Privacy Legislation Grid

◈ Last edit: June 5, 2021
◈ 84 Privacy Laws Covered
◈ New Ontology, Links, Research

Unique data. Hand-curated.

Applying Ontology to Privacy Legislation

When privacy professionals talk about privacy laws, we say here’s a law, it has some features. What we have not done often, or with much robustness, is categorize our privacy laws: put them into discrete buckets that allow us to think about them comparatively.

I’ve used existing and newly created ontologies to categorize laws relevant to US-centric privacy practices and the CIPP/US certification offered by IAPP. This is not meant as a study guide, though I originally started building it for my own study. I see it now as a reference guide that can be used to gain insight into the privacy landscape.

We knew privacy law was a complex patchwork. I’ve highlighted that complexity by categorizing laws in new ways:

  • Scope :: Comprehensive, Sectoral, Topical, more
  • Silo :: Info, Bodily, Territorial, Communication
  • Type :: Rights, Rules, Policing (+ sub-levels)
  • Sector :: Consumer, Financial, Medical, Employ, 9 more
  • Protected Info :: 23 categories
  • Protected Entity :: 9 cats – Consumer to Business
  • Regulated Entity :: 16 cats – All Controllers to Specific

Visit the Privacy Legislation Grid Infographic, an easy-to-reference PDF of the primary data from this research:
http://bit.ly/PrivGridIG

Submit suggestions for laws to be added, new features, or suggested fixes. If accepted, we will give you attribution:
https://forms.gle/Xu6bReG1w6YnC8FXA
Privacy Grid

A Searchable Grid of Privacy Legislation

Privacy Legislation | Yr | Juris | Scope | Silo | Sector | Type of Law | Targeted Info | Protects Who? | Regulates Who? | Fed Enforce | St Enforce | Private Right? | Criminal Pen? | Preempt? | DSAR? | Data Security? | Loc Data? | URL1 | URL2 | URL3 | URL4 | URL5 | Quick Sum | Full Legal
US Con: 4A | https://www.law.cornell.edu/constitution/fourth_amendment | 1791 | Fourth Amendment: Protection from Unreasonable Searches and Seizures | Federal | Criminal | Territorial Privacy | Law Enforce | Privacy Rights | 👮 Evidence | Citizens | Law Enforce | Courts | Y | Y | https://www.law.cornell.edu/constitution/fourth_amendment (law.cornell.edu) | https://en.wikipedia.org/wiki/Fourth_Amendment_to_the_United_States_Constitution (wikipedia.org) | https://law.justia.com/constitution/us/amendment-04/ (law.justia.com) | No Unreasonable Gov Searches | Several English Common Law Cases >> Semayne’s Case (1604): Old English common law - right of a homeowner to defend his/her premises against intrusion. Wilkes v. Wood (1763): General warrants are bad. Entick v. Carrington (1765): Leading case in English law and UK constitutional law establishing the civil liberties of individuals and limiting the scope of executive power. | Fourth Amendment: Protection from Unreasonable Searches and Seizures of 1791
FTC Act | https://uscode.house.gov/view.xhtml?req=granuleid%3AUSC-prelim-title15-chapter2-subchapter1&edition=prelim | 1914 | Federal Trade Commission Act | Federal | Broad | Information Privacy | Consumer Privacy | Privacy Rights | 👤 PII - Personally Identifiable Info | Consumers | Businesses | FTC | Y | Y | https://www.ftc.gov/enforcement/statutes/federal-trade-commission-act (ftc.gov) | https://en.wikipedia.org/wiki/Federal_Trade_Commission_Act_of_1914 (wikipedia.org) | https://epic.org/privacy/internet/ftc/Authority.html (epic.org) | https://www.brookings.edu/blog/techtank/2019/08/08/the-ftc-can-rise-to-the-privacy-challenge-but-not-without-help-from-congress/ (brookings.edu) | Unfair, deceptive trade practices | The inspiration and motivation for The FTC Act started in 1890, when the Sherman Anti-trust Act was passed. In 1913, President Wilson passed the Federal Trade Commissions Act along with the Clayton Antitrust Act. Congress passed this Act with the hopes of protecting consumers against methods of deception in advertisement, forcing the business to be upfront and truthful about items being sold. - Wikipedia | Federal Trade Commission Act of 1914
Federal Comm Act | https://transition.fcc.gov/Reports/1934new.pdf | 1934 | Federal Communications Act | Communications Act | Federal | Sectoral | Comm Privacy | Consumer Privacy | Privacy Rights | 👤 PII - Personally Identifiable Info | Consumers | Comms | FCC | Y | Y | Y | Y | https://en.wikipedia.org/wiki/Communications_Act_of_1934 (wikipedia.org) | https://www.mtsu.edu/first-amendment/article/1044/communications-act-of-1934 (mtsu.edu) | https://www.law.cornell.edu/constitution-conan/amendment-4/federal-communications-act (law.cornell.edu) | https://www.cybertelecom.org/notes/communications_act.htm (cybertelecom.org) | https://www.law.cornell.edu/uscode/text/47/551 (law.cornell.edu) | Combined fed regs: phone, telgrph, radio | Committee created by FDR reported that "the communications service, as far as congressional action is involved, should be regulated by a single body" e.g. FCC. FDR, along with lobbyists and state regulators, wanted comms tech, both wired and wireless, to be monitored in a similar way and influenced Congress to pass the Communications Act of 1934. Goal was telephone and broadcasting regulated with same juris similar to way ICC regulated the railways and interstate commerce. | Federal Communications Act of 1934, AKA Communications Act
NSLA | https://www.govinfo.gov/content/pkg/USCODE-2011-title42/html/USCODE-2011-title42-chap13.htm | 1946 | National School Lunch Act | Federal | Privacy Benefit | Information Privacy | Education Privacy | Privacy Rights | 🎓 Education Records | Students / Parents | Educators | FNS (USDA) | Y | Y | https://en.wikipedia.org/wiki/National_School_Lunch_Act (wikipedia.org) | https://www.fns.usda.gov/richard-b-russell-national-school-lunch-act (fns.usda.gov) | https://www.cde.ca.gov/ls/nu/sn/confidential.asp (cde.ca.gov) | School Lunch program eligibility | The number of malnourished young men reporting to a national draft call during World War II. The dual purpose of the NSLP was to safeguard the health and well-being of the nation’s children and to encourage the domestic consumption of foods produced in the United States. | National School Lunch Act of 1946
Census Confid Statute | https://www.law.cornell.edu/uscode/text/13/9 | 1954 | Census Confidentiality Statute | Title 13, U.S. Code | Census Act, Title 13 | Federal | Topical | Information Privacy | Consumer Privacy | Privacy Rights | 🇺🇸 Census Data | Citizens | Government | Y | https://definitions.uslegal.com/c/census-confidentiality-statute/ (definitions.uslegal.com) | https://www.brennancenter.org/sites/default/files/2019-08/Report_Federal_Laws_Census_Confidentiality.pdf (brennancenter.org) | https://cdt.org/insights/testimony-of-deirdre-mulligan-before-the-senate-committee-on-commerce-science-and-transportation-subcommittee-on-communications/#ccs (cdt.org) | https://www.census.gov/history/www/reference/privacy_confidentiality/title_13_us_code.html (census.gov) | https://www.census.gov/history/pdf/history-privacy-protection102019.pdf (census.gov) | Illegal to disclose /share census PII | None found in literature, but safe to assume this was to protect the sanctity of the information and make sure that citizens and businesses continued to provide robust data without fear of reprisal. | Census Confidentiality Statute of 1954, AKA Census Act, Title 13. See: Title 13, U.S. Code
CRA of 1964 | https://www.law.cornell.edu/uscode/text/42/chapter-21 | 1964 | Civil Rights Act | 42 U.S. Code Chapter 21, Pub.L. 88–352, 78 Stat. 241 | Federal | Broad | Information Privacy | National Security | Anti-Discrim Rights | 👤 SPI - Sensitive Personal Information | Citizens | All Controllers | AG, EEOC | Y | Y | Limited | https://en.wikipedia.org/wiki/Civil_Rights_Act_of_1964 (wikipedia.org) | https://www.lawfareblog.com/federal-privacy-legislation-should-protect-civil-rights (lawfareblog.com) | https://www.supremecourt.gov/opinions/19pdf/17-1618_hfci.pdf (supremecourt.gov) | https://www.govinfo.gov/content/pkg/STATUTE-78/pdf/STATUTE-78-Pg241.pdf (govinfo.gov) | Can't discrim on race, color, relig, sex, origin | CRA of 1964 was nation's premier civil rights legislation. Outlawed discrimination on basis of race, color, religion, sex, or national origin. Required equal access to public places, employment. Enforced desegregation of schools, right to vote. | Civil Rights Act of 1964. See: 42 U.S. Code Chapter 21, Pub.L. 88–352, 78 Stat. 241
FOIA | https://www.foia.gov/foia-statute.html | 1966 | Freedom of Information Act | 5 U.S.C. § 552 | Federal | Sectoral | Information Privacy | Government Records | Transparency | 🇺🇸 Gov Data | Citizens | Government | via PA | Y | docs | https://en.wikipedia.org/wiki/Freedom_of_Information_Act_(United_States) (wikipedia.org) | https://www.foia.gov/ (foia.gov) | https://foiamapper.com/ (foiamapper.com) | https://iapp.org/resources/article/foia-v-privacy-act-a-comparison-chart/ (iapp.org) | https://www.americanbar.org/content/dam/aba/multimedia/government_public/foia101_prog_recording.mp4 (americanbar.org) | Public can request most gov records | U.S. federal law that ensures citizen access to federal government agency records. FOIA only applies to federal executive branch documents. It does not apply to legislative or judicial records. Most states have some state level equivalent of FOIA. | Freedom of Information Act of 1966. See: 5 U.S.C. § 552
Wiretap Act | https://www.law.cornell.edu/uscode/text/18/part-I/chapter-119 | 1968 | Federal Wiretap Act | Modified by ECPA Title I | Federal | Sectoral | Comm Privacy | Law Enforce | Surveillance Laws | 📞 Personal Comms | Security | All Controllers | Y | Y | https://en.wikipedia.org/wiki/Electronic_Communications_Privacy_Act (wikipedia.org) | https://it.ojp.gov/PrivacyLiberty/authorities/statutes/1285 (it.ojp.gov) | https://www.lawyers.com/legal-info/personal-injury/types-of-personal-injury-claims/wiretap-act-privacy.html (lawyers.com) | https://www.law.cornell.edu/uscode/text/18/2511 (law.cornell.edu) | Wiretaps require super-warrants | Originally passed to prevent unauthorized gov access to private electronic comms, as the Wiretap Statute (Title III of the Omnibus Crime Control and Safe Streets Act of 1968). It became the Wiretap Act as we know it with the passage of the ECPA. Another impetus for Congressional action: the routine advertisement of scanning receivers promoting eavesdropping on cellular conversations. | Federal Wiretap Act of 1968, AKA Modified by ECPA Title I
OSHA | https://www.osha.gov/laws-regs/oshact/completeoshact | 1970 | Occupational Safety and Health Act | Federal | Privacy Benefit | Information Privacy | Employment Privacy | Privacy Rights | ⚕️ PHI - Protected Health Info | Employees | Employers | OSHA | Y | Y | https://www.osha.gov/ (osha.gov) | https://en.wikipedia.org/wiki/Occupational_Safety_and_Health_Administration (wikipedia.org) | https://www.osha.gov/Publications/all_about_OSHA.pdf (osha.gov) | Protect worker safety. Recordkeeping. | In 1969, 14K Americans killed in the Vietnam War. Another 14K were killed on the job. 50x that were maimed and disfigured. OSHA was passed to remedy that. | Occupational Safety and Health Act of 1970
FCRA | https://www.law.cornell.edu/uscode/text/15/chapter-41/subchapter-III | 1970 | Fair Credit Reporting Act | Federal | Sectoral | Information Privacy | Financial Privacy | Privacy Rights | $ Consumer Reports | Consumers | Financial Orgs | CFPB, FTC | StAG | Y | Y | Y | Y | Y | https://codes.findlaw.com/us/title-15-commerce-and-trade/15-usc-sect-1681.html (codes.findlaw.com) | https://www.investopedia.com/terms/f/fair-credit-reporting-act-fcra.asp (investopedia.com) | https://en.wikipedia.org/wiki/Fair_Credit_Reporting_Act (wikipedia.org) | https://www.lexingtonlaw.com/credit/what-is-the-fair-credit-reporting-act (lexingtonlaw.com) | https://epic.org/privacy/fcra/ (epic.org) | Regulation of Credit Reports, Bureaus | Inadequate safeguards existed to protect consumers from credit reporting agencies. In the 1960s, significant controversy surrounded CRAs. Reports were sometimes used to deny services/opportunities. Individuals had no right to see what was in their file. There was abuse in the industry, incl. reqs that investigators fill quotas of neg info on data subjects. Fabricated neg info. "Lifestyle" info on data subjects, incl. sexual orientation, marital status, drinking habits, cleanliness. Outdated info. | Fair Credit Reporting Act of 1970
Bank Secrecy Act | https://www.fdic.gov/regulations/safety/manual/section8-1.pdf | 1970 | Bank Secrecy Act | BSA, Currency and Foreign Transactions Reporting Act | Federal | Criminal | Information Privacy | Financial Privacy | Transparency | $ Financial Records | Security | Financial Orgs | OCC, FinCEN | Y | https://www.occ.treas.gov/topics/supervision-and-examination/bsa/index-bsa.html (occ.treas.gov) | https://www.investopedia.com/terms/b/bank_secrecy_act.asp (investopedia.com) | https://scholarship.law.wm.edu/cgi/viewcontent.cgi?article=2643&context=wmlr (law.wm.edu) | Anti-money laundering rules | Concerns about piles of cash coming into the country from the drug trade | Bank Secrecy Act of 1970, AKA BSA, Currency and Foreign Transactions Reporting Act
Privacy Act | https://www.law.cornell.edu/uscode/text/5/552a | 1974 | Privacy Act | Federal | Sectoral | Information Privacy | Government Records | Privacy Rights | 🇺🇸 Gov Data | Citizens | Government | Y | Y | Y | Y | https://en.wikipedia.org/wiki/Privacy_Act_of_1974 (wikipedia.org) | https://www.justice.gov/opcl/privacy-act-1974 (justice.gov) | https://epic.org/privacy/1974act/ (epic.org) | https://www.ftc.gov/about-ftc/foia (ftc.gov) | https://www.archives.gov/about/laws/privacy-act-1974.html (archives.gov) | Citizen rights and gov record handling | Triggered by the 1973 report published by the HEW which recommended the first FIPP (“Code of Fair Information Practices”) to be followed by all federal agencies | Privacy Act of 1974
FERPA | https://www.ecfr.gov/cgi-bin/text-idx?rgn=div5&node=34:1.1.1.1.33 | 1974 | Family Education Rights and Privacy Act | 20 USC. § 1232g | Buckley Amendment | Federal | Sectoral | Information Privacy | Education Privacy | Privacy Rights | 🎓 Education Records | Students / Parents | Educators | Dept Ed | Partial | Y | Y | https://www2.ed.gov/policy/gen/guid/fpco/ferpa/index.html (ed.gov) | https://en.wikipedia.org/wiki/Family_Educational_Rights_and_Privacy_Act (wikipedia.org) | https://epic.org/privacy/student/ferpa/ (epic.org) | https://www.law.cornell.edu/uscode/text/20/1232g (law.cornell.edu) | https://nces.ed.gov/pubs97/web/97859.asp (nces.ed.gov) | Student data DSAR, sharing limits | Abuses of student personal information. No real congressional debate here - Ford just signed it into law: https://www.stetson.edu/law/academics/highered/home/media/2002/Revisiting_the_Purpose_of_FERPA.pdf | Family Education Rights and Privacy Act of 1974, AKA Buckley Amendment. See: 20 USC. § 1232g
42 CFR Part 2 | https://www.law.cornell.edu/cfr/text/42/part-2 | 1975 | Confidentiality Of Substance Use Disorder Patient Records | 42 C.F.R. § 2 | Confidentiality of Alcohol and Drug Abuse Patient Records | Federal | Sectoral | Information Privacy | Medical Privacy | Privacy Rights | ⚕️ PHI - Protected Health Info | Consumers | Healthcare | DOJ, SAMHSA | Y | Partial | Y | https://www.law.cornell.edu/uscode/text/42/290dd-2 (law.cornell.edu) | https://www.ncsc.org/sitecore/content/microsites/future-trends-2012/home/privacy-and-technology/substance-abuse.aspx (ncsc.org) | http://www.healthinfolaw.org/federal-law/42-cfr-part-2 (healthinfolaw.org) | http://www.health-law.com/newsroom-advisories-HHS-Finalizes-Transitional-Changes-to-42-CFR-Part-2-Regulations.html (health-law.com) | Protects fed-funded substance abuse records | To address concerns about the potential use of Substance Use Disorder (SUD) info in non-treatment based settings (such as administrative or criminal hearings related to the patient.) Part 2 is intended to ensure that a patient receiving treatment for a SUD in a Part 2 Program does not face adverse consequences in relation to issues such as criminal proceedings and domestic proceedings such as those related to child custody, divorce or employment. | Confidentiality Of Substance Use Disorder Patient Records of 1975, AKA Confidentiality of Alcohol and Drug Abuse Patient Records. See: 42 C.F.R. § 2
IDEA | https://uscode.house.gov/view.xhtml?path=/prelim@title20/chapter33/subchapter1&edition=prelim | 1975 | Individuals with Disabilities Education Act | 20 USC Chapter 33 | Federal | Privacy Benefit | Information Privacy | Education Privacy | Privacy Rights | 🎓 Education Records | Students / Parents | Educators | OCR | Y | Unclear | Y | Y | https://en.wikipedia.org/wiki/Individuals_with_Disabilities_Education_Act (wikipedia.org) | https://sites.ed.gov/idea/ (sites.ed.gov) | https://sites.ed.gov/idea/about-idea/ (sites.ed.gov) | https://www.understood.org/en/school-learning/your-childs-rights/basics-about-childs-rights/individuals-with-disabilities-education-act-idea-what-you-need-to-know (understood.org) | https://www.ncld.org/wp-content/uploads/2014/11/IDEA-Parent-Guide1.pdf (ncld.org) | Educational rights of the disabled | PARC and Mills rulings in 1971 prompted Congressional inquiry. Found 2.5 million students receiving substandard education and 1.75 million weren't in school. https://educationonline.ku.edu/community/idea-timeline | Individuals with Disabilities Education Act of 1975. See: 20 USC Chapter 33
FISA | https://www.law.cornell.edu/uscode/text/50/chapter-36 | 1978 | Foreign Intelligence Surveillance Act | Federal | Sectoral | Comm Privacy | National Security | Surveillance Laws | 🇺🇸 FII - Foreign Intell | Security | Law Enforce | FISC | Y | Y | https://www.fisc.uscourts.gov/about-foreign-intelligence-surveillance-court (fisc.uscourts.gov) | https://en.wikipedia.org/wiki/Foreign_Intelligence_Surveillance_Act (wikipedia.org) | https://epic.org/privacy/surveillance/fisa/ (epic.org) | https://fas.org/irp/agency/doj/fisa/ (fas.org) | Spying can be OK. Secret courts. | Passed after abuses by Nixon found by Church Committee. Tradeoffs about warrantless domestic wiretapping. | Foreign Intelligence Surveillance Act of 1978
Prot of Pupil Rights Amend | https://www.ecfr.gov/cgi-bin/text-idx?SID=c372efef49f7659ea9397da901b0ab0a&mc=true&node=pt34.1.98&rgn=div5 | 1978 | Protection of Pupil Rights Amendment | 49 FR 35321, Sept. 6, 1984 | Hatch Amendment, PPRA | Federal | Sectoral | Information Privacy | Education Privacy | Transparency | 🎓 Education Records | Students / Parents | Educators | Dept Ed | surveys | https://studentprivacy.ed.gov/faq/what-protection-pupil-rights-amendment-ppra (studentprivacy.ed.gov) | https://en.wikipedia.org/wiki/Protection_of_Pupil_Rights_Amendment (wikipedia.org) | https://www.ascd.org/ASCD/pdf/journals/ed_lead/el_198512_greene.pdf (ascd.org) | https://www.law.cornell.edu/uscode/text/20/1232h (law.cornell.edu) | https://www.studentprivacymatters.org/ferpa_ppra_coppa/#PPRA (studentprivacymatters) | Parental rights over school surveys | FERPA applied only to info stored in ed records. Congress responded to concerns about the collection and disclosure of student information for commercial purposes by amending FERPA in 1978 with the Protection of Pupil Rights Amendment (PPRA). Also, conspiracy-minded parents and Senator Hatch were concerned about liberal educators. https://www.ascd.org/ASCD/pdf/journals/ed_lead/el_198512_greene.pdf | Protection of Pupil Rights Amendment of 1978, AKA Hatch Amendment, PPRA. See: 49 FR 35321, Sept. 6, 1984
Right to Finan Privacy Act | https://www.law.cornell.edu/uscode/text/12/chapter-35 | 1978 | Right to Financial Privacy Act | Federal | Sectoral | Information Privacy | Law Enforce | Privacy Rights | $ Financial Records | Consumers | Financial Orgs | Y | https://www.fdic.gov/regulations/compliance/manual/8/viii-3.1.pdf (fdic.gov) | https://epic.org/privacy/rfpa/ (epic.org) | https://medium.com/golden-data/federal-right-to-financial-privacy-act-3336b09aaf1b (medium.com) | Limits Bank record disclosures | US v Miller was the trigger: In 1976, the Supreme Court held that a bank customer has no constitutionally protected right of privacy in his or her bank records because these records are the "business records of the bank." In 1978, Congress passed the RFPA in direct response to this decision: "The Court did not acknowledge the sensitive nature of these records..." | Right to Financial Privacy Act of 1978
Privacy Protection Act | https://www.law.cornell.edu/uscode/text/42/2000aa | 1980 | Privacy Protection Act | PPA | Federal | Sectoral | Information Privacy | Media & Privacy | Privacy Rights | 📰 Journalism | Journalists | Government | Y | Unclear | https://en.wikipedia.org/wiki/Privacy_Protection_Act_of_1980 (wikipedia.org) | https://en.wikipedia.org/wiki/Privacy_Protection_Act_of_1980 (wikipedia.org) | https://epic.org/privacy/ppa/ (epic.org) | Gov can't raid journalist working on story | Passed in response to Zurcher v. Stanford Daily (1978 Supreme Court case) | Privacy Protection Act of 1980, AKA PPA
The Common Rule | https://ecfr.federalregister.gov/current/title-45/subtitle-A/subchapter-A/part-46 | 1981 | The Common Rule | Federal Policy for the Protection of Human Subjects | Federal | Topical | Information Privacy | Medical Privacy | Privacy Rights | ⚕️ PHI - Protected Health Info | Research subjects | Researchers | ALL | StAG | https://www.research.va.gov/programs/pride/resources/Common_Rule_Flyer.pdf (research.va.gov) | https://www.hhs.gov/ohrp/regulations-and-policy/regulations/common-rule/index.html (hhs.gov) | https://en.wikipedia.org/wiki/Common_Rule (wikipedia.org) | https://www.ecfr.gov/cgi-bin/text-idx?SID=300df04ebff09c7b23735d902a3f645a&mc=true&tpl=/ecfrbrowse/Title45/45cfr46_main_02.tpl (ecfr.gov) | https://researchcompliance.stanford.edu/panels/hs/common-rule (stanford.edu) | Need informed consent, review | A sad history of failed oversight of human research participants, exemplified by the Tuskegee syphilis study, military radiation experiments, provided impetus for federal protections. The 1979 Belmont Report formed the intellectual backdrop for federal research protection, introducing ethical principles of respect for persons, beneficence, and justice. - https://homepage.cs.uiowa.edu/~sriram/5980/spring18/jama_Hodge_2017_vp_170024.pdf | The Common Rule of 1981, AKA Federal Policy for the Protection of Human Subjects
Cable Comm Policy Act | https://www.congress.gov/bill/98th-congress/senate-bill/66 | 1984 | Cable Communications Policy Act | Cable Act of 1984, CCPA | Federal | Sectoral | Information Privacy | Consumer Privacy | Privacy Rights | 👤 PII - Personally Identifiable Info | Consumers | Comms | FCC | Y | Y | Y | https://www.congress.gov/bill/98th-congress/senate-bill/66 (congress.gov) | https://en.wikipedia.org/wiki/Cable_Communications_Policy_Act_of_1984 (wikipedia.org) | https://www.mtsu.edu/first-amendment/article/1057/cable-communications-policy-act-of-1984 (mtsu.edu) | https://www.law.cornell.edu/uscode/text/47/551 (law.cornell.edu) | https://www.cippguide.org/2013/05/24/cable-communications-privacy-act-of-1984/ (cippguide.org) | Deregulated cable TV | Barry Goldwater wanted deregulation. The new law attempted to strike a delicate balance between the FCC, local governments, and marketplace competition, where in the past, each of these entities had vied for dominance. The Cable Act was to be the solution to the ongoing problem of who, or what, should exercise the most power over local cable operations | Cable Communications Policy Act of 1984, AKA Cable Act of 1984, CCPA
ECPA | https://content.next.westlaw.com/3-508-5021?transitionType=Default&contextData=(sc.Default)&__lrTS=20200512005853663&firstPage=true | 1986 | Electronic Communications Privacy Act | Pub.L. 99–508 | Federal | Sectoral | Comm Privacy | Law Enforce | Surveillance Laws | 📞 Personal Comms | Security | All Controllers | Y | Y | https://codes.findlaw.com/us/title-18-crimes-and-criminal-procedure/18-usc-sect-2511.html (codes.findlaw.com) | https://epic.org/privacy/ecpa/ (epic.org) | https://en.wikipedia.org/wiki/Electronic_Communications_Privacy_Act (wikipedia.org) | https://cdt.org/insights/electronic-communications-privacy-act-primer/ (cdt.org) | Electronic Spying Bill. Some protections. | With the development of new forms of digital comms (esp email and digital call info) new regs were needed to deal with the data and the potential abuses. ECPA was enacted to create/promote "the privacy expectations of citizens and the legitimate needs of law enforcement." Congress also sought to support the creation of new technologies by assuring consumers that their personal info would remain safe. https://epic.org/privacy/ecpa/ | Electronic Communications Privacy Act of 1986. See: Pub.L. 99–508
Pen Register Act | https://www.law.cornell.edu/uscode/text/18/part-II/chapter-206 | 1986 | Pen Register Act | ECPA Title III | Federal | Sectoral | Comm Privacy | Law Enforce | Surveillance Laws | 📞 Personal Comms | Security | All Controllers | Y | https://www.law.cornell.edu/uscode/text/18/part-II/chapter-206 (law.cornell.edu) | https://en.wikipedia.org/wiki/Pen_register#Pen_Register_Act (wikipedia.org) | https://cyber.harvard.edu/privacy/Introduction%20to%20Government%20Investigations.htm (cyber.harvard.edu) | Easy LEO access to phone metadata | With the development of new forms of digital comms (esp email and digital call info) new regs were needed to deal with the data and the potential abuses. ECPA was enacted to create/promote "the privacy expectations of citizens and the legitimate needs of law enforcement." Congress also sought to support the creation of new technologies by assuring consumers that their personal info would remain safe. https://epic.org/privacy/ecpa/ | Pen Register Act of 1986, AKA ECPA Title III
Stored Comm Act | https://www.law.cornell.edu/uscode/text/18/part-I/chapter-121 | 1986 | Stored Communications Act | ECPA Title II | Federal | Sectoral | Comm Privacy | Law Enforce | Surveillance Laws | 📞 Personal Comms | Security | All Controllers | Y | Y | https://en.wikipedia.org/wiki/Stored_Communications_Act (wikipedia.org) | https://www.law.cornell.edu/uscode/text/18/part-I/chapter-121 (law.cornell.edu) | https://www.lexisnexis.com/lexis-practice-advisor/the-journal/b/lpa/posts/stored-communications-act-practical-considerations (lexisnexis.com) | https://it.ojp.gov/PrivacyLiberty/authorities/statutes/1285 (it.ojp.gov) | https://fas.org/sgp/crs/misc/R44036.pdf (fas.org) | Access to email, ISP history | With the development of new forms of digital comms (esp email and digital call info) new regs were needed to deal with the data and the potential abuses. ECPA was enacted to create/promote "the privacy expectations of citizens and the legitimate needs of law enforcement." Congress also sought to support the creation of new technologies by assuring consumers that their personal info would remain safe. https://epic.org/privacy/ecpa/ | Stored Communications Act of 1986, AKA ECPA Title II
CFAA | https://www.congress.gov/bill/99th-congress/house-bill/4718 | 1986 | Computer Fraud and Abuse Act | Federal | Criminal | Information Privacy | InfoSec / Breaches | Anti-Crime Policing | 🖥️ Info from a “protected computer” | Security | Illegal Acts | DOJ | Y | Y | https://codes.findlaw.com/us/title-18-crimes-and-criminal-procedure/18-usc-sect-1030.html (codes.findlaw.com) | https://en.wikipedia.org/wiki/Computer_Fraud_and_Abuse_Act (wikipedia.org) | https://www.goodwinlaw.com/-/media/files/publications/10_01-aa-key-issues-in-computer-fraud-and-abuse.pdf (goodwinlaw.com) | https://readingroom.law.gsu.edu/cgi/viewcontent.cgi?article=1021&context=lib_student (gsu.edu) | https://scholarship.law.uc.edu/cgi/viewcontent.cgi?article=1172&context=uclr (uc.edu) | Hacking is a crime. Unauthorized access. | Congress made clear that the impetus behind initial creation of § 1030 was to target hacking activities. The House Report accompanying the statute stressed both governments’ and businesses’ growing reliance on computers and the threat that increased networking would make society more vulnerable to hacking incidents. The “vast potential for significant criminal activity... because the criminal justice system was ill-equipped to deal with changing technology.” | Computer Fraud and Abuse Act of 1986
EPPA | https://finduslaw.com/employee-polygraph-protection-epp-29-us-code-chapter-22 | 1988 | Employee Polygraph Protection Act | 29 U.S. Code Chapter 22 | Federal | Topical | Bodily Privacy | Employment Privacy | Privacy Rights | ⚕️ PBI - Protected Biometric Info | Employees | Employers | Dept Labor | Y | https://www.dol.gov/agencies/whd/polygraph (dol.gov) | https://en.wikipedia.org/wiki/Employee_Polygraph_Protection_Act (wikipedia.org) | https://www.dol.gov/agencies/whd/fact-sheets/36-eppa (dol.gov) | https://www.polygraph.org/employee-polygraph-protection-act-eppa- (polygraph.org) | https://www.law.cornell.edu/uscode/text/29/chapter-22 (law.cornell.edu) | Limits Employer use of lie detectors | Vast majority of the polygraph examinations given in the US were administered by private sector employers, requiring tests both as pre-employment screening devices, post-employment ID devices for discipline. Use was adversely affecting thousands of innocent workers per year. EPPA was Congressional response to the unfairness of subjecting a worker to discipline or discharge based solely upon the results of the inherently unreliable polygraph test. | Employee Polygraph Protection Act of 1988. See: 29 U.S. Code Chapter 22
CMPPA 1988 | https://www.federalregister.gov/documents/2015/02/06/2015-02469/computer-matching-and-privacy-protection-act-of-1988-computer-matching-program-between-the-us | 1988 | Computer Matching and Privacy Protection Act | Federal | Topical | Information Privacy | Government Records | Privacy Rights | 🇺🇸 Gov Data | Citizens | Government | OMB | Y | https://www.federalregister.gov/documents/2016/02/17/2016-03164/computer-matching-and-privacy-protection-act-of-1988-report-of-matching-program-corporation-for (federalregister.gov) | https://itlaw.wikia.org/wiki/Computer_Matching_and_Privacy_Protection_Act_of_1988 (itlaw.wikia.org) | https://aspe.hhs.gov/report/minimizing-disclosure-risk-hhs-open-data-initiatives/2-computer-matching-and-privacy-protection-act-1988-0 (aspe.hhs.gov) | https://www.irs.gov/irm/part11/irm_11-003-039 (irs.gov) | Gov can't use PII to go fishing | Concern about abuse of PII collected for specific purposes being rerouted to other agencies in violation of Privacy Act. | Computer Matching and Privacy Protection Act of 1988
VPPA | https://www.law.cornell.edu/uscode/text/18/2710 | 1988 | Video Privacy Protection Act | 18 U.S. Code § 2710 | Federal | Sectoral | Information Privacy | Consumer Privacy | Privacy Rights | 👤 PII - Personally Identifiable Info | Consumers | Video businesses | Y | Y | https://www.law.cornell.edu/uscode/text/18/2710 (law.cornell.edu) | https://epic.org/privacy/vppa/ (epic.org) | https://www.law.cornell.edu/uscode/text/18/2710 (law.cornell.edu) | https://www.insideprivacy.com/tag/vppa/ (insideprivacy.com) | Video Rental PII Sharing limits | Judge Bork. The impetus for enacting the VPPA occurred when a weekly newspaper in Washington, DC, published a profile of Judge Robert H. Bork based on the titles of 146 films his family had rented from a video store. At the time, the Senate Judiciary Committee was conducting hearings on Judge Bork's nomination to the Supreme Court. | Video Privacy Protection Act of 1988. See: 18 U.S. Code § 2710
ADA | https://www.ada.gov/pubs/adastatute08.htm | 1990 | Americans with Disabilities Act | Federal | Privacy Benefit | Information Privacy | Employment Privacy | Anti-Discrim Rights | ⚕️ PHI - Protected Health Info | Citizens | Employers | EEOC, DOJ | Y | Y | https://www.eeoc.gov/publications/ada-your-employment-rights-individual-disability (eeoc.gov) | https://www.dol.gov/general/topic/disability/ada (dol.gov) | https://www.mintz.com/insights-center/viewpoints/2226/2020-03-31-updated-eeoc-issues-ada-and-title-vii-guidance-employers (mintz.com) | Rights of the disabled | The impetus for ADA grew out of the Civil Rights Movement of the 1960's. Federal legislation to protect civil rights initially focused on the prevention of racial discrimination | Americans with Disabilities Act of 1990
Clery Act | https://www.govinfo.gov/content/pkg/FR-2014-10-20/pdf/2014-24284.pdf#page=33 | 1990 | Jeanne Clery Disclosure of Campus Security Policy and Campus Crime Statistics Act | Pub.L. 101–54, 220 U.S.C. § 1092(f), 34 CFR 668.46 | Federal | Sectoral | Information Privacy | Education Privacy | Transparency | 👮 Incident Records | Students / Parents | Educators | Dept Ed | crime | https://en.wikipedia.org/wiki/Clery_Act (wikipedia.org) | https://fas.org/sgp/crs/misc/IF11277.pdf (fas.org) | https://www.knowyourix.org/college-resources/clery-act/ (knowyourix.org) | https://www.ewa.org/story-lab/ferpa-and-clery-act-explained (ewa.org) | https://www.justice.gov/archives/ovw/page/file/910306/download (justice.gov) | Campus crime reporting transparency | 19-year-old Lehigh University student whom Josoph Henry raped and murdered in her campus hall of residence in 1986. Ms. Clery triggered a backlash against unreported crime on campuses across the country | Jeanne Clery Disclosure of Campus Security Policy and Campus Crime Statistics Act of 1990. See: Pub.L. 101–54, 220 U.S.C. § 1092(f), 34 CFR 668.46
TCPA | https://www.law.cornell.edu/uscode/text/47/227 | 1991 | Telephone Consumer Protection Act | Federal | Topical | Information Privacy | Consumer Privacy | Privacy Rights | 👤 Contact Info | Consumers | Telemarketers | FCC | StAG | Y | Y | https://www.law.cornell.edu/uscode/text/47/227 (law.cornell.edu) | https://en.wikipedia.org/wiki/Telephone_Consumer_Protection_Act_of_1991 (wikipedia.org) | https://www.consumeradvocates.org/for-consumers/robocalls-telemarketing (consumeradvocates) | https://www.natlawreview.com/article/hard-sell-sixth-circuit-denies-vicarious-liability-tcpa-violations-against-third (natlawreview.com) | https://www.venable.com/-/media/files/events/2020/01/telemarketing-and-texting-slides-jan-2020.pdf (venable.com) | Do Not Call, Dialing, Robocall rules | Unsolicited ads by telemarketers, where the recipient was forced to incur the cost of printing a faxed advertisement or incurring an actual charge on a cellular telephone of a call from a telemarketer. | Telephone Consumer Protection Act of 1991
DPPAhttps://www.law.cornell.edu/uscode/text/18/27211994Driver’s Privacy Protection ActFederalSectoralInformation PrivacyConsumer PrivacyPrivacy Rights👤 PII - Personally Identifiable InfoCitizensGovernmentYYPartialhttps://www.law.cornell.edu/uscode/text/18/2721law.cornell.eduhttps://epic.org/privacy/drivers/epic.orghttps://en.wikipedia.org/wiki/Driver%27s_Privacy_Protection_Actwikipedia.orghttps://www.spj.org/news.asp?ref=169spj.orghttps://epic.org/amicus/dppa/maracich/epic.orgDriver's License Info Sharing limitsMurdered Actress. The law was a response to the murder of actress Rebecca Schaeffer. Her attacker had obtained her home address from the California Department of Motor Vehicles indirectly, through a private investigator. During debate on the bill, a number of stories recounted the ease with which a stalker could get home addresses based only on a license plate.Driver’s Privacy Protection Act of 1994
CALEAhttps://www.congress.gov/bill/103rd-congress/house-bill/49221994Communications Assistance for Law Enforcement ActDigital Telephony ActFederalSectoralComm PrivacyLaw EnforceSurveillance Laws📞 Personal CommsSecurityCommsDOJhttps://www.fcc.gov/public-safety-and-homeland-security/policy-and-licensing-division/general/communications-assistancefcc.govhttps://en.wikipedia.org/wiki/Communications_Assistance_for_Law_Enforcement_Actwikipedia.orghttps://blogs.harvard.edu/surveillance/2008/10/23/calea-status/harvard.eduTelecoms must spy for GovThe Wiretap Act imposed no specific responsibility on telecom carriers to assist law enforcement officials with wiretaps. This was the primary impetus behind CALEA. A second factor was the growing use of digital telephone switches, which did not inherently provide the same support for wiretapping as the older equipment did. In 2005, the FCC extended its interpretation of the law to require that ISPs provide wiretapping access to a range of Internet data.Communications Assistance for Law Enforcement Act of 1994, AKA Digital Telephony Act
Telemarketing Sales Rulehttps://www.ecfr.gov/cgi-bin/text-idx?SID=e37d3cd088c6b4724a389338f9c3e141&mc=true&tpl=/ecfrbrowse/Title16/16cfr310_main_02.tpl1995Telemarketing Sales Rule (TSR)16 C.F.R. Part 310Telemarketing and Consumer Fraud and Abuse Prevention Act (TCFPA)FederalTopicalInformation PrivacyConsumer PrivacyPrivacy Rights👤 Contact InfoConsumersTelemarketersFTCStAGYhttps://en.wikipedia.org/wiki/Telemarketing_and_Consumer_Fraud_and_Abuse_Prevention_Actwikipedia.orghttps://www.ftc.gov/enforcement/statutes/telemarketing-consumer-fraud-abuse-prevention-actftc.govhttps://www.venable.com/-/media/files/events/2020/01/telemarketing-and-texting-slides-jan-2020.pdfvenable.comhttps://www.ftc.gov/tips-advice/business-center/guidance/complying-telemarketing-sales-ruleftc.govhttps://thedma.org/resources/compliance-resources/ftc-telemarketing-sales-rule/thedma.orgDo Not Call, Dialing, Robocall rulesSpawned from 1995 Telemarketing and Consumer Fraud and Abuse Prevention Act (TCFPA)Telemarketing Sales Rule (TSR) of 1995, AKA Telemarketing and Consumer Fraud and Abuse Prevention Act (TCFPA). See: 16 C.F.R. Part 310
HIPAAhttps://www.hhs.gov/sites/default/files/ocr/privacy/hipaa/administrative/combined/hipaa-simplification-201303.pdf1996Health Insurance Portability and Accountability ActKennedy-Kassebaum ActFederalSectoralInformation PrivacyMedical PrivacyPrivacy Rights⚕️ PHI - Protected Health InfoConsumersHealthcareHHS-OCRStAGYYYhttps://www.hhs.gov/hipaa/for-professionals/privacy/laws-regulations/index.htmlhhs.govhttps://www.cms.gov/Outreach-and-Education/Medicare-Learning-Network-MLN/MLNProducts/Downloads/HIPAAPrivacyandSecurity.pdfcms.govhttps://www.atlantic.net/hipaa-compliant-hosting/hipaa-compliance-guide-what-is-hipaa/atlantic.nethttps://evisit.com/resources/hipaa-guide/#12evisit.comhttps://www.hhs.gov/hipaa/for-professionals/privacy/guidance/index.htmlhhs.govElectronic Medical Records regulatedThe initial purpose of HIPAA was not privacy, but portability of healthcare for employees changing jobs.Health Insurance Portability and Accountability Act of 1996, AKA Kennedy-Kassebaum Act
PRWORAhttps://www.congress.gov/bill/104th-congress/house-bill/3734/text1996Personal Responsibility and Work Opportunity Reconciliation ActWelfare ReformFederalTopicalInformation PrivacyEmployment PrivacyTransparency👷 Employment infoCitizensBusinesseshttps://www.ssa.gov/OP_Home/comp2/F104-193.htmlssa.govhttps://en.wikipedia.org/wiki/Personal_Responsibility_and_Work_Opportunity_Actwikipedia.orghttps://www.centreforpublicimpact.org/case-study/personal-responsibility-and-work-opportunity-reconciliation-act-the-clinton-welfare-reform/centreforpublicimpactWelfare reform = new hire transparencyRepublican "Contract with America." Widely viewed as the most fundamental reform to the US social safety net since the New Deal by its dismantling of the major cash entitlement programs AFDC and replacing it with state-controlled block grant TANF fundsPersonal Responsibility and Work Opportunity Reconciliation Act of 1996, AKA Welfare Reform
CDA 230https://www.law.cornell.edu/uscode/text/47/2301996Communications Decency ActFederalPrivacy BenefitInformation PrivacyMedia & PrivacyFree Speech Rights💬 Protected SpeechPlatformsOnline publishersCourtshttps://en.wikipedia.org/wiki/Communications_Decency_Actwikipedia.orghttps://www.eff.org/issues/cda230eff.orghttps://www.britannica.com/topic/Communications-Decency-Actbritannica.comhttps://www.law.cornell.edu/uscode/text/47/230law.cornell.eduPlatforms are not publishers, not liableResponse to the Prodigy decision that penalized the company for their content moderation efforts. Wyden got 230 added to CDA. Original CDA legislation was to prevent porn, but failed miserably on constitutional grounds. "[T]he whole point of Section 230 was to allow online services to have the discretion to block content that they deem objectionable." https://arstechnica.com/tech-policy/2020/06/section-230-the-internet-law-politicians-love-to-hate-explained/Communications Decency Act of 1996
Telecommunications Acthttps://www.congress.gov/bill/104th-congress/senate-bill/652/text1996Telecommunications ActPub. L. 104-104, Feb. 8, 1996, 110 Stat. 56FederalSectoralInformation PrivacyConsumer PrivacyPrivacy Rights📂 CPNI - Customer Proprietary Network InfoConsumersBusinessesFCCStAGYYYhttps://www.fcc.gov/general/telecommunications-act-1996fcc.govhttps://en.wikipedia.org/wiki/Telecommunications_Act_of_1996wikipedia.orghttps://www.ntia.doc.gov/legacy/opadhome/overview.htmntia.doc.govhttps://thehill.com/policy/technology/268459-bill-clintons-telecom-law-twenty-years-laterthehill.comhttps://www.britannica.com/topic/Telecommunications-Actbritannica.comDereg to increase competition backfiredThe Act envisioned increased competition in all telecommunications markets, both in the markets for the various elements that comprise the telecommunications network, as well as for the final services the network creates. Telecommunications Act of 1996. See: Pub. L. 104-104, Feb. 8, 1996, 110 Stat. 56
Tax Browsing Prot Acthttps://www.congress.gov/bill/105th-congress/house-bill/1226/text1997Taxpayer Browsing Protection ActPub. L. 105-35 (08/05/1997)TBPAFederalSectoralInformation PrivacyFinancial PrivacyPrivacy Rights$ Financial RecordsCitizensGovernmentYYhttps://www.law.cornell.edu/topn/taxpayer_browsing_protection_actlaw.cornell.eduhttps://www.irs.gov/irm/part10/irm_10-005-005irs.govhttps://itlaw.wikia.org/wiki/Taxpayer_Browsing_Protection_Act_of_1997itlaw.wikia.orghttps://www.congress.gov/bill/105th-congress/house-bill/1226/text?overview=closedcongress.govhttps://www.congress.gov/105/plaws/publ35/PLAW-105publ35.pdfcongress.govUnlawful to snoop tax recordsOne Congressman from Texas: Rep. Bill Archer (R - Texas) https://www.epic.org/privacy/databases/irs/archer_statement_497.htmlTaxpayer Browsing Protection Act of 1997, AKA TBPA. See: Pub. L. 105-35 (08/05/1997)
ITADAhttps://www.ftc.gov/node/1194591998Identity Theft and Assumption Deterrence ActFederalCriminalInformation PrivacyInfoSec / BreachesAnti-Crime Policing👤 PII - Personally Identifiable InfoBusinessesIllegal ActsFTCYhttps://www.ftc.gov/node/119459ftc.govhttps://www.comparitech.com/identity-theft-protection/identity-theft-assumption-deterrence-act/comparitech.comhttps://itlaw.wikia.org/wiki/Identity_Theft_and_Assumption_Deterrence_Act_of_1998itlaw.wikia.orgID theft is a federal crimeIndividual and institutional losses of $745 million to identity theft in 1997. "Tens of thousands of Americans have been victims of identity theft. Imposters often run up huge debts, file for bankruptcy, and commit serious crimes. It can take years for victims of identity theft to restore their credit ratings and their reputations. This legislation will enable the United States Secret Service, the Federal Bureau of Investigation, and other law enforcement agencies to combat this type of crime, which can financially devastate its victims." - President William J. Clinton.Identity Theft and Assumption Deterrence Act of 1998
COPPAhttps://www.law.cornell.edu/uscode/text/15/chapter-911998Children’s Online Privacy Protection Act15 U.S. Code CHAPTER 91FederalBroadInformation PrivacyConsumer PrivacyPrivacy Rights👤 PII - Personally Identifiable InfoConsumersOnline businessesFTCStAGYYYYhttps://www.ftc.gov/enforcement/rules/rulemaking-regulatory-reform-proceedings/childrens-online-privacy-protection-ruleftc.govhttps://epic.org/privacy/kids/epic.orghttps://www.ftc.gov/tips-advice/business-center/privacy-and-security/children%27s-privacyftc.govhttps://en.wikipedia.org/wiki/Children%27s_Online_Privacy_Protection_Actwikipedia.orghttps://www.inc.com/encyclopedia/childrens-online-privacy-protection-act-coppa.htmlinc.comChildren's PII highly regulatedKidsCom.com prosecution, 1998 FTC Privacy On-Line Report to Congress, documenting the online collection of personal information from childrenChildren’s Online Privacy Protection Act of 1998. See: 15 U.S. Code CHAPTER 91
GLBAhttps://www.congress.gov/bill/106th-congress/senate-bill/900/text1999Gramm-Leach-Bliley ActFinancial Services Modernization Act, Title VFederalSectoralInformation PrivacyFinancial PrivacyPrivacy Rights👤 NPI - Non-Public InfoConsumersFinancial OrgsCFPB, FTC, OthersStAGYNot directlyYhttps://www.ftc.gov/tips-advice/business-center/privacy-and-security/gramm-leach-bliley-actftc.govhttps://en.wikipedia.org/wiki/Gramm%E2%80%93Leach%E2%80%93Bliley_Actwikipedia.orghttps://www.investopedia.com/terms/g/glba.aspinvestopedia.comhttps://digitalguardian.com/blog/what-glba-compliance-understanding-data-protection-requirements-gramm-leach-bliley-actdigitalguardian.comhttps://www.lexology.com/library/detail.aspx?g=415d0c61-a5d1-4e6b-a68b-82437a64230dlexology.comFinancial Records regulatedControversial data practices of major banks like the U.S. Bancorp/MemberWorks Scandal: Prior to GLBA’s passage, a number of leading financial institutions were found to have shared detailed customer information, including account numbers and other highly sensitive data, with telemarketing firms. Subsequently, the firms used the account numbers to charge customers for unsolicited services. + Citicorp/Travelers merger, relaxations of Glass-Steagall.Gramm-Leach-Bliley Act of 1999, AKA Financial Services Modernization Act, Title V
EO 13145: Genetic Infohttps://www.transportation.gov/sites/dot.gov/files/docs/eo13145_0_0.pdf2000To Prohibit Discrimination in Federal Employment Based on Genetic InformationFederalTopicalBodily PrivacyEmployment PrivacyAnti-Discrim Rights⚕️ PGI - Protected Genetic InfoEmployeesGovernmenthttps://www.govinfo.gov/content/pkg/WCPD-2000-02-14/pdf/WCPD-2000-02-14-Pg244.pdfgovinfo.govhttps://www.eeoc.gov/eeoc/history/35th/thelaw/13145.htmleeoc.govhttps://www.eeoc.gov/policy/docs/qanda-genetic.htmleeoc.govFed Employers can't discrim on DNAAnti-discriminationTo Prohibit Discrimination in Federal Employment Based on Genetic Information of 2000
Safe Harbor (EU-US)https://www.everycrsreport.com/files/20151029_R44257_35c829bb2fee9d0ef3aa897dd15f69a573f1ab68.pdf2000U.S.-EU Safe Harbor FrameworkInternationalTopicalInformation PrivacyNational SecuritySelf Reg👤 PII - Personally Identifiable InfoBusinessesBusinessesFTChttps://en.wikipedia.org/wiki/International_Safe_Harbor_Privacy_Principleswikipedia.orghttps://www.ftc.gov/tips-advice/business-center/privacy-and-security/u.s.-eu-safe-harbor-frameworkftc.govhttps://iapp.org/resources/article/a-brief-history-of-safe-harbor/iapp.orgOrig agreement to give US orgs "adequacy"In a word, adequacy. In July 2000, the European Commission (EC) decided that US companies complying with the principles and registering their certification that they met the EU requirements, the so-called "safe harbour scheme", were allowed to transfer data from the EU to the US. This is referred to as the Safe Harbour decision.U.S.-EU Safe Harbor Framework of 2000
PIPEDA (Canada)https://laws-lois.justice.gc.ca/eng/acts/P-8.6/index.html2001Canada's Personal Information Protection and Electronic Documents ActCanadaComprehensiveInformation PrivacyInternational PrivacyPrivacy Rights👤 PII - Personally Identifiable InfoConsumersAll ControllersOPCYhttps://www.priv.gc.ca/en/privacy-topics/privacy-laws-in-canada/the-personal-information-protection-and-electronic-documents-act-pipeda/priv.gc.cahttps://en.wikipedia.org/wiki/Personal_Information_Protection_and_Electronic_Documents_Actwikipedia.orghttps://digitalguardian.com/blog/what-pipeda-personal-information-protection-and-electronic-documents-act-understand-and-complydigitalguardian.comhttps://www.canlii.org/en/ca/laws/stat/sc-2000-c-5/latest/sc-2000-c-5.htmlcanlii.orgConsent. Access. Accuracy. Purpose Limit.Rapid Internet growth and other technological advances that greatly facilitated the collection, retention, organization and dissemination of personal data + the European Union’s Privacy Directive (1995)Canada's Personal Information Protection and Electronic Documents Act of 2001
PATRIOT Acthttps://epic.org/privacy/terrorism/hr3162.html2001Uniting and Strengthening America by Providing Appropriate Tools Required to Intercept and Obstruct TerrorismFederalBroadComm PrivacyNational SecuritySurveillance Laws📞 Personal CommsSecurityLaw EnforceFBIYhttps://en.wikipedia.org/wiki/Patriot_Actwikipedia.orghttps://epic.org/privacy/terrorism/hr3162.htmlepic.orghttps://www.vox.com/2015/6/2/8701499/patriot-act-explainvox.comhttps://www.eff.org/issues/patriot-acteff.orghttps://www.aclu.org/issues/national-security/privacy-and-surveillance/surveillance-under-patriot-actaclu.orgPost-9/11 made Gov snooping easier9/11. Legislative proposals in response to the terrorist attacks of September 11, 2001 were introduced less than a week after the attacks. USA PATRIOT was a compromise bill, weaker than the Anti-Terrorism Act of 2001 (ATA) but still very privacy-compromising. President Bush signed the final bill into law on October 26, 2001.Uniting and Strengthening America by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism of 2001
EGOVhttps://www.congress.gov/bill/107th-congress/house-bill/024582002E-government ActFederal Information Security Management Act (FISMA)FederalSectoralInformation PrivacyGovernment RecordsTransparency🇺🇸 Gov DataCitizensGovernmentOMBYhttps://en.wikipedia.org/wiki/E-Government_Act_of_2002wikipedia.orghttps://www.justice.gov/opcl/e-government-act-2002justice.govhttps://www.cms.gov/Research-Statistics-Data-and-Systems/Computer-Data-and-Systems/Privacy/eGovernment-Actcms.govhttps://www.whitehouse.gov/sites/whitehouse.gov/files/omb/assets/egov_docs/egov_implementation_report_6_17_16.pdfwhitehouse.govhttps://www.data.gov/data.govPushes Gov info & services onlineGovernment efficiency law signed by President George W. Bush: "The Act will also assist in expanding the use of the Internet and computer resources in order to deliver Government services, consistent with the reform principles I outlined on July 10, 2002, for a citizen-centered, results-oriented, and market-based Government."E-government Act of 2002, AKA Federal Information Security Management Act (FISMA)
CAN-SPAMhttps://www.congress.gov/bill/108th-congress/senate-bill/8772003Controlling the Assault of Non-Solicited Pornography and Marketing ActFederalTopicalInformation PrivacyConsumer PrivacyPrivacy Rights👤 Contact InfoConsumersMarketersFTCStAGISP OnlyYYhttps://www.ftc.gov/tips-advice/business-center/guidance/can-spam-act-compliance-guide-businessftc.govhttps://en.wikipedia.org/wiki/CAN-SPAM_Act_of_2003wikipedia.orghttps://www.federalregister.gov/documents/2019/04/04/2019-06562/controlling-the-assault-of-non-solicited-pornography-and-marketing-rulefederalregister.govhttps://ccbjournal.com/articles/controlling-assault-non-solicited-pornography-and-marketing-act-2003-can-spam-act-2003ccbjournal.comhttps://www.law.cornell.edu/uscode/text/15/chapter-103law.cornell.eduNo spamming emails or textsOpt Out: It's widely believed that a principal impetus for passage of the CAN-SPAM Act at the federal level was the inclusion of provisions that preempted harsher state laws that required Opt In.Controlling the Assault of Non-Solicited Pornography and Marketing Act of 2003
DNC Implement Acthttps://uscode.house.gov/view.xhtml?req=granuleid%3AUSC-prelim-title15-chapter87A&edition=prelim2003Do-Not-Call Implementation ActFederalSectoralInformation PrivacyConsumer PrivacyPrivacy Rights👤 Contact InfoConsumersTelemarketershttps://en.wikipedia.org/wiki/National_Do_Not_Call_Registrywikipedia.orghttps://definitions.uslegal.com/d/do-not-call-implementation-act/uslegal.comhttps://www.congress.gov/congressional-report/108th-congress/house-report/8/1congress.govProtects from telemarketing callsAuthorizes the FTC to collect fees for the implementation and enforcement of a Do-Not-Call Registry.Do-Not-Call Implementation Act of 2003
CalFIPA [CA]https://leginfo.legislature.ca.gov/faces/codes_displayText.xhtml?division=1.4.&lawCode=FIN2003California Financial Information Privacy ActSB-1StateSectoralInformation PrivacyFinancial PrivacyPrivacy Rights👤 NPI - Non-Public InfoConsumersFinancial OrgsStAGYhttps://leginfo.legislature.ca.gov/faces/codes_displayText.xhtml?division=1.4.&lawCode=FINca.govhttps://medium.com/golden-data/what-is-calfipa-ee7e48c88dd0medium.comhttps://www.reedsmith.com/-/media/files/perspectives/2004/09/sb1--the-california-financial-information-privacy/files/sb1--the-california-financial-information-privacy/fileattachment/acf6c0d.pdfreedsmith.comhttps://www.hldataprotection.com/2018/12/articles/consumer-privacy/california-consumer-privacy-act-the-challenge-ahead-the-interplay-between-the-ccpa-and-financial-institutions/hldataprotectionLimits Bank PII sharingTo provide California consumers notice and meaningful choice about how consumers’ nonpublic personal information is shared and to offer greater protection than its federal counterpart the GLBA. The core focus of CalFIPA is to limit the sharing of information.California Financial Information Privacy Act of 2003, AKA SB-1
FACTAhttps://www.congress.gov/bill/108th-congress/house-bill/26222003Fair and Accurate Credit Transactions ActPublic Law No: 108-159FACT ActFederalSectoralInformation PrivacyFinancial PrivacyPrivacy Rights$ Consumer ReportsConsumersFinancial OrgsCFPB, FTCY* MostYYhttps://www.ftc.gov/enforcement/statutes/fair-accurate-credit-transactions-act-2003ftc.govhttps://www.investopedia.com/terms/f/facta.aspinvestopedia.comhttps://www.nclc.org/images/pdf/credit_reports/archive/analysis-facta.pdfnclc.orghttps://iapp.org/resources/article/fair-and-accurate-credit-transactions-act-of-2003-2/iapp.orghttps://uscode.house.gov/view.xhtml?req=granuleid%3AUSC-prelim-title15-chapter41-subchapter3&edition=prelimuscode.house.govEnhanced ID theft, free cred reportsThe impetus for FACTA was expiration of existing subject-matter-specific preemption provisions in the FCRA. Prior version of FCRA provided that preemptions would not apply to state laws enacted after January 1, 2004. Congress eliminated that provision, and added a long list of new preemptions that significantly limit states’ abilities to regulate much of the FCRA’s subject matter and conduct requirements.Fair and Accurate Credit Transactions Act of 2003, AKA FACT Act. See: Public Law No: 108-159
CalOPPAhttps://leginfo.legislature.ca.gov/faces/codes_displayText.xhtml?division=8.&chapter=22.&lawCode=BPC2004California Online Privacy Protection ActStateTopicalInformation PrivacyConsumer PrivacyPrivacy Rights👤 PII - Personally Identifiable InfoConsumersOnline businessesStAGvia UCLhttps://en.wikipedia.org/wiki/Online_Privacy_Protection_Actwikipedia.orghttps://consumercal.org/about-cfc/cfc-education-foundation/california-online-privacy-protection-act-caloppa-3/consumercal.orghttps://leginfo.legislature.ca.gov/faces/codes_displayText.xhtml?division=8.&chapter=22.&lawCode=BPCca.govhttps://blog.rsisecurity.com/california-privacy-policy-what-is-caloppa/rsisecurity.comhttps://medium.com/golden-data/what-is-caloppa-b781b0cd5e39medium.comWebsites must have Privacy PolicyCalOPPA was enacted to help “foster the continued growth of the Internet economy…by allowing individuals to rely on a Privacy Policy posted online.” The law is meant to reassure consumers who were unsure of doing business online.California Online Privacy Protection Act of 2004
Vid Voyeur Prev Acthttps://www.law.cornell.edu/uscode/text/18/18012004Video Voyeurism Prevention ActFederalCriminalInformation PrivacyInfoSec / BreachesAnti-Crime Policing🖼️ ImagesCitizensIllegal ActsYhttps://www.law.cornell.edu/uscode/text/18/1801law.cornell.eduhttps://www.congress.gov/bill/108th-congress/senate-bill/01301congress.govhttps://itlaw.wikia.org/wiki/Video_Voyeurism_Prevention_Act_of_2004itlaw.wikia.orghttps://www.jeffweiner.com/blog/2018/april/video-voyeurism/jeffweiner.comDigital peeping is a crimeThe explosion of microcamera technology has fed the growing phenomenon of video voyeurism. Hidden cameras have been discovered in bedrooms, bathrooms, public showers, changing rooms, locker rooms, and tanning salons, all aimed at filming unsuspecting victims in various states of undress. Often, the invasion of privacy is exacerbated when captured images are posted on the Internet for all the world to see - Sen. LeahyVideo Voyeurism Prevention Act of 2004
JFPAhttps://www.congress.gov/bill/109th-congress/senate-bill/714/text?overview=closed2005Junk Fax Prevention ActFederalTopicalInformation PrivacyTelecom / MarketingPrivacy Rights👤 Contact InfoBusinessesMarketershttps://www.congress.gov/bill/109th-congress/senate-bill/714congress.govhttps://www.fcc.gov/general/fax-advertising-policyfcc.govhttps://en.wikipedia.org/wiki/Junk_Fax_Prevention_Act_of_2005wikipedia.orghttps://thedma.org/resources/compliance-resources/tcpa/tcpa-and-junk-fax-prevention-act-requirements/thedma.orghttps://www.congress.gov/congressional-report/109th-congress/senate-report/76/1congress.govEBR exceptions, ban on fax marketingGoal of the legislation was twofold: close loopholes on fax scammers and codify the EBR exception rule that many businesses desired. Critics were unhappy about EBR, as faxes cost the receiver money, essentially forcing them to pay for their own sales pitches.Junk Fax Prevention Act of 2005
BIPA [IL]https://www.ilga.gov/legislation/ilcs/ilcs3.asp?ActID=3004&ChapterID=572008Illinois' Biometric Information Privacy Act740 ILCS 14StateTopicalBodily PrivacyConsumer PrivacyPrivacy Rights⚕️ PBI - Protected Biometric InfoConsumersBusinessesStAG*YYhttps://en.wikipedia.org/wiki/Biometric_Information_Privacy_Actwikipedia.orghttp://www.ilga.gov/legislation/ilcs/ilcs3.asp?ActID=3004&ChapterID=57ilga.govhttps://www.skadden.com/insights/publications/2019/01/illinois-supreme-courtskadden.comhttps://www.natlawreview.com/article/illinois-biometric-information-privacy-act-bipa-when-will-companies-heed-warningnatlawreview.comhttps://www.jacksonlewis.com/sites/default/files/docs/IllinoisBIPAFAQs.pdfjacksonlewis.comRegulates business biometric data useBiometrics are unlike other unique identifiers that are used to access finances or other sensitive information. For example, social security numbers, when compromised, can be changed. Biometrics, however, are biologically unique to the individual; therefore, once compromised, the individual has no recourse, is at heightened risk for identity theft, and is likely to withdraw from biometric-facilitated transactions.Illinois' Biometric Information Privacy Act of 2008. See: 740 ILCS 14
GINAhttps://www.eeoc.gov/statutes/genetic-information-nondiscrimination-act-20082008Genetic Information Nondiscrimination ActFederalTopicalBodily PrivacyEmployment PrivacyAnti-Discrim Rights⚕️ PGI - Protected Genetic InfoConsumersHealthcareEEOC, Othershttp://www.ginahelp.org/GINAhelp.pdfginahelp.orghttps://en.wikipedia.org/wiki/Genetic_Information_Nondiscrimination_Actwikipedia.orghttps://www.eeoc.gov/eeoc/publications/fs-gina.cfmeeoc.govhttps://www.ncbi.nlm.nih.gov/pmc/articles/PMC3627538/ncbi.nlm.nih.govhttps://academic.oup.com/jlb/article/5/3/495/5498593oup.comNo discrim based on genetic infoTwo sets of concerns were the impetus for genetic nondiscrimination legislation at the state and federal levels: 1) worries about the potential for actual genetic discrimination and 2) apprehension about the public health and research implications of public fears of genetic discrimination.Genetic Information Nondiscrimination Act of 2008
HITECHhttps://www.hipaasurvivalguide.com/hitech-act-text.php2009Health Information Technology for Economic and Clinical Health Actpart of American Recovery and Reinvestment ActFederalSectoralInformation PrivacyMedical PrivacyPrivacy Rights⚕️ PHI - Protected Health InfoConsumersHealthcareHHS-OCRePHIhttps://www.hhs.gov/hipaa/for-professionals/special-topics/hitech-act-enforcement-interim-final-rule/index.htmlhhs.govhttps://www.hipaajournal.com/what-is-the-hitech-act/hipaajournal.comhttps://compliancy-group.com/what-is-the-hitech-act/compliancy-grouphttps://www.asha.org/Practice/reimbursement/hipaa/HITECH-Act/asha.orgData Breach reporting for HIPAALack of hospital adoption of electronic health records. While many healthcare providers wanted to transition to EHRs from paper records, the cost was prohibitive. The HITECH Act introduced incentives to encourage change. Had the Act not been passed, many healthcare providers would still be using paper records. HITECH increased the rate of adoption of EHRs: 3.2% in 2008; by 2017, 86% of office-based physicians had adopted an EHR.Health Information Technology for Economic and Clinical Health Act of 2009, AKA part of American Recovery and Reinvestment Act
Red Flag Rulehttps://www.ecfr.gov/cgi-bin/text-idx?SID=fddfe88d36b1e7881a1b76f4e8437d65&mc=true&node=pt16.1.681&rgn=div5#se16.1.681_112010Red Flag Program Clarification ActFederalTopicalInformation PrivacyFinancial PrivacyAnti-Crime Policing👤 PII - Personally Identifiable InfoConsumersFinancial Orgshttps://en.wikipedia.org/wiki/Red_Flags_Rulewikipedia.orghttps://www.huntonprivacyblog.com/2010/12/20/president-obama-signs-red-flag-program-clarification-act/huntonprivacybloghttps://www.federalregister.gov/documents/2014/02/20/2014-03264/identity-theft-red-flags-regulation-vfederalregister.govhttps://www.ftc.gov/tips-advice/business-center/guidance/fighting-identity-theft-red-flags-rule-how-guide-businessftc.govID Theft Prevent programs required 4 some orgsRapid rise in identity theft. 13.9M victims in 2009Red Flag Program Clarification Act of 2010
Consumer Finan Prot Acthttps://www.govtrack.us/congress/bills/111/hr4173/text2010Consumer Financial Protection ActDodd-Frank: Title X, CFPA, CFPBFederalSectoralInformation PrivacyFinancial PrivacyPrivacy Rights$ Financial MarketingConsumersFinancial OrgsCFPBStAGYhttps://www.law.cornell.edu/wex/dodd-frank_title_x_-_bureau_of_consumer_financial_protectionlaw.cornell.eduhttps://www.investopedia.com/terms/c/consumer-financial-protection-act.aspinvestopedia.comhttps://www.consumerfinance.gov/about-us/the-bureau/creatingthebureau/consumerfinance.govhttps://en.wikipedia.org/wiki/Dodd%E2%80%93Frank_Wall_Street_Reform_and_Consumer_Protection_Actwikipedia.orgCreate CFPB: regulate financial scamsSubprime Mortgages: Unfair, deceptive, or abusive acts and practices by under-regulated financial product marketers, highlighted by the subprime mortgage industry.Consumer Financial Protection Act of 2010, AKA Dodd-Frank: Title X, CFPA, CFPB
CIPSEAhttps://www.bls.gov/bls/cipsea.pdf2012Confidential Information Protection and Statistical Efficiency ActPub.L. 107–347, 116 Stat. 2899, 44 U.S.C. § 101FederalTopicalInformation PrivacyGovernment RecordsPrivacy Rights🇺🇸 Gov DataCitizensGovernmentOMBhttps://en.wikipedia.org/wiki/Confidential_Information_Protection_and_Statistical_Efficiency_Actwikipedia.orghttps://www.bls.gov/bls/cipsea.pdfbls.govhttps://www.congress.gov/bill/107th-congress/house-bill/5215congress.govProtects PII collected for Gov StatsEnsuring that information provided under a pledge of confidentiality for statistical purposes receives protection is essential in continuing public cooperation in statistical programs. Concern about abuse of PII collected for specific purposes being rerouted to other agencies in violation of Privacy Act.Confidential Information Protection and Statistical Efficiency Act of 2012. See: Pub.L. 107–347, 116 Stat. 2899, 44 U.S.C. § 101
CMIA [CA]https://leginfo.legislature.ca.gov/faces/codes_displaySection.xhtml?sectionNum=56.10.&lawCode=CIV2013Confidentiality of Medical Information ActCivil Code (CIV) 56.10StateSectoralInformation PrivacyMedical PrivacyPrivacy Rights⚕️ PHI - Protected Health InfoConsumersHealthcareStAG*YYhttps://leginfo.legislature.ca.gov/faces/codes_displaySection.xhtml?sectionNum=56.10.&lawCode=CIVca.govhttps://consumercal.org/about-cfc/cfc-education-foundation/cfceducation-foundationyour-medical-privacy-rights/confidentiality-of-medical-information-act/consumercal.orghttps://www.eff.org/issues/law-and-medical-privacyeff.orghttps://irb.ucsd.edu/cmia.pdfirb.ucsd.eduhttp://www.law.uh.edu/healthlaw/perspectives/privacy/010830texas.htmllaw.uh.eduHIPAA-like w/ Right of ActionTo close some HIPAA loopholes and offer a Private Right of Action.Confidentiality of Medical Information Act of 2013. See: Civil Code (CIV) 56.10
ESSAhttps://www.govtrack.us/congress/bills/114/s1177/text2015Every Student Succeeds ActPub. L. 114-95, Dec. 10, 2015, 129 Stat. 1802FederalPrivacy BenefitInformation PrivacyEducation PrivacyPrivacy Rights🎓 Education RecordsStudents / ParentsEducatorsDept Edhttps://en.wikipedia.org/wiki/Every_Student_Succeeds_Actwikipedia.orghttps://www2.ed.gov/policy/elsec/leg/essa/legislation/index.htmled.govhttps://www.understood.org/en/school-learning/your-childs-rights/basics-about-childs-rights/every-student-succeeds-act-essa-what-you-need-to-knowunderstood.orghttps://www.edweek.org/ew/issues/every-student-succeeds-act/index.htmledweek.orghttps://isafedirect.com/blog/educational-data-federal-policyisafedirect.comStudent Testing & ReportingTeacher Unions joined with Small Gov conservatives: In the years after No Child Left Behind, the center of gravity in education policy shifted from the states to Washington. Under the Obama administration, a left-right alliance between unions and small-gov conservatives became ascendant. Unions argued against standardized testing and evals; conservatives argued against federal control of education funds.Every Student Succeeds Act of 2015. See: Pub. L. 114-95, Dec. 10, 2015, 129 Stat. 1802
CISAhttps://www.congress.gov/bill/114th-congress/senate-bill/754/text2015Cybersecurity Information Sharing ActFederalTopicalComm PrivacyInfoSec / BreachesInfoSec👮 Incident RecordsBusinessesAll ControllersYYhttps://en.wikipedia.org/wiki/Cybersecurity_Information_Sharing_Actwikipedia.orghttps://www.cisecurity.org/newsletter/cybersecurity-information-sharing-act-of-2015/cisecurity.orghttps://www.nextgov.com/cybersecurity/2018/06/only-6-non-federal-groups-share-cyber-threat-info-homeland-security/149343/nextgov.comhttps://federalnewsnetwork.com/reporters-notebook-jason-miller/2020/10/cisas-still-overcoming-challenges-5-years-after-cybersecurity-information-sharing-act-became-law/federalnewsnetworkhttps://thehill.com/opinion/cybersecurity/461452-americas-cyber-blind-spotthehill.comCompanies can share infosec w/ less liabilityThe growth of cybersecurity threats required greater collection and sharing of data. But a lot of legal liability might result from this: FOIA, Electronic Communications Privacy Act of 1986, Cable Communications Policy Act of 1984, Antitrust Laws, Tort Law. So Congress passed CISA to give companies and Gov a way to collect and share intel with the government while reducing liability.Cybersecurity Information Sharing Act of 2015
USA Freedom Acthttps://www.govtrack.us/congress/bills/114/hr2048/text2015USA Freedom ActFederalSectoralComm PrivacyNational SecuritySurveillance Laws📞 Personal CommsSecurityLaw EnforceFBIYhttps://en.wikipedia.org/wiki/USA_Freedom_Actwikipedia.orghttps://www.lawfareblog.com/nsa-and-usa-freedom-actlawfareblog.comhttps://www.lawfareblog.com/so-what-does-usa-freedom-act-do-anywaylawfareblog.comhttps://www.intelligence.gov/index.php/ic-on-the-record-database/results/787-fact-sheet-implementation-of-the-usa-freedom-act-of-2015intelligence.govhttps://www.eff.org/deeplinks/2015/05/usa-freedom-act-passes-what-we-celebrate-what-we-mourn-and-where-we-go-hereeff.orgSlightly less mass surveillanceNSA whistleblower Edward Snowden’s revelations and backlack to PATRIOT Act abuses exposed by the NYT.USA Freedom Act of 2015
Cures Acthttps://www.congress.gov/bill/114th-congress/house-bill/34/text201621st Century Cures ActPub. L. 114-255, Dec. 13, 2016, 130 Stat. 1033Act to Accelerate the Discovery, Development, and Delivery of 21st Century Cures, and for Other PurposesFederalPrivacy BenefitInformation PrivacyMedical PrivacyPrivacy Rights⚕️ PHI - Protected Health InfoResearch subjectsResearchersOIG/ONC (HHS)YYhttps://www.fda.gov/regulatory-information/selected-amendments-fdc-act/21st-century-cures-actfda.govhttps://iapp.org/news/a/privacy-and-security-impacts-of-the-21st-century-cures-legislation/iapp.orghttps://www.congress.gov/114/bills/hr34/BILLS-114hr34enr.pdfcongress.govhttps://en.wikipedia.org/wiki/21st_Century_Cures_Actwikipedia.orghttps://www.ncbi.nlm.nih.gov/pmc/articles/PMC5424829/ncbi.nlm.nih.govSharing of data for medical researchBipartisan desire for progress on disease research https://www.curetoday.com/cure-tv/rep-frank-pallone-jr-on-the-impetus-for-the-21st-century-cures-act21st Century Cures Act of 2016, AKA Act to Accelerate the Discovery, Development, and Delivery of 21st Century Cures, and for Other Purposes. See: Pub. L. 114-255, Dec. 13, 2016, 130 Stat. 1033
DOPPA [DE]https://delcode.delaware.gov/title6/c012c/index.shtml2016Delaware Online Privacy and Protection ActStateTopicalInformation PrivacyConsumer PrivacyPrivacy Rights👤 PII - Personally Identifiable InfoConsumersBusinessesStDOJ^https://privacylaw.proskauer.com/2015/11/articles/online-privacy/delaware-enacts-comprehensive-online-privacy-protection-law/#:~:text=On%20January%201%2C%202016%2C%20the,privacy%20protection%20for%20its%20residents.&text=The%20law%20grants%20the%20state's,prosecute%20violations%20of%20the%20law.proskauer.comhttps://www.winston.com/en/privacy-law-corner/delaware-s-online-privacy-and-protection-act-now-in-effect.htmlwinston.comhttps://delcode.delaware.gov/title6/c012c/index.shtmldelaware.govhttps://www.termsfeed.com/blog/doppa/termsfeed.comPrivacy policies, ads to kids, ebooksSubstantially similar to three existing California laws that regulate the same practices.Delaware Online Privacy and Protection Act of 2016
AB 2828 [CA]https://leginfo.legislature.ca.gov/faces/billTextClient.xhtml?bill_id=201520160AB28282016AB-2828 Personal information: privacy: breachStateTopicalInformation PrivacyInfoSec / BreachesTransparency👤 PII - Personally Identifiable InfoConsumersBusinesseshttps://privacylaw.proskauer.com/2016/11/articles/california/california-amends-data-breach-notification-law-to-require-notification-of-breach-of-encrypted-personal-information-when-encryption-key-has-been-leaked/proskauer.comhttps://leginfo.legislature.ca.gov/faces/billNavClient.xhtml?bill_id=201520160AB2828ca.govBreach must be reported if encrypt key leakedTo better protect consumers from companies hiding behind the encryption safe harbor written into most data breach reporting laws. Encryption can protect stolen data, but not if the keys to breaking it are also compromised.AB-2828 Personal information: privacy: breach of 2016
SB 2005 [TN]https://www.capitol.tn.gov/Bills/109/Bill/SB2005.pdf2016Tennessee SB 2005HB 1631StateTopicalInformation PrivacyInfoSec / BreachesTransparency👤 PII - Personally Identifiable InfoConsumersBusinessesStAGYhttps://iapp.org/news/a/tennessee-law-first-to-require-notification-regardless-of-information-encryption-status/iapp.orghttps://www.dwt.com/blogs/privacy--security-law-blog/2016/04/tennessee-gives-businesses-45-days-for-data-breachdwt.comhttps://healthitsecurity.com/news/tn-updates-data-breach-notification-law-for-encrypted-datahealthitsecurity.comhttps://wapp.capitol.tn.gov/apps/BillInfo/Default.aspx?BillNumber=SB0547&GA=110tn.govhttps://law.justia.com/codes/tennessee/2010/title-47/chapter-18/part-21/47-18-2107law.justia.comNo encrypt safe harbor (later fixed)Modified Tennessee Data Breach LawTennessee SB 2005 of 2016, AKA HB 1631
Privacy Shield (EU-US)https://www.privacyshield.gov/servlet/servlet.FileDownload?file=015t00000004qAg2016EU-U.S. Privacy Shield FrameworkInternationalTopicalInformation PrivacyNational SecuritySelf Reg👤 PII - Personally Identifiable InfoBusinessesBusinessesFTChttps://www.privacyshield.gov/welcomeprivacyshield.govhttps://www.impact-advisors.com/security/eu-us-privacy-shield-framework/impact-advisors.comhttps://www.privacyshield.gov/eu-us-frameworkprivacyshield.govStop-gap prog to address lack of US AdequacyThe CJEU invalidation of Safe Harbor in the Shrems I decision. The 2013 revelations regarding the reach and indiscriminate nature of some U.S. surveillance programs were also key impetus behind the dismantling of Safe Harbor and the creation of Privacy Shield.EU-U.S. Privacy Shield Framework of 2016
Biometric Privacy Law [WA]https://app.leg.wa.gov/RCW/default.aspx?cite=19.3752017Washington Biometric Privacy LawChapter 19.375 RCWHB 1493StateTopicalBodily PrivacyConsumer PrivacyPrivacy Rights⚕️ PBI - Protected Biometric InfoConsumersBusinessesStAG*Yhttps://www.huntonprivacyblog.com/2017/06/01/washington-becomes-third-state-enact-biometric-privacy-law/huntonprivacybloghttps://www3.swipeclock.com/blog/learn-washingtons-new-biometric-privacy-law-affects-businesses/swipeclock.comhttps://www.cov.com/-/media/files/corporate/publications/2017/07/wash_expands_biometric_privacy_quilt_with_more_limited_law.pdfcov.comhttps://www.dlapiper.com/en/us/insights/publications/2017/06/washington-third-state-with-biometric-privacy-law/dlapiper.comhttps://app.leg.wa.gov/RCW/default.aspx?cite=19.375wa.govLimits commercial (not emplyr) use of biometricsSeen as a more business-friendly alternative to an Illinois law.Washington Biometric Privacy Law of 2017, AKA HB 1493. See: Chapter 19.375 RCW
Cybersecurity Reg [NY]https://govt.westlaw.com/nycrr/Browse/Home/NewYork/NewYorkCodesRulesandRegulations?guid=I5be30d2007f811e79d43a037eefd0011&originationContext=documenttoc&transitionType=Default&contextData=(sc.Default)2017New York’s NYDFS Cybersecurity Regulation23 NYCRR 50023 NYCRR 500StateSectoralInformation PrivacyInfoSec / BreachesInfoSec👤 NPI - Non-Public InfoConsumersFinancial OrgsNYSDFSYhttps://blog.ariacybersecurity.com/blog/what-is-23-nycrr-500-blogariacybersecurity.comhttps://www.dfs.ny.gov/docs/legal/regulations/adoptions/dfsrf500txt.pdfdfs.ny.govForced of infosec for financial orgsRoughly 36% of banks still didn’t have a CISO (chief information security officer.) Plus, high-profile data breaches at JPMorgan Chase (83+M accounts), HSBC denial of service attack that shuttered its personal banking website. Disproportionate impact on New York City as a center of global commerce and finance. As a result, the New York Department of DFS took action.New York’s NYDFS Cybersecurity Regulation of 2017, AKA 23 NYCRR 500. See: 23 NYCRR 500
PIPPA [NJ]https://legiscan.com/NJ/text/S1913/id/14193892017New Jersey Personal Information and Privacy Protection ActStateTopicalInformation PrivacyConsumer PrivacyPrivacy Rights👤 PII - Personally Identifiable InfoConsumersBusinessesStAG*Yhttps://www.wilmerhale.com/en/insights/blogs/wilmerhale-privacy-and-cybersecurity-law/new-jerseys-personal-information-and-privacy-protection-act-signed-into-lawwilmerhale.comhttps://www.faegredrinkerondata.com/2017/new-jersey-enacts-personal-information-and-privacy-protection-act/faegredrinkerondatahttps://njbia.org/personal-information-privacy-act/njbia.orghttps://www.njleg.state.nj.us/2016/Bills/AL17/124_.HTMnjleg.state.nj.usLimits Driver ID scanning by retailersIn the perceived absence of significant new federal regulation on privacy issues, states have taken a greater interest in consumer privacy. In March 2017, the U.S. Congress voted to remove broadband privacy rules which would have gone into effect later that year. The president confirmed the repeal, which ended efforts to pass federal privacy protection law. After that, states became interested in passing their own legislation to protect the online privacy of their citizens.New Jersey Personal Information and Privacy Protection Act of 2017
HB 1260 [IL]https://www.ilga.gov/legislation/publicacts/99/PDF/099-0503.pdf2017Illinois HB 1260StateTopicalInformation PrivacyInfoSec / BreachesTransparency👤 PII - Personally Identifiable InfoConsumersBusinessesStAGYhttps://www.radarfirst.com/blog/illinois-personal-information-protection-act/radarfirst.comhttps://www.ilga.gov/legislation/fulltext.asp?DocName=09900HB1260enr&GA=99&SessionId=88&DocTypeId=HB&LegID=85740&DocNum=1260&GAID=13&Session=ilga.govhttps://www.ilga.gov/legislation/ilcs/ilcs3.asp?ActID=2702&ChapterID=67ilga.govhttps://csrcyberprivacy.com/privacy-regulations/illinois/csrcyberprivacyhttps://www.perkinscoie.com/en/news-insights/security-breach-notification-chart-illinois.htmlperkinscoie.comExpanded PII: med, health, biometric, moreModified Illinois Personal Information Protection ActIllinois HB 1260 of 2017
HB 15 [NM]https://www.huntonprivacyblog.com/wp-content/uploads/sites/28/2017/04/HB0015.pdf2017New Mexico Data Breach Notification ActStateTopicalInformation PrivacyInfoSec / BreachesTransparency👤 PII - Personally Identifiable InfoConsumersBusinessesStAGYYhttps://www.huntonprivacyblog.com/2017/04/17/new-mexico-enacts-data-breach-notification-law/huntonprivacybloghttps://www.huntonprivacyblog.com/wp-content/uploads/sites/28/2017/04/HB0015.pdfhuntonprivacyblog48th state data breach notification lawPressure to protect consumers, one of the last states to enact.New Mexico Data Breach Notification Act of 2017
SB 538 [NV]https://www.leg.state.nv.us/Session/79th2017/Bills/SB/SB538_EN.pdf2017Nevada SB 538StateTopicalInformation PrivacyConsumer PrivacyPrivacy Rights👤 PII - Personally Identifiable InfoConsumersOnline publishersStAGhttps://www.ballardspahr.com/alertspublications/legalalerts/2017-08-01-nevada-becomes-the-third-state-to-enact-website-privacy-notification-lawballardspahr.comhttps://blog.zwillgen.com/2017/08/16/ready-nevadas-new-website-privacy-notice-law/zwillgen.comhttps://www.leg.state.nv.us/Session/79th2017/Bills/SB/SB538.pdfleg.state.nv.usrequires publication of privacy policysimilar to laws passed in California (2004) and Delaware (2016)Nevada SB 538 of 2017
GDPRhttps://gdpr-info.eu/2018General Data Protection RegulationEEAComprehensiveInformation PrivacyInternational PrivacyPrivacy Rights👤 PD - Personal DataAny PersonAll ControllersDPAsYY*YYYhttps://eugdpr.org/eugdpr.orghttps://en.wikipedia.org/wiki/General_Data_Protection_Regulationwikipedia.orghttps://www.csoonline.com/article/3202771/general-data-protection-regulation-gdpr-requirements-deadlines-and-facts.htmlcsoonline.comhttps://iapp.org/resources/article/gdpr-genius/iapp.orghttps://www.tableau.com/learn/articles/gdpr-resourcestableau.comEurope protects personal data more effectivelyTrust. GDPR seeks to ensure that customers can trust businesses to protect their sensitive data, maintain transparency about what they do with that data, and, in the event of a security breach, that the customers are informed of the breach in a timely manner. Numerous highly public data breaches of personal data at global corporations such as Facebook, Marriott, Equifax and Yahoo. Exponential growth of data in the digital age, globalization, more.General Data Protection Regulation of 2018
CCPA [CA]https://leginfo.legislature.ca.gov/faces/codes_displayText.xhtml?division=3.&part=4.&lawCode=CIV&title=1.81.52018California Consumer Privacy ActSB-1121, GDPR-liteStateComprehensiveInformation PrivacyConsumer PrivacyPrivacy Rights👤 PII - Personally Identifiable InfoConsumersBusinessesStAGBreach OnlyYYYhttps://oag.ca.gov/privacy/ccpaoag.ca.govhttps://en.wikipedia.org/wiki/California_Consumer_Privacy_Actwikipedia.orghttps://www.csoonline.com/article/3292578/california-consumer-privacy-act-what-you-need-to-know-to-be-compliant.htmlcsoonline.comhttps://www.perkinscoie.com/en/practices/security-privacy-law/california-consumer-privacy-act-of-2018.htmlperkinscoie.comhttps://www.caprivacy.org/caprivacy.org1st comprehensive US state privacy lawGDPR + data privacy scandals. Spearheaded by rich private citizen Alastair Mactaggart.California Consumer Privacy Act of 2018, AKA SB-1121, GDPR-lite
CLOUD Acthttps://www.justice.gov/dag/page/file/1152896/download2018Clarifying Lawful Overseas Use of Data ActPub.L. 115–141H.R.4943FederalSectoralComm PrivacyLaw EnforceSurveillance Laws📞 Personal CommsSecurityCommsDOJvia ECPAhttps://en.wikipedia.org/wiki/CLOUD_Actwikipedia.orghttps://epic.org/privacy/cloud-act/epic.orghttps://www.orrick.com/Insights/2018/04/The-CLOUD-Act-Explainedorrick.comhttps://www.congress.gov/bill/115th-congress/house-bill/4943congress.govhttps://www.justice.gov/opa/press-release/file/1153446/downloadjustice.govUS LEOs can grab data anywhereMicrosoft v US was pending before Supreme Court and Congress was worried law enforcement was going to be thwarted in its ability to chase down villains whose data was stored overseas.Clarifying Lawful Overseas Use of Data Act of 2018, AKA H.R.4943. See: Pub.L. 115–141
PCI DSS 3.2.1https://drive.google.com/file/d/1HDx4BMf0oYE8m94834bPVE7dtI_S0jwv/view?usp=sharing2018Payment Card Industry Data Security Standard (PCI-DSS) 3.2.1InternationalTopicalInformation PrivacyFinancial PrivacySelf Reg$ Credit CardsConsumersOnline businessesPCI SSCYhttps://en.wikipedia.org/wiki/Payment_Card_Industry_Data_Security_Standardwikipedia.orghttps://www.pcicomplianceguide.org/faq/pcicomplianceguide.orghttps://www.imperva.com/learn/data-security/pci-dss-certification/imperva.comhttps://www.pcisecuritystandards.org/pdfs/pci_fs_data_storage.pdfpcisecuritystandardshttps://www.securitymetrics.com/blog/pci-vs-gdpr-whats-difference#:~:text=The%20PCI%20Data%20Security%20Standard,protecting%20the%20privacy%20of%20individuals.securitymetrics.comInfosec cert for orgs using branded CCsSelf-regulation to prevent federal oversight. In this case, industry really wanted Payment Card Industry Data Security Standard (PCI-DSS) 3.2.1 of 2018
CPRA [CA]https://transcend.io/laws/cpra/#section-12020California Privacy Rights and Enforcement ActProp 24StateComprehensiveInformation PrivacyConsumer PrivacyPrivacy Rights👤 PII - Personally Identifiable InfoConsumersBusinessesCPPA [CA]Breach OnlyYYYhttps://www.jdsupra.com/legalnews/california-privacy-rights-and-65727/jdsupra.comhttps://www.manatt.com/insights/newsletters/client-alert/the-california-privacy-rights-act-has-passedmanatt.comhttps://fpf.org/2020/11/04/californias-prop-24-the-california-privacy-rights-act-passed-whats-next/fpf.orghttps://www.onetrust.com/blog/ccpa-vs-cpra-what-has-changed/onetrust.comhttps://www.truevault.com/blog/whats-new-in-the-cpra-more-than-you-thinktruevault.comRework of CCPA, passed by ballot measureCalifornians for Consumer Privacy (the same group responsible for the ballot initiative that led to the CCPA) pushed for the adoption of CPRA, a second round of more substantial privacy rights protections. It triples fines against companies that violate kids' data, establishes an enforcement arm for consumers, and makes it harder to weaken privacy laws in the future.California Privacy Rights and Enforcement Act of 2020, AKA Prop 24
DAI Self-Reg Principleshttps://digitaladvertisingalliance.org/principles2020Digital Advertising Alliance Self-Regulatory PrinciplesMobile Guidance, the Online Behavioral Advertising Principles, the CrossDevice Guidance, and the Multi-Site Data PrinciplesDAIInternationalTopicalInformation PrivacyTelecom / MarketingSelf Reg👤 PII - Personally Identifiable InfoBusinessesMarketersDAIYhttps://digitaladvertisingalliance.org/principlesdigitaladvertisingallianceResponsible privacy practices 4 digital ad orgsAn industry effort to instill consumer trust and negate the need for government regulation.Digital Advertising Alliance Self-Regulatory Principles of 2020, AKA DAI. See: Mobile Guidance, the Online Behavioral Advertising Principles, the CrossDevice Guidance, and the Multi-Site Data Principles
NAI Code of Conducthttps://www.networkadvertising.org/sites/default/files/nai_code2020.pdf2020Network Advertising Initiative Code of ConductNAIInternationalTopicalInformation PrivacyTelecom / MarketingSelf Reg👤 PII - Personally Identifiable InfoBusinessesMarketersNAIYhttps://www.networkadvertising.org/code-enforcement/code/networkadvertising.orgSelf-reg notice & choice for digital ad orgsAn industry effort to instill consumer trust and negate the need for government regulation.Network Advertising Initiative Code of Conduct of 2020, AKA NAI
VCDPA [VA]https://lis.virginia.gov/cgi-bin/legp604.exe?211+sum+SB13922021Virginia’s Consumer Data Protection ActSB 1392 / H.B. 2307StateComprehensiveInformation PrivacyConsumer PrivacyPrivacy Rights👤 PII - Personally Identifiable InfoConsumersBusinessesStAGYYYhttps://www.privacyquicktipsblog.com/2021/03/virginia-joins-california-in-adopting-a-comprehensive-data-privacy-law/#more-2246privacyquicktipsbloghttps://www.jdsupra.com/legalnews/virginia-passes-new-consumer-data-1232151/jdsupra.com2nd comprehensive US state privacy lawThis bill had a lot of support from both political parties as well as Big Tech (including Amazon, who is moving into Northern Virginia in a big way).Virginia’s Consumer Data Protection Act of 2021, AKA SB 1392 / H.B. 2307
Illinois Right to Knowhttps://www.termsfeed.com/blog/illinois-right-know-act/Illinois Right to Know [PROPOSED]StateTopicalInformation PrivacyConsumer PrivacyPrivacy Rights👤 PII - Personally Identifiable InfoConsumersBusinesseshttps://www.jdsupra.com/legalnews/illinois-right-to-know-bill-passed-out-64580/jdsupra.comhttps://www.termsfeed.com/blog/illinois-right-know-act/termsfeed.comhttps://www.chicagotribune.com/business/ct-illinois-privacy-bill-passes-senate-0506-biz-20170505-story.htmlchicagotribune.comhttps://www.ilga.gov/legislation/BillStatus.asp?DocNum=2149&GAID=15&DocTypeID=SB&LegID=120357&SessionID=108&SpecSess=&Session=&GA=101ilga.govProposed consumer privacy rightsIllinois Right to Know [PROPOSED] of PROPOSED

New Categorization Schemes for Privacy Laws

Categorizing Privacy:

Scope: The first categorization is Scope, a characterization of each law by its breadth. It expands the Comprehensive vs. Sectoral distinction often drawn about privacy laws into the following six buckets:

  • Comprehensive: privacy laws that cover the widest range of organizations and activities
  • Broad: privacy laws that cover many organizations and activities but can’t be considered comprehensive
  • Sectoral: privacy laws that apply to a specific industry or business sector
  • Topical: privacy laws that apply to a specific topic or technology 
  • Criminal Statute: extremely specific privacy laws with criminal penalties 
  • Privacy Benefit: explicitly created for another purpose, where privacy rights are a fringe benefit

Silo: I’ve created a Silo classification based on the 1996 Simon Davies ontology from “Big Brother: Britain’s Web Of Surveillance And The New Technological Order.” This is a common classification, but I’ve never seen it applied to legislation in a systematic way. Here are the four types, with the definitions I utilized:

  • Information Privacy: Establishment of rules governing collection and handling of PII (private data) e.g. Financial, Medical, Educational, Gov, Internet, Consumer Privacy
  • Bodily Privacy: Protection of the physical self from invasive processes (private parts) e.g. Genetic Testing, Drug Testing, Body Cavity, Birth Control, Abortion, Adoption
  • Territorial Privacy: Limits on an intrusion in domestic, work, public space (private places) e.g. Video surveillance, Identity checks, Home searches, Vehicle searches, Laptop searches, GPS
  • Comm Privacy: Security and privacy of communications (private messages) e.g. Postal privacy, Phone Conversations, Email, Wiretaps, Social media, Mass Surveillance

Type: Privacy laws are further bucketed into Types. There are 3 major types: Rights, Rules, & Policing, with sub-types of each:

  • Privacy Rights: laws directly regulating data privacy rights
  • Free Speech Rights: laws impacting 1A / Freedom of Speech
  • Anti-Discrim Rights: laws limiting the business use of sensitive data
  • Surveillance Law Policing: laws allowing or limiting spying
  • Anti-Crime Policing: laws primarily designed to fight crime
  • Transparency Rules: laws requiring orgs & governments to expose info
  • InfoSec Rules: laws focused on data security & data protection
  • Self-Regulation Rules: self-imposed rulesets for building consumer trust, warding off regulation

Sector: Each law is assigned a primary Sector. I’ve created an ontology of 13 sectors. Legislation in the International Privacy category might have been broken out differently, but I chose to do it this way because my initial focus was on the CIPP/US corpus:

  • Consumer Privacy
  • Financial Privacy
  • Medical Privacy
  • Employment Privacy
  • Education Privacy
  • InfoSec / Breaches
  • Telecomm / Marketing
  • Media & Privacy
  • Government Records
  • Public Safety
  • Law Enforcement
  • National Security
  • International Privacy

Protected Info: What information is protected by the law? I’ve summarized the legislation, creating 23 discrete buckets to describe the protected data:

  • Contact Info
  • 👤 PII – Personally Identifiable Info
  • SPI – Sensitive Personal Info
  • 👤 NPI – Non-Public Info
  • ⚕️ PBI – Protected Biometric Info
  • ⚕️ PGI – Protected Genetic Info
  • ⚕️ PHI – Protected Health Info
  • Employment info
  • 🎓 Education Records
  • $ Financial Marketing
  • $ Financial Records
  • $ Credit Cards
  • $ Consumer Reports
  • 📞 Personal Comms
  • CPNI – Customer Proprietary Network Info
  • Protected Speech
  • Journalism
  • Census Data
  • Gov Data
  • FII – Foreign Intelligence Info
  • Images
  • 👮 Incident Records
  • Info from a “protected computer”

Who’s Protected?: What audience is the law trying to protect? At times this can be messy. I have created 9 categories to describe who is being protected. In many cases it is some form of consumer or citizen (see the list below), but other laws are harder to box. I’ve also created a bucket for “Security” for legislation that focuses on protecting the State or the public good rather than any individual or organization:

  • Consumers
  • Citizens
  • Students/Parents
  • Employees
  • Research subjects
  • Journalists
  • Businesses
  • Platforms
  • Security


Who’s Regulated?: What organizations is the law trying to regulate? Sixteen categories are used here to describe the regulated organization, industry, or area. The All Controllers classification covers not just GDPR but any law that attempts to cover all entities, regardless of who they are (business, government, individual, other) or their Sector. Illegal Acts is a bucket that covers Criminal Scope laws like CFAA, ITADA, and the Video Voyeurism Prevention Act.

  • All Controllers
  • Businesses
  • Employers
  • Online businesses
  • Online publishers
  • Marketers
  • Telemarketers
  • Financial orgs
  • Healthcare orgs
  • Video businesses
  • Educators
  • Researchers
  • Government
  • Law Enforcement
  • Communications
  • Illegal Acts

Other Features of this Data Set:

In addition to the categorization, this CIPP/US Legislation Grid packs in many other features:

  • Link to the Full Text of the Legislation
    — Click on the name of the law
  • Enforcement Information:
    — Federal / State Agencies involved, Private Right of Action, Criminal Penalties, Preemption
  • External Links to additional data for your research
Flags:

  • DSAR provision?
  • Data Security coverage?
  • Location Data rules?

Since this is a live dataset, you can search it and sort it on any of the columns.
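Because every categorization above is a closed set of buckets, the grid can be handled as typed data rather than free text. The Python below is an added example, not part of the grid or its author's tooling: it encodes the Scope, Silo and Type buckets as enums, rejects any row whose category is not in the ontology, and runs the comparative queries the categorization is meant to enable (flag filters, a Silo x Type cross-tab, sorting on any column) over eight rows transcribed from the grid. The flag columns for those eight rows are this example's reading of the Y marks in the flattened rows, and the function names (`parse_row`, `with_flags`, `crosstab`, `sort_grid`) are the example's own.

```python
"""Typed model of the Privacy Legislation Grid ontology with comparative queries."""
from __future__ import annotations
from collections import Counter
from dataclasses import dataclass
from enum import Enum
from typing import Iterable


class Scope(Enum):  # the six Scope buckets defined above
    COMPREHENSIVE = "Comprehensive"
    BROAD = "Broad"
    SECTORAL = "Sectoral"
    TOPICAL = "Topical"
    CRIMINAL_STATUTE = "Criminal Statute"
    PRIVACY_BENEFIT = "Privacy Benefit"


class Silo(Enum):  # the four Silos
    INFORMATION = "Information Privacy"
    BODILY = "Bodily Privacy"
    TERRITORIAL = "Territorial Privacy"
    COMM = "Comm Privacy"


class LawType(Enum):  # the eight Type sub-types, spelled as the Type column does
    PRIVACY_RIGHTS = "Privacy Rights"
    FREE_SPEECH_RIGHTS = "Free Speech Rights"
    ANTI_DISCRIM_RIGHTS = "Anti-Discrim Rights"
    SURVEILLANCE_LAWS = "Surveillance Laws"
    ANTI_CRIME_POLICING = "Anti-Crime Policing"
    TRANSPARENCY = "Transparency"
    INFOSEC = "InfoSec"
    SELF_REG = "Self Reg"


@dataclass(frozen=True)
class Law:
    name: str
    year: int
    scope: Scope
    silo: Silo
    law_type: LawType
    sector: str
    dsar: bool = False           # DSAR provision?
    data_security: bool = False  # Data Security coverage?
    location_data: bool = False  # Location Data rules?


def parse_row(row: dict) -> Law:
    """Build a Law from a raw grid row. Enum(value) raises ValueError for a bucket
    the ontology does not define, so a typo in a hand-curated sheet fails loudly
    instead of silently becoming a 14th sector or a fifth silo."""
    return Law(name=row["name"], year=int(row["year"]),
               scope=Scope(row["scope"]), silo=Silo(row["silo"]),
               law_type=LawType(row["type"]), sector=row["sector"],
               dsar=row.get("dsar") == "Y",
               data_security=row.get("data_security") == "Y",
               location_data=row.get("location_data") == "Y")


def validates(row: dict) -> bool:
    """True when every categorical field of the row lies inside the ontology."""
    try:
        parse_row(row)
    except (KeyError, ValueError):
        return False
    return True


# Eight rows transcribed from the grid above (constructed sample; flag values are
# this example's reading of the Y marks in those rows).
RAW_ROWS = [
    {"name": "CISA", "year": "2015", "scope": "Topical", "silo": "Comm Privacy",
     "type": "InfoSec", "sector": "InfoSec / Breaches"},
    {"name": "USA Freedom Act", "year": "2015", "scope": "Sectoral", "silo": "Comm Privacy",
     "type": "Surveillance Laws", "sector": "National Security"},
    {"name": "Cybersecurity Reg [NY]", "year": "2017", "scope": "Sectoral", "silo": "Information Privacy",
     "type": "InfoSec", "sector": "InfoSec / Breaches", "data_security": "Y"},
    {"name": "GDPR", "year": "2018", "scope": "Comprehensive", "silo": "Information Privacy",
     "type": "Privacy Rights", "sector": "International Privacy", "dsar": "Y", "data_security": "Y", "location_data": "Y"},
    {"name": "CCPA [CA]", "year": "2018", "scope": "Comprehensive", "silo": "Information Privacy",
     "type": "Privacy Rights", "sector": "Consumer Privacy", "dsar": "Y", "data_security": "Y", "location_data": "Y"},
    {"name": "CLOUD Act", "year": "2018", "scope": "Sectoral", "silo": "Comm Privacy",
     "type": "Surveillance Laws", "sector": "Law Enforce"},
    {"name": "PCI DSS 3.2.1", "year": "2018", "scope": "Topical", "silo": "Information Privacy",
     "type": "Self Reg", "sector": "Financial Privacy", "data_security": "Y"},
    {"name": "VCDPA [VA]", "year": "2021", "scope": "Comprehensive", "silo": "Information Privacy",
     "type": "Privacy Rights", "sector": "Consumer Privacy", "dsar": "Y", "data_security": "Y", "location_data": "Y"},
]
GRID = [parse_row(r) for r in RAW_ROWS]


def with_flags(laws: Iterable[Law], **wanted: bool) -> list[str]:
    """Names of laws whose flag columns all equal the requested values, e.g. dsar=True."""
    return sorted(law.name for law in laws
                  if all(getattr(law, col) == val for col, val in wanted.items()))


def crosstab(laws: Iterable[Law], rows: str, cols: str) -> Counter:
    """Count laws per (rows, cols) bucket pair, e.g. crosstab(GRID, "silo", "law_type")."""
    return Counter((getattr(law, rows), getattr(law, cols)) for law in laws)


def sort_grid(laws: Iterable[Law], column: str) -> list[Law]:
    """Sort on any column; enum columns sort by their label, ties broken by name."""
    def key(law: Law):
        value = getattr(law, column)
        return (value.value if isinstance(value, Enum) else value, law.name)
    return sorted(laws, key=key)
```

`with_flags(GRID, dsar=True, data_security=True)` returns the comprehensive laws that carry both a DSAR provision and data-security coverage, `with_flags(GRID, data_security=True, dsar=False)` isolates the pure infosec rules (NYDFS, PCI DSS), and `crosstab(GRID, "silo", "law_type")` shows the two surveillance laws sitting together in the Comm Privacy silo. Adding a row with a misspelled bucket makes `validates` return False rather than quietly widening the taxonomy.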