Full of Holes: Federal Law Leaves Americans’ Personal Data Exposed

Today, the House Energy & Commerce Subcommittee on Innovation, Data, and Commerce will hold a hearing on how a federal privacy law would fill gaps to protect Americans’ personal information. 

Those gaps are massive. There is no comprehensive federal law in the US governing the collection and use of personal data. Instead, some types and uses of data are regulated by sector-specific laws such as the Health Insurance Portability and Accounting Act (HIPAA), the Fair Credit Reporting Act (FCRA), the Children’s Online Privacy Protection Act (COPPA), the Family Educational Rights and Privacy Act (FERPA) and others, while many types of data are not protected at all. There are three overarching problems with this approach:

1. A sectoral approach leaves huge gaps in protections that have allowed the expansion of data collection and abuse across many different sectors, most notably online services;
2. The protections in the existing sectoral laws are actually quite narrow and limited, so even the types of data that are covered by these laws do not have adequate protection – many are based on an outdated notice-and-choice framework;
3. A sectoral approach leads to confusion by the public about what types of personal data are protected. For example, many people assume that HIPAA covers their health information generally, when in fact most of the health data collected outside of the doctor/patient or insurance relationship is not covered by HIPAA. 

In order to fill some of the gaps left by federal sectoral privacy laws, the Federal Trade Commission (FTC) has used its authority under the FTC Act, passed in 1914. The FTC’s mandate includes the power to prohibit unfair and deceptive trade practices, including the unfair and deceptive collection, use, or transfer of personal data. The Commission is also responsible for combatting unfair methods of competition and has specific authority to enforce and issue rules under several targeted privacy laws. However, the FTC does not have sufficient regulatory or penalty authorities to address the privacy threats posed by modern internet services. And there are significant limitations in the patchwork of data protection authorities at the FTC’s disposal. For example, the procedures by which the FTC can define unfair and deceptive practices are unnecessarily onerous, and the Commission is limited in its ability to penalize first- time data protection offenders. 

The US needs a comprehensive, coherent approach to privacy and data protection. A recent study from the Irish Council for Civil Liberties (ICCL) found that the Real-Time Bidding (RTB) market, which is the engine that tracks and shares what people view online and their location in order to drive targeted advertising, alone exposes the average American’s data 747 times per day. This means U.S. Internet users’ online activity and location is being tracked and disclosed 107 trillion times per year. ICCL cited some dangerous examples of the use of this data:

There is no way to restrict the use of RTB data after it is broadcast. Data brokers used it to profile Black Lives Matter protestors. The US Department of Homeland Security and other agencies used it for warrant-less phone tracking. It was implicated in the outing of a gay Catholic priest through his use of Grindr. ICCL uncovered the sale of RTB data revealing likely survivors of sexual abuse.

Last year, in a significant step towards changing these harmful business practices, bipartisan leaders on the House Energy & Commerce Committee and Senate Commerce Committee proposed the American Data Privacy and Protection Act (ADPPA). The bill went through extensive negotiations between members of Congress of both parties, industry, civil rights groups, and consumer protection and privacy groups. ADPPA received overwhelming bipartisan support in the House Energy & Commerce Committee, where it was favorably approved on a 53-2 vote. 

The ADPPA would impose data minimization obligations on companies, non-profits, and other entities that collect and use any type of personal information – it contains a baseline requirement that companies must limit their data collection to what is reasonably necessary and proportionate to provide or maintain a product or service requested by the individual.  This takes the burden off individuals to manage their privacy online and instead requires entities to better align their data practices with consumer expectations. The ADPPA goes even further in its explicit restriction on the collection, use, and transfer of sensitive covered data (such as biometrics and geolocation), which is only permitted when strictly necessary and not permitted at all for advertising purposes.

Privacy is a fundamental right, and it is past time for Congress to enact comprehensive privacy rights of all Americans. Existing sectoral federal laws leave most of Americans’ personal data exposed. The bipartisan American Data Privacy and Protection Act presents Congress with the best opportunity it has had in decades to fill those gaps and stop the very real data abuses and privacy harms that are happening every minute of every day, and we hope it will be reintroduced in this Congress and signed into law. We need comprehensive data protection legislation, robust enforcement, and ample resources to ensure privacy, equality, and security in our online world. 

Sectoral U.S. Privacy Laws

Children’s Privacy

Children’s Online Privacy Protection Act (1998)

• Who must comply: Operator of a website or online service directed to children, or any operator having actual knowledge that it is collecting personal information from a child
• Types of data covered: Personal information collected by a covered operator from children under the age of 13 
• Required protections: COPPA requires covered operators to provide notice of their data practices to parents and obtain verifiable parental consent before colleting personal information online from children. Parents must be given the option to prohibit the disclosure of their child’s data to third parties, and must be given access to their child’s information and the opportunity to delete it.  

Communications Privacy

Telecommunications Act (1996) 

• Who must comply: Providers of telecommunications services
• Types of data covered: Consumer Proprietary Network Information (CPNI) – calling patterns, billing records, unlisted telephone numbers, home addresses of service subscribers 
• Required protections: Carriers are required to protect the confidentiality of CPNI. Carriers receiving CPNI in connection with providing services can use the information only for that purpose and not for their own marketing purposes. Carriers may only use, disclose, and permit access to individually identifiable CPNI when directed by the consumer or in connection with providing services for the consumer.

Cable Communications Policy Act (1984) 

• Who must comply: Cable operators
• Types of data covered: Subscribers’ personal information. 
• Required protections: Cable operators must disclose information about the collection of personal information, as well as provide subscribers with the right to access, correct and delete data collected about them. Cable operators may not disclose your cable subscriber records without your written consent. 

Communications Act (1934) 

• Who must comply: Any person receiving or sending foreign or domestic wire communications
• Types of data covered: Wire communications
• Required protections: Section 605 provides a clear prohibition against the interception and subsequent publication of a wire communication.

Consumer Privacy

Federal Trade Commission Act (1914)

• Who must comply: Any person, partnership or corporation (certain banks and financial institutions are exempt) 
• Types of data covered: Section 5 of the FTC Act declares that “unfair methods of competition in or affecting commerce, and unfair or deceptive acts or practices in or affecting commerce” are unlawful.
• Required protections: Section 5 does not provide the FTC specific authority to protect privacy, but this broad authority has been used to rein in business activities that threaten consumer privacy if they are unlawful under Section 5.

Financial Privacy

Gramm-Leach-Bliley Act (1999) 

• Who must comply: Financial institutions
• Types of data covered: Nonpublic financial information
• Required protections: Financial institutions are required give notice to their customers of their data practices and provide a right to opt out of the disclosure of  personal information to nonaffiliated third parties.

Right to Financial Privacy Act (1978)

• Who must comply: Financial institutions, when disclosing personal information to the federal government
• Types of data covered: Financial information from bank records
• Required protections: The Act establishes procedures that federal agencies must follow in order to obtain a customer’s financial records from a financial institution. These procedures include obtaining subpoenas, notice to the consumer, and providing the consumer with an opportunity to object. 

Fair Credit Reporting Act (1970)

• Who must comply: Credit reporting agencies (CRA)
• Types of data covered: Personal information collected by CRAs
• Required protections: The Act’s primary protection requires that CRAs follow “reasonable procedures” to protect the confidentiality, accuracy, and relevance of credit information. To do so, the FCRA establishes a framework of Fair Information Practices for personal information that include rights of data quality (right to access and correct), data security, use limitations, requirements for data destruction, notice, user participation (consent), and accountability. CRAs may only disclose personal information to persons whom they have reason to believe intend to use the information to evaluate an application for credit, employment, insurance, license, or governmental benefit. 

Health Privacy

Health Information Technology for Clinical And Economic Health (HITECH) Act (2009) 

• Who must comply: HIPAA covered entities, including healthcare providers
• Types of data covered: Personal health information  
• Required protections: The Act sets restrictions on the sale or disclosure of patient health information and it requires covered entities to report data breaches to HHS and affected individuals

Genetic Information Nondiscrimination Act (2008)

• Who must comply: Employers and labor organization
• Types of data covered: Genetic information
• Required protections: The Act prohibits employers and health insurance providers from discriminating based on genetic information in health coverage and employment.

Health Insurance Portability and Accountability Act (1996)

• Who must comply: HIPPA covered entities are limited to health care providers, health plans, business associates, and healthcare clearinghouses.
• Types of data covered: Protected health information includes individually identifiable health information related to past, present and future health conditions and provisions of healthcare.
• Required protections: The HIPAA privacy rule limits the circumstances where a covered entity can use or disclose protected health information. A covered entity is required to disclose protected health information upon the request of the individual (or their representative), or to the Department of Health and Human Services during a compliance investigation, review, or enforcement action. Without an individual’s authorization, a covered entity is only permitted to use and disclose an individual’s protected health information in a limited number of situations, like disclosure to the individual and for health care operations like treatment and payment.

Government Records and Privacy

Driver’s Privacy Protection Act (1994)

• Who must comply: State departments of motor vehicles (or any officer, employee, or contractor thereof).
• Types of data covered: Personal information assembled by the DMV. 
• Required protections: Originally prohibited the release or use of motor vehicle records, but was amended to allow states to get permission from individuals to sell or release personal motor vehicle records to third-party marketers. 

Privacy Act (1974) 

• Who must comply: Federal government agencies
• Types of data covered: “Systems of records” – any group of records where information is retrieved by the name of the individual or by an individual identifier.
• Required protections: Requires agencies to publish notice of its systems of records in the Federal Register (known as “SORNs”). Restricts the sharing of information between government agencies. Requires agencies to maintain in its records only the minimum amount of information “relevant and necessary” to accomplish its purposes. Requires that individuals have access to records about them. 

Student Privacy

Family Educational Rights and Privacy Act (1974)    

• Who must comply: Primary, secondary, and post-secondary educational institutions
• Types of data covered: Student educational records
• Required protections: Educational institutions shall not disclose any information from those records without the written consent of the student, or, if the student is a minor, without the written consent of his or her parents.

Misc.

Video Privacy Protection Act (1988) 

• Who must comply: Anyone who rent, sells, or delivers “prerecorded video cassette tapes or similar audio visual materials.” 
• Types of data covered: VHS or “similar audiovisual material” rental records 
• Required protections: Personal information about video rental records may not be disclosed without express, written consent.