About | HeinOnline Law Journal Library | HeinOnline Law Journal Library | HeinOnline
LOG IN
LOG IN

1 1 (October 12, 2022)

handle is hein.crs/govejdh0001 and id is 1 raw text is: Con gressional Research Service nforming the legislitive diebate since 1914 0 Updated October 12, 2022 Data Protection and Privacy Law: An Introduction Recent controversy surrounding how third parties protect the privacy of individuals in the digital age has raised national concerns over legal protections of Americans' electronic data. The current legislative paradigms governing cybersecurity and data privacy are complex and technical and lack uniformity at the federal level. This In Focus provides an introduction to data protection laws and an overview of considerations for Congress. (For a more detailed analysis, see CRS Report R45631, Data Protection Law: An Overview, by Stephen P. Mulligan, Wilson C. Freeman, and Chris D. Linebaugh.) Defining Data Protection As a legislative concept, data protection melds the fields of data privacy (i.e., how to control the collection, use, and dissemination of personal information) and data security (i.e., how to protect personal information from unauthorized access or use and respond to such unauthorized access or use). Historically, many laws addressed these issues separately, but more recent data protection initiatives indicate a trend toward combining data privacy and security into unified legislative schemes. Feder. Data Protection Laws While the Supreme Court has interpreted the Constitution to provide individuals with a right to privacy, this right generally guards only against government intrusions. Given the limitations in constitutional law, Congress has enacted a number of federal laws designed to provide statutory protections of individuals' personal information. However, these statutory protections are not comprehensive in nature and primarily regulate certain industries and subcategories of data. These laws-which differ based on their scope, who enforces them, and their associated penalties-include: * Children's Online Privacy Protection Act: provides data protection requirements for children's information collected by online operators. * Communications Act of 1934: includes data protection provisions for common carriers, cable operators, and satellite carriers. * Computer Fraud and Abuse Act: prohibits the unauthorized access of protected computers. * Consumer Financial Protection Act: regulates unfair, deceptive, or abusive acts in connection with consumer financial products or services. * Electronic Communications Privacy Act: prohibits the unauthorized access or interception of electronic communications in storage or transit. * Fair Credit Reporting Act: covers the collection and use of data contained in consumer reports. * Federal Securities Laws: may require data security controls and data breach reporting responsibilities. * Federal Trade Commission (FTC) Act: prohibits unfair or deceptive acts or practices. * Gramm-Leach-Bliley Act: regulates financial institutions' use of nonpublic personal information. * Health Insurance Portability and Accountability Act: regulates health care providers' collection and disclosure of protected health information. * Video Privacy Protection Act: provides privacy protections related to video rental and streaming. Of these laws, the FTC Act's prohibition of unfair or deceptive acts or practices (UDAPs) is especially important in the context of data protection. The FTC has brought hundreds of enforcement actions based on the allegation that companies' data protection practices violated this prohibition. One of the well-settled principles in FTC practice is that companies are bound by their data privacy and data security promises. The FTC has taken the position that companies act deceptively when they handle personal information in a way that contradicts their posted privacy policies or other statements or when they fail to adequately protect personal information from unauthorized access despite promises that they would do so. In addition to broken promises, the FTC has maintained that certain data protection practices are unfair, such as when companies have default privacy settings that are difficult to change or when companies retroactively apply revised privacy policies. However, while the FTC's enforcement of the UDAP prohibition fills in some statutory gaps in federal data protection law, its authority has limits. In contrast to many of the sector-specific data protection laws, the FTC Act does not require companies to abide by specific data protection policies or practices and has historically been interpreted not to reach entities that have not made explicit promises concerning data protection. In August 2022, the FTC issued an advance notice of proposed rulemaking and request for public comment (87 FR 51273) on whether it should implement more comprehensive data protection regulations. State Data Protection Laws Adding to the complex patchwork of federal laws, some states have developed their own statutory frameworks for data protection. Every state has passed some form of data breach response legislation, and many states have consumer protection laws of various types. In addition, California created one of the first state-level comprehensive data protection regimes through the California Consumer Privacy Act (CCPA).

What Is HeinOnline?

HeinOnline is a subscription-based resource containing thousands of academic and legal journals from inception; complete coverage of government documents such as U.S. Statutes at Large, U.S. Code, Federal Register, Code of Federal Regulations, U.S. Reports, and much more. Documents are image-based, fully searchable PDFs with the authority of print combined with the accessibility of a user-friendly and powerful database. For more information, request a quote or trial for your organization below.



Short-term subscription options include 24 hours, 48 hours, or 1 week to HeinOnline.

Purchase Access

Already a HeinOnline Subscriber?

Log In

profiles profiles most