There is no single overarching federal statute governing the acquisition, use, and handling of someone's personal information by any and all businesses and institutions; however, laws applicable to certain types of information or institutions, including Federal government agencies, do exist. Some of these follow.
Find the text of these statutes and regulations in the Federal Digital System at http://www.gpo.gov/fdsys/browse/collectionUScode.action?collectionCode=USCODE (for the United States Code) and http://www.gpo.gov/fdsys/browse/collectionCfr.action?collectionCode=CFR (for the Code of Federal Regulations).
Children's Online Privacy Protection Act (COPPA) and Rule - 15 USC §§ 6501-6506 and 16 CFR Part 312 – “Applies to operators of commercial Web sites and online services (including mobile apps) directed to children under 13 that collect, use, or disclose personal information from children, and operators of general audience Web sites or online services with actual knowledge that they are collecting, using, or disclosing personal information from children under 13.” Requires privacy policies and notice and parental consent before collection of personal information from children. Personal information includes, for example, name, address, email address, user name, phone number, SSN, photos, videos, and audiofiles. See http://business.ftc.gov/privacy-and-security/children's-online-privacy and http://www.business.ftc.gov/documents/0493-Complying-with-COPPA-Frequently-Asked-Questions#General%20Questions.
Driver's Privacy Protection Act of 1994 - 18 USC §§ 2721-2725 - Limits disclosure of personal information in state motor vehicle records. Personal information includes a driver’s license number, name, address, and telephone number, but not accidents, violations, or status as a driver.
Electronic Communications Privacy Act - 18 USC §§ 2510-2522, 2701-2712, 3121-3127, 1367 – Prohibits interception of wire, oral, or electronic communications, including emails, and prohibits disclosure of such information obtained illegally. Also prohibits intentional access to stored communications, such as emails on a server. The level of protection given depends on a number of factors. Exceptions include consent and law enforcement purposes, and with respect to employee and employer relationships, the consent is often given in a blanket. In general, employers can often access their employees’ communications on employer-provided devices. See http://it.ojp.gov/default.aspx?area=privacy&page=1285, https://www.privacyrights.org/fs/fs18-cyb.htm, and https://www.privacyrights.org/workplace-privacy-and-employee-monitoring.
Fair Credit Reporting Act (FCRA) – 15 USC §§ 1681-1693r - regulates how consumer reporting companies can collect, use and disseminate information about consumers. See http://www.consumer.ftc.gov/articles/pdf-0096-fair-credit-reporting-act.pdf and http://www.ftc.gov/enforcement/rules/rulemaking-regulatory-reform-proceedings/fair-credit-reporting-act.
Family Educational Rights and Privacy Act of 1974 (FERPA) - 20 USC § 1232g - regulations at 34 CFR Part 99 - prohibits educational institutions receiving federal funding from disclosing student personally identifiable information absent written parental consent. Information such as a name, address, and telephone number may be disclosed if the institution provides notice of the type of such information it may publish, and permits a parent or student to opt-out of publication. See http://www2.ed.gov/policy/gen/guid/fpco/ferpa/index.html.
Federal Privacy Act of 1974 - 5 USC § 552a - regulates how federal agencies handle records containing personally identifying information (like names, photographs, and SSNs of individuals), prohibits disclosure of such records without consent (with some exceptions), and permits individuals to access and request correction of records containing their personal information. See http://www.justice.gov/opcl/privacy-act-1974.
Freedom of Information Act (FOIA) – 5 USC § 552 – mandates disclosure of Federal government records upon request, absent an exemption or exclusion. One of the exemptions consists of “personnel and medical files and similar files the disclosure of which would constitute a clearly unwarranted invasion of personal privacy.” See http://www.foia.gov/about.html and http://www.justice.gov/oip/exemption6.htm.
Gramm-Leach-Bliley Act (GLBA) – 15 USC §§ 6801-6809 - regulations regarding privacy and safegurads at 12 CFR Parts 313, 314, and 364 App. B - limits financial institutions’ ability to share a person’s personal financial information and describes how financial institutions must respond to data security breaches. See http://business.ftc.gov/privacy-and-security/gramm-leach-bliley-act.
Health Insurance Portability and Accountability Act of 1996 (HIPAA) - Standards for Privacy of Individually Identifiable Health Information and Security Standards for the Protection of Electronic Protected Health Information - 45 CFR Parts 160 & 164 - protects the security and confidentiality of individually identifiable health information. Covers health plans, health care clearinghouse and health care providers who conduct certain financial and administrative transactions electronically. Requires notice of privacy policies and security breaches. See http://www.hhs.gov/ocr/privacy/.
Section 5 of the Federal Trade Commission Act – 15 USC § 45 - prohibits unfair or deceptive acts or practices. Failure to provide adequate security for sensitive customer information and a resulting security breach causing harm could constitute a violation of the Act. See http://www.ftc.gov/enforcement/statutes/federal-trade-commission-act. See page 24 of the FTC report titled Protecting Consumer Privacy in an Era of Rapid Change: Recommendations For Businesses and Policymakers, available at http://www.ftc.gov/news-events/press-releases/2012/03/ftc-issues-final-commission-report-protecting-consumer-privacy.
This summary was prepared by librarians for informational purposes only, and is not intended to provide legal advice.
PO Box 110571
Juneau AK 99811-0571
395 Whittier Street
Juneau AK 99801