What is information privacy?
Over a century ago, Justices Louis Brandeis and Samuel Warren introduced the concept of a right to privacy in a famous law review article. Brandeis is often quoted, characterizing the right to privacy as “the right to be left alone -- the most comprehensive of rights, and the right most valued by a free people.” Information privacy issues arise anywhere personal information is collected and stored. It concerns an individual’s right to control his/her personal information held by others. Various forms of personal information include those involving lifestyle, finances, health, politics, and information revealed on the Internet.
Internet Privacy Issues
Internet privacy issues exist when personal information is captured from a website visitor, compiled by website operators, and transmitted to others. Personal information is also collected by software that is covertly installed on a user’s computer, called spyware. The question of data security also encompasses the monitoring of email and website usage by email service providers, employers, government, and law enforcement.
After the September 11th terrorist attacks, the passage of the “Uniting and Strengthening America by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism Act of 2001” (“USA Patriot Act”) intensified the privacy debate. The Patriot Act expands the authority of law enforcement agencies to monitor Internet activities, telephone communications, medical, and financial records.
Regulations Governing Information Privacy Online
Information privacy in the U.S. is not uniformly regulated under a single comprehensive body of law. Rather, its regulations are a rapidly evolving “patchwork” of laws that address the protection of privacy issue by issue. The Federal Trade Commission Act (the “FTC Act”) may be the most inclusive protection of privacy rights. It addresses privacy issues under its general prohibition against “unfair or deceptive trade practices.” Many actions against spyware companies have been enforced under the “unfair practices” provision.
The Children’s Online Privacy Protection Act (COPPA) mandates that commercial websites that direct online services to children under 13, or that knowingly collect information from them, inform parents of their information practices and obtain verifiable parental consent before collecting, using, or disclosing personal information from children.
The Health Insurance Portability and Accountability Act (HIPAA) protects how an individual’s health information is used by organizations and disclosed to others. Health care providers, insurance companies, employer-sponsored health plans, and HMOs are the “covered entities” that must comply with the HIPAA privacy rule’s guidelines. HIPAA covered entities are among the most extensively regulated groups with respect to information privacy.
The FTC Act, COPPA, and HIPAA are only a few of the many statutes that aim to protect information privacy, and a flood of new laws is being designed to address the complexity of the subject.
Risks to U.S. Companies Posed by EU Information Privacy Laws
U.S. companies should be particularly cautious with e-commerce, because the European Union (EU) has far stricter privacy regulations, which can affect U.S. companies. The EU Data Privacy Directive prohibits EU organizations from transferring personal data to countries where privacy protection is not deemed adequate. To prevent the interruption of data transfers from the EU to the U.S., the EU approved a “safe harbor.” The safe harbor permits U.S. companies that voluntarily abide by the safe harbor principles to continue data transfers with the EU member states. U.S. companies within the safe harbor are presumed to provide adequate privacy protection.
The European Union’s new law, the General Data Protection Regulation (GDPR), came into effect May 25, 2018. The GDPR is the EU’s latest overarching privacy law. It aims to give consumers more control over their personal data by forcing companies to be more transparent about what information they collect and to ensure that the personal data collected is well cared for and adequately protected. The GDPR applies to any organization that collects data on users within the EU, regardless of where the service provider is located. As such, as long as a Silicon Valley company collects any sort of personal data from users in the EU, that company becomes subject to the GDPR.
See our post “What you need to know about the GDPR?” for more information.
Technology & Data Legal Services
Our technology and data law team provides technology & data counseling services on a broad range of issues, including:
See our Legal FAQs page for the answers to more intellectual property law questions.