Salem Press


Privacy Rights in the Digital Age

Privacy laws, federal

by Charles E. MacLean

Federal privacy laws are a hodgepodge of statutes strewn throughout the U.S. Code, each controlling or protecting private data on individuals held by different agencies or for different purposes. They are not the single monolith one might expect.

The predominant federal protector of consumer privacy, both on- and offline, is the Federal Trade Commission (FTC). This essay will not attempt to synthesize all of the various federal privacy laws into a contrived single body of laws; instead, this essay identifies and briefly discusses a number of the key federal privacy laws most relevant to data in the digital age; the laws are presented in alphabetical order based on the acronym for each. Note that, although these are all federal privacy laws, many apply to state and even private actors depending on the circumstances. This essay does not address the many state-level privacy laws that endeavor to protect privacy within a state's boundaries.

CAN-SPAM

The Controlling the Assault of Non-Solicited Pornography and Marketing Act restricts collection and use of email addresses to disseminate or market unsolicited pornography and other products and services. CAN-SPAM forbids marketers from transmitting former subscriber information once that subscriber has opted out and forbids email address harvesting.

CFAA

The Computer Fraud and Abuse Act criminalizes acts whereby persons or entities gain unauthorized access to protected data and share those data with others. The CFAA also criminalizes distribution of malicious code, denial-of-service attacks, and trafficking in passwords and related nonpublic user information.

CIPA

The Children's Internet Protection Act requires schools and libraries to take precautions to prevent minors' access to harmful materials online and to take active steps to prevent unauthorized disclosure, use, or dissemination of personal information on minors. CIPA also requires covered entities to ensure the safety and security of children when using the entities' computers.

COPPA

The Children's Online Privacy Protection Act prohibits and penalizes certain online collection of private data on children under thirteen years of age, requires such data gatherers to secure parental permission before obtaining the data, and requires them to disclose to parents that they have gathered private data on the parents' children. The protected private data on children include name, address, email address, telephone number, and any other information enabling one to identify or contact a particular child. Private data on children that are tied to individually identifiable information are also protected, including children's hobbies, interests, and other information commonly collected on computer users by way of cookies.

ECPA

The Electronic Communications Privacy Act controls the privacy of electronic communications and prohibits interception of electronic communications unless the interceptor meets the requirements in the act. The act provides a range of protections for electronic communications, with some available subject to a mere subpoena, some available pursuant to a special court order, and others protected to the greatest degree by requiring a search warrant supported by probable cause. Under the ECPA, most, but not all, interceptions of electronic communications must be disclosed to the parties whose communications were intercepted.

FCRA

The Fair Credit Reporting Act limits the manner and circumstances in which persons or entities can collect, disseminate, and use private consumer information, including consumer credit information, rental history information, check-writing information, and certain medical records. The FCRA also requires that those holding private consumer information, including credit bureaus and credit reporting agencies, inform the subject if data they hold are used against the subject, inform the subject of the contents of the agencies' files, provide a credit score (where applicable), correct or delete inaccurate or incomplete data, provide a procedure for the subject to challenge the data, provide data to only a limited list of entities, have the subject's consent before releasing data to employers, and so on.

FERPA

The Family Educational Rights and Privacy Act controls student data, including grades, submitted work products, attendance records, and the like. All educational institutions that receive any federal funds are required to adhere to FERPA's student data protection requirements. Teachers and staff members at covered educational institutions cannot share private student data with anyone except the student; another teacher or staff member at the same institution, for an educational purpose and with the student's written consent; or law enforcement or others in an emergency.

FISA

The Foreign Intelligence Surveillance Act authorizes electronic surveillance, physical searches, pen registers, trap-and-trace devices, and access to business and banking records in investigations involving foreign intelligence, when and to the degree approved by the FISA court, a separate and quite secretive court created by the FISA statute.

FOIA

The Freedom of Information Act provides a path through which citizens and others can obtain data held or created by the government. Certain data held by the government are not accessible through FOIA, particularly to the extent they are relevant to ongoing national security interests or where disclosure would disseminate private data on individuals.

FTCA

The Federal Trade Commission Act authorizes the FTC to prosecute and punish or fine entities that have inadequate consumer data protection or data security policies, permit unauthorized dissemination of personal data, or fail to adhere to their posted privacy policies. In its role as lead federal watchdog agency over consumer data privacy, the FTC has found all the following data security practices wanting: transporting unencrypted data, retaining data in vulnerable formats, failing to restrict data access to employees with a “need to know,” failing to monitor for unauthorized computer system intrusions, and failing to destroy or purge personal data no longer needed for bona fide business purposes.

GLBA

The Gramm-Leach-Bliley Act regulates the dissemination by banks, insurance companies, brokerages, and other financial entities of nonpublic data on individuals. The GLBA also requires, in many instances, that such companies prominently disclose their privacy and data dissemination policies and take extensive precautions to prevent improper and nonconsensual disclosure of private data on individuals.

HIPAA

The Health Information Portability and Accountability Act controls medical, psychiatric, psychological, pharmaceutical, and dental patient records and information. In essence, HIPAA provides that private patient data cannot be released except to the patient or to others with the patient's express written consent. Given the immense growth in the percentage of patient data held electronically, and the susceptibility of much of that data to hackers, new data protections are likely to be imposed on those who hold such information by requiring them to take certain data safety precautions to avoid accidental dissemination and intentional hacking.

HITECH Act

The Health Information Technology for Economic and Clinical Health Act expanded incentives for healthcare providers to migrate patient data to digital platforms. Appreciating the enhanced risk to data privacy in that migration, the HITECH Act also dramatically increased the data privacy protections that had been codified in HIPAA and requires healthcare providers and their associates to notify patients promptly of any data breach.

PPA

The Privacy Protection Act prevents law enforcement officers from obtaining certain material from “publishers” who possess work products or documentary materials. Under the PPA, the investigator would have to give notice of intent to seize such materials prior to seizing them so that the publisher could interpose a motion to quash the request for disclosing those protected materials.

SCA

The Stored Communications Act, which is a subpart of the ECPA, protects electronic communications and other personal data, including IP addresses, subscriber names, and billing records, that are stored on service providers' equipment.

T3

Title III of the Omnibus Crime Control and Safe Streets Act of 1968 drastically curtails government interception of wire, oral, and electronic communications, frequently in the form of wiretaps. Title III provides an exhaustive and detailed procedure that prosecutors and investigators must follow before and after installing a wiretap on a subject's telephone or other communications device.

TPA

The Privacy Act is a wide-ranging act controlling federal surveillance and investigation of individuals. The act was a reaction to the growth in the sheer volume of private data on individuals that were maintained by federal agencies, particularly private data that were tracked by a common identifier, such as the subjects' Social Security numbers. The TPA prohibits dissemination of most private data on individuals without a signed consent from the subject.

USA FREEDOM Act

The Uniting and Strengthening America by Fulfilling Rights and Ensuring Effective Discipline Over Monitoring Act was adopted in 2015 in response to concerns about the National Security Agency's (NSA's) cellular telephony metadata program, which gathered phone call data involving over 200 million Americans over a period of several years.

USA PATRIOT Act

The Uniting and Strengthening America by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism Act modified the ECPA, T3, and FISA with respect to gathering electronic communications and other private data on individuals during the so-called War on Terror. It was supplanted in 2015 by the USA FREEDOM Act, which, among other things, transferred storage of seized telephone call data from the NSA to the individual private service providers.


Citation

MacLean, Charles E. "Privacy Laws, Federal." Privacy Rights in the Digital Age, edited by Christopher T. Anglim, JD. Hackensack: Salem Press, 2016. Salem Online, online.salempress.com/articleDetails.do?articleName=PRDA_0167.