Info & Data Privacy Protection
The monetization of information and data obtained from consumers in the United States alone is a multi-billion-dollar industry. Antiquated regulations are rapidly evolving, bringing a legislative call for transparency in how companies monetize information and data, and for accountability by companies that fail to safeguard or that improperly use such information and data. It is essential for companies to know their responsibilities under emerging regulations and for consumers to know their rights regarding the information and data that they share with companies or that companies otherwise collect, historically often without a consumer’s actual knowledge.
Current U.S. Federal Laws Governing Information and Data
The Federal Trade Commission Act (“FTC Act”)
The FTC Act is the principal federal statute that addresses consumer protection in the United States. The FTC Act attempts to protect consumers from deceptive or unfair acts or practices by a company that fails to protect consumers’ information. While it does not expressly require a company to draft or publish a Privacy Policy, once a company subject to the FTC Act does publish a Privacy Policy, the FTC Act can have varying degrees of impact on a company’s data and information practices. Many companies fail to realize the importance of a properly drafted and published Privacy Policy and the ramifications of not following such Privacy Policy or not properly notifying consumers of changes to such Privacy Policy. Violations of the FTC Act by a company subject to the FTC Act may result in varying degrees of consequences typically imposed by the federal government. While consumers in nearly all known circumstances have no private right of action (ability to file a lawsuit) against a company under the FTC Act, many states have passed laws that parallel the FTC Act and provide for a private right of action.
The Children’s Online Privacy Protection Act (“COPPA”)
COPPA applies to commercial websites, mobile applications, and other online services concerning information and data collected from children under 13. Many companies fail to include an appropriate COPPA provision in their Privacy Policy when and where applicable. Violations of COPPA by a company subject to COPPA may result in varying degrees of consequences typically imposed by the federal government. In addition, while consumers in nearly all known circumstances have no private right of action (ability to file a lawsuit) against a company under COPPA, legal causes of action under some state laws and common laws, including, but not limited to, various state consumer protection laws or through the tort of intrusion upon seclusion, if applicable, may expose a company to a private cause of action by an individual.
The Health Insurance Portability and Accountability Act (“HIPAA”)
HIPAA, which many consumers know exists, applies to health-related industries and concerns a consumer’s (often a patient’s) individually identifiable health information and data. Although the terms are not expressly used under HIPAA, such information is often termed, as applicable, Personal or Protected Health Information (“PHI”) or Personally Identifiable Information (“PII”), given other compliance regulations. Violations of HIPAA by a company subject to HIPAA may result in varying degrees of consequences typically imposed by the federal government. In addition, while consumers in nearly all known circumstances have no private right of action (ability to file a lawsuit) against a company under HIPAA, legal causes of action under some state laws and common laws, such as negligence, breach of contract, breach of confidentiality, and breach of an implied contract, may still expose a company to a lawsuit by a private individual in some states.
The Fair Credit Reporting Act (“FCRA”), as amended by the Fair and Accurate Credit Transactions Act (“FACTA”)
The FCRA limits the ways consumer reports and credit card account numbers may be used and disclosed. Violations of the FCRA by a company subject to the FCRA may have varying degrees of consequences typically imposed by the federal government. Moreover, consumers are afforded a private cause of action under the FCRA for specific violations in some circumstances.
The Controlling the Assault of Non-Solicited Pornography and Marketing Act (“CAN-SPAM Act”)
Most companies and consumers in the U.S. are familiar with spam email. The CAN-SPAM Act attempts to regulate the collection and use of email addresses for commercial purposes, typically related to marketing. Violations of the CAN-SPAM Act by a company subject to the CAN-SPAM Act may result in varying degrees of consequences typically imposed by the federal government. While consumers in most circumstances have no private right of action (ability to file a lawsuit) against a company under the CAN-SPAM Act, a company may have exposure for a private right of action from another company deemed an internet access service provider. In addition, some consumer protection acts in various states may permit a private cause of action for certain violations of the CAN-SPAM Act.
The Gramm-Leach-Bliley Act (“GLBA”)
The GLBA impacts financial institutions with respect to their customers’ Nonpublic Personal Information (“NPI”). Violations of the GLBA by a company subject to the GLBA may result in varying degrees of consequences typically imposed by the federal government. In addition, while consumers in most circumstances have no private right of action (ability to file a lawsuit) against a company under the GLBA, many states have passed laws that provide for a private right of action for improper disclosure of NPI.
Dodd-Frank Wall Street Reform and Consumer Protection Act (“Dodd-Frank Act”)
The Dodd-Frank Act relates to financial privacy, its authority derived under the GLBA, and seeks to protect consumers that use financial products and services from unfair, deceptive, and abusive practices. Violations of the Dodd-Frank Act by a company subject to the Dodd-Frank Act may result in varying degrees of consequences typically imposed by the federal government. While consumers in most circumstances have no private right of action (ability to file a lawsuit) against a company under the Dodd-Frank Act, whistleblower employees in the financial industry do have a private cause of action if they suffer retaliation, typically in the form of termination of employment, by an employer subject to the Dodd-Frank Act for disclosing information regarding unlawful conduct of their employer, as applicable, regarding certain financial products and services.