*Federal Data Protection Laws*
While the Supreme Court has interpreted the Constitution to provide individuals with a right to privacy, this right generally guards only against government intrusions. Given the limitations in constitutional law, Congress has enacted a number of federal laws designed to provide statutory protections of individuals’ personal information. However, these statutory protections are not comprehensive in nature and primarily regulate specific industries and subcategories of data. These laws, which differ based on their scope, who enforces them, and their associated penalties, include:

  • Children’s Online Privacy Protection Act: provides data protection requirements for children’s information collected by online operators.
  • Communications Act of 1934: includes data protection provisions for common carriers, cable operators, and satellite carriers.
  • Computer Fraud and Abuse Act: prohibits the unauthorized access of protected computers.
  • Consumer Financial Protection Act: regulates unfair, deceptive, or abusive acts in connection with consumer financial products or services.
  • Electronic Communications Privacy Act: prohibits the unauthorized access or interception of electronic communications in storage or transit.
  • Fair Credit Reporting Act: covers the collection and use of data contained in consumer reports.
  • Federal Securities Laws: may require data security controls and data breach reporting responsibilities.
  • Federal Trade Commission (FTC) Act: prohibits “unfair or deceptive acts or practices.”
  • Gramm-Leach-Bliley Act: regulates financial institutions’ use of nonpublic personal information.
  • Health Insurance Portability and Accountability Act: regulates health care providers’ collection and disclosure of protected health information.
  • Video Privacy Protection Act: provides privacy protections related to video rental and streaming.

Of these laws, the FTC Act's prohibition of "unfair or deceptive acts or practices" (UDAP) is especially important in the context of data protection. The FTC has brought hundreds of enforcement actions on the theory that a company's data protection practices violated this prohibition. One well-settled principle in FTC practice is that companies are bound by their own data privacy and data security promises. Under the deception prong, the FTC has taken the position that a company acts deceptively when it handles personal information in a way that contradicts its posted privacy policy or other public statements, or when it fails to adequately protect personal information from unauthorized access despite promising that it would do so. Under the unfairness prong, the FTC has maintained that certain data protection practices are unfair even absent a broken promise, for example when a company sets default privacy settings that are difficult to change or retroactively applies a revised privacy policy to data collected under the old one. While the FTC's UDAP enforcement fills some of the statutory gaps in federal data protection law, its authority has limits. In contrast to many of the sector-specific laws listed above, the FTC Act does not require companies to adopt any specific data protection policies or practices, and its deception theory generally does not reach entities that have made no explicit promises concerning data protection.
