Privacy law concerns the rights of individuals with respect to their personal affairs. It is a relatively new legal concept.
Actions for invasion of privacy are based on tort law and often closely resemble actions for libel. But, unlike defamation, there is no requirement to prove actual injury. Rather, damages are awarded on a presumptive basis.
A person’s right to privacy is protected by the Constitution. The Supreme Court established this right in the landmark case Griswold v. Connecticut in 1965. This decision affirmed that a person has a constitutionally protected zone of privacy that includes the marital bedroom. The Court has also recognized this right in other cases.
Federal privacy law limits governmental agency misuse of personal data and protects individuals from privacy harms. It requires agencies to show individuals any records maintained on them and prohibits agencies from using that information without the individual’s consent. It also limits how agencies may share personal information with other government and private entities, and it creates a private right of action against agencies that violate the act’s provisions.
The Federal Trade Commission Act of 1914 establishes the Federal Trade Commission (FTC) and outlaws unfair competition and deceptive practices in business activities. It has also been used to protect consumer privacy, especially with regard to the use of personal data in targeted advertising. It also provides for a private right of action and does not preempt stronger state privacy laws.
Recent decisions by the Supreme Court may increase the likelihood that limitations on commercial speech resulting from privacy legislation will be challenged on First Amendment grounds. For example, the decision in Sorrell v. IMS Health, which invalidated Vermont’s law that prohibited pharmacies from disclosing information linking doctors with prescriptions to “data miners” for marketing purposes, could be cited in future challenges to privacy legislation.
Federal Trade Commission Act
The Federal Trade Commission Act, passed in 1914, established the FTC as an enforcement agency to police “unfair methods of competition in or affecting commerce.” The Act grants the Commission broad authority to pursue actions against unfair or deceptive acts and practices. In the privacy context, this has led the FTC to fill the gaps in national sectoral privacy laws with its own enforcement.
Using its Section 5 authority, the agency has prosecuted numerous privacy and data security violations by a variety of companies and levied millions in fines. Its enforcement actions have shaped several privacy policies and have helped reshape businesses’ practices and procedures.
To establish a claim, the FTC must show that a business’s acts or practices are unfair because they cause substantial injury to consumers that cannot be readily overcome by countervailing benefits and is not outweighed by any competitive advantage. The unfairness standard, as applied to privacy issues, is a high bar for the FTC and carries significant risk for companies.
In the absence of a comprehensive federal privacy law, Congress could enact legislation that grants the FTC specific rulemaking authority and defines the agency’s scope of jurisdiction. The legislation could also require the Commission to publish a Final Rule accompanied by a statement of basis and purpose. This would help the agency keep pace with changing technology and business models.
Colorado Privacy Act
The Colorado Privacy Act (CPA) is a new privacy law that will affect businesses that store or process personal information about residents of the state. Like California’s CCPA and Virginia’s CDPA, the CPA grants consumers certain rights regarding their data, including the right to opt out of targeted advertising, sales of their personal data, and certain types of profiling. The CPA also requires covered entities to honor a user-selected universal opt-out mechanism, though the exact technical specifications of that mechanism are not yet clear.
The CPA defines a “consumer” as an individual who is a resident of the state acting in a private, household context. This differs from the definition in the CCPA and CDPA, which includes those individuals who are acting in a commercial or employment context or as a job applicant. The CPA applies to any “controller” of personal information who collects, sells, or otherwise uses the personal information of 100,000 or more Colorado consumers per year or derives at least 50% of its annual revenue from the sale of data pertaining to 25,000 or more Colorado residents.
Controllers must also conduct a “data protection assessment” prior to engaging in processing that presents a heightened risk to consumer privacy. These assessments must weigh the benefits to the controller, consumer, and other stakeholders against the potential risks to consumers’ privacy. The assessments must be documented and made available to the Colorado Attorney General upon request.
California Privacy Rights Act
The California Privacy Rights Act (CPRA) is the state’s new data privacy law, and it builds on the California Consumer Protection Act (CCPA). It will provide Californians with more expansive personal information rights and increased business obligations. The CPRA will also introduce sensitive personal information (SPI) as a regulated category, which will be subject to specific disclosure and purpose limitation requirements.
Businesses should monitor CPRA legislative activity to ensure that they are aware of any amendments. They should also expect regulations that have the goal of strengthening consumer privacy, but that take into account legitimate operational interests of businesses.
Generally, the CPRA will require businesses to disclose the categories of personal information that they collect, the purposes for which it is collected, and the third parties with whom the information is shared. The CPRA also provides consumers with the right to request deletion of their personal information from a business’s records. However, this is not available if the information is necessary for a legal obligation or for the conduct of certain kinds of scientific, historical, and statistical research.
The CPRA will limit businesses’ ability to sell or share SPI, and it will create a new category of “contractors,” which must obtain consent for processing PI that is provided to them by a business. This will help to reduce the risk of unauthorized access to SPI and other sensitive data.