6.4.1: Information Privacy in the U.S.

Last updated
Save as PDF

Page ID: 89381

\( \newcommand{\vecs}[1]{\overset { \scriptstyle \rightharpoonup} {\mathbf{#1}} } \) \( \newcommand{\vecd}[1]{\overset{-\!-\!\rightharpoonup}{\vphantom{a}\smash {#1}}} \)\(\newcommand{\id}{\mathrm{id}}\) \( \newcommand{\Span}{\mathrm{span}}\) \( \newcommand{\kernel}{\mathrm{null}\,}\) \( \newcommand{\range}{\mathrm{range}\,}\) \( \newcommand{\RealPart}{\mathrm{Re}}\) \( \newcommand{\ImaginaryPart}{\mathrm{Im}}\) \( \newcommand{\Argument}{\mathrm{Arg}}\) \( \newcommand{\norm}[1]{\| #1 \|}\) \( \newcommand{\inner}[2]{\langle #1, #2 \rangle}\) \( \newcommand{\Span}{\mathrm{span}}\) \(\newcommand{\id}{\mathrm{id}}\) \( \newcommand{\Span}{\mathrm{span}}\) \( \newcommand{\kernel}{\mathrm{null}\,}\) \( \newcommand{\range}{\mathrm{range}\,}\) \( \newcommand{\RealPart}{\mathrm{Re}}\) \( \newcommand{\ImaginaryPart}{\mathrm{Im}}\) \( \newcommand{\Argument}{\mathrm{Arg}}\) \( \newcommand{\norm}[1]{\| #1 \|}\) \( \newcommand{\inner}[2]{\langle #1, #2 \rangle}\) \( \newcommand{\Span}{\mathrm{span}}\)\(\newcommand{\AA}{\unicode[.8,0]{x212B}}\)

U.S. Privacy Laws

The United States is notable for not having adopted a comprehensive information privacy law, but rather having adopted limited sectoral laws in some areas like the California Consumer Privacy Act (CCPA).^[3]

These laws are based on fair information practice guidelines developed by the U.S. Department for Health, Education and Welfare (HEW) (later renamed Department of Health & Human Services (HHS)), by a Special Advisory Committee on Automated Personal Data Systems, under the chairmanship of computer pioneer and privacy pioneer Willis H. Ware. The report submitted by the Chair to the HHS Secretary titled "Records, Computers and Rights of Citizens (07/01/1973)",^[4]^[5] proposes universal principles for the privacy and protection of consumer and citizen data:

For all data collected, there should be a stated purpose.
Information collected from an individual cannot be disclosed to other organizations or individuals unless specifically authorized by law or by consent of the individual.
Records kept on an individual should be accurate and up to date.
There should be mechanisms for individuals to review data about them, to ensure accuracy. This may include periodic reporting.
Data should be deleted when it is no longer needed for the stated purpose.
Transmission of personal information to locations where "equivalent" personal data protection cannot be assured is prohibited.
Some data is too sensitive to be collected, unless there are extreme circumstances (e.g., sexual orientation, religion).

Data privacy is not highly legislated or regulated in the U.S.^[20] In the United States, access to private data contained in, for example, third-party credit reports may be sought when seeking employment or medical care, or making automobile, housing, or other purchases on credit terms. Although partial regulations exist, there is no all-encompassing law regulating the acquisition, storage, or use of personal data in the U.S. In general terms, in the U.S., whoever can be troubled to key in the data, is deemed to own the right to store and use it, even if the data was collected without permission, except to any extent regulated by laws and rules such as the federal Communications Act's provisions, and implementing rules from the Federal Communications Commission, regulating use of customer proprietary network information (CPNI). For instance, the Health Insurance Portability and Accountability Act of 1996 (HIPAA), the Children's Online Privacy Protection Act of 1998 (COPPA), and the Fair and Accurate Credit Transactions Act of 2003 (FACTA), are all examples of U.S. federal laws with provisions which tend to promote information flow efficiencies.

The Supreme Court interpreted the Constitution to grant a right of privacy to individuals in Griswold v. Connecticut.^[21] Very few states, however, recognize an individual's right to privacy, a notable exception being California. An inalienable right to privacy is enshrined in the California Constitution's article 1, section 1, and the California legislature has enacted several pieces of legislation aimed at protecting this right. The California Online Privacy Protection Act (OPPA) of 2003 requires operators of commercial web sites or online services that collect personal information on California residents through a web site to conspicuously post a privacy policy on the site and to comply with its policy.

The safe harbor arrangement was developed by the United States Department of Commerce in order to provide a means for U.S. companies to demonstrate compliance with European Commission directives and thus to simplify relations between them and European businesses.^[22]

Recently, lawmakers in several states have proposed legislations to change the way online businesses handle user information. Among those generating significant attention are several Do Not Track legislations and the Right to Know Act (California Bill AB 1291). The California Right to Know Act, if passed, would require every business which keeps user information to provide its user a copy of stored information when requested.^[23] The bill faced heavy oppositions from trade groups representing companies such as Google, Microsoft, and Facebook, and failed to pass.^[24]

On June 28, 2018 California legislature passed AB 375, the California Consumer Privacy Act of 2018, effective January 1, 2020.^[25] If the law is not amended before it becomes effective, The California Consumer Privacy Act, AB. 375 — gives California residents an array of new rights, starting with the right to be informed about what kinds of personal data companies have collected and why it was collected.

Adapted from:
"Information privacy law" by Multiple Contributors, Wikipedia is licensed under CC BY-SA 3.0