Existing U.S. Federal Laws Concerning Information Practices and Privacy
A number of U.S. laws address various information practices and the privacy of consumers’ personally identifiable information, in both the online and the offline worlds. These laws provide a solid legal framework through which agencies, such as the Federal Trade Commission, take enforcement actions to ensure that companies accurately represent their information management practices and that consumers’ personal information is not misused.(9) The following list generally describes some of the statutes that pertain to privacy in the United States.(10)
The Federal Trade Commission Act
The Federal Trade Commission Act, 15 U.S.C. § 41, et seq., empowers the FTC to prevent unfair methods of competition and unfair or deceptive acts or practices in or affecting commerce. Pursuant to this mandate, the FTC can take action against companies that fail to comply with their own privacy policies or otherwise misrepresent their information management practices. The FTC also can address unfair misuse of personal information where the practice (a) inflicts substantial harm on consumers that they cannot reasonably avoid and (b) does not offer offsetting benefits to consumers or competition. 15 U.S.C. § 45(n).
Title V of the Gramm-Leach-Bliley Act (GLBA)
Section A of Title V of the GLBA, 15 U.S.C. § 6801, et seq., enacted in 1999, contains privacy provisions relating to consumers’ personal financial information.(11) These provisions restrict when financial institutions may disclose a consumer’s personal financial information to nonaffiliated third parties. Financial institutions are required to provide notices to their customers about their information-collection and information-sharing practices. Financial institutions also must provide consumers with an opportunity to “opt-out,” i.e., to stop the financial institution from sharing information with nonaffiliated third parties.(12) The GLBA also prohibits financial institutions from disclosing consumers’ account numbers to nonaffiliated third parties for use in marketing (unless the disclosure falls within certain specific exceptions). In addition, the Act prohibits any person from using false pretenses to obtain customer information from either the financial institution or the consumer — an abusive practice referred to as “pretexting.”
The Children’s Online Privacy Protection Act (COPPA)
The COPPA, 15 U.S.C. § 6501, et seq., was enacted in 1998 to protect the personal information of children under the age of 13 that is collected online.(13) The Act applies to operators of commercial websites if the site is directed to children under the age of 13 or if the operators knowingly collect information from children under the age of 13. The Act prohibits website operators from collecting, using, or disclosing a child’s personally identifiable information without first providing notice to the parent and obtaining verifiable parental consent. Upon request, website operators must provide parents with access to specific personal information collected from their children and an opportunity to prevent the further use of that personal information or the future collection of information from their children.
Identity Theft and Assumption Deterrence Act of 1998 (Identity Theft Act)
The Identity Theft Act, 18 U.S.C. § 1028, 1028(a)(7), made it a federal crime to knowingly transfer or use, “without lawful authority, a means of identification of another person with the intent to commit, or to aid or abet, any unlawful activity that constitutes a violation of federal law, or that constitutes a felony under any applicable state or local law.” Federal law enforcement agencies, including the U.S. Secret Service, FBI, U.S. Postal Inspection Service, and Social Security Administration’s Inspector General, investigate violations of the Act. The U.S. Department of Justice prosecutes federal identity theft cases.
The Act directed the FTC to establish the federal government’s primary database to collect consumer/victim reports on identity theft.(14) The FTC collects victim complaints and refers them to the appropriate law enforcement agencies for further action. The FTC also provides information to victims to assist them in resolving financial and other problems that result from this crime. In addition, the FTC develops and disseminates consumer education materials for victims of identity theft and those concerned with preventing this crime.(15)
The Health Insurance Portability and Accountability Act of 1996 (HIPAA)
The HIPAA, 42 U.S.C. § 1320d, et seq., and regulations issued by the Department of Health and Human Services (HHS) create standards to protect the privacy of individuals’ personal health information.(16) The regulations apply to health plans, health care clearinghouses, and health care providers who transmit health information in electronic transactions. With certain exceptions, covered entities are required to provide notice to individuals of all uses and disclosures of personally identifiable health information, obtain consent before using or disclosing that information, and provide individuals with access to the health information that has been collected about them.
The Cable Communications Policy Act of 1984
The Cable Communications Policy Act of 1984, 47 U.S.C. § 551, restricts the collection, maintenance, and dissemination of subscriber information. More specifically, the Act restricts cable operators from using the system to collect personally identifiable information from consumers without prior notice and consent, which must be granted either electronically or in a written format. The Act also prohibits disclosure of personally identifiable information to third parties without consent (except for government requests pursuant to court order, or disclosures necessary for the fulfillment of cable services). Cable subscribers retain the right to inspect and correct errors in the database.
The Fair Credit Reporting Act (FCRA)
The FCRA, 15 U.S.C. § 1681, et seq., first enacted in 1970 and most recently amended in 1996, is designed to promote the accuracy and ensure the privacy of the sensitive financial information contained in consumer credit reports. The FCRA applies to credit reporting agencies, as well as furnishers and users of credit data. The Act allows credit bureaus to disclose consumer credit reports only to entities that have permissible purposes. The FCRA also provides consumers with the ability to access and correct information in their credit reports. In addition, consumers may opt out of receiving prescreened offers (i.e., firm, pre-approved offers of credit that are made based on information contained in their consumer reports).
The Federal Videotape Privacy Protection Act
The Federal Videotape Privacy Protection Act, 18 U.S.C. § 2710, enacted in 1988, addresses information about consumers’ videotape purchases and rentals. The Act requires companies that sell or rent videotapes to obtain written consent from consumers to disclose the consumers’ personally identifiable information (i.e., information that identifies the consumer as having requested or obtained specific video material or services). Companies may disclose lists of consumer names and addresses only if they first give consumers an opportunity to opt out of such information disclosure.