Privacy Legislation Grid
◈ Last edit: June 5, 2021
◈ 84 Privacy Laws Covered
◈ New Ontology, Links, Research

Unique data. Hand-curated.
Applying Ontology to Privacy Legislation
When privacy professionals talk about privacy laws, we say: here’s a law, and it has some features. What we have not done often, or with much robustness, is categorize our privacy laws: put them into discrete buckets that allow us to think about them comparatively.
I’ve used existing and newly created ontologies to categorize laws relevant to US-centric privacy practices and the CIPP/US certification offered by IAPP. This is not meant as a study guide, though I originally started building it for my own study. I see it now as a reference guide that can be used to gain insight into the privacy landscape.
We knew privacy law was a complex patchwork. I’ve highlighted that complexity by categorizing laws in new ways:
A Searchable Grid of Privacy Legislation
Privacy Legislation | Yr | Juris | Scope | Silo | Sector | Type of Law | Targeted Info | Protects Who? | Regulates Who? | Fed Enforce | St Enforce | Private Right? | Criminal Pen? | Preempt? | DSAR? | Data Security? | Loc Data? | URL1 | URL2 | URL3 | URL4 | URL5 | Quick Sum | Full Legal | |||||||||||||||||
---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
US Con: 4A | https://www.law.cornell.edu/constitution/fourth_amendment | 1791 | Fourth Amendment: Protection from Unreasonable Searches and Seizures | Federal | Criminal | Territorial Privacy | Law Enforce | Privacy Rights | 👮 Evidence | Citizens | Law Enforce | Courts | Y | Y | https://www.law.cornell.edu/constitution/fourth_amendment | law.cornell.edu | https://en.wikipedia.org/wiki/Fourth_Amendment_to_the_United_States_Constitution | wikipedia.org | https://law.justia.com/constitution/us/amendment-04/ | law.justia.com | No Unreasonable Gov Searches | Several English Common Law Cases >> Semayne’s Case (1604): Old English common law - right of a homeowner to defend his/her premises against intrusion. Wilkes v. Wood (1763): General warrants are bad. Entick v. Carrington (1765): Leading case in English law and UK constitutional law establishing the civil liberties of individuals and limiting the scope of executive power. | Fourth Amendment: Protection from Unreasonable Searches and Seizures of 1791 | ||||||||||||||||||
FTC Act | https://uscode.house.gov/view.xhtml?req=granuleid%3AUSC-prelim-title15-chapter2-subchapter1&edition=prelim | 1914 | Federal Trade Commission Act | Federal | Broad | Information Privacy | Consumer Privacy | Privacy Rights | 👤 PII - Personally Identifiable Info | Consumers | Businesses | FTC | Y | Y | https://www.ftc.gov/enforcement/statutes/federal-trade-commission-act | ftc.gov | https://en.wikipedia.org/wiki/Federal_Trade_Commission_Act_of_1914 | wikipedia.org | https://epic.org/privacy/internet/ftc/Authority.html | epic.org | https://www.brookings.edu/blog/techtank/2019/08/08/the-ftc-can-rise-to-the-privacy-challenge-but-not-without-help-from-congress/ | brookings.edu | Unfair, deceptive trade practices | The inspiration and motivation for The FTC Act started in 1890, when the Sherman Anti-trust Act was passed. In 1913, President Wilson passed the Federal Trade Commissions Act along with the Clayton Antitrust Act. Congress passed this Act with the hopes of protecting consumers against methods of deception in advertisement, forcing the business to be upfront and truthful about items being sold. - Wikipedia | Federal Trade Commission Act of 1914 | ||||||||||||||||
Federal Comm Act | https://transition.fcc.gov/Reports/1934new.pdf | 1934 | Federal Communications Act | Communications Act | Federal | Sectoral | Comm Privacy | Consumer Privacy | Privacy Rights | 👤 PII - Personally Identifiable Info | Consumers | Comms | FCC | Y | Y | Y | Y | https://en.wikipedia.org/wiki/Communications_Act_of_1934 | wikipedia.org | https://www.mtsu.edu/first-amendment/article/1044/communications-act-of-1934 | mtsu.edu | https://www.law.cornell.edu/constitution-conan/amendment-4/federal-communications-act | law.cornell.edu | https://www.cybertelecom.org/notes/communications_act.htm | cybertelecom.org | https://www.law.cornell.edu/uscode/text/47/551 | law.cornell.edu | Combined fed regs: phone, telgrph, radio | Committee created by FDR reported that "the communications service, as far as congressional action is involved, should be regulated by a single body" e.g. FCC. FDR, along with lobbyists and state regulators, wanted comms tech, both wired and wireless, to be monitored in a similar way and influenced Congress to pass the Communications Act of 1934. Goal was telephone and broadcasting regulated with same juris similar to way ICC regulated the railways and interstate commerce. | Federal Communications Act of 1934, AKA Communications Act | |||||||||||
NSLA | https://www.govinfo.gov/content/pkg/USCODE-2011-title42/html/USCODE-2011-title42-chap13.htm | 1946 | National School Lunch Act | Federal | Privacy Benefit | Information Privacy | Education Privacy | Privacy Rights | 🎓 Education Records | Students / Parents | Educators | FNS (USDA) | Y | Y | https://en.wikipedia.org/wiki/National_School_Lunch_Act | wikipedia.org | https://www.fns.usda.gov/richard-b-russell-national-school-lunch-act | fns.usda.gov | https://www.cde.ca.gov/ls/nu/sn/confidential.asp | cde.ca.gov | School Lunch program eligibility | The number of malnourished young men reporting to a national draft call during World War II. The dual purpose of the NSLP was to safeguard the health and well-being of the nation’s children and to encourage the domestic consumption of foods produced in the United States. | National School Lunch Act of 1946 | ||||||||||||||||||
Census Confid Statute | https://www.law.cornell.edu/uscode/text/13/9 | 1954 | Census Confidentiality Statute | Title 13, U.S. Code | Census Act, Title 13 | Federal | Topical | Information Privacy | Consumer Privacy | Privacy Rights | 🇺🇸 Census Data | Citizens | Government | Y | https://definitions.uslegal.com/c/census-confidentiality-statute/ | definitions.uslegal.com | https://www.brennancenter.org/sites/default/files/2019-08/Report_Federal_Laws_Census_Confidentiality.pdf | brennancenter.org | https://cdt.org/insights/testimony-of-deirdre-mulligan-before-the-senate-committee-on-commerce-science-and-transportation-subcommittee-on-communications/#ccs | cdt.org | https://www.census.gov/history/www/reference/privacy_confidentiality/title_13_us_code.html | census.gov | https://www.census.gov/history/pdf/history-privacy-protection102019.pdf | census.gov | Illegal to disclose /share census PII | None found in literature, but safe to assume this was to protect the sanctity of the information and make sure that citizens and businesses continued to provide robust data without fear of reprisal. | Census Confidentiality Statute of 1954, AKA Census Act, Title 13. See: Title 13, U.S. Code | ||||||||||||||
CRA of 1964 | https://www.law.cornell.edu/uscode/text/42/chapter-21 | 1964 | Civil Rights Act | 42 U.S. Code Chapter 21, Pub.L. 88–352, 78 Stat. 241 | Federal | Broad | Information Privacy | National Security | Anti-Discrim Rights | 👤 SPI - Sensitive Personal Information | Citizens | All Controllers | AG, EEOC | Y | Y | Limited | https://en.wikipedia.org/wiki/Civil_Rights_Act_of_1964 | wikipedia.org | https://www.lawfareblog.com/federal-privacy-legislation-should-protect-civil-rights | lawfareblog.com | https://www.supremecourt.gov/opinions/19pdf/17-1618_hfci.pdf | supremecourt.gov | https://www.govinfo.gov/content/pkg/STATUTE-78/pdf/STATUTE-78-Pg241.pdf | govinfo.gov | Can't discrim on race, color, relig, sex, origin | CRA of 1964 was nation's premier civil rights legislation. Outlawed discrimination on basis of race, color, religion, sex, or national origin. Required equal access to public places, employment. Enforced desegregation of schools, right to vote. | Civil Rights Act of 1964. See: 42 U.S. Code Chapter 21, Pub.L. 88–352, 78 Stat. 241 | ||||||||||||||
FOIA | https://www.foia.gov/foia-statute.html | 1966 | Freedom of Information Act | 5 U.S.C. § 552 | Federal | Sectoral | Information Privacy | Government Records | Transparency | 🇺🇸 Gov Data | Citizens | Government | via PA | Y | docs | https://en.wikipedia.org/wiki/Freedom_of_Information_Act_(United_States) | wikipedia.org | https://www.foia.gov/ | foia.gov | https://foiamapper.com/ | foiamapper.com | https://iapp.org/resources/article/foia-v-privacy-act-a-comparison-chart/ | iapp.org | https://www.americanbar.org/content/dam/aba/multimedia/government_public/foia101_prog_recording.mp4 | americanbar.org | Public can request most gov records | U.S. federal law that ensures citizen access to federal government agency records. FOIA only applies to federal executive branch documents. It does not apply to legislative or judicial records. Most states have some state level equivalent of FOIA. | Freedom of Information Act of 1966. See: 5 U.S.C. § 552 | |||||||||||||
Wiretap Act | https://www.law.cornell.edu/uscode/text/18/part-I/chapter-119 | 1968 | Federal Wiretap Act | Modified by ECPA Title I | Federal | Sectoral | Comm Privacy | Law Enforce | Surveillance Laws | 📞 Personal Comms | Security | All Controllers | Y | Y | https://en.wikipedia.org/wiki/Electronic_Communications_Privacy_Act | wikipedia.org | https://it.ojp.gov/PrivacyLiberty/authorities/statutes/1285 | it.ojp.gov | https://www.lawyers.com/legal-info/personal-injury/types-of-personal-injury-claims/wiretap-act-privacy.html | lawyers.com | https://www.law.cornell.edu/uscode/text/18/2511 | law.cornell.edu | Wiretaps require super-warrants | Originally passed as the Wiretap Statute (Title III of the Omnibus Crime Control and Safe Streets Act of 1968) to prevent unauthorized gov access to private electronic comms. It became the Wiretap Act as we know it with the passage of the ECPA. Another impetus for Congressional action: the routine advertisement of scanning receivers promoting eavesdropping on cellular conversations. | Federal Wiretap Act of 1968, AKA Modified by ECPA Title I | ||||||||||||||||
OSHA | https://www.osha.gov/laws-regs/oshact/completeoshact | 1970 | Occupational Safety and Health Act | Federal | Privacy Benefit | Information Privacy | Employment Privacy | Privacy Rights | ⚕️ PHI - Protected Health Info | Employees | Employers | OSHA | Y | Y | https://www.osha.gov/ | osha.gov | https://en.wikipedia.org/wiki/Occupational_Safety_and_Health_Administration | wikipedia.org | https://www.osha.gov/Publications/all_about_OSHA.pdf | osha.gov | Protect worker safety. Recordkeeping. | In 1969, 14K Americans killed in the Vietnam War. Another 14K were killed on the job. 50x that were maimed and disfigured. OSHA was passed to remedy that. | Occupational Safety and Health Act of 1970 | ||||||||||||||||||
FCRA | https://www.law.cornell.edu/uscode/text/15/chapter-41/subchapter-III | 1970 | Fair Credit Reporting Act | Federal | Sectoral | Information Privacy | Financial Privacy | Privacy Rights | $ Consumer Reports | Consumers | Financial Orgs | CFPB, FTC | StAG | Y | Y | Y | Y | Y | https://codes.findlaw.com/us/title-15-commerce-and-trade/15-usc-sect-1681.html | codes.findlaw.com | https://www.investopedia.com/terms/f/fair-credit-reporting-act-fcra.asp | investopedia.com | https://en.wikipedia.org/wiki/Fair_Credit_Reporting_Act | wikipedia.org | https://www.lexingtonlaw.com/credit/what-is-the-fair-credit-reporting-act | lexingtonlaw.com | https://epic.org/privacy/fcra/ | epic.org | Regulation of Credit Reports, Bureaus | Inadequate safeguards existed to protect consumers from credit reporting agencies. In the 1960s, significant controversy surrounded CRAs. Reports were sometimes used to deny services/opportunities. Individuals had no right to see what was in their file. There was abuse in the industry, incl. reqs that investigators fill quotas of neg info on data subjects. Fabricated neg info. "Lifestyle" info on data subjects, incl. sexual orientation, marital status, drinking habits, cleanliness. Outdated info. | Fair Credit Reporting Act of 1970 | ||||||||||
Bank Secrecy Act | https://www.fdic.gov/regulations/safety/manual/section8-1.pdf | 1970 | Bank Secrecy Act | BSA, Currency and Foreign Transactions Reporting Act | Federal | Criminal | Information Privacy | Financial Privacy | Transparency | $ Financial Records | Security | Financial Orgs | OCC, FinCEN | Y | https://www.occ.treas.gov/topics/supervision-and-examination/bsa/index-bsa.html | occ.treas.gov | https://www.investopedia.com/terms/b/bank_secrecy_act.asp | investopedia.com | https://scholarship.law.wm.edu/cgi/viewcontent.cgi?article=2643&context=wmlr | law.wm.edu | Anti-money laundering rules | Concerns about piles of cash coming into the country from the drug trade | Bank Secrecy Act of 1970, AKA BSA, Currency and Foreign Transactions Reporting Act | ||||||||||||||||||
Privacy Act | https://www.law.cornell.edu/uscode/text/5/552a | 1974 | Privacy Act | Federal | Sectoral | Information Privacy | Government Records | Privacy Rights | 🇺🇸 Gov Data | Citizens | Government | Y | Y | Y | Y | https://en.wikipedia.org/wiki/Privacy_Act_of_1974 | wikipedia.org | https://www.justice.gov/opcl/privacy-act-1974 | justice.gov | https://epic.org/privacy/1974act/ | epic.org | https://www.ftc.gov/about-ftc/foia | ftc.gov | https://www.archives.gov/about/laws/privacy-act-1974.html | archives.gov | Citizen rights and gov record handling | Triggered by the 1973 report published by the HEW which recommended the first FIPP (“Code of Fair Information Practices”) to be followed by all federal agencies | Privacy Act of 1974 | |||||||||||||
FERPA | https://www.ecfr.gov/cgi-bin/text-idx?rgn=div5&node=34:1.1.1.1.33 | 1974 | Family Education Rights and Privacy Act | 20 USC. § 1232g | Buckley Amendment | Federal | Sectoral | Information Privacy | Education Privacy | Privacy Rights | 🎓 Education Records | Students / Parents | Educators | Dept Ed | Partial | Y | Y | https://www2.ed.gov/policy/gen/guid/fpco/ferpa/index.html | ed.gov | https://en.wikipedia.org/wiki/Family_Educational_Rights_and_Privacy_Act | wikipedia.org | https://epic.org/privacy/student/ferpa/ | epic.org | https://www.law.cornell.edu/uscode/text/20/1232g | law.cornell.edu | https://nces.ed.gov/pubs97/web/97859.asp | nces.ed.gov | Student data DSAR, sharing limits | Abuses of student personal information. No real congressional debate here - Ford just signed it into law: https://www.stetson.edu/law/academics/highered/home/media/2002/Revisiting_the_Purpose_of_FERPA.pdf | Family Education Rights and Privacy Act of 1974, AKA Buckley Amendment. See: 20 USC. § 1232g | |||||||||||
42 CFR Part 2 | https://www.law.cornell.edu/cfr/text/42/part-2 | 1975 | Confidentiality Of Substance Use Disorder Patient Records | 42 C.F.R. § 2 | Confidentiality of Alcohol and Drug Abuse Patient Records | Federal | Sectoral | Information Privacy | Medical Privacy | Privacy Rights | ⚕️ PHI - Protected Health Info | Consumers | Healthcare | DOJ, SAMHSA | Y | Partial | Y | https://www.law.cornell.edu/uscode/text/42/290dd-2 | law.cornell.edu | https://www.ncsc.org/sitecore/content/microsites/future-trends-2012/home/privacy-and-technology/substance-abuse.aspx | ncsc.org | http://www.healthinfolaw.org/federal-law/42-cfr-part-2 | healthinfolaw.org | http://www.health-law.com/newsroom-advisories-HHS-Finalizes-Transitional-Changes-to-42-CFR-Part-2-Regulations.html | health-law.com | Protects fed-funded substance abuse records | To address concerns about the potential use of Substance Use Disorder (SUD) info in non-treatment based settings (such as administrative or criminal hearings related to the patient.) Part 2 is intended to ensure that a patient receiving treatment for a SUD in a Part 2 Program does not face adverse consequences in relation to issues such as criminal proceedings and domestic proceedings such as those related to child custody, divorce or employment. | Confidentiality Of Substance Use Disorder Patient Records of 1975, AKA Confidentiality of Alcohol and Drug Abuse Patient Records. See: 42 C.F.R. § 2 | |||||||||||||
IDEA | https://uscode.house.gov/view.xhtml?path=/prelim@title20/chapter33/subchapter1&edition=prelim | 1975 | Individuals with Disabilities Education Act | 20 USC Chapter 33 | Federal | Privacy Benefit | Information Privacy | Education Privacy | Privacy Rights | 🎓 Education Records | Students / Parents | Educators | OCR | Y | Unclear | Y | Y | https://en.wikipedia.org/wiki/Individuals_with_Disabilities_Education_Act | wikipedia.org | https://sites.ed.gov/idea/ | sites.ed.gov | https://sites.ed.gov/idea/about-idea/ | sites.ed.gov | https://www.understood.org/en/school-learning/your-childs-rights/basics-about-childs-rights/individuals-with-disabilities-education-act-idea-what-you-need-to-know | understood.org | https://www.ncld.org/wp-content/uploads/2014/11/IDEA-Parent-Guide1.pdf | ncld.org | Educational rights of the disabled | PARC and Mills rulings in 1971 prompted Congressional inquiry. Found 2.5 million students receiving substandard education and 1.75 million weren't in school. https://educationonline.ku.edu/community/idea-timeline | Individuals with Disabilities Education Act of 1975. See: 20 USC Chapter 33 | |||||||||||
FISA | https://www.law.cornell.edu/uscode/text/50/chapter-36 | 1978 | Foreign Intelligence Surveillance Act | Federal | Sectoral | Comm Privacy | National Security | Surveillance Laws | 🇺🇸 FII - Foreign Intell | Security | Law Enforce | FISC | Y | Y | https://www.fisc.uscourts.gov/about-foreign-intelligence-surveillance-court | fisc.uscourts.gov | https://en.wikipedia.org/wiki/Foreign_Intelligence_Surveillance_Act | wikipedia.org | https://epic.org/privacy/surveillance/fisa/ | epic.org | https://fas.org/irp/agency/doj/fisa/ | fas.org | Spying can be OK. Secret courts. | Passed after abuses by Nixon found by Church Committee. Tradeoffs about warrantless domestic wiretapping. | Foreign Intelligence Surveillance Act of 1978 | ||||||||||||||||
Prot of Pupil Rights Amend | https://www.ecfr.gov/cgi-bin/text-idx?SID=c372efef49f7659ea9397da901b0ab0a&mc=true&node=pt34.1.98&rgn=div5 | 1978 | Protection of Pupil Rights Amendment | 49 FR 35321, Sept. 6, 1984 | Hatch Amendment, PPRA | Federal | Sectoral | Information Privacy | Education Privacy | Transparency | 🎓 Education Records | Students / Parents | Educators | Dept Ed | surveys | https://studentprivacy.ed.gov/faq/what-protection-pupil-rights-amendment-ppra | studentprivacy.ed.gov | https://en.wikipedia.org/wiki/Protection_of_Pupil_Rights_Amendment | wikipedia.org | https://www.ascd.org/ASCD/pdf/journals/ed_lead/el_198512_greene.pdf | ascd.org | https://www.law.cornell.edu/uscode/text/20/1232h | law.cornell.edu | https://www.studentprivacymatters.org/ferpa_ppra_coppa/#PPRA | studentprivacymatters | Parental rights over school surveys | FERPA applied only to info stored in ed records. Congress responded to concerns about the collection and disclosure of student information for commercial purposes by amending FERPA in 1978 with the Protection of Pupil Rights Amendment (PPRA). Also, conspiracy-minded parents and Senator Hatch were concerned about liberal educators. https://www.ascd.org/ASCD/pdf/journals/ed_lead/el_198512_greene.pdf | Protection of Pupil Rights Amendment of 1978, AKA Hatch Amendment, PPRA. See: 49 FR 35321, Sept. 6, 1984 | |||||||||||||
Right to Finan Privacy Act | https://www.law.cornell.edu/uscode/text/12/chapter-35 | 1978 | Right to Financial Privacy Act | Federal | Sectoral | Information Privacy | Law Enforce | Privacy Rights | $ Financial Records | Consumers | Financial Orgs | Y | https://www.fdic.gov/regulations/compliance/manual/8/viii-3.1.pdf | fdic.gov | https://epic.org/privacy/rfpa/ | epic.org | https://medium.com/golden-data/federal-right-to-financial-privacy-act-3336b09aaf1b | medium.com | Limits Bank record disclosures | US v Miller was the trigger: In 1976, the Supreme Court held that a bank customer has no constitutionally protected right of privacy in his or her bank records because these records are the "business records of the bank." In 1978, Congress passed the RFPA in direct response to this decision: " The Court did not acknowledge the sensitive nature of these records..." | Right to Financial Privacy Act of 1978 | ||||||||||||||||||||
Privacy Protection Act | https://www.law.cornell.edu/uscode/text/42/2000aa | 1980 | Privacy Protection Act | PPA | Federal | Sectoral | Information Privacy | Media & Privacy | Privacy Rights | 📰 Journalism | Journalists | Government | Y | Unclear | https://en.wikipedia.org/wiki/Privacy_Protection_Act_of_1980 | wikipedia.org | https://en.wikipedia.org/wiki/Privacy_Protection_Act_of_1980 | wikipedia.org | https://epic.org/privacy/ppa/ | epic.org | Gov can't raid journalist working on story | Passed in response to Zurcher v. Stanford Daily (1978 Supreme Court case) | Privacy Protection Act of 1980, AKA PPA | ||||||||||||||||||
The Common Rule | https://ecfr.federalregister.gov/current/title-45/subtitle-A/subchapter-A/part-46 | 1981 | The Common Rule | Federal Policy for the Protection of Human Subjects | Federal | Topical | Information Privacy | Medical Privacy | Privacy Rights | ⚕️ PHI - Protected Health Info | Research subjects | Researchers | ALL | StAG | https://www.research.va.gov/programs/pride/resources/Common_Rule_Flyer.pdf | research.va.gov | https://www.hhs.gov/ohrp/regulations-and-policy/regulations/common-rule/index.html | hhs.gov | https://en.wikipedia.org/wiki/Common_Rule | wikipedia.org | https://www.ecfr.gov/cgi-bin/text-idx?SID=300df04ebff09c7b23735d902a3f645a&mc=true&tpl=/ecfrbrowse/Title45/45cfr46_main_02.tpl | ecfr.gov | https://researchcompliance.stanford.edu/panels/hs/common-rule | stanford.edu | Need informed consent, review | A sad history of failed oversight of human research participants, exemplified by the Tuskegee syphilis study, military radiation experiments, provided impetus for federal protections. The 1979 Belmont Report formed the intellectual backdrop for federal research protection, introducing ethical principles of respect for persons, beneficence, and justice. - https://homepage.cs.uiowa.edu/~sriram/5980/spring18/jama_Hodge_2017_vp_170024.pdf | The Common Rule of 1981, AKA Federal Policy for the Protection of Human Subjects | ||||||||||||||
Cable Comm Policy Act | https://www.congress.gov/bill/98th-congress/senate-bill/66 | 1984 | Cable Communications Policy Act | Cable Act of 1984, CCPA | Federal | Sectoral | Information Privacy | Consumer Privacy | Privacy Rights | 👤 PII - Personally Identifiable Info | Consumers | Comms | FCC | Y | Y | Y | https://www.congress.gov/bill/98th-congress/senate-bill/66 | congress.gov | https://en.wikipedia.org/wiki/Cable_Communications_Policy_Act_of_1984 | wikipedia.org | https://www.mtsu.edu/first-amendment/article/1057/cable-communications-policy-act-of-1984 | mtsu.edu | https://www.law.cornell.edu/uscode/text/47/551 | law.cornell.edu | https://www.cippguide.org/2013/05/24/cable-communications-privacy-act-of-1984/ | cippguide.org | Deregulated cable TV | Barry Goldwater wanted deregulation. The new law attempted to strike a delicate balance between the FCC, local governments, and marketplace competition, where in the past, each of these entities had vied for dominance. The Cable Act was to be the solution to the ongoing problem of who, or what, should exercise the most power over local cable operations | Cable Communications Policy Act of 1984, AKA Cable Act of 1984, CCPA | ||||||||||||
ECPA | https://content.next.westlaw.com/3-508-5021?transitionType=Default&contextData=(sc.Default)&__lrTS=20200512005853663&firstPage=true | 1986 | Electronic Communications Privacy Act | Pub.L. 99–508 | Federal | Sectoral | Comm Privacy | Law Enforce | Surveillance Laws | 📞 Personal Comms | Security | All Controllers | Y | Y | https://codes.findlaw.com/us/title-18-crimes-and-criminal-procedure/18-usc-sect-2511.html | codes.findlaw.com | https://epic.org/privacy/ecpa/ | epic.org | https://en.wikipedia.org/wiki/Electronic_Communications_Privacy_Act | wikipedia.org | https://cdt.org/insights/electronic-communications-privacy-act-primer/ | cdt.org | Electronic Spying Bill. Some protections. | With the development of new forms of digital comms (esp email and digital call info) new regs were needed to deal with the data and the potential abuses. ECPA was enacted to create/promote "the privacy expectations of citizens and the legitimate needs of law enforcement." Congress also sought to support the creation of new technologies by assuring consumers that their personal info would remain safe. https://epic.org/privacy/ecpa/ | Electronic Communications Privacy Act of 1986. See: Pub.L. 99–508 | ||||||||||||||||
Pen Register Act | https://www.law.cornell.edu/uscode/text/18/part-II/chapter-206 | 1986 | Pen Register Act | ECPA Title III | Federal | Sectoral | Comm Privacy | Law Enforce | Surveillance Laws | 📞 Personal Comms | Security | All Controllers | Y | https://www.law.cornell.edu/uscode/text/18/part-II/chapter-206 | law.cornell.edu | https://en.wikipedia.org/wiki/Pen_register#Pen_Register_Act | wikipedia.org | https://cyber.harvard.edu/privacy/Introduction%20to%20Government%20Investigations.htm | cyber.harvard.edu | Easy LEO access to phone metadata | With the development of new forms of digital comms (esp email and digital call info) new regs were needed to deal with the data and the potential abuses. ECPA was enacted to create/promote "the privacy expectations of citizens and the legitimate needs of law enforcement." Congress also sought to support the creation of new technologies by assuring consumers that their personal info would remain safe. https://epic.org/privacy/ecpa/ | Pen Register Act of 1986, AKA ECPA Title III | |||||||||||||||||||
Stored Comm Act | https://www.law.cornell.edu/uscode/text/18/part-I/chapter-121 | 1986 | Stored Communications Act | ECPA Title II | Federal | Sectoral | Comm Privacy | Law Enforce | Surveillance Laws | 📞 Personal Comms | Security | All Controllers | Y | Y | https://en.wikipedia.org/wiki/Stored_Communications_Act | wikipedia.org | https://www.law.cornell.edu/uscode/text/18/part-I/chapter-121 | law.cornell.edu | https://www.lexisnexis.com/lexis-practice-advisor/the-journal/b/lpa/posts/stored-communications-act-practical-considerations | lexisnexis.com | https://it.ojp.gov/PrivacyLiberty/authorities/statutes/1285 | it.ojp.gov | https://fas.org/sgp/crs/misc/R44036.pdf | fas.org | Access to email, ISP history | With the development of new forms of digital comms (esp email and digital call info) new regs were needed to deal with the data and the potential abuses. ECPA was enacted to create/promote "the privacy expectations of citizens and the legitimate needs of law enforcement." Congress also sought to support the creation of new technologies by assuring consumers that their personal info would remain safe. https://epic.org/privacy/ecpa/ | Stored Communications Act of 1986, AKA ECPA Title II | ||||||||||||||
CFAA | https://www.congress.gov/bill/99th-congress/house-bill/4718 | 1986 | Computer Fraud and Abuse Act | Federal | Criminal | Information Privacy | InfoSec / Breaches | Anti-Crime Policing | 🖥️ Info from a “protected computer” | Security | Illegal Acts | DOJ | Y | Y | https://codes.findlaw.com/us/title-18-crimes-and-criminal-procedure/18-usc-sect-1030.html | codes.findlaw.com | https://en.wikipedia.org/wiki/Computer_Fraud_and_Abuse_Act | wikipedia.org | https://www.goodwinlaw.com/-/media/files/publications/10_01-aa-key-issues-in-computer-fraud-and-abuse.pdf | goodwinlaw.com | https://readingroom.law.gsu.edu/cgi/viewcontent.cgi?article=1021&context=lib_student | gsu.edu | https://scholarship.law.uc.edu/cgi/viewcontent.cgi?article=1172&context=uclr | uc.edu | Hacking is a crime. Unauthorized access. | Congress made clear that the impetus behind initial creation of § 1030 was to target hacking activities. The House Report accompanying the statute stressed both governments’ and businesses’ growing reliance on computers and the threat that increased networking would make society more vulnerable to hacking incidents. The “vast potential for significant criminal activity... because the criminal justice system was ill-equipped to deal with changing technology. | Computer Fraud and Abuse Act of 1986 | ||||||||||||||
EPPA | https://finduslaw.com/employee-polygraph-protection-epp-29-us-code-chapter-22 | 1988 | Employee Polygraph Protection Act | 29 U.S. Code Chapter 22 | Federal | Topical | Bodily Privacy | Employment Privacy | Privacy Rights | ⚕️ PBI - Protected Biometric Info | Employees | Employers | Dept Labor | Y | https://www.dol.gov/agencies/whd/polygraph | dol.gov | https://en.wikipedia.org/wiki/Employee_Polygraph_Protection_Act | wikipedia.org | https://www.dol.gov/agencies/whd/fact-sheets/36-eppa | dol.gov | https://www.polygraph.org/employee-polygraph-protection-act-eppa- | polygraph.org | https://www.law.cornell.edu/uscode/text/29/chapter-22 | law.cornell.edu | Limits Employer use of lie detectors | Vast majority of the polygraph examinations given in the US were administered by private sector employers, requiring tests both as pre-employment screening devices, post-employment ID devices for discipline. Use was adversely affecting thousands of innocent workers per year. EPPA was Congressional response to the unfairness of subjecting a worker to discipline or discharge based solely upon the results of the inherently unreliable polygraph test. | Employee Polygraph Protection Act of 1988. See: 29 U.S. Code Chapter 22 | ||||||||||||||
CMPPA 1988 | https://www.federalregister.gov/documents/2015/02/06/2015-02469/computer-matching-and-privacy-protection-act-of-1988-computer-matching-program-between-the-us | 1988 | Computer Matching and Privacy Protection Act | Federal | Topical | Information Privacy | Government Records | Privacy Rights | 🇺🇸 Gov Data | Citizens | Government | OMB | Y | https://www.federalregister.gov/documents/2016/02/17/2016-03164/computer-matching-and-privacy-protection-act-of-1988-report-of-matching-program-corporation-for | federalregister.gov | https://itlaw.wikia.org/wiki/Computer_Matching_and_Privacy_Protection_Act_of_1988 | itlaw.wikia.org | https://aspe.hhs.gov/report/minimizing-disclosure-risk-hhs-open-data-initiatives/2-computer-matching-and-privacy-protection-act-1988-0 | aspe.hhs.gov | https://www.irs.gov/irm/part11/irm_11-003-039 | irs.gov | Gov can't use PII to go fishing | Concern about abuse of PII collected for specific purposes being rerouted to other agencies in violation of Privacy Act. | Computer Matching and Privacy Protection Act of 1988 | |||||||||||||||||
VPPA | https://www.law.cornell.edu/uscode/text/18/2710 | 1988 | Video Privacy Protection Act | 18 U.S. Code § 2710 | Federal | Sectoral | Information Privacy | Consumer Privacy | Privacy Rights | 👤 PII - Personally Identifiable Info | Consumers | Video businesses | Y | Y | https://www.law.cornell.edu/uscode/text/18/2710 | law.cornell.edu | https://epic.org/privacy/vppa/ | epic.org | https://www.law.cornell.edu/uscode/text/18/2710 | law.cornell.edu | https://www.insideprivacy.com/tag/vppa/ | insideprivacy.com | Video Rental PII Sharing limits | Judge Bork. The impetus for enacting the VPPA occurred when a weekly newspaper in Washington, DC, published a profile of Judge Robert H. Bork based on the titles of 146 films his family had rented from a video store. At the time, the Senate Judiciary Committee was conducting hearings on Judge Bork's nomination to the Supreme Court. | Video Privacy Protection Act of 1988. See: 18 U.S. Code § 2710 | ||||||||||||||||
ADA | https://www.ada.gov/pubs/adastatute08.htm | 1990 | Americans with Disabilities Act | Federal | Privacy Benefit | Information Privacy | Employment Privacy | Anti-Discrim Rights | ⚕️ PHI - Protected Health Info | Citizens | Employers | EEOC, DOJ | Y | Y | https://www.eeoc.gov/publications/ada-your-employment-rights-individual-disability | eeoc.gov | https://www.dol.gov/general/topic/disability/ada | dol.gov | https://www.mintz.com/insights-center/viewpoints/2226/2020-03-31-updated-eeoc-issues-ada-and-title-vii-guidance-employers | mintz.com | Rights of the disabled | The impetus for ADA grew out of the Civil Rights Movement of the 1960's. Federal legislation to protect civil rights initially focused on the prevention of racial discrimination | Americans with Disabilities Act of 1990 | ||||||||||||||||||
Clery Act | https://www.govinfo.gov/content/pkg/FR-2014-10-20/pdf/2014-24284.pdf#page=33 | 1990 | Jeanne Clery Disclosure of Campus Security Policy and Campus Crime Statistics Act | Pub.L. 101–54, 220 U.S.C. § 1092(f), 34 CFR 668.46 | Federal | Sectoral | Information Privacy | Education Privacy | Transparency | 👮 Incident Records | Students / Parents | Educators | Dept Ed | crime | https://en.wikipedia.org/wiki/Clery_Act | wikipedia.org | https://fas.org/sgp/crs/misc/IF11277.pdf | fas.org | https://www.knowyourix.org/college-resources/clery-act/ | knowyourix.org | https://www.ewa.org/story-lab/ferpa-and-clery-act-explained | ewa.org | https://www.justice.gov/archives/ovw/page/file/910306/download | justice.gov | Campus crime reporting transparency | 19-year-old Lehigh University student whom Josoph Henry raped and murdered in her campus hall of residence in 1986. Ms. Clery triggered a backlash against unreported crime on campuses across the country | Jeanne Clery Disclosure of Campus Security Policy and Campus Crime Statistics Act of 1990. See: Pub.L. 101–54, 220 U.S.C. § 1092(f), 34 CFR 668.46 | ||||||||||||||
TCPA | https://www.law.cornell.edu/uscode/text/47/227 | 1991 | Telephone Consumer Protection Act | Federal | Topical | Information Privacy | Consumer Privacy | Privacy Rights | 👤 Contact Info | Consumers | Telemarketers | FCC | StAG | Y | Y | https://www.law.cornell.edu/uscode/text/47/227 | law.cornell.edu | https://en.wikipedia.org/wiki/Telephone_Consumer_Protection_Act_of_1991 | wikipedia.org | https://www.consumeradvocates.org/for-consumers/robocalls-telemarketing | consumeradvocates | https://www.natlawreview.com/article/hard-sell-sixth-circuit-denies-vicarious-liability-tcpa-violations-against-third | natlawreview.com | https://www.venable.com/-/media/files/events/2020/01/telemarketing-and-texting-slides-jan-2020.pdf | venable.com | Do Not Call, Dialing, Robocall rules | Unsolicited ads by telemarketers, where the recipient was forced to incur the cost of printing a faxed advertisement or incurring an actual charge on a cellular telephone of a call from a telemarketer. | Telephone Consumer Protection Act of 1991 | |||||||||||||
DPPA | https://www.law.cornell.edu/uscode/text/18/2721 | 1994 | Driver’s Privacy Protection Act | Federal | Sectoral | Information Privacy | Consumer Privacy | Privacy Rights | 👤 PII - Personally Identifiable Info | Citizens | Government | Y | Y | Partial | https://www.law.cornell.edu/uscode/text/18/2721 | law.cornell.edu | https://epic.org/privacy/drivers/ | epic.org | https://en.wikipedia.org/wiki/Driver%27s_Privacy_Protection_Act | wikipedia.org | https://www.spj.org/news.asp?ref=169 | spj.org | https://epic.org/amicus/dppa/maracich/ | epic.org | Drivers License Info Sharing limits | Murdered Actress. The law was a response to the murder of actress Rebecca Schaeffer. Her attacker had obtained her home address from the California Department of Motor Vehicles indirectly, through a private investigator. During debate on the bill, a number of stories recounted the ease with which a stalker could get home addresses based only on a license plate. | Driver’s Privacy Protection Act of 1994 | ||||||||||||||
CALEA | https://www.congress.gov/bill/103rd-congress/house-bill/4922 | 1994 | Communications Assistance for Law Enforcement Act | Digital Telephony Act | Federal | Sectoral | Comm Privacy | Law Enforce | Surveillance Laws | 📞 Personal Comms | Security | Comms | DOJ | https://www.fcc.gov/public-safety-and-homeland-security/policy-and-licensing-division/general/communications-assistance | fcc.gov | https://en.wikipedia.org/wiki/Communications_Assistance_for_Law_Enforcement_Act | wikipedia.org | https://blogs.harvard.edu/surveillance/2008/10/23/calea-status/ | harvard.edu | Telecoms must spy for Gov | The Wiretap Act imposed no specific responsibility on telecom carriers to assist law enforcement officials with wiretaps. This was the primary impetus behind CALEA. Also, the growing use of digital telephone switches that did not inherently provide the same support for wiretapping as did the older tools. In 2005, the FCC extended its interpretation of the law to require that ISPs provide wiretapping access to a range of Internet data. | Communications Assistance for Law Enforcement Act of 1994, AKA Digital Telephony Act | |||||||||||||||||||
Telemarketing Sales Rule | https://www.ecfr.gov/cgi-bin/text-idx?SID=e37d3cd088c6b4724a389338f9c3e141&mc=true&tpl=/ecfrbrowse/Title16/16cfr310_main_02.tpl | 1995 | Telemarketing Sales Rule (TSR) | 16 C.F.R. Part 310 | Telemarketing and Consumer Fraud and Abuse Prevention Act (TCFPA) | Federal | Topical | Information Privacy | Consumer Privacy | Privacy Rights | 👤 Contact Info | Consumers | Telemarketers | FTC | StAG | Y | https://en.wikipedia.org/wiki/Telemarketing_and_Consumer_Fraud_and_Abuse_Prevention_Act | wikipedia.org | https://www.ftc.gov/enforcement/statutes/telemarketing-consumer-fraud-abuse-prevention-act | ftc.gov | https://www.venable.com/-/media/files/events/2020/01/telemarketing-and-texting-slides-jan-2020.pdf | venable.com | https://www.ftc.gov/tips-advice/business-center/guidance/complying-telemarketing-sales-rule | ftc.gov | https://thedma.org/resources/compliance-resources/ftc-telemarketing-sales-rule/ | thedma.org | Do Not Call, Dialing, Robocall rules | Spawned from 1995 Telemarketing and Consumer Fraud and Abuse Prevention Act (TCFPA) | Telemarketing Sales Rule (TSR) of 1995, AKA Telemarketing and Consumer Fraud and Abuse Prevention Act (TCFPA). See: 16 C.F.R. Part 310 | ||||||||||||
HIPAA | https://www.hhs.gov/sites/default/files/ocr/privacy/hipaa/administrative/combined/hipaa-simplification-201303.pdf | 1996 | Health Insurance Portability and Accountability Act | Kennedy-Kassebaum Act | Federal | Sectoral | Information Privacy | Medical Privacy | Privacy Rights | ⚕️ PHI - Protected Health Info | Consumers | Healthcare | HHS-OCR | StAG | Y | Y | Y | https://www.hhs.gov/hipaa/for-professionals/privacy/laws-regulations/index.html | hhs.gov | https://www.cms.gov/Outreach-and-Education/Medicare-Learning-Network-MLN/MLNProducts/Downloads/HIPAAPrivacyandSecurity.pdf | cms.gov | https://www.atlantic.net/hipaa-compliant-hosting/hipaa-compliance-guide-what-is-hipaa/ | atlantic.net | https://evisit.com/resources/hipaa-guide/#12 | evisit.com | https://www.hhs.gov/hipaa/for-professionals/privacy/guidance/index.html | hhs.gov | Electronic Medical Records regulated | The initial purpose of HIPAA was not privacy, but portability of healthcare for employees changing jobs. | Health Insurance Portability and Accountability Act of 1996, AKA Kennedy-Kassebaum Act | |||||||||||
PRWORA | https://www.congress.gov/bill/104th-congress/house-bill/3734/text | 1996 | Personal Responsibility and Work Opportunity Reconciliation Act | Welfare Reform | Federal | Topical | Information Privacy | Employment Privacy | Transparency | 👷 Employment info | Citizens | Businesses | https://www.ssa.gov/OP_Home/comp2/F104-193.html | ssa.gov | https://en.wikipedia.org/wiki/Personal_Responsibility_and_Work_Opportunity_Act | wikipedia.org | https://www.centreforpublicimpact.org/case-study/personal-responsibility-and-work-opportunity-reconciliation-act-the-clinton-welfare-reform/ | centreforpublicimpact | Welfare reform = new hire transparency | Republican "Contract with America." Widely viewed as the most fundamental reform to the US social safety net since the New Deal by its dismantling of the major cash entitlement programs AFDC and replacing it with state-controlled block grant TANF funds | Personal Responsibility and Work Opportunity Reconciliation Act of 1996, AKA Welfare Reform | ||||||||||||||||||||
CDA 230 | https://www.law.cornell.edu/uscode/text/47/230 | 1996 | Communications Decency Act | Federal | Privacy Benefit | Information Privacy | Media & Privacy | Free Speech Rights | 💬 Protected Speech | Platforms | Online publishers | Courts | https://en.wikipedia.org/wiki/Communications_Decency_Act | wikipedia.org | https://www.eff.org/issues/cda230 | eff.org | https://www.britannica.com/topic/Communications-Decency-Act | britannica.com | https://www.law.cornell.edu/uscode/text/47/230 | law.cornell.edu | Platforms are not publishers, not liable | Response to the Prodigy decision that penalized the company for their content moderation efforts. Wyden got 230 added to CDA. Original CDA legislation was to prevent porn, but failed miserably on constitutional grounds. "[T]he whole point of Section 230 was to allow online services to have the discretion to block content that they deem objectionable." https://arstechnica.com/tech-policy/2020/06/section-230-the-internet-law-politicians-love-to-hate-explained/ | Communications Decency Act of 1996 | ||||||||||||||||||
Telecommunications Act | https://www.congress.gov/bill/104th-congress/senate-bill/652/text | 1996 | Telecommunications Act | Pub. L. 104-104, Feb. 8, 1996, 110 Stat. 56 | Federal | Sectoral | Information Privacy | Consumer Privacy | Privacy Rights | 📂 CPNI - Customer Proprietary Network Info | Consumers | Businesses | FCC | StAG | Y | Y | Y | https://www.fcc.gov/general/telecommunications-act-1996 | fcc.gov | https://en.wikipedia.org/wiki/Telecommunications_Act_of_1996 | wikipedia.org | https://www.ntia.doc.gov/legacy/opadhome/overview.htm | ntia.doc.gov | https://thehill.com/policy/technology/268459-bill-clintons-telecom-law-twenty-years-later | thehill.com | https://www.britannica.com/topic/Telecommunications-Act | britannica.com | Dereg to increase competition backfired | The Act envisioned increased competition in all telecommunications markets, both in the markets for the various elements that comprise the telecommunications network, as well as for the final services the network creates. | Telecommunications Act of 1996. See: Pub. L. 104-104, Feb. 8, 1996, 110 Stat. 56 | |||||||||||
Tax Browsing Prot Act | https://www.congress.gov/bill/105th-congress/house-bill/1226/text | 1997 | Taxpayer Browsing Protection Act | Pub. L. 105-35 (08/05/1997) | TBPA | Federal | Sectoral | Information Privacy | Financial Privacy | Privacy Rights | $ Financial Records | Citizens | Government | Y | Y | https://www.law.cornell.edu/topn/taxpayer_browsing_protection_act | law.cornell.edu | https://www.irs.gov/irm/part10/irm_10-005-005 | irs.gov | https://itlaw.wikia.org/wiki/Taxpayer_Browsing_Protection_Act_of_1997 | itlaw.wikia.org | https://www.congress.gov/bill/105th-congress/house-bill/1226/text?overview=closed | congress.gov | https://www.congress.gov/105/plaws/publ35/PLAW-105publ35.pdf | congress.gov | Unlawful to snoop tax records | One Congressman from Texas: Rep. Bill Archer (R - Texas) https://www.epic.org/privacy/databases/irs/archer_statement_497.html | Taxpayer Browsing Protection Act of 1997, AKA TBPA. See: Pub. L. 105-35 (08/05/1997) | |||||||||||||
ITADA | https://www.ftc.gov/node/119459 | 1998 | Identity Theft and Assumption Deterrence Act | Federal | Criminal | Information Privacy | InfoSec / Breaches | Anti-Crime Policing | 👤 PII - Personally Identifiable Info | Businesses | Illegal Acts | FTC | Y | https://www.ftc.gov/node/119459 | ftc.gov | https://www.comparitech.com/identity-theft-protection/identity-theft-assumption-deterrence-act/ | comparitech.com | https://itlaw.wikia.org/wiki/Identity_Theft_and_Assumption_Deterrence_Act_of_1998 | itlaw.wikia.org | ID theft is a federal crime | Individual and institutional losses of $745 million to identity theft in 1997. "Tens of thousands of Americans have been victims of identity theft. Imposters often run up huge debts, file for bankruptcy, and commit serious crimes. It can take years for victims of identity theft to restore their credit ratings and their reputations. This legislation will enable the United States Secret Service, the Federal Bureau of Investigation, and other law enforcement agencies to combat this type of crime, which can financially devastate its victims." - President William J. Clinton. | Identity Theft and Assumption Deterrence Act of 1998 | |||||||||||||||||||
COPPA | https://www.law.cornell.edu/uscode/text/15/chapter-91 | 1998 | Children’s Online Privacy Protection Act | 15 U.S. Code CHAPTER 91 | Federal | Broad | Information Privacy | Consumer Privacy | Privacy Rights | 👤 PII - Personally Identifiable Info | Consumers | Online businesses | FTC | StAG | Y | Y | Y | Y | https://www.ftc.gov/enforcement/rules/rulemaking-regulatory-reform-proceedings/childrens-online-privacy-protection-rule | ftc.gov | https://epic.org/privacy/kids/ | epic.org | https://www.ftc.gov/tips-advice/business-center/privacy-and-security/children%27s-privacy | ftc.gov | https://en.wikipedia.org/wiki/Children%27s_Online_Privacy_Protection_Act | wikipedia.org | https://www.inc.com/encyclopedia/childrens-online-privacy-protection-act-coppa.html | inc.com | Children's PII highly regulated | KidsCom.com prosecution, 1998 FTC Privacy On-Line Report to Congress, documenting the online collection of personal information from children | Children’s Online Privacy Protection Act of 1998. See: 15 U.S. Code CHAPTER 91 | ||||||||||
GLBA | https://www.congress.gov/bill/106th-congress/senate-bill/900/text | 1999 | Gramm-Leach-Bliley Act | Financial Services Modernization Act, Title V | Federal | Sectoral | Information Privacy | Financial Privacy | Privacy Rights | 👤 NPI - Non-Public Info | Consumers | Financial Orgs | CFPB, FTC, Others | StAG | Y | Not directly | Y | https://www.ftc.gov/tips-advice/business-center/privacy-and-security/gramm-leach-bliley-act | ftc.gov | https://en.wikipedia.org/wiki/Gramm%E2%80%93Leach%E2%80%93Bliley_Act | wikipedia.org | https://www.investopedia.com/terms/g/glba.asp | investopedia.com | https://digitalguardian.com/blog/what-glba-compliance-understanding-data-protection-requirements-gramm-leach-bliley-act | digitalguardian.com | https://www.lexology.com/library/detail.aspx?g=415d0c61-a5d1-4e6b-a68b-82437a64230d | lexology.com | Financial Records regulated | Controversial data practices of major banks like the U.S. Bancorp/MemberWorks Scandal: Prior to GLBA’s passage, a number of leading financial institutions were found to have shared detailed customer information, including account numbers and other highly sensitive data, with telemarketing firms. Subsequently, the firms used the account numbers to charge customers for unsolicited services. + Citicorp/Travelers merger, relaxations of Glass-Steagall. | Gramm-Leach-Bliley Act of 1999, AKA Financial Services Modernization Act, Title V | |||||||||||
EO 13145: Genetic Info | https://www.transportation.gov/sites/dot.gov/files/docs/eo13145_0_0.pdf | 2000 | To Prohibit Discrimination in Federal Employment Based on Genetic Information | Federal | Topical | Bodily Privacy | Employment Privacy | Anti-Discrim Rights | ⚕️ PGI - Protected Genetic Info | Employees | Government | https://www.govinfo.gov/content/pkg/WCPD-2000-02-14/pdf/WCPD-2000-02-14-Pg244.pdf | govinfo.gov | https://www.eeoc.gov/eeoc/history/35th/thelaw/13145.html | eeoc.gov | https://www.eeoc.gov/policy/docs/qanda-genetic.html | eeoc.gov | Fed Employers can't discrim on DNA | Anti-discrimination | To Prohibit Discrimination in Federal Employment Based on Genetic Information of 2000 | |||||||||||||||||||||
Safe Harbor (EU-US) | https://www.everycrsreport.com/files/20151029_R44257_35c829bb2fee9d0ef3aa897dd15f69a573f1ab68.pdf | 2000 | U.S.-EU Safe Harbor Framework | International | Topical | Information Privacy | National Security | Self Reg | 👤 PII - Personally Identifiable Info | Businesses | Businesses | FTC | https://en.wikipedia.org/wiki/International_Safe_Harbor_Privacy_Principles | wikipedia.org | https://www.ftc.gov/tips-advice/business-center/privacy-and-security/u.s.-eu-safe-harbor-framework | ftc.gov | https://iapp.org/resources/article/a-brief-history-of-safe-harbor/ | iapp.org | Orig agreement to give US orgs "adequacy" | In a word, adequacy. In July 2000, the European Commission (EC) decided that US companies complying with the principles and registering their certification that they met the EU requirements, the so-called "safe harbour scheme", were allowed to transfer data from the EU to the US. This is referred to as the Safe Harbour decision. | U.S.-EU Safe Harbor Framework of 2000 | ||||||||||||||||||||
PIPEDA (Canada) | https://laws-lois.justice.gc.ca/eng/acts/P-8.6/index.html | 2001 | Canada's Personal Information Protection and Electronic Documents Act | Canada | Comprehensive | Information Privacy | International Privacy | Privacy Rights | 👤 PII - Personally Identifiable Info | Consumers | All Controllers | OPC | Y | https://www.priv.gc.ca/en/privacy-topics/privacy-laws-in-canada/the-personal-information-protection-and-electronic-documents-act-pipeda/ | priv.gc.ca | https://en.wikipedia.org/wiki/Personal_Information_Protection_and_Electronic_Documents_Act | wikipedia.org | https://digitalguardian.com/blog/what-pipeda-personal-information-protection-and-electronic-documents-act-understand-and-comply | digitalguardian.com | https://www.canlii.org/en/ca/laws/stat/sc-2000-c-5/latest/sc-2000-c-5.html | canlii.org | Consent. Access. Accuracy. Purpose Limit. | Rapid Internet growth and other technological advances that greatly facilitated the collection, retention, organization and dissemination of personal data + the European Union’s Privacy Directive (1995) | Canada's Personal Information Protection and Electronic Documents Act of 2001 | |||||||||||||||||
PATRIOT Act | https://epic.org/privacy/terrorism/hr3162.html | 2001 | Uniting and Strengthening America by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism | Federal | Broad | Comm Privacy | National Security | Surveillance Laws | 📞 Personal Comms | Security | Law Enforce | FBI | Y | https://en.wikipedia.org/wiki/Patriot_Act | wikipedia.org | https://epic.org/privacy/terrorism/hr3162.html | epic.org | https://www.vox.com/2015/6/2/8701499/patriot-act-explain | vox.com | https://www.eff.org/issues/patriot-act | eff.org | https://www.aclu.org/issues/national-security/privacy-and-surveillance/surveillance-under-patriot-act | aclu.org | Post-911 made Gov snooping easier | 9/11. Legislative proposals in response to the terrorist attacks of September 11, 2001 were introduced less than a week after the attacks. USA PATRIOT was a compromise bill, weaker than Anti-Terrorism Act of 2001 (ATA) but still very privacy-compromising. President Bush signed the final bill into law on October 26, 2001 | Uniting and Strengthening America by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism of 2001 | |||||||||||||||
EGOV | https://www.congress.gov/bill/107th-congress/house-bill/02458 | 2002 | E-government Act | Federal Information Security Management Act (FISMA) | Federal | Sectoral | Information Privacy | Government Records | Transparency | 🇺🇸 Gov Data | Citizens | Government | OMB | Y | https://en.wikipedia.org/wiki/E-Government_Act_of_2002 | wikipedia.org | https://www.justice.gov/opcl/e-government-act-2002 | justice.gov | https://www.cms.gov/Research-Statistics-Data-and-Systems/Computer-Data-and-Systems/Privacy/eGovernment-Act | cms.gov | https://www.whitehouse.gov/sites/whitehouse.gov/files/omb/assets/egov_docs/egov_implementation_report_6_17_16.pdf | whitehouse.gov | https://www.data.gov/ | data.gov | Pushes Gov info & services online | Government efficiency law passed by President George W. Bush: "The Act will also assist in expanding the use of the Internet and computer resources in order to deliver Government services, consistent with the reform principles I outlined on July 10, 2002, for a citizen-centered, results-oriented, and market-based Government." | E-government Act of 2002, AKA Federal Information Security Management Act (FISMA) | ||||||||||||||
CAN-SPAM | https://www.congress.gov/bill/108th-congress/senate-bill/877 | 2003 | Controlling the Assault of Non-Solicited Pornography and Marketing Act | Federal | Topical | Information Privacy | Consumer Privacy | Privacy Rights | 👤 Contact Info | Consumers | Marketers | FTC | StAG | ISP Only | Y | Y | https://www.ftc.gov/tips-advice/business-center/guidance/can-spam-act-compliance-guide-business | ftc.gov | https://en.wikipedia.org/wiki/CAN-SPAM_Act_of_2003 | wikipedia.org | https://www.federalregister.gov/documents/2019/04/04/2019-06562/controlling-the-assault-of-non-solicited-pornography-and-marketing-rule | federalregister.gov | https://ccbjournal.com/articles/controlling-assault-non-solicited-pornography-and-marketing-act-2003-can-spam-act-2003 | ccbjournal.com | https://www.law.cornell.edu/uscode/text/15/chapter-103 | law.cornell.edu | No spamming emails or texts | Opt Out: It's widely believed that a principal impetus for passage of the CAN-SPAM Act at the federal level was the inclusion of provisions that preempted harsher state laws that required Opt In. | Controlling the Assault of Non-Solicited Pornography and Marketing Act of 2003 | ||||||||||||
DNC Implement Act | https://uscode.house.gov/view.xhtml?req=granuleid%3AUSC-prelim-title15-chapter87A&edition=prelim | 2003 | Do-Not-Call Implementation Act | Federal | Sectoral | Information Privacy | Consumer Privacy | Privacy Rights | 👤 Contact Info | Consumers | Telemarketers | https://en.wikipedia.org/wiki/National_Do_Not_Call_Registry | wikipedia.org | https://definitions.uslegal.com/d/do-not-call-implementation-act/ | uslegal.com | https://www.congress.gov/congressional-report/108th-congress/house-report/8/1 | congress.gov | Protects from telemarketing calls | Authorizes the FTC to collect fees for the implementation and enforcement of a Do-Not-Call Registry. | Do-Not-Call Implementation Act of 2003 | |||||||||||||||||||||
CalFIPA [CA] | https://leginfo.legislature.ca.gov/faces/codes_displayText.xhtml?division=1.4.&lawCode=FIN | 2003 | California Financial Information Privacy Act | SB-1 | State | Sectoral | Information Privacy | Financial Privacy | Privacy Rights | 👤 NPI - Non-Public Info | Consumers | Financial Orgs | StAG | Y | https://leginfo.legislature.ca.gov/faces/codes_displayText.xhtml?division=1.4.&lawCode=FIN | ca.gov | https://medium.com/golden-data/what-is-calfipa-ee7e48c88dd0 | medium.com | https://www.reedsmith.com/-/media/files/perspectives/2004/09/sb1--the-california-financial-information-privacy/files/sb1--the-california-financial-information-privacy/fileattachment/acf6c0d.pdf | reedsmith.com | https://www.hldataprotection.com/2018/12/articles/consumer-privacy/california-consumer-privacy-act-the-challenge-ahead-the-interplay-between-the-ccpa-and-financial-institutions/ | hldataprotection | Limits Bank PII sharing | To provide California consumers notice and meaningful choice about how consumers’ nonpublic personal information is shared and to offer greater protection than its federal counterpart the GLBA. The core focus of CalFIPA is to limit the sharing of information. | California Financial Information Privacy Act of 2003, AKA SB-1 | ||||||||||||||||
FACTA | https://www.congress.gov/bill/108th-congress/house-bill/2622 | 2003 | Fair and Accurate Credit Transactions Act | Public Law No: 108-159 | FACT Act | Federal | Sectoral | Information Privacy | Financial Privacy | Privacy Rights | $ Consumer Reports | Consumers | Financial Orgs | CFPB, FTC | Y* Most | Y | Y | https://www.ftc.gov/enforcement/statutes/fair-accurate-credit-transactions-act-2003 | ftc.gov | https://www.investopedia.com/terms/f/facta.asp | investopedia.com | https://www.nclc.org/images/pdf/credit_reports/archive/analysis-facta.pdf | nclc.org | https://iapp.org/resources/article/fair-and-accurate-credit-transactions-act-of-2003-2/ | iapp.org | https://uscode.house.gov/view.xhtml?req=granuleid%3AUSC-prelim-title15-chapter41-subchapter3&edition=prelim | uscode.house.gov | Enhanced ID theft, free cred reports | The impetus for FACTA was expiration of existing subject-matter-specific preemption provisions in the FCRA. Prior version of FCRA provided that preemptions would not apply to state laws enacted after January 1, 2004. Congress eliminated that provision, and added a long list of new preemptions that significantly limit states’ abilities to regulate much of the FCRA’s subject matter and conduct requirements. | Fair and Accurate Credit Transactions Act of 2003, AKA FACT Act. See: Public Law No: 108-159 | |||||||||||
CalOPPA | https://leginfo.legislature.ca.gov/faces/codes_displayText.xhtml?division=8.&chapter=22.&lawCode=BPC | 2004 | California Online Privacy Protection Act | State | Topical | Information Privacy | Consumer Privacy | Privacy Rights | 👤 PII - Personally Identifiable Info | Consumers | Online businesses | StAG | via UCL | https://en.wikipedia.org/wiki/Online_Privacy_Protection_Act | wikipedia.org | https://consumercal.org/about-cfc/cfc-education-foundation/california-online-privacy-protection-act-caloppa-3/ | consumercal.org | https://leginfo.legislature.ca.gov/faces/codes_displayText.xhtml?division=8.&chapter=22.&lawCode=BPC | ca.gov | https://blog.rsisecurity.com/california-privacy-policy-what-is-caloppa/ | rsisecurity.com | https://medium.com/golden-data/what-is-caloppa-b781b0cd5e39 | medium.com | Websites must have Privacy Policy | CalOPPA was enacted to help “foster the continued growth of the Internet economy…by allowing individuals to rely on a Privacy Policy posted online.” The law is meant to reassure consumers who were unsure of doing business online. | California Online Privacy Protection Act of 2004 | |||||||||||||||
Vid Voyeur Prev Act | https://www.law.cornell.edu/uscode/text/18/1801 | 2004 | Video Voyeurism Prevention Act | Federal | Criminal | Information Privacy | InfoSec / Breaches | Anti-Crime Policing | 🖼️ Images | Citizens | Illegal Acts | Y | https://www.law.cornell.edu/uscode/text/18/1801 | law.cornell.edu | https://www.congress.gov/bill/108th-congress/senate-bill/01301 | congress.gov | https://itlaw.wikia.org/wiki/Video_Voyeurism_Prevention_Act_of_2004 | itlaw.wikia.org | https://www.jeffweiner.com/blog/2018/april/video-voyeurism/ | jeffweiner.com | Digital peeping is a crime | The explosion of microcamera technology has fed the growing phenomenon of video voyeurism. Hidden cameras have been discovered in bedrooms, bathrooms, public showers, changing rooms, locker rooms, and tanning salons, all aimed at filming unsuspecting victims in various states of undress. Often, the invasion of privacy is exacerbated when captured images are posted on the Internet for all the world to see - Sen. Leahy | Video Voyeurism Prevention Act of 2004 | ||||||||||||||||||
JFPA | https://www.congress.gov/bill/109th-congress/senate-bill/714/text?overview=closed | 2005 | Junk Fax Prevention Act | Federal | Topical | Information Privacy | Telecom / Marketing | Privacy Rights | 👤 Contact Info | Businesses | Marketers | https://www.congress.gov/bill/109th-congress/senate-bill/714 | congress.gov | https://www.fcc.gov/general/fax-advertising-policy | fcc.gov | https://en.wikipedia.org/wiki/Junk_Fax_Prevention_Act_of_2005 | wikipedia.org | https://thedma.org/resources/compliance-resources/tcpa/tcpa-and-junk-fax-prevention-act-requirements/ | thedma.org | https://www.congress.gov/congressional-report/109th-congress/senate-report/76/1 | congress.gov | EBR exceptions, ban on fax marketing | Goal of the legislation was twofold: Close loopholes on fax scammers and codify EBR exception rule that many businesses desired. Critics were unhappy about EBR as faxes cost the receiver money, essentially forcing them to pay for their own sales pitches. | Junk Fax Prevention Act of 2005 | |||||||||||||||||
BIPA [IL] | https://www.ilga.gov/legislation/ilcs/ilcs3.asp?ActID=3004&ChapterID=57 | 2008 | Illinois' Biometric Information Privacy Act | 740 ILCS 14 | State | Topical | Bodily Privacy | Consumer Privacy | Privacy Rights | ⚕️ PBI - Protected Biometric Info | Consumers | Businesses | StAG* | Y | Y | https://en.wikipedia.org/wiki/Biometric_Information_Privacy_Act | wikipedia.org | http://www.ilga.gov/legislation/ilcs/ilcs3.asp?ActID=3004&ChapterID=57 | ilga.gov | https://www.skadden.com/insights/publications/2019/01/illinois-supreme-court | skadden.com | https://www.natlawreview.com/article/illinois-biometric-information-privacy-act-bipa-when-will-companies-heed-warning | natlawreview.com | https://www.jacksonlewis.com/sites/default/files/docs/IllinoisBIPAFAQs.pdf | jacksonlewis.com | Regulates business biometric data use | Biometrics are unlike other unique identifiers that are used to access finances or other sensitive information. For example, social security numbers, when compromised, can be changed. Biometrics, however, are biologically unique to the individual; therefore, once compromised, the individual has no recourse, is at heightened risk for identity theft, and is likely to withdraw from biometric-facilitated transactions. | Illinois' Biometric Information Privacy Act of 2008. See: 740 ILCS 14 | |||||||||||||
GINA | https://www.eeoc.gov/statutes/genetic-information-nondiscrimination-act-2008 | 2008 | Genetic Information Nondiscrimination Act | Federal | Topical | Bodily Privacy | Employment Privacy | Anti-Discrim Rights | ⚕️ PGI - Protected Genetic Info | Consumers | Healthcare | EEOC, Others | http://www.ginahelp.org/GINAhelp.pdf | ginahelp.org | https://en.wikipedia.org/wiki/Genetic_Information_Nondiscrimination_Act | wikipedia.org | https://www.eeoc.gov/eeoc/publications/fs-gina.cfm | eeoc.gov | https://www.ncbi.nlm.nih.gov/pmc/articles/PMC3627538/ | ncbi.nlm.nih.gov | https://academic.oup.com/jlb/article/5/3/495/5498593 | oup.com | No discrim based on genetic info | Two sets of concerns were the impetus for genetic nondiscrimination legislation at the state and federal levels: 1) worries about the potential for actual genetic discrimination and 2) apprehension about the public health and research implications of public fears of genetic discrimination. | Genetic Information Nondiscrimination Act of 2008 | ||||||||||||||||
HITECH | https://www.hipaasurvivalguide.com/hitech-act-text.php | 2009 | Health Information Technology for Economic and Clinical Health Act | part of American Recovery and Reinvestment Act | Federal | Sectoral | Information Privacy | Medical Privacy | Privacy Rights | ⚕️ PHI - Protected Health Info | Consumers | Healthcare | HHS-OCR | ePHI | https://www.hhs.gov/hipaa/for-professionals/special-topics/hitech-act-enforcement-interim-final-rule/index.html | hhs.gov | https://www.hipaajournal.com/what-is-the-hitech-act/ | hipaajournal.com | https://compliancy-group.com/what-is-the-hitech-act/ | compliancy-group | https://www.asha.org/Practice/reimbursement/hipaa/HITECH-Act/ | asha.org | Data Breach reporting for HIPAA | Lack of hospital adoption of electronic health records. While many healthcare providers wanted to transition to EHRs from paper records, the cost was expensive. HITECH Act introduced incentives to encourage change. Had the Act not been passed, many healthcare providers would still be using paper records. HITECH increased rate of adoption of EHRs. 3.2% in 2008. By 2017, 86% of office-based physicians had adopted an EHR. | Health Information Technology for Economic and Clinical Health Act of 2009, AKA part of American Recovery and Reinvestment Act | ||||||||||||||||
Red Flag Rule | https://www.ecfr.gov/cgi-bin/text-idx?SID=fddfe88d36b1e7881a1b76f4e8437d65&mc=true&node=pt16.1.681&rgn=div5#se16.1.681_11 | 2010 | Red Flag Program Clarification Act | Federal | Topical | Information Privacy | Financial Privacy | Anti-Crime Policing | 👤 PII - Personally Identifiable Info | Consumers | Financial Orgs | https://en.wikipedia.org/wiki/Red_Flags_Rule | wikipedia.org | https://www.huntonprivacyblog.com/2010/12/20/president-obama-signs-red-flag-program-clarification-act/ | huntonprivacyblog | https://www.federalregister.gov/documents/2014/02/20/2014-03264/identity-theft-red-flags-regulation-v | federalregister.gov | https://www.ftc.gov/tips-advice/business-center/guidance/fighting-identity-theft-red-flags-rule-how-guide-business | ftc.gov | ID Theft Prevent programs required 4 some orgs | Rapid rise in identity theft. 13.9M victims in 2009 | Red Flag Program Clarification Act of 2010 | |||||||||||||||||||
Consumer Finan Prot Act | https://www.govtrack.us/congress/bills/111/hr4173/text | 2010 | Consumer Financial Protection Act | Dodd-Frank: Title X, CFPA, CFPB | Federal | Sectoral | Information Privacy | Financial Privacy | Privacy Rights | $ Financial Marketing | Consumers | Financial Orgs | CFPB | StAG | Y | https://www.law.cornell.edu/wex/dodd-frank_title_x_-_bureau_of_consumer_financial_protection | law.cornell.edu | https://www.investopedia.com/terms/c/consumer-financial-protection-act.asp | investopedia.com | https://www.consumerfinance.gov/about-us/the-bureau/creatingthebureau/ | consumerfinance.gov | https://en.wikipedia.org/wiki/Dodd%E2%80%93Frank_Wall_Street_Reform_and_Consumer_Protection_Act | wikipedia.org | Create CFPB: regulate financial scams | Subprime Mortgages: Unfair, deceptive, or abusive acts and practices by under-regulated financial product marketers, highlighted by the subprime mortgage industry. | Consumer Financial Protection Act of 2010, AKA Dodd-Frank: Title X, CFPA, CFPB | |||||||||||||||
CIPSEA | https://www.bls.gov/bls/cipsea.pdf | 2012 | Confidential Information Protection and Statistical Efficiency Act | Pub.L. 107–347, 116 Stat. 2899, 44 U.S.C. § 101 | Federal | Topical | Information Privacy | Government Records | Privacy Rights | 🇺🇸 Gov Data | Citizens | Government | OMB | https://en.wikipedia.org/wiki/Confidential_Information_Protection_and_Statistical_Efficiency_Act | wikipedia.org | https://www.bls.gov/bls/cipsea.pdf | bls.gov | https://www.congress.gov/bill/107th-congress/house-bill/5215 | congress.gov | Protects PII collected for Gov Stats | Ensuring that information provided under a pledge of confidentiality for statistical purposes receives protection is essential in continuing public cooperation in statistical programs. Concern about abuse of PII collected for specific purposes being rerouted to other agencies in violation of Privacy Act. | Confidential Information Protection and Statistical Efficiency Act of 2012. See: Pub.L. 107–347, 116 Stat. 2899, 44 U.S.C. § 101 | |||||||||||||||||||
CMIA [CA] | https://leginfo.legislature.ca.gov/faces/codes_displaySection.xhtml?sectionNum=56.10.&lawCode=CIV | 2013 | Confidentiality of Medical Information Act | Civil Code (CIV) 56.10 | State | Sectoral | Information Privacy | Medical Privacy | Privacy Rights | ⚕️ PHI - Protected Health Info | Consumers | Healthcare | StAG* | Y | Y | https://leginfo.legislature.ca.gov/faces/codes_displaySection.xhtml?sectionNum=56.10.&lawCode=CIV | ca.gov | https://consumercal.org/about-cfc/cfc-education-foundation/cfceducation-foundationyour-medical-privacy-rights/confidentiality-of-medical-information-act/ | consumercal.org | https://www.eff.org/issues/law-and-medical-privacy | eff.org | https://irb.ucsd.edu/cmia.pdf | irb.ucsd.edu | http://www.law.uh.edu/healthlaw/perspectives/privacy/010830texas.html | law.uh.edu | HIPAA-like w/ Right of Action | to close some HIPAA loopholes and offer Private Right of Action | Confidentiality of Medical Information Act of 2013. See: Civil Code (CIV) 56.10 | |||||||||||||
ESSA | https://www.govtrack.us/congress/bills/114/s1177/text | 2015 | Every Student Succeeds Act | Pub. L. 114-95, Dec. 10, 2015, 129 Stat. 1802 | Federal | Privacy Benefit | Information Privacy | Education Privacy | Privacy Rights | 🎓 Education Records | Students / Parents | Educators | Dept Ed | https://en.wikipedia.org/wiki/Every_Student_Succeeds_Act | wikipedia.org | https://www2.ed.gov/policy/elsec/leg/essa/legislation/index.html | ed.gov | https://www.understood.org/en/school-learning/your-childs-rights/basics-about-childs-rights/every-student-succeeds-act-essa-what-you-need-to-know | understood.org | https://www.edweek.org/ew/issues/every-student-succeeds-act/index.html | edweek.org | https://isafedirect.com/blog/educational-data-federal-policy | isafedirect.com | Student Testing & Reporting | Teacher Unions joined with Small Gov conservatives: In the years after No Child Left Behind, the center of gravity in education policy shifted from the states to Washington. Under the Obama administration, a left-right alliance—between unions and small-gov conservatives became ascendant. Unions argued against standardized testing, evals; conservatives argued against fed control of education funds. | Every Student Succeeds Act of 2015. See: Pub. L. 114-95, Dec. 10, 2015, 129 Stat. 1802 | |||||||||||||||
CISA | https://www.congress.gov/bill/114th-congress/senate-bill/754/text | 2015 | Cybersecurity Information Sharing Act | Federal | Topical | Comm Privacy | InfoSec / Breaches | InfoSec | 👮 Incident Records | Businesses | All Controllers | Y | Y | https://en.wikipedia.org/wiki/Cybersecurity_Information_Sharing_Act | wikipedia.org | https://www.cisecurity.org/newsletter/cybersecurity-information-sharing-act-of-2015/ | cisecurity.org | https://www.nextgov.com/cybersecurity/2018/06/only-6-non-federal-groups-share-cyber-threat-info-homeland-security/149343/ | nextgov.com | https://federalnewsnetwork.com/reporters-notebook-jason-miller/2020/10/cisas-still-overcoming-challenges-5-years-after-cybersecurity-information-sharing-act-became-law/ | federalnewsnetwork | https://thehill.com/opinion/cybersecurity/461452-americas-cyber-blind-spot | thehill.com | Companies can share infosec w/ less liability | The growth of cybersecurity threats required greater collection and sharing of data. But a lot of legal liability might result from this: FOIA, Electronic Communications Privacy Act of 1986, Cable Communications Policy Act of 1984, Antitrust Laws, Tort Law. So Congress passed CISA to give companies, Gov a way to collect and share intel with the government while reducing liability. | Cybersecurity Information Sharing Act of 2015 | |||||||||||||||
USA Freedom Act | https://www.govtrack.us/congress/bills/114/hr2048/text | 2015 | USA Freedom Act | Federal | Sectoral | Comm Privacy | National Security | Surveillance Laws | 📞 Personal Comms | Security | Law Enforce | FBI | Y | https://en.wikipedia.org/wiki/USA_Freedom_Act | wikipedia.org | https://www.lawfareblog.com/nsa-and-usa-freedom-act | lawfareblog.com | https://www.lawfareblog.com/so-what-does-usa-freedom-act-do-anyway | lawfareblog.com | https://www.intelligence.gov/index.php/ic-on-the-record-database/results/787-fact-sheet-implementation-of-the-usa-freedom-act-of-2015 | intelligence.gov | https://www.eff.org/deeplinks/2015/05/usa-freedom-act-passes-what-we-celebrate-what-we-mourn-and-where-we-go-here | eff.org | Slightly less mass surveillance | NSA whistleblower Edward Snowden’s revelations and backlash to PATRIOT Act abuses exposed by the NYT. | USA Freedom Act of 2015 | |||||||||||||||
Cures Act | https://www.congress.gov/bill/114th-congress/house-bill/34/text | 2016 | 21st Century Cures Act | Pub. L. 114-255, Dec. 13, 2016, 130 Stat. 1033 | Act to Accelerate the Discovery, Development, and Delivery of 21st Century Cures, and for Other Purposes | Federal | Privacy Benefit | Information Privacy | Medical Privacy | Privacy Rights | ⚕️ PHI - Protected Health Info | Research subjects | Researchers | OIG/ONC (HHS) | Y | Y | https://www.fda.gov/regulatory-information/selected-amendments-fdc-act/21st-century-cures-act | fda.gov | https://iapp.org/news/a/privacy-and-security-impacts-of-the-21st-century-cures-legislation/ | iapp.org | https://www.congress.gov/114/bills/hr34/BILLS-114hr34enr.pdf | congress.gov | https://en.wikipedia.org/wiki/21st_Century_Cures_Act | wikipedia.org | https://www.ncbi.nlm.nih.gov/pmc/articles/PMC5424829/ | ncbi.nlm.nih.gov | Sharing of data for medical research | Bipartisan desire for progress on disease research https://www.curetoday.com/cure-tv/rep-frank-pallone-jr-on-the-impetus-for-the-21st-century-cures-act | 21st Century Cures Act of 2016, AKA Act to Accelerate the Discovery, Development, and Delivery of 21st Century Cures, and for Other Purposes. See: Pub. L. 114-255, Dec. 13, 2016, 130 Stat. 1033 | ||||||||||||
DOPPA [DE] | https://delcode.delaware.gov/title6/c012c/index.shtml | 2016 | Delaware Online Privacy and Protection Act | State | Topical | Information Privacy | Consumer Privacy | Privacy Rights | 👤 PII - Personally Identifiable Info | Consumers | Businesses | StDOJ^ | https://privacylaw.proskauer.com/2015/11/articles/online-privacy/delaware-enacts-comprehensive-online-privacy-protection-law/#:~:text=On%20January%201%2C%202016%2C%20the,privacy%20protection%20for%20its%20residents.&text=The%20law%20grants%20the%20state's,prosecute%20violations%20of%20the%20law. | proskauer.com | https://www.winston.com/en/privacy-law-corner/delaware-s-online-privacy-and-protection-act-now-in-effect.html | winston.com | https://delcode.delaware.gov/title6/c012c/index.shtml | delaware.gov | https://www.termsfeed.com/blog/doppa/ | termsfeed.com | Privacy policies, ads to kids, ebooks | Substantially similar to three existing California laws that regulate the same practices. | Delaware Online Privacy and Protection Act of 2016 | ||||||||||||||||||
AB 2828 [CA] | https://leginfo.legislature.ca.gov/faces/billTextClient.xhtml?bill_id=201520160AB2828 | 2016 | AB-2828 Personal information: privacy: breach | State | Topical | Information Privacy | InfoSec / Breaches | Transparency | 👤 PII - Personally Identifiable Info | Consumers | Businesses | https://privacylaw.proskauer.com/2016/11/articles/california/california-amends-data-breach-notification-law-to-require-notification-of-breach-of-encrypted-personal-information-when-encryption-key-has-been-leaked/ | proskauer.com | https://leginfo.legislature.ca.gov/faces/billNavClient.xhtml?bill_id=201520160AB2828 | ca.gov | Breach must be reported if encrypt key leaked | To better protect consumers from companies hiding behind the encryption safe harbor written into most data breach reporting laws. Encryption can protect stolen data, but not if the keys to breaking it are also compromised. | AB-2828 Personal information: privacy: breach of 2016 | |||||||||||||||||||||||
SB 2005 [TN] | https://www.capitol.tn.gov/Bills/109/Bill/SB2005.pdf | 2016 | Tennessee SB 2005 | HB 1631 | State | Topical | Information Privacy | InfoSec / Breaches | Transparency | 👤 PII - Personally Identifiable Info | Consumers | Businesses | StAG | Y | https://iapp.org/news/a/tennessee-law-first-to-require-notification-regardless-of-information-encryption-status/ | iapp.org | https://www.dwt.com/blogs/privacy--security-law-blog/2016/04/tennessee-gives-businesses-45-days-for-data-breach | dwt.com | https://healthitsecurity.com/news/tn-updates-data-breach-notification-law-for-encrypted-data | healthitsecurity.com | https://wapp.capitol.tn.gov/apps/BillInfo/Default.aspx?BillNumber=SB0547&GA=110 | tn.gov | https://law.justia.com/codes/tennessee/2010/title-47/chapter-18/part-21/47-18-2107 | law.justia.com | No encrypt safe harbor (later fixed) | Modified Tennessee Data Breach Law | Tennessee SB 2005 of 2016, AKA HB 1631 | ||||||||||||||
Privacy Shield (EU-US) | https://www.privacyshield.gov/servlet/servlet.FileDownload?file=015t00000004qAg | 2016 | EU-U.S. Privacy Shield Framework | International | Topical | Information Privacy | National Security | Self Reg | 👤 PII - Personally Identifiable Info | Businesses | Businesses | FTC | https://www.privacyshield.gov/welcome | privacyshield.gov | https://www.impact-advisors.com/security/eu-us-privacy-shield-framework/ | impact-advisors.com | https://www.privacyshield.gov/eu-us-framework | privacyshield.gov | Stop-gap prog to address lack of US Adequacy | The CJEU invalidation of Safe Harbor in the Schrems I decision. The 2013 revelations regarding the reach and indiscriminate nature of some U.S. surveillance programs were also key impetus behind the dismantling of Safe Harbor and the creation of Privacy Shield. | EU-U.S. Privacy Shield Framework of 2016 | ||||||||||||||||||||
Biometric Privacy Law [WA] | https://app.leg.wa.gov/RCW/default.aspx?cite=19.375 | 2017 | Washington Biometric Privacy Law | Chapter 19.375 RCW | HB 1493 | State | Topical | Bodily Privacy | Consumer Privacy | Privacy Rights | ⚕️ PBI - Protected Biometric Info | Consumers | Businesses | StAG* | Y | https://www.huntonprivacyblog.com/2017/06/01/washington-becomes-third-state-enact-biometric-privacy-law/ | huntonprivacyblog | https://www3.swipeclock.com/blog/learn-washingtons-new-biometric-privacy-law-affects-businesses/ | swipeclock.com | https://www.cov.com/-/media/files/corporate/publications/2017/07/wash_expands_biometric_privacy_quilt_with_more_limited_law.pdf | cov.com | https://www.dlapiper.com/en/us/insights/publications/2017/06/washington-third-state-with-biometric-privacy-law/ | dlapiper.com | https://app.leg.wa.gov/RCW/default.aspx?cite=19.375 | wa.gov | Limits commercial (not emplyr) use of biometrics | Seen as a more business-friendly alternative to an Illinois law. | Washington Biometric Privacy Law of 2017, AKA HB 1493. See: Chapter 19.375 RCW | |||||||||||||
Cybersecurity Reg [NY] | https://govt.westlaw.com/nycrr/Browse/Home/NewYork/NewYorkCodesRulesandRegulations?guid=I5be30d2007f811e79d43a037eefd0011&originationContext=documenttoc&transitionType=Default&contextData=(sc.Default) | 2017 | New York’s NYDFS Cybersecurity Regulation | 23 NYCRR 500 | 23 NYCRR 500 | State | Sectoral | Information Privacy | InfoSec / Breaches | InfoSec | 👤 NPI - Non-Public Info | Consumers | Financial Orgs | NYSDFS | Y | https://blog.ariacybersecurity.com/blog/what-is-23-nycrr-500-blog | ariacybersecurity.com | https://www.dfs.ny.gov/docs/legal/regulations/adoptions/dfsrf500txt.pdf | dfs.ny.gov | Forced infosec for financial orgs | Roughly 36% of banks still didn’t have a CISO (chief information security officer.) Plus, high-profile data breaches at JPMorgan Chase (83+M accounts), HSBC denial of service attack that shuttered its personal banking website. Disproportionate impact on New York City as a center of global commerce and finance. As a result, the New York Department of DFS took action. | New York’s NYDFS Cybersecurity Regulation of 2017, AKA 23 NYCRR 500. See: 23 NYCRR 500 | |||||||||||||||||||
PIPPA [NJ] | https://legiscan.com/NJ/text/S1913/id/1419389 | 2017 | New Jersey Personal Information and Privacy Protection Act | State | Topical | Information Privacy | Consumer Privacy | Privacy Rights | 👤 PII - Personally Identifiable Info | Consumers | Businesses | StAG* | Y | https://www.wilmerhale.com/en/insights/blogs/wilmerhale-privacy-and-cybersecurity-law/new-jerseys-personal-information-and-privacy-protection-act-signed-into-law | wilmerhale.com | https://www.faegredrinkerondata.com/2017/new-jersey-enacts-personal-information-and-privacy-protection-act/ | faegredrinkerondata | https://njbia.org/personal-information-privacy-act/ | njbia.org | https://www.njleg.state.nj.us/2016/Bills/AL17/124_.HTM | njleg.state.nj.us | Limits Driver ID scanning by retailers | In the perceived absence of significant new federal regulation on privacy issues, states have taken a greater interest in consumer privacy. In March 2017, the U.S. Congress voted to remove broadband privacy rules which would have gone into effect later that year. The president confirmed the repeal, which ended efforts to pass federal privacy protection law. After that, states became interested in passing their own legislation to protect the online privacy of their citizens. | New Jersey Personal Information and Privacy Protection Act of 2017 | |||||||||||||||||
HB 1260 [IL] | https://www.ilga.gov/legislation/publicacts/99/PDF/099-0503.pdf | 2017 | Illinois HB 1260 | State | Topical | Information Privacy | InfoSec / Breaches | Transparency | 👤 PII - Personally Identifiable Info | Consumers | Businesses | StAG | Y | https://www.radarfirst.com/blog/illinois-personal-information-protection-act/ | radarfirst.com | https://www.ilga.gov/legislation/fulltext.asp?DocName=09900HB1260enr&GA=99&SessionId=88&DocTypeId=HB&LegID=85740&DocNum=1260&GAID=13&Session= | ilga.gov | https://www.ilga.gov/legislation/ilcs/ilcs3.asp?ActID=2702&ChapterID=67 | ilga.gov | https://csrcyberprivacy.com/privacy-regulations/illinois/ | csrcyberprivacy | https://www.perkinscoie.com/en/news-insights/security-breach-notification-chart-illinois.html | perkinscoie.com | Expanded PII: med, health, biometric, more | Modified Illinois Personal Information Protection Act | Illinois HB 1260 of 2017 | |||||||||||||||
HB 15 [NM] | https://www.huntonprivacyblog.com/wp-content/uploads/sites/28/2017/04/HB0015.pdf | 2017 | New Mexico Data Breach Notification Act | State | Topical | Information Privacy | InfoSec / Breaches | Transparency | 👤 PII - Personally Identifiable Info | Consumers | Businesses | StAG | Y | Y | https://www.huntonprivacyblog.com/2017/04/17/new-mexico-enacts-data-breach-notification-law/ | huntonprivacyblog | https://www.huntonprivacyblog.com/wp-content/uploads/sites/28/2017/04/HB0015.pdf | huntonprivacyblog | 48th state data breach notification law | Pressure to protect consumers, one of the last states to enact. | New Mexico Data Breach Notification Act of 2017 | ||||||||||||||||||||
SB 538 [NV] | https://www.leg.state.nv.us/Session/79th2017/Bills/SB/SB538_EN.pdf | 2017 | Nevada SB 538 | State | Topical | Information Privacy | Consumer Privacy | Privacy Rights | 👤 PII - Personally Identifiable Info | Consumers | Online publishers | StAG | https://www.ballardspahr.com/alertspublications/legalalerts/2017-08-01-nevada-becomes-the-third-state-to-enact-website-privacy-notification-law | ballardspahr.com | https://blog.zwillgen.com/2017/08/16/ready-nevadas-new-website-privacy-notice-law/ | zwillgen.com | https://www.leg.state.nv.us/Session/79th2017/Bills/SB/SB538.pdf | leg.state.nv.us | requires publication of privacy policy | similar to laws passed in California (2004) and Delaware (2016) | Nevada SB 538 of 2017 | ||||||||||||||||||||
GDPR | https://gdpr-info.eu/ | 2018 | General Data Protection Regulation | EEA | Comprehensive | Information Privacy | International Privacy | Privacy Rights | 👤 PD - Personal Data | Any Person | All Controllers | DPAs | Y | Y* | Y | Y | Y | https://eugdpr.org/ | eugdpr.org | https://en.wikipedia.org/wiki/General_Data_Protection_Regulation | wikipedia.org | https://www.csoonline.com/article/3202771/general-data-protection-regulation-gdpr-requirements-deadlines-and-facts.html | csoonline.com | https://iapp.org/resources/article/gdpr-genius/ | iapp.org | https://www.tableau.com/learn/articles/gdpr-resources | tableau.com | Europe protects personal data more effectively | Trust. GDPR seeks to ensure that customers can trust businesses to protect their sensitive data, maintain transparency about what they do with that data, and, in the event of a security breach, that the customers are informed of the breach in a timely manner. Numerous highly public data breaches of personal data at global corporations such as Facebook, Marriott, Equifax and Yahoo. Exponential growth of data in the digital age, globalization, more. | General Data Protection Regulation of 2018 | |||||||||||
CCPA [CA] | https://leginfo.legislature.ca.gov/faces/codes_displayText.xhtml?division=3.&part=4.&lawCode=CIV&title=1.81.5 | 2018 | California Consumer Privacy Act | SB-1121, GDPR-lite | State | Comprehensive | Information Privacy | Consumer Privacy | Privacy Rights | 👤 PII - Personally Identifiable Info | Consumers | Businesses | StAG | Breach Only | Y | Y | Y | https://oag.ca.gov/privacy/ccpa | oag.ca.gov | https://en.wikipedia.org/wiki/California_Consumer_Privacy_Act | wikipedia.org | https://www.csoonline.com/article/3292578/california-consumer-privacy-act-what-you-need-to-know-to-be-compliant.html | csoonline.com | https://www.perkinscoie.com/en/practices/security-privacy-law/california-consumer-privacy-act-of-2018.html | perkinscoie.com | https://www.caprivacy.org/ | caprivacy.org | 1st comprehensive US state privacy law | GDPR + data privacy scandals. Spearheaded by rich private citizen Alastair Mactaggart. | California Consumer Privacy Act of 2018, AKA SB-1121, GDPR-lite | |||||||||||
CLOUD Act | https://www.justice.gov/dag/page/file/1152896/download | 2018 | Clarifying Lawful Overseas Use of Data Act | Pub.L. 115–141 | H.R.4943 | Federal | Sectoral | Comm Privacy | Law Enforce | Surveillance Laws | 📞 Personal Comms | Security | Comms | DOJ | via ECPA | https://en.wikipedia.org/wiki/CLOUD_Act | wikipedia.org | https://epic.org/privacy/cloud-act/ | epic.org | https://www.orrick.com/Insights/2018/04/The-CLOUD-Act-Explained | orrick.com | https://www.congress.gov/bill/115th-congress/house-bill/4943 | congress.gov | https://www.justice.gov/opa/press-release/file/1153446/download | justice.gov | US LEOs can grab data anywhere | Microsoft v US was pending before Supreme Court and Congress was worried law enforcement was going to be thwarted in its ability to chase down villains whose data was stored overseas. | Clarifying Lawful Overseas Use of Data Act of 2018, AKA H.R.4943. See: Pub.L. 115–141 | |||||||||||||
PCI DSS 3.2.1 | https://drive.google.com/file/d/1HDx4BMf0oYE8m94834bPVE7dtI_S0jwv/view?usp=sharing | 2018 | Payment Card Industry Data Security Standard (PCI-DSS) 3.2.1 | International | Topical | Information Privacy | Financial Privacy | Self Reg | $ Credit Cards | Consumers | Online businesses | PCI SSC | Y | https://en.wikipedia.org/wiki/Payment_Card_Industry_Data_Security_Standard | wikipedia.org | https://www.pcicomplianceguide.org/faq/ | pcicomplianceguide.org | https://www.imperva.com/learn/data-security/pci-dss-certification/ | imperva.com | https://www.pcisecuritystandards.org/pdfs/pci_fs_data_storage.pdf | pcisecuritystandards | https://www.securitymetrics.com/blog/pci-vs-gdpr-whats-difference#:~:text=The%20PCI%20Data%20Security%20Standard,protecting%20the%20privacy%20of%20individuals. | securitymetrics.com | Infosec cert for orgs using branded CCs | Self-regulation to prevent federal oversight. In this case, industry really wanted | Payment Card Industry Data Security Standard (PCI-DSS) 3.2.1 of 2018 | |||||||||||||||
CPRA [CA] | https://transcend.io/laws/cpra/#section-1 | 2020 | California Privacy Rights and Enforcement Act | Prop 24 | State | Comprehensive | Information Privacy | Consumer Privacy | Privacy Rights | 👤 PII - Personally Identifiable Info | Consumers | Businesses | CPPA [CA] | Breach Only | Y | Y | Y | https://www.jdsupra.com/legalnews/california-privacy-rights-and-65727/ | jdsupra.com | https://www.manatt.com/insights/newsletters/client-alert/the-california-privacy-rights-act-has-passed | manatt.com | https://fpf.org/2020/11/04/californias-prop-24-the-california-privacy-rights-act-passed-whats-next/ | fpf.org | https://www.onetrust.com/blog/ccpa-vs-cpra-what-has-changed/ | onetrust.com | https://www.truevault.com/blog/whats-new-in-the-cpra-more-than-you-think | truevault.com | Rework of CCPA, passed by ballot measure | Californians for Consumer Privacy (the same group responsible for the ballot initiative that led to the CCPA) pushed for the adoption of CPRA, a second round of more substantial privacy rights protections. It triples fines against companies that violate kids' data, establishes an enforcement arm for consumers, and makes it harder to weaken privacy laws in the future. | California Privacy Rights and Enforcement Act of 2020, AKA Prop 24 | |||||||||||
DAI Self-Reg Principles | https://digitaladvertisingalliance.org/principles | 2020 | Digital Advertising Alliance Self-Regulatory Principles | Mobile Guidance, the Online Behavioral Advertising Principles, the CrossDevice Guidance, and the Multi-Site Data Principles | DAI | International | Topical | Information Privacy | Telecom / Marketing | Self Reg | 👤 PII - Personally Identifiable Info | Businesses | Marketers | DAI | Y | https://digitaladvertisingalliance.org/principles | digitaladvertisingalliance | Responsible privacy practices 4 digital ad orgs | An industry effort to instill consumer trust and negate the need for government regulation. | Digital Advertising Alliance Self-Regulatory Principles of 2020, AKA DAI. See: Mobile Guidance, the Online Behavioral Advertising Principles, the CrossDevice Guidance, and the Multi-Site Data Principles | |||||||||||||||||||||
NAI Code of Conduct | https://www.networkadvertising.org/sites/default/files/nai_code2020.pdf | 2020 | Network Advertising Initiative Code of Conduct | NAI | International | Topical | Information Privacy | Telecom / Marketing | Self Reg | 👤 PII - Personally Identifiable Info | Businesses | Marketers | NAI | Y | https://www.networkadvertising.org/code-enforcement/code/ | networkadvertising.org | Self-reg notice & choice for digital ad orgs | An industry effort to instill consumer trust and negate the need for government regulation. | Network Advertising Initiative Code of Conduct of 2020, AKA NAI | ||||||||||||||||||||||
VCDPA [VA] | https://lis.virginia.gov/cgi-bin/legp604.exe?211+sum+SB1392 | 2021 | Virginia’s Consumer Data Protection Act | SB 1392 / H.B. 2307 | State | Comprehensive | Information Privacy | Consumer Privacy | Privacy Rights | 👤 PII - Personally Identifiable Info | Consumers | Businesses | StAG | Y | Y | Y | https://www.privacyquicktipsblog.com/2021/03/virginia-joins-california-in-adopting-a-comprehensive-data-privacy-law/#more-2246 | privacyquicktipsblog | https://www.jdsupra.com/legalnews/virginia-passes-new-consumer-data-1232151/ | jdsupra.com | 2nd comprehensive US state privacy law | This bill had a lot of support from both political parties as well as Big Tech (including Amazon, who is moving into Northern Virginia in a big way). | Virginia’s Consumer Data Protection Act of 2021, AKA SB 1392 / H.B. 2307 | ||||||||||||||||||
Illinois Right to Know | https://www.termsfeed.com/blog/illinois-right-know-act/ | Illinois Right to Know [PROPOSED] | State | Topical | Information Privacy | Consumer Privacy | Privacy Rights | 👤 PII - Personally Identifiable Info | Consumers | Businesses | https://www.jdsupra.com/legalnews/illinois-right-to-know-bill-passed-out-64580/ | jdsupra.com | https://www.termsfeed.com/blog/illinois-right-know-act/ | termsfeed.com | https://www.chicagotribune.com/business/ct-illinois-privacy-bill-passes-senate-0506-biz-20170505-story.html | chicagotribune.com | https://www.ilga.gov/legislation/BillStatus.asp?DocNum=2149&GAID=15&DocTypeID=SB&LegID=120357&SessionID=108&SpecSess=&Session=&GA=101 | ilga.gov | Proposed consumer privacy rights | Illinois Right to Know [PROPOSED] of PROPOSED |
New Categorization Schemes for Privacy Laws
Categorizing Privacy:
Scope: The initial categorization I’ve made is on Scope. This is a characterization of each law based on its breadth. It’s an expansion of the Comprehensive vs Sectoral identification often made about privacy laws. I’ve expanded this classification to include the following:
- Comprehensive: privacy laws that cover the widest range of organizations and activities
- Broad: privacy laws that cover many organizations and activities but can’t be considered comprehensive
- Sectoral: privacy laws that apply to a specific industry or business sector
- Topical: privacy laws that apply to a specific topic or technology
- Criminal Statute: extremely specific privacy laws with criminal penalties
- Privacy Benefit: explicitly created for another purpose, where privacy rights are a fringe benefit
Silo: I’ve created a Silo classification based on the 1996 Simon Davies ontology from “Big Brother: Britain’s Web Of Surveillance And The New Technological Order.” This is a common classification, but I’ve never seen it applied to legislation in a systematic way. Here are the four types, with the definitions I utilized:
- Information Privacy: Establishment of rules governing collection and handling of PII (private data) e.g. Financial, Medical, Educational, Gov, Internet, Consumer Privacy
- Bodily Privacy: Protection of the physical self from invasive processes (private parts) e.g. Genetic Testing, Drug Testing, Body Cavity, Birth Control, Abortion, Adoption
- Territorial Privacy: Limits on an intrusion in domestic, work, public space (private places) e.g. Video surveillance, Identity checks, Home searches, Vehicle searches, Laptop searches, GPS
- Comm Privacy: Security and privacy of communications (private messages) e.g. Postal privacy, Phone Conversations, Email, Wiretaps, Social media, Mass Surveillance
Type: Privacy laws are further bucketed into Types. There are 3 major types: Rights, Rules, & Policing, with sub-types of each:
- Privacy Rights: laws directly regulating data privacy rights
- Free Speech Rights: laws impacting 1A / Freedom of Speech
- Anti-Discrim Rights: laws limiting the business use of sensitive data
- Surveillance Law Policing: laws allowing or limiting spying
- Anti-Crime Policing: laws primarily designed to fight crime
- Transparency Rules: laws requiring orgs & governments to expose info
- InfoSec Rules: laws focused on data security & data protection
- Self-Regulation Rules: self-imposed rulesets for building consumer trust, warding off regulation
Sector: Each law is assigned a primary Sector. I’ve created an ontology consisting of 13 sectors. Legislation in the International Privacy category might have been broken out differently, but I chose to do it this way as my initial focus was on the CIPP/US corpus:
Protected Info: What information is protected by the law? I’ve summarized the legislation, creating 23 discrete buckets to describe the protected data:
Who’s Protected?: What audience is the law trying to protect? At times this can be messy. I have created 9 categories to describe who is being protected. In many cases it is some form of consumer or citizen (see the list on the left). But there are other laws that are harder to box. I’ve also created a bucket for “Security” for legislation that focuses on protecting the State or the public good rather than any individual or organization:
Who’s Regulated?: What organizations is the law trying to regulate? Sixteen categories are used here to describe the regulated organization, industry, or area. The All Controllers classification covers not just GDPR but laws that attempt to cover all entities, regardless of who they are (business, government, individual, other) or their Sector. Illegal Acts is a bucket that covers Criminal Scope laws like CFAA, ITADA, and the Video Voyeurism Prevention Act.
Other Features of this Data Set:
In addition to the categorization, this CIPP/US Legislation Grid packs many other features:
Flags:
Since this is a live dataset, you can search it and sort it on any of the columns.