U.S. Privacy Laws


EPIC provides this resource on U.S. privacy laws for students, attorneys, and policymakers interested in privacy law in the United States.

Health Information Technology for Economic and Clinical Health Act (HITECH) (2009)

42 U.S.C. § 300jj et seq., § 17901 et seq.

The Health Information Technology for Economic and Clinical Health (HITECH) Act was passed in 2009, as part of the American Recovery and Reinvestment Act, to promote and expand the adoption of health information technology. The HITECH Act requires entities covered by the Health Insurance Portability and Accountability Act (HIPAA), and their business associates, to report breaches of unsecured protected health information to affected individuals and to the U.S. Department of Health and Human Services. The Act also restricts the sale of patient health information and its use for marketing, and establishes rules on how regulated entities must account for disclosures of such information.

Genetic Information Nondiscrimination Act (GINA) (2008)

42 U.S.C. § 2000ff et seq.

The Genetic Information Nondiscrimination Act prohibits discrimination on the basis of genetic information with respect to health insurance and employment. 


Identity Theft Penalty Enhancement Act (2004)

18 U.S.C. § 1028A, § 641

The Identity Theft Penalty Enhancement Act of 2004 strengthens the criminal punishments for identity theft by creating the offense of aggravated identity theft. The Act imposes a mandatory five-year sentence for identity theft committed in relation to terrorism offenses and a mandatory two-year sentence for identity theft committed in relation to enumerated felonies such as fraud and immigration violations. These sentences are added to the sentence for the underlying offense: the Act bars courts from substituting probation for them and, in general, from running them concurrently with any other sentence.


Video Voyeurism Prevention Act (2004)

18 U.S.C. § 1801

The Video Voyeurism Prevention Act of 2004 was passed in response to the growing popularity of miniature spy cameras. The Act is very limited in scope: it only covers voyeuristic acts committed within the special maritime and territorial jurisdiction of the United States, such as on federal lands and in federal buildings. Conduct elsewhere is left to state law.

Controlling the Assault of Non-Solicited Pornography and Marketing Act (CAN-SPAM) (2003)

15 U.S.C. § 7701 et seq.

In December 2003, Congress passed S. 877 (108th Congress), the Controlling the Assault of Non-Solicited Pornography and Marketing Act of 2003, known as the “CAN-SPAM” Act. The Act creates new penalties for sending deceptive spam advertising, but does not “can” truthful unsolicited commercial e-mail.

The Act defines a commercial e-mail message as any message whose “primary purpose” is the “commercial advertisement or promotion of a commercial product or service.” Under CAN-SPAM, such messages must not carry false or misleading header information or deceptive subject lines, and must include clear notice that the message is an advertisement or solicitation, a working opt-out mechanism (opt-out requests must be honored within 10 business days), and a valid physical postal address of the sender. The Act preempts state anti-spam laws except to the extent that they prohibit falsity or deception in such messages.


Do-Not-Call Implementation Act (2003)

15 U.S.C. § 6151 et seq.

In 2002, the Federal Trade Commission proposed the creation of a national “do-not-call” registry. The rule establishes a presumption that telemarketers may not contact people on the list, unless the telemarketer has either express written authorization or an existing business relationship with the person. 

There are three main pieces of law that make up the Do-Not-Call registry. The FTC’s Telemarketing Sales Rule, 16 C.F.R. § 310.4(b)(1)(iii)(B), establishes the registry itself and the related prohibitions on telemarketing. Public Law 108-10, the Do-Not-Call Implementation Act, authorizes the FTC to collect fees to operate the registry and requires the FTC to report on its progress. Public Law 108-82 ratified the registry and granted the FTC express statutory authority to operate it.

Fair and Accurate Credit Transactions Act (2003)

Public Law 108-159

In 2003 Congress enacted the Fair and Accurate Credit Transactions Act (FACTA), which substantially amended much of the FCRA. The Act establishes remedial rights for identity theft victims, but does little to actually prevent the crime. For example, FACTA requires merchants to truncate credit and debit card numbers on electronically printed receipts (no more than the last five digits, and no expiration date), gives individuals the right to a free annual credit report from each nationwide credit reporting agency, requires credit reporting agencies to block information that resulted from identity theft, and creates new disposal requirements for records containing personal information. FACTA also preempts state laws that would provide greater privacy safeguards. For example, FACTA provides that credit reporting agencies must disclose credit scores to individuals for a “reasonable fee”; states are not permitted to grant consumers the right to free credit score disclosures.


E-Government Act (2002)

44 U.S.C. § 3501 note

Enacted in December 2002, the E-Government Act was intended to make federal agencies more accessible to the public by electronic means. Among other things, the Act created an Office of Electronic Government within the Office of Management and Budget and requires that regulatory proceedings and other material appear on agency web sites. Section 208 of the Act also requires agencies to perform a Privacy Impact Assessment (PIA) before developing or procuring information technology that collects, maintains, or disseminates information in identifiable form, or before initiating a new collection of such information, and to make the assessment publicly available where practicable.


Homeland Security Act (2002)

6 U.S.C. § 671 et seq.

In the wake of 9/11, Congress passed the Homeland Security Act of 2002, combining 22 agencies into a single department for the purpose of securing the United States from threats. Many provisions of the Act implicate privacy. First, the Act broadly exempts “critical infrastructure information” voluntarily submitted to the Department of Homeland Security (DHS) from the Freedom of Information Act. Second, the Act creates a privacy officer for DHS. Third, the Act prohibits all federal agencies from implementing Operation TIPS (the Terrorism Information and Prevention System). Fourth, the Act prohibits the new department from developing a national identification system or card. The Act also makes certain changes to the Electronic Communications Privacy Act (ECPA), including expanded emergency disclosure provisions.


No Child Left Behind Act (2001)

20 U.S.C. § 1232h

Congress passed the No Child Left Behind Act in December 2001, making significant amendments to the Protection of Pupil Rights Amendment (part of the General Education Provisions Act) to protect students’ privacy. The amendments require educational agencies to give parents annual notice of, and access to, certain surveys and examinations administered to students. Notice is required for student surveys that are performed for marketing purposes, for surveys that collect sensitive information (such as political affiliations, mental or psychological problems, sexual behavior, or religious practices), and for non-emergency invasive physical examinations. Stricter state laws are not preempted by the privacy amendments.

Gramm-Leach-Bliley Act (GLBA) (1999)

15 U.S.C. § 6801 et seq.

Information that many would consider private—including bank balances and account numbers—is regularly bought and sold by banks, credit card companies, and other financial institutions. The Gramm-Leach-Bliley Act (GLBA), which is also known as the Financial Services Modernization Act of 1999, provides limited privacy protections against the sale of your private financial information. Additionally, the GLBA codifies protections against pretexting, the practice of obtaining personal information through false pretenses. 

The GLBA primarily sought to “modernize” financial services–that is, end regulations that prevented the merger of banks, stock brokerage companies, and insurance companies. The removal of these regulations, however, raised significant risks that these new financial institutions would have access to an incredible amount of personal information, with no restrictions upon its use. 


Identity Theft and Assumption Deterrence Act (1998)

18 U.S.C. § 1028

Congress passed the Identity Theft and Assumption Deterrence Act in 1998 to address the increasing problem of identity theft. The Act specifically made it a federal crime to “knowingly transfer or use, without lawful authority, a means of identification of another person with the intent to commit, or to aid or abet, any unlawful activity that constitutes a violation of federal law, or that constitutes a felony under any applicable state or local law.” 


Children’s Online Privacy Protection Act (COPPA) (1998)

15 U.S.C. § 6501 et seq.

The Children’s Online Privacy Protection Act of 1998 (“COPPA”) prohibits an operator of a website or online service directed to children under 13, or any operator with actual knowledge that it is collecting personal information from a child under 13, from collecting that information in a manner that violates the FTC’s implementing regulations (the COPPA Rule, 16 C.F.R. Part 312). The core requirement is that operators give notice and obtain verifiable parental consent before collecting personal information from a child; the Act provides limited exceptions, such as collecting a parent’s contact information in order to seek that consent. The Federal Trade Commission is charged with enforcing COPPA, and state attorneys general may also bring actions.


Telecommunications Act (1996)

47 U.S.C. § 222

The Telecommunications Act of 1996 amends the Communications Act of 1934. Section 222 of the Act provides that telecommunications carriers must protect the confidentiality of Customer Proprietary Network Information (CPNI). CPNI includes calling patterns, billing records, the services a subscriber uses, and the unlisted telephone numbers and home addresses of service subscribers. A carrier that receives CPNI from another carrier in connection with providing a service may use that information only for that purpose and not for its own marketing. Moreover, the Act allows carriers to use, disclose, or permit access to individually identifiable CPNI only as required by law, with the approval of the customer, or in connection with providing the service from which the information is derived.

Health Insurance Portability and Accountability Act (HIPAA) (1996)

Public Law 104-191

The HIPAA Privacy Rule (45 CFR Parts 160 and 164) provides the “federal floor” of privacy protection for health information in the United States, while allowing more protective state laws to continue in force. Under the Privacy Rule, protected health information (PHI) is defined very broadly. PHI includes individually identifiable health information related to the past, present or future physical or mental health or condition, the provision of health care to an individual, or the past, present, or future payment for the provision of health care to an individual. Even the fact that an individual received medical care is protected information under the regulation. 

The Privacy Rule establishes a federal mandate for individual rights in health information, imposes restrictions on uses and disclosures of individually identifiable health information, and provides for civil and criminal penalties for violations. However, HIPAA only applies to “covered entities” (health care providers that conduct certain transactions electronically, health plans, and health care clearinghouses) and, since the HITECH Act of 2009, to their business associates. Health information held by entities outside those categories is not covered by HIPAA.


Driver’s Privacy Protection Act (DPPA) (1994)

18 U.S.C. § 2721 et seq.

The Driver’s Privacy Protection Act of 1994 requires all States to protect the privacy of personal information contained in an individual’s motor vehicle record. It prohibits state departments of motor vehicles from disclosing such information except for the permissible uses enumerated in the statute, imposes the same limits on those who receive the information, and provides a private right of action against anyone who knowingly obtains, discloses, or uses it in violation of the Act.


Telephone Consumer Protection Act (TCPA) (1991)

47 U.S.C. § 227

The Telephone Consumer Protection Act of 1991 (TCPA) prohibits any person within the U.S. from using an automatic telephone dialing system or an artificial or prerecorded voice to make a call, without the prior express consent of the called party, to any emergency telephone line, to any cellular telephone number, or to any telephone number for which the called party is charged for the call, with specified exceptions. It also restricts prerecorded calls to residential lines and unsolicited fax advertisements. The Act directs the Federal Communications Commission (FCC) to issue regulations to implement these requirements, and provides for a private right of action with statutory damages of $500 per violation, which may be trebled for willful or knowing violations.


Employee Polygraph Protection Act (1988)

29 U.S.C. § 2001 et seq.

The Employee Polygraph Protection Act of 1988 prohibits most private employers (federal, state, and local governments are exempt) from: (1) requiring or suggesting that an employee or prospective employee take a lie detector test; (2) using lie detector test results; or (3) taking employment action against an employee or prospective employee who refuses to take a lie detector test or who institutes or testifies in a proceeding under or related to this Act. The law includes a private right of action, allowing employees and prospective employees to bring civil actions against any employer who violates its provisions.


Video Privacy Protection Act (VPPA) (1988)

18 U.S.C. § 2710

The Video Privacy Protection Act of 1988 was passed in reaction to the disclosure of Supreme Court nominee Robert Bork’s video rental records in a newspaper. The Act is not often invoked, but stands as one of the strongest protections of consumer privacy against a specific form of data collection. Generally, it prohibits a “video tape service provider” from disclosing personally identifiable information about a consumer’s rental or purchase of “prerecorded video cassette tapes or similar audio visual materials” without the consumer’s informed, written consent. The VPPA includes a private right of action and does not preempt stronger state laws.


Electronic Communications Privacy Act (ECPA) (1986)

18 U.S.C. § 2510 et seq.

The Electronic Communications Privacy Act (“ECPA”) was passed in 1986 to expand and revise the federal wiretapping and electronic eavesdropping provisions of Title III of the Omnibus Crime Control and Safe Streets Act of 1968, extending them to electronic communications and adding the Stored Communications Act and the pen register and trap-and-trace statute. It was enacted to balance “the privacy expectations of citizens and the legitimate needs of law enforcement.” Congress also sought to support the creation of new technologies by assuring consumers that their personal information would remain safe. The ECPA includes a private right of action; the United States itself could not be sued under it until a limited waiver for willful violations was added in 2001 (18 U.S.C. § 2712). The statutory exclusionary rule (18 U.S.C. § 2515) bars illegally intercepted wire or oral communications from being introduced in court, but it does not extend to electronic communications such as e-mail.


Cable Communications Policy Act (1984)

47 U.S.C. § 551

The Cable Communications Policy Act of 1984 provides a strong statutory framework for the protection of cable subscribers’ personal information and incorporates the privacy principles set out in the OECD Privacy Guidelines of 1980. The Act grants cable subscribers the right to access the data collected about them and to correct any errors. It also provides for the destruction of personally identifiable information if that information is no longer necessary. Finally, it sets out a private right of action including actual and punitive damages, attorney’s fees and litigation costs for violations of any of its provisions. State and local cable privacy laws are not preempted by the Act. 


Privacy Protection Act (1980)

42 U.S.C. § 2000aa et seq.

The Privacy Protection Act of 1980 was passed in response to Zurcher v. Stanford Daily, 436 U.S. 547 (1978), which upheld broad law enforcement access to a newspaper’s files. The Act establishes procedures for law enforcement seeking access to records and other information from the offices and employees of a media organization. In general, the Act prohibits both federal and state officers and employees from searching or seizing journalists’ “work product” or the “documentary materials” in their possession. Under the Act, in order to gain access to journalists’ information, law enforcement must obtain a court subpoena, rather than a simple search warrant. Although the statute specifically provides that its violation is not grounds to suppress evidence, it does provide a civil remedy in Federal court against either the government entity or individual officers involved in the search where a search warrant, rather than a subpoena, is used contrary to the Act’s provisions. 


Right to Financial Privacy Act (RFPA) (1978)

12 U.S.C. § 3401 et seq.

The Right to Financial Privacy Act of 1978 protects the confidentiality of personal financial records by creating a statutory analogue to Fourth Amendment protection for bank records. The Act was essentially a reaction to the U.S. Supreme Court’s ruling in United States v. Miller, 425 U.S. 435 (1976), where the Court found that bank customers had no constitutional privacy interest in financial information held by financial institutions. Generally, the RFPA requires that federal government agencies provide individuals with notice and an opportunity to object before a bank or other covered institution can disclose personal financial information to a federal government agency, often for law enforcement purposes. The RFPA includes a private right of action.


Foreign Intelligence Surveillance Act (FISA) (1978)

50 U.S.C. § 1801 et seq.

Congress enacted the Foreign Intelligence Surveillance Act (FISA) in 1978 to establish a legal regime for “foreign intelligence” information gathering in the United States, independent from the rules that govern surveillance for ordinary law enforcement.  Under the Fourth Amendment, a search warrant must be based on probable cause to believe that a crime has been or is being committed. This is not the general rule under FISA: surveillance under FISA is permitted based on a finding of probable cause that the surveillance target is a foreign power or an agent of a foreign power, irrespective of whether the target is suspected of engaging in criminal activity. However, if the target is a “U.S. person,” there must be probable cause to believe that the U.S. person’s activities may involve espionage or other similar conduct in violation of the criminal statutes of the United States. FISA’s reach was continually expanded over its history. The USA Patriot Act in particular represented a significant shift in U.S. foreign intelligence. However, in 2015, the USA Freedom Act was passed, rolling back some FISA surveillance for the first time.  


Tax Reform Act (1976)

26 U.S.C. § 6103

In the aftermath of President Richard M. Nixon’s resignation, Congress enacted the Tax Reform Act of 1976 to strengthen the accountability of the IRS. Senator Lowell Weicker (R-CT) described the law as a “legislative remedy to the flaws of Government exposed by the chain of abuses we call Watergate.” 

To ensure the “integrity and fairness [of the IRS] in administering the tax laws,” one provision of the Act—§ 6103(k)(3)—permits the IRS Commissioner to “disclose such return information or any other information with respect to any specific taxpayer to the extent necessary for tax administration purposes to correct a misstatement of fact published or disclosed with respect to such taxpayer’s return or any transaction of the taxpayer with the Internal Revenue Service.” The provision requires the Commissioner to obtain the approval of the Joint Committee on Taxation. 


Family Educational Rights and Privacy Act (FERPA) (1974)

20 U.S.C. § 1232g

The Family Educational Rights and Privacy Act (FERPA) protects the confidentiality of student educational records. It states that educational institutions shall not disclose personally identifiable information from those records without the written consent of the student or, if the student is a minor not yet attending a post-secondary institution, without the written consent of his or her parents. Under the Act, students (or their parents) have the right to inspect and review their own educational records, request corrections, stop the release of personally identifiable information, and obtain a copy of the institutional policy concerning access to educational records. The Act applies to primary, secondary, and post-secondary educational institutions that receive federal funds. Schools that fail to comply with FERPA risk losing that funding; the Act is enforced by the Department of Education and, as the Supreme Court held in Gonzaga University v. Doe, 536 U.S. 273 (2002), creates no private right of action.


Privacy Act (1974)

5 U.S.C. § 552a

The Privacy Act of 1974, Public Law 93-579, was created in response to concerns about how the creation and use of computerized databases might impact individuals’ privacy rights. It safeguards privacy through creating four procedural and substantive rights in personal data. First, it requires government agencies to show an individual any records kept on him or her. Second, it requires agencies to follow certain principles, called “fair information practices,” when gathering and handling personal data. Third, it places restrictions on how agencies can share an individual’s data with other people and agencies. Fourth and finally, it includes a private right of action, allowing individuals to sue the government for violating the Privacy Act’s provisions. 

There are, however, several exceptions to the Privacy Act. Agencies may exempt systems of records maintained for law enforcement or intelligence purposes from many of the Act’s requirements. Agencies have also circumvented its information-sharing rules by stretching the “routine use” exception, which permits disclosure without consent for a purpose that the agency has published as compatible with the purpose for which the record was collected.


Fair Credit Reporting Act (FCRA) (1970)

15 U.S.C. § 1681 et seq.

Congress passed the Fair Credit Reporting Act of 1970 to protect individuals from the misuse of personal information by Credit Reporting Agencies, or CRAs. Under the Act, CRAs may only furnish a consumer report to persons whom they have reason to believe intend to use it for a “permissible purpose,” such as evaluating an application for credit, employment, insurance, a license, or a governmental benefit. Notice must be given to an individual when a CRA is asked to prepare an investigative consumer report on the individual’s character, reputation, and mode of living. Individuals are entitled to a copy of their credit report, and if they dispute an item, the CRA must reinvestigate and correct or delete information that is inaccurate or cannot be verified. The Federal Trade Commission is charged with enforcement of the Act, sharing that authority with the Consumer Financial Protection Bureau since 2010. In 2003, Congress enacted the Fair and Accurate Credit Transactions Act (FACTA), which substantially amended much of the FCRA.


Communications Act, Section 605 (1934)

47 U.S.C. § 605

Section 605 of the Communications Act followed from the dissent of Justice Brandeis in Olmstead v. U.S. (1928). The provision established a clear prohibition against the interception and subsequent publication of a wire communication. 


Federal Trade Commission Act (1914)

15 U.S.C. § 45 et seq.

The Federal Trade Commission’s (FTC) primary enforcement authority with regard to privacy is derived from section 5 of the Federal Trade Commission Act (FTC Act), which was enacted in 1914. Section 5 of the FTC Act declares unlawful, and empowers the FTC to investigate and prevent, “unfair methods of competition in or affecting commerce, and unfair or deceptive acts or practices in or affecting commerce.” Although this law does not grant the FTC specific authority to protect privacy, in recent years it has been used to bring public attention to significant privacy issues and to provide a legal basis for reforming business activities that threaten consumer privacy: a broken privacy promise can be a deceptive practice, and unreasonable data security can be an unfair one.
