online at: http://www.latimes.com/local/california/la-me-san-bernardino-shooting-terror-investigation-htmlstory.html.
- 239.
Apple Inc.’s Mot. to Vacate Order Compelling Apple Inc. to Assist Agents in Search, and Opposition to Government’s Motion to Compel Assistance entered February 25, 2016, Case No. 5:16-cm-00010-SP.
- 240.
Id.
- 241.
Kang (2016).
- 242.
An act or practice is unfair where it (1) causes or is likely to cause substantial injury to consumers, (2) cannot be reasonably avoided by consumers; and (3) is not outweighed by countervailing benefits to consumers or to competition. See “Consumer Compliance Handbook: Federal Trade Commission Act Section 5: Unfair or Deceptive Acts or Practices”, Federal Reserve Supervisor’s Handbook, at 7. Available online at: https://www.federalreserve.gov/boarddocs/supmanual/cch/ftca.pdf.
- 243.
“A representation, omission, or practice is deceptive if it is likely to mislead a consumer acting reasonably under the circumstances and is likely to affect a consumer’s conduct or decision regarding a product or service” Id. at 7.
- 244.
Title V, 15 U.S.C. §§6801–6809.
- 245.
Fair (2016). The Federal Trade Commission (“FTC”) may bring an administrative hearing against an individual or entity, suspected of unfair or deceptive trade practices and subsequently issue an order to cease and desist. If the individual or entity subject to the order violates that order, the FTC may impose an administrative fine.
- 246.
Solove and Hartzog (2014), p. 159.
- 247.
Id.
- 248.
Tosi et al. (2016).
- 249.
“CFPB Takes Action Against Dwolla for Misrepresenting Data Security Practices”, Consumer Financial Protection Bureau, 2 March 2016. Available online at: https://www.consumerfinance.gov/about-us/newsroom/cfpb-takes-action-against-dwolla-for-misrepresenting-data-security-practices/.
- 250.
In the Matter of Dwolla, Inc. Consent Order, United States of America Consumer Financial Protection Bureau, Administrative Proceeding File No. 2016-CFPB-0007, 03/02/2016. Available online at: http://files.consumerfinance.gov/f/201603_cfpb_consent-order-dwolla-inc.pdf.
- 251.
15 USC §6823(A).
- 252.
15 USC §6823(B).
- 253.
Surette (n.d.).
- 254.
799 F.3d 236, 2015 U.S. App. LEXIS 14839 (3rd Cir. 2015).
- 255.
799 F.3d at 245–46.
- 256.
799 F.3d at 247.
- 257.
15 USC § 6501 et seq. COPPA also gives states and certain other federal agencies authority to enforce compliance. COPPA violations are considered to be unfair or deceptive trade practices and are therefore subject to the same administrative penalties as set forth under the FTC Act.
- 258.
15 U.S.C. §1681.
- 259.
16 U.S.C. §310.
- 260.
“The Enforcers”, Federal Trade Commission Website. Available online at: https://www.ftc.gov/tips-advice/competition-guidance/guide-antitrust-laws/enforcers.
- 261.
“A Brief Overview of the Federal Trade Commission’s Investigative and Law Enforcement Authority”, Federal Trade Commission Website (July 2008). Available online at: https://www.ftc.gov/about-ftc/what-we-do/enforcement-authority#N_1_ [hereinafter “A Brief Overview”].
- 262.
Id.
- 263.
“Privacy & Data Security Update (2016)”, FTC Website. Available online at: https://www.ftc.gov/reports/privacy-data-security-update-2016.
- 264.
15 U.S.C. § 53(b).
- 265.
A Brief Overview, supra note 261.
- 266.
CEs include healthcare providers, health plans, healthcare clearinghouses and all other CEs—including Business Associates (BAs) of CEs.
- 267.
42 U.S. Code § 1320d–5.
- 268.
Terry (2017), p. 22.
- 269.
Id.
- 270.
Section 13410(D) of the HITECH Act.
- 271.
42 U.S.C. § 1320d-6.
- 272.
Tosi et al. (2016).
- 273.
See, e.g., Whalen v. Michael Stores Inc., --- F. Supp. 3d ---, 2017 U.S. App. Lexis 7717; In re Zappos.com, Inc., 108 F. Supp. 3d 949 (D. Nev. 2016); and Schwartz v. HSBC Bank USA, N.A., --- F. Supp. 3d --, U.S. Dist. Lexis 94019 (2017).
- 274.
Tosi et al. (2016).
- 275.
18 U.S.C. § 1037(a)(1).
- 276.
18 U.S.C. § 1037(a)(2).
- 277.
18 U.S.C. § 1037(a)(3).
- 278.
18 U.S.C. § 1037(a)(4).
- 279.
18 U.S.C. § 1037(a)(5).
- 280.
18 U.S.C. § 1037.
- 281.
18 U.S.C. 1030(a)(3).
- 282.
18 U.S.C. 1030(a)(2).
- 283.
18 U.S.C. 1030(a)(5).
- 284.
18 U.S.C. 1030(a)(4).
- 285.
18 U.S.C. 1030(a)(7).
- 286.
18 U.S.C. 1030(a)(6).
- 287.
18 U.S.C. 1030(a)(1).
- 288.
Doyle (2014).
- 289.
15 U.S.C. §1681q.
- 290.
Id.
- 291.
50 U.S.C. §1809(c).
- 292.
50 U.S.C. §1827 (a).
- 293.
50 U.S.C. §1827(c).
- 294.
15 U.S.C. §6821(a).
- 295.
15 U.S.C. §6823(a).
- 296.
15 U.S.C. §6823(b).
- 297.
18 U.S.C. §3121(a).
- 298.
18 U.S.C. §3121(d).
- 299.
5 U.S.C. Sec. 552a(i).
- 300.
5 U.S.C. §552a(i).
- 301.
18 U.S.C. §2701(a)(1).
- 302.
18 U.S.C. §2701(a)(2).
- 303.
18 U.S.C. §2701(b).
- 304.
Brown et al. (2017).
- 305.
Raul et al. (2014), p. 286.
- 306.
Pub. L. No. 109–455, 120 Stat. 3372, extended by Pub. L. No. 112–203, 126 Stat. 1484, codified at 15 U.S.C. §§ 41 et seq.
- 307.
Id. at §3.
- 308.
Jolly (2016).
- 309.
Id.
- 310.
“Defense Federal Acquisition Regulation Supplement: Network Penetration Reporting and Contracting for Cloud Services (DFARS Case 2013-D018)” (Washington, DC: Defense Acquisition Regulations System, Department of Defense, August 26, 2015), https://www.federalregister.gov/documents/2015/08/26/2015-20870/defense-federal-acquisitionregulation-supplement-network-penetration-reporting-and-contracting-for.
- 311.
Jolly (2016), p. 22.
- 312.
Jolly (2016), p. 22.
- 313.
“Privacy Shield Framework”, U.S. Department of Commerce—International Trade Administration. Available online at: https://www.privacyshield.gov/Program-Overview.
- 314.
Id.
- 315.
Id.
- 316.
Id.
- 317.
For example, “[p]ersonal information cannot be collected without consumers’ permission, and they have the right to review the data and correct inaccuracies; [c]ompanies that process data must register their activities with the government; [e]mployers cannot read workers’ private e-mail;[and] personal information cannot be shared by companies or across borders without express permission from the data subject.” See Bob Sullivan, “La difference is Stark in E.U., U.S. Privacy Laws”, NBCNEWS.COM, 19 October 2006. Available online at: http://www.nbcnews.com/id/15221111/ns/technology_and_science-privacy_lost/t/la-difference-stark-eu-us-privacy-laws/#.WanIt7pFy00.
- 318.
Id.
References
Braverman B (2013) Fear FACTA: beware the truncation requirement of the Fair and Accurate Credit Transactions Act. http://www.dwt.com/Fear-FACTA-Beware-the-Truncation-Requirement-of-the-Fair-and-Accurate-Credit-Transactions-Act-12-04-2013
Brennan W (2016) Complying with the CAN-SPAM Act. Lexis Pract Advis J. https://www.lexisnexis.com/lexis-practice-advisor/the-journal/b/lpa/archive/2016/11/08/complying-with-the-can-spam-act.aspx. Last accessed 18 July 2017
Brill J (2012) Privacy, consumer protection, and competition. Loyola University Chicago School of Law. www.ftc.gov/speeches/brill/120427loyolasymposium.pdf
Brown CT, Raul AC, Spencer AL, McNicholas ER (2017) Collection, storage and transfer of data in the United States. Lexology. https://www.lexology.com/library/detail.aspx?g=44b4db4a-6111-48a1-badf-87f8e2a73e67
Caragozian JS, Warner DE Jr (2000) Privacy rights of employees using workplace computers in California. Privacy Rights Clearinghouse. https://www.privacyrights.org/blog/privacy-rights-employees-using-workplace-computers-california
Castro D (2011) Benefits and limitations of industry self-regulation for online behavioral advertising. The Information Technology & Innovation Foundation. http://www.itif.org/files/2011-self-regulation-online-behavioral-advertising.pdf
Caterine MJ (2009) Privacy of electronic communications. American Bar Association. https://www.americanbar.org/content/dam/aba/administrative/labor_law/meetings/2009/2009_err_008.authcheckdam.pdf
Cobb S (2016) Data Privacy and Data Protection: U.S. Law and Legislation, ESET. https://www.welivesecurity.com/wp-content/uploads/2016/04/US-data-privacy-legislation-white-paper.pdf
Crane C (2012) Social networking v. the employment-at-will doctrine: a potential defense for employees fired for Facebooking, terminated for Twittering, booted for blogging, and sacked for social networking. Wash Univ Law Rev 89:639
Doyle C (2012) Privacy: an overview of the Electronic Communications Privacy Act. Congressional Research Service, p i. https://www.hsdl.org/?view&did=725508
Doyle C (2014) Cybercrime: an overview of the federal computer fraud and abuse statute and related federal criminal laws. Congressional Research Service, “Summary”. https://fas.org/sgp/crs/misc/97-1025.pdf
Eisenhauer MP (2007) Managing your data processors: legal requirements and practical solutions. BNAI’s World Data Protection Report. http://www.privacystudio.com/Links%20posted%20to%20web/BNAI%20-%20Managing%20Data%20Processors%20Aug%2007.pdf
Fair A (2016) Civil penalties undergo inflation recalculation. Federal Trade Commission. https://www.ftc.gov/news-events/blogs/business-blog/2016/06/civil-penalties-undergo-inflation-recalculation
Goitein E, Patel F (2015) What went wrong with the FISA Court. Brennan Center for Justice 13. https://www.scribd.com/document/259083922/What-Went-Wrong-With-the-FISA-Court
Gorelick JS, Marzen S, Solum LB (1989) Destruction of evidence. Aspen Law and Business, Aspen, Co. 255
Grosdidier P (2013) Choose your friends — and privacy settings — wisely. LAW 360. https://www.law360.com/articles/477202/choose-your-friends-and-privacy-settings-wisely
Hamilton MD (2016) Social media privacy issues in workplace investigations. LAW 360. https://www.law360.com/articles/812907/social-media-privacy-issues-in-workplace-investigations
Jolly I (2016) Data protection in the United States: overview. Thomson Reuters Practical Law. https://content.next.westlaw.com/6-502-0467?transitionType=Default&contextData=(sc.Default)&__lrTS=20170522004900131&firstPage=true&bhcp=1
Kang YP (2016) DOJ Hacks Shooter’s iPhone, Drops Apple Suit. Law 360. http://www.law360.com/articles/777150
Lazarus D (2016) Column: FTC is falling short in protecting consumers’ data used by big business. Los Angeles Times. http://www.latimes.com/business/la-fi-lazarus-20160112-column.html
Listokin S (2017) Does industry self-regulation of consumer data privacy work? IEEE Security & Privacy, 92
Litwin S (2006) Employees’ right to privacy in the workplace. Massachusetts Continuing Education Program. http://www.kcslegal.com/assets/MCLE_Right_to_Privacy_Article_Dec_2006.pdf
Liu J (2015) So what does the USA Freedom Act do anyway? Lawfare. https://www.lawfareblog.com/so-what-does-usa-freedom-act-do-anyway
Lynch C, Flint L (2017) The USA Freedom Act turns two. Lawfare. https://www.lawfareblog.com/usa-freedom-act-turns-two
Mann SF (2014) Fact sheet: Section 215 of the USA PATRIOT Act. Center for Strategic and International Studies. https://www.csis.org/analysis/fact-sheet-section-215-usa-patriot-act
McGeveran W (2016) Friending the privacy regulators. Ariz Law Rev 58:959, 961
McGinnis K (2014) The ever expanding scope of employee privacy protections. Moore & Van Allen Blog. http://www.mvalaw.com/news-publications-373.html
Ombres D (2015) NSA domestic surveillance from the Patriot Act to the Freedom Act: the underlying history, constitutional basis, and the efforts at reform. Seton Hall Leg J 39(1):27–58
Perez E (2013) Secret court’s oversight gets scrutiny. Wall Street Journal. http://online.wsj.com/news/articles/SB10001424127887324904004578535670310514616
Raul CA, Manoranjan TD, Mohan V (2014) United States. In: Raul AC (ed) The privacy, data protection, and cybersecurity law review. Law Business Research Ltd, London, p 268
Rich J (2015) Beyond cookies: privacy lessons for online advertising. AdExchanger Industry Preview. https://www.ftc.gov/public-statements/2015/01/beyond-cookies-privacy-lessons-online-advertising-adexchanger-industry
Saikali A (2012) Federal data breach notification laws. Data Security Law Journal. http://www.datasecuritylawjournal.com/2012/05/06/federal-data-breach-notification-laws/
Singer N (2013) Data protection laws, an ocean apart. New York Times. http://www.nytimes.com/2013/02/03/technology/consumer-data-protection-laws-an-ocean-apart.html?mcubz=0
Solove DJ, Hartzog W (2014) The FTC and the new common law of privacy. Columbia Law Rev 114:583
Sotto LJ, Simpson AP (2014) United States. In: Jay RP (ed) Data protection & privacy in 26 jurisdictions worldwide, 2nd edn. Gideon Roberton 191. https://www.hunton.com/files/Publication/1f767bed-fe08-42bf-94e0-0bd03bf8b74b/Presentation/PublicationAttachment/b167028d-1065-4899-87a9-125700da0133/United_States_GTDT_Data_Protection_and_Privacy_2014.pdf
Stanger AJ (2005) Document destruction after Enron: interpreting the New Sarbanes-Oxley Obstruction Statutes. U.C. Davis Bus Law J 5:13. http://blj.ucdavis.edu/archives/vol-5-no-2/document-destruction-after-enron.html
Stevens G (2010) Federal Information Security and Data Breach Notification Laws, Congressional Research Service. https://fas.org/sgp/crs/secrecy/RL34120.pdf
Surette EC. Liability of business to governments and consumers for breach of data security for consumers information. 1 A.L.R. 7th 2
Swire PP, Ahmad K (2012) Foundations of information privacy and data protection. International Association of Privacy Professionals, Portsmouth, p 4
Swire P, Kennedy-Mayo D (2017) How both the EU and the U.S. are “Stricter than Each Other for the Privacy of Government Requests for Information”. Emory Law J 55:617
Terry N (2017) Existential challenges for health care data protection in the United States. Ethics Med Public Health 3:19
Toner A (2017) With new browser tech, Apple preserves privacy and Google preserves trackers. Electronic Frontier Foundation. https://www.eff.org/deeplinks/2017/06/with-new-browser-tech-apple-preserves-privacy-google-preserves-trackers
Tosi RM, Bishop LS, Allensworth RB (2016) Proactive protection of consumers or premature penalty? Consumer Financial Protection Bureau bucks the trend in data security breach cases. K&L Gates Blog. http://www.klgates.com/proactive-protection-of-consumers-or-premature-penalty%2D%2D-consumer-financial-protection-bureau-bucks-the-trend-in-data-security-breach-cases
Ware WH (1973) Records, computers, and the rights of citizens. RAND. https://www.rand.org/content/dam/rand/pubs/papers/2008/P5077.pdf
Young DR (2001) Advising the corporate client on the duty to preserve electronic evidence. Farella Braun. http://www.fbm.com/files/Publication/523409e0-08a9-4ca6-8699-7ac3fa6b9e29/Presentation/PublicationAttachment/64095eae-b207-4ace-963c-7adb25385948/E4C58E30-9D15-4950-9AC8-30CCB4BE9A72_document.pdf
Zetter K (2014) The Feds cut a deal with in-flight Wi-Fi providers and privacy groups are worried. WIRED. https://www.wired.com/2014/04/gogo-collaboration-feds
Copyright information
© 2020 Springer Nature Switzerland AG
About this chapter
Cite this chapter
Boyne, S.M. (2020). Data Protection in the United States: U.S. National Report. In: Moura Vicente, D., de Vasconcelos Casimiro, S. (eds) Data Protection in the Internet. Ius Comparatum - Global Studies in Comparative Law, vol 38. Springer, Cham. https://doi.org/10.1007/978-3-030-28049-9_17
DOI: https://doi.org/10.1007/978-3-030-28049-9_17
Publisher Name: Springer, Cham
Print ISBN: 978-3-030-28048-2
Online ISBN: 978-3-030-28049-9
eBook Packages: Law and Criminology, Law and Criminology (R0)