
U.S. Privacy Law

From lawbrain.com

U.S. privacy law is concerned with the protection and preservation of the privacy rights of its citizens.



The United States (U.S.) does not currently have an overarching privacy law. The privacy laws of the U.S. follow a sectoral approach.  Laws are developed and enforced for a specific industry sector and protect only certain types of information.  Additionally, many of the privacy codes of practice that are followed are not developed by the government, but instead by companies or industry bodies.

Recent Developments

August 2010 - The Defense Advanced Research Projects Agency (DARPA),[1] the research and development office for the U.S. Department of Defense, unveiled a new set of privacy principles.[2]  The principles will help to address various privacy implications that arise during the research and development of new technologies at DARPA.  An internal privacy ombudsman will be assigned for the agency and an independent privacy review panel will be created.

April 2010 - The Federal Trade Commission (FTC) announced that it plans to develop guidelines specific to internet privacy. This comes after much pressure from privacy advocates and lawmakers, who have demanded that consumer information be protected against the abuses of social networks, search engines and location tracking on cellphones.[3]

Information Privacy Principles

In the U.S., the Federal Trade Commission (FTC) has established a set of fair information practice principles, compiled from both national and international guidelines and model codes.  These principles are provided so organizations have guidance when developing a policy on personal data collection and use. 

The information privacy principles of the FTC include:

  • Principle 1: Notice/Awareness
  • Principle 2: Choice/Consent
  • Principle 3: Access/Participation
  • Principle 4: Integrity/Security
  • Principle 5: Enforcement/Redress
  •   5a: Self-Regulation
  •   5b: Private Remedies
  •   5c: Government Enforcement

The FTC designates children's personal information as a special set of information that must be handled in a separate manner. 

The information privacy principles with regard to children's personal data include:

  • Principle 1: Parental Notice/Awareness and Parental Choice/Consent
  • Principle 2: Access/Participation and Integrity/Security

Cross-Border Data Flow

  • U.S. - EU Safe Harbor Framework[4]

Under the EU Data Protection Directive (95/46/EC), EU member states cannot transfer data to those countries that do not meet "adequate" data protection requirements.  The U.S. is one of the countries that does not meet this requirement.  In order to get around this requirement, the U.S. Department of Commerce, together with the European Commission, developed a Safe Harbor framework.  The Safe Harbor Framework principles require U.S. organizations to offer specific rights to their European data subjects.  These rights include being informed about the purpose of the data collection; the ability to access, change or delete inaccurate information; and the ability to opt out of third-party disclosure or of use for purposes other than the original collection purpose.  These requirements are based on fair information practices. U.S. organizations following the Safe Harbor Framework must self-certify annually with the Department of Commerce.

Oversight: Federal Trade Commission (FTC), Department of Transportation (DOT), Department of Commerce.

  • U.S. - Switzerland Safe Harbor Framework[5]

The Department of Commerce and the Federal Data Protection and Information Commission of Switzerland established a data protection framework in order for Switzerland to transfer data to the U.S.  The steps for self-certification under the U.S.-Swiss Safe Harbor Framework are identical to those taken under the U.S.-EU Safe Harbor Framework.


U.S. Constitution

There is no explicit right to privacy in the United States Constitution.[7]

Bill of Rights, Amendment 1, 3, 4, 5 & 9

  • 1st Amendment: privacy of beliefs[8]
  • 3rd Amendment: privacy of home against demand of use by soldiers
  • 4th Amendment: privacy of person, home, papers from unreasonable search & seizure
  • 5th Amendment: privacy of personal information with regard to self-incrimination [see Boyd v. U.S., 116 U.S. 616 (1886)][9]
  • 9th Amendment: privacy not covered by other Amendments [see Griswold v. Connecticut, 381 U.S. 479 (1965)][10]

Federal Law

Health Care

Health Insurance Portability and Accountability Act (HIPAA)

An amendment to the Employee Retirement Income Security Act of 1974 (ERISA), the Health Insurance Portability and Accountability Act (HIPAA)[11] specifically addresses the privacy of health information. It requires the U.S. Department of Health and Human Services (HHS) to adopt national standards (known as HIPAA Rules) specific to electronic health care information transactions.  HIPAA establishes a minimum standard, whereas states are able to develop more rigorous requirements, as long as they are in compliance with HIPAA.

Oversight: U.S. Department of Health & Human Services (HHS), state attorneys general

Health Information Technology for Economic and Clinical Health Act (HITECH)

The Health Information Technology for Economic and Clinical Health Act (HITECH)[12] is part of the American Recovery and Reinvestment Act of 2009 (ARRA).  HITECH broadens the scope of privacy and security protections already available under the Health Insurance Portability and Accountability Act (HIPAA).  This law also increases the potential legal liability for non-compliance and provides for more enforcement. HITECH requires data breach notification for unauthorized uses and disclosures of "unsecured PHI" (unencrypted).  These breach notification requirements are similar to most state data breach laws related to personally identifiable information.  For those health providers with an electronic health record (EHR) system in place, patients have a right to access their electronic personal health information (ePHI).  The patient can also have their records sent to a third party for a fee that is equal to the labor cost to produce them.  Additionally, under HITECH, business associates (e.g. accounting firms, billing agencies, law firms) of those organizations subject to HIPAA (e.g. health care providers, pharmacies) are now subject to the same data privacy and security requirements, including the civil and criminal penalties, as the HIPAA-regulated organizations they work with.

Genetics Research

Genetic privacy has been an issue in recent years. Cloning, a form of genetic engineering, is a process by which cells are isolated from an organism through a biopsy and cultured under laboratory conditions. They grow and divide, producing new cells identical to the original cells. With the exception of sperm and egg cells, cloning from even a single cell of a mammal is possible because every cell in the organism contains a complete set of genes necessary to make an identical copy. Unlike artificial fertilization and other modern methods of conception, cloning requires just one parent. In July 2001, the House of Representatives passed the Weldon-Stupak bill, which criminalizes cloning in humans, whether for reproductive or research purposes. This bill was introduced in the Senate as the Brownback-Landrieu bill and was endorsed by President George H.W. Bush. Senator Sam Brownback (R-KS) reintroduced legislation in 2003 that would ban all human cloning, including somatic cell nuclear transfer, also known as therapeutic cloning. The Human Cloning Prohibition Act of 2003[13] reintroduced language from Brownback's prior bill that ended in a Senate stalemate in the 107th Congress.  Another version, the Human Cloning Prohibition Act of 2009, was introduced and was last referred to the House Subcommittee on Crime, Terrorism and Homeland Security.[14]

The privacy issues associated with genetics have led to various legal disputes. The lawsuits over genetic research and testing concern matters such as the taking of the blood or tissue; the use of the blood or tissue; the distribution of the blood or tissue; the use of previously acquired samples of blood or tissue to conduct new tests; and whether a gene can receive patent protection. One of the more emotional issues associated with genetic testing is the testing of persons without their consent. In Norman-Bloodsaw v. Lawrence Berkeley Laboratory, a research lab under the U.S. Department Of Energy was sued for secretly testing certain employees.

Norman-Bloodsaw began in 1994 when Marya Norman-Bloodsaw, a forty-one-year-old clerk in the accounting department of Lawrence Berkeley Laboratory, asked to see her medical records. When she inspected her records, Norman-Bloodsaw recognized the code for syphilis testing. Norman-Bloodsaw did not recall being told that she was being tested for syphilis, nor did she recall requesting such testing. At Norman-Bloodsaw's urging, several other employees consulted their own medical files and found that they too had been tested for genetic defects and other medical conditions without their knowledge or consent.

The secret testing seemed to establish a pattern of discrimination. Although the lab had tested all new employees for syphilis, African Americans and Latinos were re-tested for the disease. The lab also tested and re-tested its African American employees for sickle cell anemia, and women were tested regularly for pregnancy. White men were not re-tested for any diseases, except for white men who were married to black women, who were secretly tested for syphilis.

The lab testing by Lawrence Berkeley Laboratory allegedly constituted illegal discrimination and the violation of privacy rights. Vertis Ellis, a 47-year-old African American woman, for example, had been tested for sickle cell anemia and for pregnancy, but she had never requested the tests, authorized the tests, or received results from the tests. "I felt so violated," Ellis told U.S. News & World Report. "I thought, 'Oh, my God. Do they think all black women are nasty and sleep around?'" Norman-Bloodsaw, Ellis, and five other employees of Lawrence Berkeley Laboratories filed a class action suit against the lab, alleging violations of privacy and civil rights.

Lawrence Berkeley Laboratory, the oldest research lab in the country, argued that it was not liable because the employees had all agreed to receive comprehensive physical examinations. A defendant in the case, Thomas Budinger, a former medical director of the lab, defended the testing of African-Americans for syphilis. "[T]hat's where the prevalence of the disease is," Budinger explained to Hawkins. "How come only people over a certain age would get an EKG? See the logic?" The laboratory also denied that the testing was done in secret. According to attorney Douglas Barton, the lab posted test results on a wall in the exam room. The plaintiffs in the case disputed that assertion, and they argued that they had not agreed to repeated testing without their consent, but the federal district court in San Francisco dismissed the case. According to Judge Vaughn Walker of the federal trial court in San Francisco, the tests were administered as part of a comprehensive medical examination to which [the employees] had consented.

The plaintiffs appealed the dismissal of the case to the Ninth Circuit Court of Appeals. In February 1998, the federal appeals court reversed the ruling and remanded the case for trial. Norman-Bloodsaw v. Lawrence Berkeley Laboratory,[15] 135 F.3d 1260 (9th Cir. 1998). According to the appeals court, the testing violated constitutional privacy rights if the employees had not given their consent and there were no reasonable medical or public health needs that justified the testing. The testing also violated Title VII of the Civil Rights Act Of 1964 if the testing was conducted based on race and gender-specific traits. The appeals court put a stop to the testing and ordered the lab to delete all of the secret test results from the personnel files of the employees.

The Norman-Bloodsaw decision is important because it places some limits on the use of genetic testing of employees. Every year, genetic researchers are discovering new genetic predictors for diseases, and insurance companies may begin to base eligibility for their medical and life insurance policies on a person's genetic predisposition to diseases. If, for example, a person seeking insurance is genetically tested and found to have a predisposition for a fatal disease, the insurance company may wish to deny coverage.

DNA Identification Act (1994)

The DNA Identification Act[16] is a rider of the Violent Crime Control and Law Enforcement Act of 1994[17] which authorized the creation of the Combined DNA Index System (CODIS), a database controlled by the Federal Bureau of Investigation (FBI).  Genetic data creates privacy issues because it can serve as an identifier and can also convey sensitive personal information about the individual and his or her family.

Newborn Screening Saves Lives Act (2007)

The Newborn Screening Saves Lives Act[18] was enacted to amend the Public Health Service Act and to establish grant programs to provide for education and outreach on newborn screening and coordinated follow-up care once newborn screening has been conducted.  Essentially, this Act creates a national databank of newborn DNA.

Genetic Information Nondiscrimination Act (GINA)(2008)

The Genetic Information Nondiscrimination Act (GINA)[19] is a law that prohibits discrimination in employer hiring and prohibits insurance companies from denying coverage or charging higher premiums based on the results of genetic tests.  It also prevents the disclosure of genetic information, with some exceptions.


Alcohol and other drug testing is a form of employee surveillance that raises privacy questions in both the public and private sectors. Many legislators consider drug testing by urinalysis to be intrusive, and the practice has been regulated in at least 18 states. Three states require employers to demonstrate probable cause of illegal drug use before they can compel an employee to submit to urinalysis. Six states specify that employers can instigate drug testing only if they have reason to suspect an employee of illegal drug use. In general, however, no pervasive public policy against mandatory employee drug testing exists in either the public or private sector.

Drug testing in the workplace gained momentum in 1986 following a presidential commission report on drug abuse (America's Habit: Drug Abuse, Drug Trafficking, and Organized Crime). The commission recommended drug testing in both the public and private employment sectors. Based on this recommendation, President Ronald Reagan ordered drug testing for federal employees in positions that require a high degree of trust and confidence (Exec. Order No. 12,564, 3 C.F.R. 224 [1986][20]). Guidelines promulgated by the Department Of Health And Human Services established scientific and technical requirements concerning specimen collection, laboratory analysis, and interpretation of test results for the federal drug-testing program.

In response to this federal impetus, employers have dramatically increased drug testing of employees. Many state laws now encourage private employers to periodically test their employees for illegal drug use, and many private employers have asked their state legislatures to pass drug-testing laws. In the public sector, however, the U.S. Supreme Court has ruled that random drug testing of government employees constitutes a "search" that must comply with the requirements of the Fourth Amendment before it may be deemed legal (National Treasury Employees Union v. Von Raab, 489 U.S. 656, 109 S. Ct. 1384, 103 L. Ed. 2d 685 [1989]).

Children's Online Privacy Protection Act (COPPA)

Children's Online Privacy Protection Act (COPPA)[21] applies specifically to operators of commercial websites and online services and their collection of personal information from children under the age of 13.  In addition to posting a privacy policy on the website about their collection practices, parental consent is also required for these operators to collect children's personal information.  If consent is given, parents then have a right to access, change, delete or opt-out of third-party disclosure of their children's personal information.

Oversight: Federal Trade Commission (FTC), state attorneys general

Controlling the Assault of Non-Solicited Pornography and Marketing Act (CAN-SPAM)

The Controlling the Assault of Non-Solicited Pornography and Marketing Act (CAN-SPAM)[22] applies to anyone who advertises products or services via electronic mail.  The act prohibits false or misleading headers, deceptive subject lines and sending messages to individuals who requested not to receive future emails.  It also requires an opt-out function for future emails and that emails warn when sexually-oriented materials are found in the message.

Oversight: Federal Trade Commission (FTC)

Financial Sector

Gramm-Leach-Bliley Act (GLBA)

The Gramm-Leach-Bliley Act (GLBA)[23] applies to U.S. financial institutions and protects non-public financial information (e.g. personally identifiable financial information).  The law requires personal financial information to be stored securely, notice to be given regarding the policy of sharing, and consumers to be given the option to opt out of certain sharing of their personal financial information.

Oversight: Federal Trade Commission (FTC), state attorneys general

Fair Credit Reporting Act (FCRA)(1970)

Congress passed the Fair Credit Reporting Act of 1970 (FCRA)[24] (15 U.S.C.A. § 1681 et seq.) to prevent unreasonable and careless invasions of consumer privacy. The law permits employers, lenders, and other persons to obtain a copy of an individual's credit report for a legitimate business purpose. However, businesses may not request a credit report unless it is related to a transaction initiated by the consumer, such as a job interview or bank loan.

Commercial entities may not use credit reports for the purpose of marketing. Nor may a person or entity obtain a credit report through the use of false pretenses, fraud, or misrepresentation. The statute requires accurate and relevant data collection by organizations that compile consumer reports. It also authorizes consumers to review the information contained in their own credit reports and challenge inaccuracies. Credit bureaus have an obligation to correct any inaccuracies within a reasonable amount of time after learning of them.

Oversight: Federal Trade Commission (FTC), state attorneys general

Right to Financial Privacy Act (1978)

The Right to Financial Privacy Act of 1978[25] (12 U.S.C.A. § 3401 et seq.) entitles bank customers to a limited expectation of privacy in their financial records by requiring that law enforcement officials follow certain procedures before information can be disclosed. Unless a customer consents in writing to the disclosure of his financial records, a bank may not produce such records for government inspection unless ordered to do so by an administrative or judicial subpoena or a lawfully executed search warrant. Other formal written requests for bank records may be granted if they are made for a legitimate law enforcement purpose. The Right to Financial Privacy Act applies to credit unions, trust companies, and savings and loan institutions.


Family Educational Rights and Privacy Act (FERPA)

In 1974, Congress enacted the Family Educational Rights and Privacy Act (FERPA)[26] (20 U.S.C.A. § 1232g), which protects the privacy of student education records and gives parents the right to examine the scholastic records of their minor children (rights are transferred to the student when they turn 18 or attend college). Additionally, they can correct information in the record that is either inaccurate or misleading. The act broadly defines scholastic records to include all records, files, documents, and other materials containing information directly related to a student that are maintained by an educational agency or institution. FERPA permits only certain individuals to have access to student records, including other institution officials who have a legitimate scholastic interest in the records, such as teachers, principals, and student loan officers. Otherwise, a school must obtain written consent from the student or parent before disclosing any information contained in an educational record, although there are a few exceptions (e.g. subpoena request). The Family Educational Rights and Privacy Act applies to all public schools, including colleges and universities, and to private schools that receive federal funding from the U.S. Department of Education.

Oversight: U.S. Department of Education

Law Enforcement

Omnibus Crime Control and Safe Streets Act (1968)

The Omnibus Crime Control and Safe Streets Act of 1968[27] (18 U.S.C.A. § 2510 et seq.) governs the use of electronic surveillance in both the public and private sectors. In the public sector, the act outlines detailed procedures the federal government must follow before conducting any form of electronic surveillance. Pursuant to authorization by the U.S. attorney general or a specially designated assistant, federal law enforcement agents must make a sworn written application to a federal judge that specifically describes the location where the communications will be intercepted, the reasons for the interception, the expected duration of the surveillance, and the identity of those persons whose conversations will be monitored. The judge must then review the surveillance application to ensure that it satisfies each of the statutory requirements and establishes probable cause to justify electronic eavesdropping.

The Omnibus Crime Control and Safe Streets Act governs the use of electronic surveillance in the private sector as well. The act prohibits any person from intentionally using or disclosing information that has been knowingly intercepted by electronic or mechanical means without the consent of the interested person. Nearly 70 percent of all reported wiretapping involves divorce cases and child custody battles. Often, divorcing spouses, attempting to obtain embarrassing or discrediting information against one another, plant recording and listening devices throughout the marital home. Although most federal courts have ruled that the Omnibus Crime Control and Safe Streets Act applies to interspousal electronic surveillance, some courts have created a spousal immunity from civil liability under the act in an effort to preserve any remaining remnants of marital harmony.

This act also governs the use of electronic surveillance in the area of employment. A number of employers videotape employee movement throughout the workplace, search employees' computer files, monitor their telephone calls, and read their electronic mail. Courts have generally permitted employers to engage in such surreptitious snooping so long as it serves a legitimate and significant business purpose.

In the rest of the private sector, the Omnibus Crime Control and Safe Streets Act applies to information intercepted from telephone satellite unscrambling devices, cellular telephones, and pagers, as well as from traditional forms of electronic surveillance, such as telephone taps, microphones, and other bugging devices. However, the act does not cover information intercepted from pen registers, which record the telephone numbers of outgoing calls, or caller identification devices, which display the telephone numbers of incoming calls, because neither captures conversations of any sort. In addition, the act does not apply to information intercepted by videotape. In a 2001 decision, Commonwealth v. Rekasie,[28] 778 A.2d 624 (Pa. 2001), a Pennsylvania court held in a 4–3 decision that a defendant does not have a reasonable expectation of privacy in a telephone conversation from his home with a confidential police informant; therefore, the Commonwealth was not required to obtain a determination of probable cause before tape recording the conversation.

Electronic Communications Privacy Act (ECPA)(1986)

The Electronic Communications Privacy Act (ECPA)[29] (18 U.S.C. §2510-22) amended Title III of the Omnibus Crime Control and Safe Streets Act of 1968[30] (the “Wiretap Act”) to restrict wiretapping of electronic data transmissions as well as telephone communication.  ECPA prohibits employers from intercepting electronic communications and from accessing stored communications without authorization.  However, there are exemptions: (1) provider authorization and (2) employee consent.  Most companies use the provider authorization exemption to get around ECPA.  If the business provides the wire or electronic communication service, then it potentially has the "right" to access the communications transmitted and stored on such systems.  Some states do require employers to give notice to their employees of their electronic monitoring practices.

National Security

The Uniting and Strengthening America by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism Act (USA PATRIOT Act) (2001)

The Uniting and Strengthening America by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism Act (USA PATRIOT Act),[31] Pub. L. 107-54, 115 Stat. 272, introduced a plethora of legislative changes which significantly increased the surveillance and investigative powers of law enforcement agencies in the United States. The law even allowed financial institutions to share information with one another in order to identify and report activities involving money laundering and terrorist activities. The act does not, however, provide for the system of checks and balances that traditionally safeguards civil liberties in the face of such legislation. Legislative proposals in response to the terrorist attacks of September 11, 2001, were introduced less than a week after the attacks. President George W. Bush signed the final bill, the USA PATRIOT Act, into law on October 26, 2001. The act was a compromise version of the Anti-Terrorism Act of 2001 (ATA),[32] a far-reaching legislative package intended to strengthen the nation's defense against terrorism. The ATA contained several provisions vastly expanding the authority of law enforcement and intelligence agencies to monitor private communications and access personal information. The USA PATRIOT Act retains provisions appreciably expanding government investigative authority, especially with respect to the Internet. Those provisions address issues that are complex and implicate fundamental constitutional protections of individual liberty, including the appropriate procedures for interception of information transmitted over the Internet and other rapidly evolving technologies. The American Civil Liberties Union and various library and booksellers' organizations filed suit in October 2002 under the Freedom of Information Act (FOIA) seeking the disclosure of information concerning implementation of the controversial USA PATRIOT Act. 
The lawsuit covered some of the information the Justice Department withheld from the House Judiciary Committee in response to a set of detailed questions. A court ordered compliance with the FOIA; however, the government withheld many documents claiming national security interests.

Total Information Awareness (TIA) Program (2002)

The Total Information Awareness (TIA) program[33] was a federal program sponsored by the Department of Defense (DoD) designed to detect, classify, and identify foreign terrorists—and decipher their plans—and thereby enable the United States to take timely action to successfully preempt and defeat terrorist acts. To that end, the TIA program stated its objective as creating a counter-terrorism information system that: (1) increases information coverage by an order of magnitude and affords easy future scaling; (2) provides focused warnings within an hour after a triggering event occurs or an evidence threshold is passed; (3) can automatically queue analysts based on partial pattern matches and has patterns that cover 90% of all previously known foreign terrorist attacks; and (4) supports collaboration, analytical reasoning, and information sharing so that analysts can hypothesize, test, and propose theories and mitigating strategies about possible futures, so decision-makers can effectively evaluate the impact of current or future policies and prospective courses of action.

Critics of this program were outraged that the government implemented it. The DoD claimed to recognize American citizens' concerns about privacy invasions and that it had certain safeguards in place to prevent this and to ensure that data was protected and used only for lawful purposes. Funding for this program was stopped by Congress in 2003.[34] [35] [36] [37]

REAL ID Act (2005)

The REAL ID Act[38] was tacked on as a rider to the Emergency Supplemental Appropriations Act for Defense, the Global War on Terror, and Tsunami Relief in 2005.[39] The REAL ID Act creates a de facto national identification card for the U.S.  The act established new national standards, both technological and verification procedures, for state-issued driver's licenses and non-driver identification cards to be accepted by the federal government for official purposes, such as boarding commercially-operated airline flights, entering federal buildings and nuclear power plants.

State governments are divided over whether to adhere to the REAL ID Act.[40]  Certain states have passed statutes to prohibit the enactment of REAL ID.[41]


Freedom of Information Act (FOIA)(1966)

The Freedom of Information Act (FOIA)[42] (5 U.S.C.A. § 552 [1996]) contains limitations on the disclosure of agency information when such disclosure would constitute a "clearly unwarranted invasion of personal privacy." In most other instances, FOIA guarantees the right of Americans to request a copy of any reasonably identifiable record kept by a federal agency. However, the U.S. government may refuse to disclose certain sensitive information that relates to national security, foreign policy, or other classified areas. Persons who have requested information and been denied may challenge the decision in court. FOIA serves the twin purposes of protecting private and classified documents from disclosure while requiring the uninhibited exchange of all other information that is consistent with an open society and a democratic government.  This law covers all government records held by the Executive Branch of government, not just those that contain personal information.  FOIA does not apply to Legislative or Judicial records.  FOIA also does not apply to state or local governments; however, almost all state governments have their own FOIA statute in place.

The Driver's Privacy Protection Act (DPPA)(1994)

State departments of motor vehicles (DMVs) require drivers and automobile owners to provide personal information, which may include a person's name, address, telephone number, vehicle description, Social Security number, medical information, and photograph, as a condition of obtaining a driver's license or registering an automobile. Finding that many States sell this information to individuals and businesses for significant revenues, Congress enacted the Driver's Privacy Protection Act of 1994 (DPPA),[43] a rider of the Violent Crime Control and Law Enforcement Act,[44] which establishes a regulatory scheme that restricts the States' ability to disclose or use a driver's personal information without the driver's consent. States are required to get permission (opt-in) from individuals before their personal information is sold or released to third-party marketers by the DMV. Each state has adopted its own version of DPPA. In Reno v. Condon,[45] 528 U.S. 141 (2000), South Carolina and its attorney general brought suit alleging that the DPPA violates the Tenth and Eleventh Amendments to the U.S. Constitution. Concluding that the DPPA is incompatible with the principles of federalism inherent in the Constitution's division of power between the States and the federal government, the district court granted summary judgment for the State and permanently enjoined enforcement of the DPPA against the State and its officers. The Fourth Circuit affirmed, concluding that the Act violates constitutional principles of federalism. The Supreme Court ruled that the DPPA is a proper exercise of Congress' authority to regulate interstate commerce under the Commerce Clause, U.S. Const., Art. I, §8, cl. 3. The motor vehicle information which the States have historically sold is used by insurers, manufacturers, direct marketers, and others engaged in interstate commerce to contact drivers with customized solicitations. The information is also used in the stream of interstate commerce by various public and private entities for matters related to interstate motoring. Because drivers' personal, identifying information is, in this context, an article of commerce, its sale or release into the interstate stream of business is sufficient to support congressional regulation.

Oversight: state attorneys general

Critical Infrastructure Information Act (1978)

Privacy Act of 1974 (1974)

The Privacy Act of 1974[46] (5 U.S.C.A. § 522a) regulates the federal government's use of computerized databases containing information about U.S. citizens and legal residents.  The law requires the federal government to use fair information practices in the collection and use of information about U.S. citizens and is designed to prevent federal agencies from disclosing certain personal information contained in their records. In general, federal agencies may not release government records without first obtaining consent from the persons who are referred to in the records. Every individual maintains the right to inspect federal agency records, correct mistakes, and add important details. In the event that an individual's right is infringed under this law, he or she can sue the federal government for money damages or a court order directing the agency to obey the law.  There is an exemption with regard to law enforcement agencies and their activities with regard to citizen data. According to FindLaw.com, in 1905, Georgia became the first state to establish the tort of invasion of privacy. Now, the vast majority of U.S. jurisdictions allow civil actions for this claim.[47]

Oversight: U.S. Office of Management & Budget (OMB) develops guidelines agencies must use for implementation.

The Media

Restatement (Second) of Torts (1977)

Four privacy torts were inspired by “The Right to Privacy”[48] (1890). In 1960, William L. Prosser, Dean of the College of Law at UC Berkeley, published an article, "Privacy",[49] in the California Law Review. In the article, Prosser stated that the invasion-of-privacy tort was actually comprised of four distinct, but related, torts: intrusion, public disclosure of private facts, false light, and appropriation of a person's name or image for commercial use. Prosser was the Reporter of the Restatement (Second) of Torts,[50] which summarizes the general principles of tort law and was issued by the American Law Institute,[51] a group of legal professionals that work together in order to help clarify, modernize, and improve the law.

New York Civil Rights Law §§50-51 (1903)

New York passed the first privacy statute, New York Civil Rights Law §§50-51,[52] in the U.S. in 1903. This law was passed in response to Louis D. Brandeis and Samuel D. Warren's 1890 article called “The Right to Privacy”.[53] This statute prohibited the unauthorized use of an individual's name or picture for advertising or trade purposes.

California Anti-Paparazzi Act (1998)

The California Anti-Paparazzi Act[54] was sparked by Princess Diana’s death. It was the first anti-paparazzi statute in the U.S., and it includes restrictions on both physical and constructive invasions of privacy.

State Law


  1. http://www.darpa.mil/index.html
  2. http://www.darpa.mil/principles.html
  3. http://voices.washingtonpost.com/posttech/2010/04/ftc_says_it_is_creating_intern.html
  4. http://www.export.gov/safeharbor/eu/eg_main_018365.asp
  5. http://www.export.gov/safeharbor/swiss/eg_main_018498.asp
  6. http://www.privacyinternational.org/article.shtml?cmd[347]=x-347-559478
  7. http://www.archives.gov/exhibits/charters/constitution_transcript.html
  8. http://www.archives.gov/exhibits/charters/bill_of_rights_transcript.html
  9. http://laws.findlaw.com/us/116/616.html
  10. http://laws.findlaw.com/us/381/479.html
  11. http://hdl.loc.gov/loc.uscongress/legislation.104hr3103
  12. http://hdl.loc.gov/loc.uscongress/legislation.111hr1
  13. http://hdl.loc.gov/loc.uscongress/legislation.108s245
  14. http://hdl.loc.gov/loc.uscongress/legislation.111hr1050
  15. http://caselaw.findlaw.com/us-9th-circuit/1221888.html
  16. http://hdl.loc.gov/loc.uscongress/legislation.103hr3355
  17. http://hdl.loc.gov/loc.uscongress/legislation.103hr3355
  18. http://hdl.loc.gov/loc.uscongress/legislation.110s1858
  19. http://hdl.loc.gov/loc.uscongress/legislation.110hr493
  20. http://www.archives.gov/federal-register/codification/executive-order/12564.html
  21. http://www.ftc.gov/ogc/coppa1.htm
  22. http://hdl.loc.gov/loc.uscongress/legislation.108s877
  23. http://hdl.loc.gov/loc.uscongress/legislation.106s900
  24. http://www.ftc.gov/os/statutes/031224fcra.pdf
  25. http://caselaw.lp.findlaw.com/casecode/uscodes/12/chapters/35/toc.html
  26. http://www.law.cornell.edu/uscode/20/1232g.html
  27. http://www.fcc.gov/Bureaus/OSEC/library/legislative_histories/1615.pdf
  28. http://caselaw.findlaw.com/pa-supreme-court/1236820.html
  29. http://www.law.cornell.edu/uscode/18/usc_sup_01_18_10_I_20_119.html
  30. http://www.fcc.gov/Bureaus/OSEC/library/legislative_histories/1615.pdf
  31. http://hdl.loc.gov/loc.uscongress/legislation.107hr3162
  32. http://thomas.loc.gov/home/terrorleg.htm
  33. http://www.fas.org/irp/crs/RL31730.pdf
  34. http://w2.eff.org/Privacy/TIA/
  35. http://epic.org/privacy/profiling/tia/
  36. http://www.aclu.org/national-security/aclu-statement-terrorist-information-awareness-department-defense-technology-and-p
  37. http://www.aclu.org/technology-and-liberty/stunning-new-report-domestic-nsa-dragnet-spying-confirms-aclu-surveillance-wa
  38. http://hdl.loc.gov/loc.uscongress/legislation.109hr1268
  39. http://hdl.loc.gov/loc.uscongress/legislation.109hr1268
  40. http://www.ncsl.org/?tabid=13574
  41. http://www.realnightmare.org/news/105/
  42. http://www.justice.gov/oip/amended-foia-redlined-2010.pdf
  43. http://hdl.loc.gov/loc.uscongress/legislation.103hr3355
  44. http://hdl.loc.gov/loc.uscongress/legislation.103hr3355
  45. http://caselaw.lp.findlaw.com/scripts/getcase.pl?court=us&vol=000&invol=98-1464
  46. http://www.justice.gov/opcl/privstat.htm
  47. http://injury.findlaw.com/personal-injury/personal-injury-a-z/invasion-of-privacy.html
  48. http://www.spywarewarrior.com/uiuc/w-b.htm
  49. http://www.californialawreview.org/assets/pdfs/misc/prosser_privacy.pdf
  50. http://www.tomwbell.com/NetLaw/Ch05/R2ndTorts.html
  51. http://www.ali.org/
  52. http://books.google.com/books?id=AYUaAAAAYAAJ&pg=PA806#v=onepage&q=New%20York%20Civil%20Rights%20Law%20%C2%A7%C2%A750-51&f=false
  53. http://www.spywarewarrior.com/uiuc/w-b.htm
  54. http://codes.lp.findlaw.com/cacode/CIV/5/d3/3/s1708.8

FindLaw AHK, FindLaw Michelle, FindLaw Nira