The Legislation of Privacy: New Laws That Will Change Your Life

As our information and mobile technology becomes more sophisticated, so do the criminals who use and abuse that technology. Legislators and law enforcement alike have struggled to keep pace with these advancements, which in turn impacts our ability as a society to protect the innocent from cyber-based crimes. There are now widespread efforts to enact legislation and regulations that will close gaps in securing medical and financial records and will protect against new tech that exploits vulnerable members of society, like children and seniors.

What follows is a guide to many of the new and proposed laws regarding privacy in the United States.

Digital Life

These laws and proposals are designed to protect your privacy in the online and mobile spheres, ensuring that you and your loved ones aren’t tracked, subject to data seizures, or at risk of becoming victims.

The Child Protection Act of 2012

The act was proposed by Rep. Lamar Smith of Texas and signed into law by President Obama on December 7th, 2012. It funds the Internet Crimes Against Children Task Force through 2018. The ICAC program is designed to combat the efforts of people who prey on children via online environments.

Children’s Online Privacy Protection Act of 1998 (COPPA)

COPPA was signed into law by President Clinton in October 1998 and became effective on April 21, 2000. The act protects children under 13 from the online collection of personal information. As a result, many sites today disallow children under 13 from using their services or require parental permission for disclosure of any personal information.

The FTC announced revisions to COPPA that expand the definition of what it means to collect data from children. These new rules would include regulations on data retention and deletion, and would require any third parties to whom a child’s information is disclosed to have policies in place to protect the information.

Electronic Communications Privacy Act

This act, nearly 30 years old, is the subject of proposed amendments introduced in the House by Representative Matt Salmon (R-AZ) and others introduced in the Senate by Patrick Leahy (D-VT). The original act was designed to help expand federal wiretapping and electronic eavesdropping provisions. The act also protects communications that occur via wire, oral, and electronic means, and generally seeks to balance citizens’ privacy rights with the needs of law enforcement.

The GPS Act

The GPS Act, proposed by Representative Jason Chaffetz (R-UT) in March of 2013, seeks to give government agencies, commercial entities, and private citizens specific guidelines on when and how geolocation information can be accessed and used. At present, there are no U.S. laws that directly address GPS tracking data, and with the proliferation of trackable devices like cell phones and GPS systems, the importance of addressing the technology via legislation is apparent.

Cyber Intelligence Sharing and Protection Act (CISPA)

Proposed by Rep. Michael Rogers (R-MI) and co-sponsored by 111 other House members, CISPA is designed to help the government better investigate cyber threats and ensure that large networks are secure against the threat of cyber attack. The bill passed the House of Representatives by a vote of 288/127 on April 18, 2013 and is awaiting action by the Senate.

E-Commerce

The reach of e-commerce is ever expanding. According to Forrester Research, U.S. consumers spent $226 billion online in 2012, representing about 7% of all retail sales. Projections indicate that e-sales will increase to about 9% of retail commerce.

The growth in online sales is the result of retailers making website and service improvements and increased consumer confidence in transaction security. Confidence in e-commerce security is driven by both merchant innovation and enhanced regulation.

E-commerce is overseen by federal regulation primarily because internet-based retailers conduct interstate commerce and are by and large beyond the reach of state and municipal laws and regulations. On the federal end of things, regulations are issued by the Federal Trade Commission (FTC) and the Payment Card Industry Security Standards Council (PCI). PCI is a self-governing trade council that issues security standards primarily for credit card payment processing. The council was founded by five global payment brands, including American Express, Discover and Visa.

Several pieces of privacy legislation focused on online consumers have failed to move beyond committee and are, for all intents and purposes, dead. They include:

Application Privacy Protection and Security Act of 2013

This act was introduced by Representative Hank Johnson (D-GA) and would have directed mobile device application developers, including e-commerce apps, to seek and obtain user permission before collecting personal information.

Location Privacy Protection Act of 2011

Written by Senator Al Franken (D-MN), this bill was meant to prevent non-governmental individuals or entities from collecting geolocation information from devices without the express consent of users. This bill remains in committee.

Work and Employment

Digital information produced on employer-owned devices, including phones, tablets and computers, is not private, period. This includes love letters to your spouse as much as correspondence to business associates. Employer-owned devices and everything that is produced on them are subject to review by your employer.

Your employer’s ability and right to access data extends in most cases to information that passes through your employer’s equipment. This means that even if you connect your personal laptop to your company’s network to send personal emails, those emails can be legally intercepted and read by your employer due to the activity taking place on their network. Know the laws that can protect you.

California’s Social Media Privacy Act

So far, 15 states have enacted laws similar to California’s Social Media Privacy Act, prohibiting employers from requesting or requiring that an employee or applicant provide the usernames and passwords to their personal social media accounts. The California law also prohibits employers from requesting access in the presence of employees.

The states that have enacted social media privacy laws include: Arkansas, Colorado, California, Delaware, Illinois, Maryland, Michigan, Nevada, New Jersey, New Mexico, Oregon, Utah, Vermont and Washington, with more than 30 other states working on similar bills.

Genetic Information Nondiscrimination Act of 2008 (GINA)

Passed in 2008, this act prohibits the use of genetic information in health insurance and employment. That means employers can’t make hiring, firing, placement, or promotion decisions based on genetic information, nor can insurers raise premiums or deny coverage to people with a genetic predisposition for a disease.

While GINA itself is only five years old, the Presidential Commission for the Study of Bioethical Issues is recommending the law be expanded to include security measures for whole-genome sequence data rather than focusing on issues of discrimination. New regulations would likely update the consent forms individuals sign when they agree to take part in research studies, helping protect their genetic information and preventing misuse of this data. Additionally, under recommendations by the committee, GINA would be expanded to include comprehensive national rules on how genetic privacy is protected.

Personal Information

Foreign Intelligence Surveillance Act of 1978 (FISA)

FISA was signed into law in October 1978 by President Carter. FISA addresses the collection of intelligence including digital data between “foreign powers” and “agents of foreign powers,” which can include American citizens and legal residents suspected of espionage. The act requires strict judicial and congressional oversight of any covert surveillance activities and periodic (every 5 years) congressional reauthorization.

FISA Amendments Act of 2008 (FISA Amendments)

This became law in July 2008 and amended the original law to expand the authority of the Attorney General to collect communications of “certain persons” outside of the United States. The first changes to the act occurred under the Patriot Act, and though they expired in 2008, many of those changes were extended by the FISA Amendments Act of 2008.

Under this act, the government is authorized to get year-long orders to conduct surveillance of citizens’ international communications, including phone calls, emails, and Internet records. Currently, these orders do not need to specify who is being spied on or the reasons for doing so. The FISA Amendments Act Reauthorization Act of 2012 is a reauthorization of the 2008 act through 2017.

Video Privacy Protection Act

The act was signed into law in 1988 by President Reagan. Its intent is to prevent the wrongful disclosure of video tape rental/sale records or similar audio visual materials. The law has sparked renewed interest in recent years thanks to streaming technology and online video rental subscription programs, like Netflix, which are often integrated with social media sites. The result has been several lawsuits, including a case in 2012 that required Netflix to change its privacy rules so that members who quit the site no longer had records with the company.

While the law has been at odds with some online media providers in recent years, recent changes to the legislation in the form of the Video Privacy Protection Act Amendments Act of 2012 made it permissible for streaming services to share details of the content viewed after consumers have given blanket permission, making it possible for greater integration into social media sites like Facebook.

Health Information Technology for Economic and Clinical Health Act (HITECH)

Most Americans are familiar with the Health Insurance Portability and Accountability Act of 1996 (HIPAA), but many may not realize that the protections they enjoy under HIPAA got an update in the form of the Health Information Technology for Economic and Clinical Health Act (HITECH). Part of the American Recovery and Reinvestment Act of 2009, HITECH contains incentives to expand the adoption of health information technology, including the establishment of a nationwide network of health records.

HITECH also requires that security breaches be reported to Health and Human Services as well as the media; it increases enforcement of HIPAA and the resulting penalties; and it ensures that any individual can request a copy of their public health record. Most importantly, it expands HIPAA regulations to include any business associates or providers to medical facilities, requiring vendors of any kind to keep private records private.

After passage, some members of Congress didn’t think that HITECH went far enough in protecting patient privacy. So in June 2012 a bill was proposed that would amend the American Recovery and Reinvestment Act. The bill was the Protect Our Health Privacy Act of 2012.

Protect Our Health Privacy Act of 2012

This act would require health providers to encrypt any mobile device containing health information, restrict business associates’ use of protected health information, improve congressional oversight of HIPAA, and provide additional measures that would protect patient privacy and safety when using health information tech.

Additional Resources

Ultimately, your privacy is your own responsibility, which is why being aware of the inherent risks in technology can reduce the risk of exposure of your personal information.

It is crucial parents remember that children – teens included – likely won’t understand the value and importance of privacy. Parents and caregivers should be proactive in monitoring and educating children about the dangers of sharing information freely with anyone.