PRIVACY LAW FAQs
These answers to frequently asked questions are general guidelines only and do not constitute legal advice. Please consult directly with an attorney for advice that applies to you.
Privacy law involves multiple legal frameworks. The term “right to privacy” did not even enter the American vernacular until 1890 when law partners Samuel D. Warren and Louis D. Brandeis (the future Supreme Court Justice) wrote an exceptionally forward-thinking Harvard Law Review article, appropriately titled “The Right to Privacy.” While not official law, the article helped to develop a foundation for the right to be let alone and other similar concepts like the right of public figures to control their images. However, no single U.S. law provides an all-encompassing right to privacy. If one asserts such a right, it depends entirely on the facts, the individual asserting the right, the category of information the individual seeks to protect and other considerations.
A. First, the Constitution may play a role in preventing unwanted search and seizure by government entities via the Fourth Amendment or protecting allegedly private information that was publicized as free speech via the First Amendment. In other instances, the Fourteenth Amendment right to due process has been invoked to protect a general right to privacy in marital affairs, child-rearing and a few other intimate relationships.
Further, some federal statutes particular to certain agencies or industries will protect the privacy of information to an extent. Many of these laws depend on whether an entity is disclosing personally identifiable information (“PII”), which is generally information that may identify or be linked to a specific individual, either by itself or when aggregated with other information. While the language of some privacy statutes may differ slightly, the identifiability factor is most widely applied as a trigger for protection. Additionally, some federal laws are only intended to give standing to particular categories of individuals. For example, the Children’s Online Privacy Protection Act (COPPA) provides for the protection of PII for children under the age of thirteen.
Residency is sometimes another determinant for standing in both the domestic and international contexts. Several U.S. states have passed their own statutes governing privacy, many of which provide more protection than similar federal laws and, in some instances, may preempt them. For instance, the California Consumer Privacy Act (CCPA) is the most protective privacy law, requiring online companies to provide Californians with more transparency and autonomy around the use of their personal data. While the law is specific to California residents, many of the ubiquitous “Big Tech” companies interact with those individuals and continue to implement more comprehensive data protection precautions for all users. Accordingly, the CCPA is often considered the most far-reaching privacy law overall. Regardless, this patchwork of state and federal laws contributes to significant confusion and uncertainty in novel situations, and most states have yet to establish their own laws in the absence of a comprehensive federal privacy law framework.
There are also four generally recognized “privacy torts,” the application of which varies state by state: 1) intrusion upon seclusion, 2) public disclosure of private facts, 3) false light and 4) appropriation of name, image or likeness. These torts are frequently in tension with the First Amendment.
A. The right of publicity is typically reserved for widely known figures like celebrities, whereas a right to privacy may be invoked more broadly to include average citizens. For example, the Estate of Dr. Martin Luther King, Jr. required licensing fees from the Alpha Phi Alpha Fraternity, Inc. to use his name and likeness on his monument in Washington, D.C. More specifically, the right to privacy is implicated by three of the previously mentioned torts.
First, intrusion upon seclusion may be invoked by any individual when information is obtained in an intrusive way that would be considered highly offensive to a reasonable person, like a neighbor sneaking up to another person’s window to listen to a virtual therapy session. Second, public disclosure of private facts permits recovery when a private matter is widely disclosed in a highly offensive manner, so long as that matter is not of legitimate public concern. This could be a reporter publishing an article about an ordinary citizen’s relationship troubles. Finally, false light provides redress for emotional distress caused by knowing or reckless disclosure of a private matter that places the matter in a highly offensive false light. For instance, this may involve a person vengefully posting a photograph of an ex-partner with an egregiously misleading caption on social media.
As for the right of publicity, it is generally encompassed by the tort of appropriation of name, image or likeness, reserving to public figures the opportunity to exploit the value of their reputation. The tort provides such individuals a remedy against entities who use their name, image or likeness without permission for commercial purposes, essentially permitting those individuals to control their public image, which may also include their voice or autograph. In several states, the right of publicity survives death, with varying lifespans of that right of survivorship per state.
Keep in mind, however, that the elements of both privacy and publicity torts vary in each jurisdiction based on common law interpretation.
A. There are several limitations on collecting consumer data, and some sort of notice is always required. Some federal laws govern the privacy of records in specific industries. For example, the Video Privacy Protection Act of 1988 makes providers of audiovisual material liable for disclosing rental or purchase information outside of standard business procedures. Similarly, the Cable Communications Policy Act of 1984 requires that cable operators have a written privacy policy statement and prohibits disclosing personal information without subscribers’ consent.
Given that virtually every company now does business online, Internet privacy is also of paramount concern. As a preliminary matter, the Electronic Communications Privacy Act protects electronically transmitted communications that are either intercepted in the course of conversation or stored on servers. However, this protection is limited to communications and does not extend to a broader swath of data. While federal anti-hacking laws like the Computer Fraud and Abuse Act criminalize unauthorized access to computers, civil liability for privacy breaches is typically enforced via privacy policies or notices.
Further, most federal laws are considered the “floor,” or minimum protection, for data privacy, and other state laws may provide additional safeguards. For instance, the California Consumer Privacy Act (CCPA) is considered one of the most stringent state privacy laws, comparable to the broadly sweeping General Data Protection Regulation (GDPR) in the European Union. Notably, on November 3, 2020, Californians voted in favor of the California Privacy Rights and Enforcement Act, expanding the CCPA by increasing restrictions on companies with California consumers, and applying them to most businesses with a significant online presence.
A. Although there is no general law requiring businesses to establish privacy policies, several federal statutes govern the issue in different categories. The Children’s Online Privacy Protection Act (COPPA) requires a privacy policy for any online company that collects information from children under the age of thirteen. The Gramm-Leach-Bliley Act requires financial institutions to list unambiguous statements about how they collect and share information. Most of these laws are enforced by the Federal Trade Commission and require that businesses provide users with the choice to opt out of sharing their information.
A. Users almost never read privacy policies, but they are important! Over the last 20 years, the Federal Trade Commission has been increasingly strict in its enforcement of clear and understandable privacy policies. While the European Union requires that companies obtain consent from users before sharing their information, privacy policies in the U.S. are generally less contractual in nature. Many privacy policies are often now referred to as “privacy notices,” a more appropriate name based on their function.
Therefore, it is crucial for anyone conducting business online to create a robust privacy policy, replete with disclosures about cookies, specific user rights and compliance with federal, state and possibly international laws. For a more comprehensive list of privacy policy recommendations, visit Susan Lutzker’s article here.
A. Cookies are pieces of data and/or metadata that are stored in individuals’ web browsers that serve numerous functions. They may be used to keep users logged in to certain websites without prompting them to enter a username and password. Some are used to track user activity and browser history. Others will automatically populate text boxes requesting information that users have provided before. Cookies from reputable websites are generally encrypted in an effort to maintain security precautions around personally identifiable information (“PII”), and the cookies themselves are not considered PII.
However, third-party cookies have consistently stirred controversy. Typically, cookies are set on the host website’s domain by the owner to track general activity. However, third-party cookies appear when other companies place content, like advertisements, on the host website. If a third-party company sets cookies on multiple websites, it may use browsing information from users who visit both pages and even sell that information to technology companies. This is why you may see the same targeted advertisements on different websites. Although users of most web browsers may alter their settings to decline cookies, most people do not because it would restrict access to the most user-friendly functions of websites. One would have to be “off the grid” in order to avoid tracking altogether.
However, the three most widely used web browsers — Safari, Firefox and Chrome — have either blocked or pledged to block third-party cookies in the future. On the other hand, some experts have opined that eliminating third-party cookies is merely a temporary solution for broader problems regarding online privacy, and companies are already proposing new tracking techniques. Additionally, there are many other ways in which companies may track personal data. For example, web beacons (also known as web bugs, clear GIFs, pixel tags and other synonyms) are used to track interactions on websites and emails. They cannot be declined directly, but they are almost always used in tandem with cookies, which may be blocked.
A. The most important distinctions stem from the General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA). While personal data involves information relating to any person, PII is more specifically information that can identify that person. Under the GDPR, personal data is simply information directly or indirectly relating to a person; under the CCPA, it is information reasonably capable of being associated with someone. While a name and address are clearly PII, cookies and IP addresses would be considered personal data. The November 3, 2020 amendments to the CCPA include a new category of “sensitive” personal information, including but not limited to geolocation data and race, that may or may not constitute PII.
A. It depends. Section 5 of the Federal Trade Commission (FTC) Act specifically prohibits commercially “unfair or deceptive acts or practices.” If a company’s privacy policy or notice is unclear as to whether it intends to sell your personal data to third parties, it may be subject to liability if it decides to sell that data under circumstances different from those under which the data was initially collected. Furthermore, a company may not retroactively change its privacy policy without first notifying consumers. For example, Facebook was forced to reach a settlement with the FTC after it changed its definition of what it considered publicly available information without notifying users.
Interestingly, the California Consumer Privacy Act (CCPA) provides a distinct right to California residents to opt out of the sale of personal data, and the November 3, 2020 amendment requires an opt-out provision for merely sharing that data. The California law requires all covered businesses to post an unambiguous link titled “Do Not Sell My Personal Information” in addition to their privacy policies. This is even more stringent than the General Data Protection Regulation (GDPR), which does not place universal restrictions on the sale of personal data.
A. Somewhat. The Children’s Online Privacy Protection Act (COPPA) provides that any website marketing to children under thirteen is required to post a clear privacy policy and obtain verifiable parental consent before sharing children’s information, among other requirements. There are many ways in which a website can obtain verifiable parental consent to avoid children “cheating” the system, such as a signed written consent form, credit card transaction or photo identification.
It is important to note that this does not apply to information shared by parents themselves. If a parent decides to wish their child a happy birthday on Facebook, that voluntarily shared information will not be subject to COPPA restrictions. However, a business or even a school should avoid sharing such personally identifiable information (“PII”), unless there is a clear and acceptable way of obtaining parental consent. For more information regarding children’s online privacy, see our blogs about parental sharing and education technology.
A. A right to privacy from government surveillance differs from a right to privacy from private action. In the case of government action, the most fundamental protection comes from the Fourth Amendment, which gives citizens a right to be secure from illegal searches and seizures. While Fourth Amendment jurisprudence is rife with complexities, an invasion of privacy is generally found when an individual has a reasonable expectation of privacy. Katz v. United States, 389 U.S. 347, 360 (1967). This standard depends entirely on the activity of the individual claiming the Fourth Amendment right. For example, there is no reasonable expectation of privacy in an area that can be seen from aerial photographs. Dow Chem. Co. v. United States, 476 U.S. 227, 238-39, 106 S. Ct. 1819, 1826–27 (1986). However, tracking cell site location information on a mobile device requires a warrant before surveilling it. Carpenter v. United States, 138 S. Ct. 2206, 2223 (2018). Of course, national security concerns may override these protections in the most exigent circumstances, such as when the government invokes the USA PATRIOT Act.
For private surveillance, such as an investigative reporter using a drone to film a newsworthy scene, the First Amendment right to free speech may outweigh privacy concerns. Regardless, when surveillance by a private party is unwarranted, individuals may rely on the tort of intrusion upon seclusion. For example, it is reasonable for a patron entering a football stadium to expect video surveillance for security purposes, but tracking a patron’s location during the game is a more questionable scenario. Many widely available consumer apps that people have come to depend upon, like Google Maps or keyless entry apps, constitute a form of surveillance. Although users should expect keyless entry apps to track their location when entering an office building, they may not realize they are being tracked elsewhere, and that unwanted intrusion may present justiciable questions of privacy law.
Furthermore, under the Electronic Communications Privacy Act (ECPA), any entity may record a two-sided conversation without permission. ECPA also applies to both the government and private parties, even when there is no reasonable expectation of privacy per the Fourth Amendment. However, state laws may require both parties to consent to recording, so it is important to be aware of the law in each jurisdiction.
A. The Health Insurance Portability and Accountability Act (HIPAA), established in 1996, is the federal law that regulates the privacy of health information. Except when information is disclosed to health care providers for an individual’s treatment, HIPAA requires that covered entities and their business associates (such as doctors and insurance carriers) make reasonable efforts to limit the disclosure of protected health information (“PHI”) to a minimal amount. PHI may include common personally identifiable information (“PII”), test results, medication and other records, whether past or present.
When disclosing PHI outside of treatment, payment or healthcare operations, covered entities and their business associates are required to obtain a patient’s written authorization. However, there are certain exceptions to authorization, such as public health emergencies, reporting spousal abuse and disclosure to law enforcement officials via court order. A covered entity may also be exempt from liability if the patient decides to disclose his or her own electronic health information to an app that is not operated by the covered entity, such as a fitness app. Any apps directed by hospitals or insurance companies still require patient consent prior to disclosure.
In the context of the COVID-19 pandemic, many have wondered if the pandemic itself qualifies as a public health emergency so as to permit disclosure of PHI when certain institutions, like schools or office buildings, deem it necessary. As a preliminary matter, virtually all contact tracing programs will notify individuals when they have come in possible contact with the virus without revealing any PHI. Furthermore, several of those programs also require individuals to opt in and volunteer their information. For a more comprehensive look at student privacy in K-12 schools and universities, see our blog regarding the intersection of HIPAA and the Family Educational Rights and Privacy Act (FERPA).
A. The European Union (EU) has promulgated the General Data Protection Regulation (GDPR), and U.S. companies must adhere to this rule when they collect information from any EU resident. If a French resident decides to provide personally identifiable information (“PII”) to a company based in the U.S., that company must comply with the GDPR regardless of whether it markets to EU residents. As long as residents of the EU can access a website, its owner must comply with EU law: the Internet knows no geographic boundaries.
If foreign companies establish subsidiaries in the U.S., they will be subject to the patchwork of U.S. privacy laws.
A. Yes, to an extent. Most individuals are aware of the “Do Not Call List” when it comes to telemarketers. Under the Telephone Consumer Protection Act, not only can individuals claim a right to privacy from marketing communications, but they can also sue for damages. Furthermore, the Controlling the Assault of Non-Solicited Pornography And Marketing Act of 2003 (CAN-SPAM Act) provides that while unsolicited marketing emails are legal, an individual has standing to sue if they opt out or unsubscribe and continue to receive emails.
You may have also heard that credit scores are used to create targeted advertisements, but that is not entirely true. A report published by The Intercept found that Facebook had been aggregating user information outside of credit reports—lists of friends, personal preferences from Facebook settings and information from affiliated applications—to target advertisements to users they believed to be creditworthy based on legally obtained information. However, even this practice is questionable based on the Fair Credit Reporting Act, enforced by the Federal Trade Commission and Consumer Financial Protection Bureau.
A. It would be irrational to expect lending institutions to grant loans without knowing the risks. Therefore, the Fair Credit Reporting Act (FCRA) permits consumer reporting agencies to furnish personally identifiable information (“PII”) in those circumstances. However, reporting agencies are required to maintain reasonable procedures to assure maximum accuracy, respond promptly to complaints of inaccuracies, abide by consumer requests and notify consumers of any adverse actions as a result of furnishing PII. Furthermore, consumers must consent when credit reports are used for employment purposes, and there are limits on including certain information like bankruptcies. Regardless, agencies failing to comply with FCRA requirements may be subject to civil liability.
Similarly, the Gramm-Leach-Bliley Act, a federal law aimed at allowing financial institutions to merge with one another, includes more privacy rules. First, it requires that financial institutions communicate clear privacy notices to consumers and appoint a primary privacy officer within the organization. Additionally, the notices must permit consumers to opt out of sharing financial information with unaffiliated third parties. Although financial institutions seemingly have more flexibility in sharing PII, they are constrained by numerous restrictions.
A. It depends entirely on the information, individual, jurisdiction and surrounding circumstances. For instance, a celebrity does not have a standard expectation of privacy but may be able to recover under theories of defamation, false light or intentional infliction of emotional distress if an entity discloses completely false information. Moreover, some laws offer more protection for particular invasions of privacy, like the Video Voyeurism Prevention Act or anti-paparazzi statutes in California. Most importantly, recovery for a privacy tort specifically hinges on the common law of each jurisdiction. Therefore, average citizens can recover for an invasion of privacy, but they need to review the elements of the torts available in their state.