The Legislation of Privacy: New Laws That Will Change Your Life
As our information and mobile technology becomes more sophisticated, so do the criminals who use and abuse that technology. Legislators and law enforcement alike have struggled to keep pace with these advancements, which in turn impacts our ability as a society to protect the innocent from cyber-based crimes. There are now widespread efforts to enact legislation and regulations that will close gaps in securing medical and financial records and will protect against new tech that exploits vulnerable members of society, like children and seniors.
What follows is a guide to many of the new and proposed laws regarding privacy in the United States.
These laws and proposals are designed to protect your privacy in the online and mobile spheres, ensuring that you and your loved ones aren’t tracked, subject to data seizures, or at risk of becoming victims.
This act was proposed by Rep. Lamar Smith of Texas and signed into law by President Obama on December 7th, 2012. The act funds the Internet Crimes Against Children Task Force through 2018. The ICAC program is designed to combat the efforts of people who prey on children via online environments.
- What This Means For You: The act amends federal criminal law to allow for the imposition of prison sentences of up to 20 years for the transportation, receipt, distribution, sale or possession of pornographic images of children younger than 12. The law requires U.S. district courts to issue protective orders that guard against the intimidation of minor victims or witnesses. The law directs the Sentencing Commission to review and amend federal sentencing guidelines to include additional penalties for trafficking of children, as well as other child abuse crimes. The act increases the amount the Attorney General can award to non-law enforcement agencies to create and run training courses for members of the National Internet Crimes Against Children Task Force and other law enforcement officials.
COPPA was signed into law by President Clinton in October 1998 and became effective on April 21, 2000. The act protects children under 13 from the online collection of personal information. As a result, many sites today disallow children under 13 from using their services or require parental permission for disclosure of any personal information.
The FTC announced revisions to COPPA that expand the definition of what it means to collect data from children. These new rules would include regulations on data retention and deletion, and would require any third parties to whom a child’s information is disclosed to have policies in place to protect the information.
- What This Means For You: Both the original law and subsequent revisions to the rules of its enforcement are designed to protect the privacy of children and thereby reduce their risk of becoming victims of internet predators. The latest revisions address changes in the way children access the internet in general and social media in particular. They have expanded the definition of personal information to include “persistent identifiers” or cookies that can be used to track a child’s online activity. The changes also recognize the frequency with which young children access the internet through mobile devices such as smart phones and tablets; they also place tighter controls on geolocation information, photos, videos and audio recordings.
This act, nearly 30 years old, is the subject of proposed amendments introduced in the House by Representative Matt Salmon (R-AZ) and others in the Senate by Patrick Leahy (D-VT). The original act was designed to help expand federal wiretapping and electronic eavesdropping provisions. The act also protects communications that occur via wire, oral, and electronic means, and generally seeks to balance citizens’ privacy rights with the needs of law enforcement.
- What This Means For You: If reforms to the ECPA go through, law enforcement and government officials will no longer be able to access your personal emails stored on a server without a warrant. This is a strong first step towards updating the bill and ensuring that the privacy concerns addressed are in line with the realities of current technology. While the proposed changes to the law have bipartisan support, so far they have been stuck in committee.
The GPS Act, proposed by Representative Jason Chaffetz (R-UT) in March of 2013, seeks to give government agencies, commercial entities, and private citizens specific guidelines on when and how geolocation information can be accessed and used. At present, there are no U.S. laws that directly address GPS tracking data, and with the proliferation of trackable devices like cell phones and GPS systems, the importance of addressing the technology via legislation is apparent.
- What This Means For You: The bill would amend the federal criminal code to make it a criminal offense to intentionally intercept geolocation information pertaining to another person, as well as to disclose that information to a third party. There are exceptions that include information acquired by covered service providers in their normal course of business, as well as individuals who have given prior consent. Certain federal officers or agents who are conducting foreign intelligence would also be exempt.
Proposed by Rep. Michael Rogers (R-MI) and co-sponsored by 111 other House members, CISPA is designed to help the government better investigate cyber threats and ensure that large networks are secure against the threat of cyber attack. The bill passed the House of Representatives by a vote of 288/127 on April 18, 2013 and is awaiting action by the Senate.
- What This Means For You: If CISPA becomes law, it would make it harder for cybercriminals to execute major attacks on networks. However, it may also mean that the government could easily, and without a warrant, track any individual’s browsing history. As the bill is presently worded, there are few limits on how or when the government can monitor an individual, and it may even make certain kinds of spyware legal if it’s being used in good faith for a cyber-security purpose.
The reach of e-commerce is ever expanding. According to Forrester Research, U.S. consumers spent $226 billion online in 2012, representing about 7% of all retail sales. Projections indicate that e-sales will increase to about 9% of retail commerce.
The growth in online sales is the result of retailers making website and service improvements and increased consumer confidence in transaction security. Confidence in e-commerce security is driven by both merchant innovation and enhanced regulation.
E-commerce is overseen by federal regulation primarily because internet-based retailers conduct interstate commerce and are by and large beyond the reach of state and municipal laws and regulations. On the federal end of things, regulations are issued by the Federal Trade Commission (FTC) and the Payment Card Industry Security Standards Council (PCI). PCI is a self-governing trade council that issues security standards primarily for credit card payment processing. The council was founded by five global payment brands, including American Express, Discover and Visa.
Several pieces of privacy legislation focused on online consumers have failed to move beyond committee and are, for all intents and purposes, dead. They include:
This act was introduced by Representative Hank Johnson (D-GA) and would have directed mobile device application developers, including e-commerce apps, to seek and obtain user permission before collecting personal information.
Written by Senator Al Franken (D-MN), this bill was meant to prevent non-governmental individuals or entities from collecting geolocation information from devices without the express consent of users. This bill remains in committee.
Work and Employment
Digital information produced on employer-owned devices, including phones, tablets and computers, is not private, period. This includes love letters to your spouse as much as correspondence to business associates. Employer-owned devices and everything that is produced on them are subject to review by your employer.
Your employer’s ability and right to access data extends in most cases to information that passes through your employer’s equipment. This means that even if you connect your personal laptop to your company’s network to send personal emails, those emails can be legally intercepted and read by your employer due to the activity taking place on their network. Know the laws that can protect you.
So far, 15 states have enacted laws similar to California’s Social Media Privacy Act, prohibiting employers from requesting or requiring an employee or applicant to provide their usernames and passwords to personal social media accounts. The California law also prohibits employers from requesting access in the presence of employees.
The states that have enacted social media privacy laws include: Arkansas, Colorado, California, Delaware, Illinois, Maryland, Michigan, Nevada, New Jersey, New Mexico, Oregon, Utah, Vermont and Washington, with more than 30 other states working on similar bills.
- What This Means For You: The legislation will only affect you if you live and work in a state that has passed a social media privacy law – but it’s likely most states will follow suit within the next year. These acts make it illegal for employers to require applicants or current employees to hand over passwords to private accounts, which will help protect your personal accounts and private interactions when seeking employment. Some laws, like those of Delaware and New Jersey, focus on colleges and not employers, banning admissions officers and college employees from requiring password information. Be sure to look into the language of your state’s law to check if it protects you.
Passed in 2008, this act prohibits the use of genetic information in health insurance and employment. That means employers can’t make hiring, firing, placement, or promotion decisions based on genetic information, nor can insurers raise premiums or deny coverage to people with a genetic predisposition for a disease.
While GINA itself is only five years old, the Presidential Commission for the Study of Bioethical Issues is recommending the law be expanded to include security measures for whole-genome sequence data rather than focusing on issues of discrimination. New regulations would likely update the consent forms individuals sign when they agree to take part in research studies, helping protect their genetic information and preventing misuse of this data. Additionally, under recommendations by the committee, GINA would be expanded to include comprehensive national rules on how genetic privacy is protected.
- What This Means For You: Should the act be expanded, individuals will enjoy greater protection of their genetic data. Research studies must be more transparent about security risks and genetic data itself will see greater protection under law to ensure that fewer privacy breaches occur and that discrimination cannot occur. Currently, GINA does not protect individuals from discrimination when applying for life or long-term care policies. Greater protections on genetic data could make it possible for this information to be off limits to anyone outside the individual’s immediate family.
FISA was signed into law in October 1978 by President Carter. FISA addresses the collection of intelligence including digital data between “foreign powers” and “agents of foreign powers,” which can include American citizens and legal residents suspected of espionage. The act requires strict judicial and congressional oversight of any covert surveillance activities and periodic (every 5 years) congressional reauthorization.
FISA Amendments Act of 2008 (FISA Amendments)
This became law in July 2008 and amended the original law to expand the authority of the Attorney General to collect communications of “certain persons” outside of the United States. The first changes to the act occurred under the Patriot Act, and though they expired in 2008, many of those changes were extended by the FISA Amendments Act of 2008.
Under this act, the government is authorized to get year-long orders to conduct surveillance of citizens’ international communications, including phone calls, emails, and Internet records. Currently, these orders do not need to specify who is being spied on or the reasons for doing so. The FISA Amendments Act Reauthorization Act of 2012 is a reauthorization of the 2008 act through 2017.
- What This Means For You: The amendment to FISA will remain in place for five years, with the same limited oversight requirements that allow government agents to gather information on foreign communications – a right that’s been intensely questioned by the public and the media. The act authorizes governmental agencies, like the NSA, to collect information on anyone at all suspected of being a threat or who may be connected to a threat. Phone calls, email, and internet browsing history are all subject to monitoring.
This act was signed into law in 1988 by President Reagan. Its intent is to prevent the wrongful disclosure of video tape rental/sale records or similar audio visual materials. The law has sparked renewed interest in recent years thanks to streaming technology and online video rental subscription programs, like Netflix, which are often integrated with social media sites. The result has been several lawsuits, including a case in 2012 that required Netflix to change its privacy rules so that members who quit the site no longer had records with the company.
While the law has been at odds with some online media providers in recent years, recent changes to the legislation in the form of the Video Privacy Protection Act Amendments Act of 2012 made it permissible for streaming services to share details of the content viewed after consumers have given blanket permission, making it possible for greater integration into social media sites like Facebook.
- What This Means For You: The VPPA amendment only affects individuals who subscribe to online streaming movie providers. Non-subscribers are unaffected by the amendments. Subscribers to services like Netflix must first give permission before their information can be disclosed publicly. Providers must seek a renewal of permission from subscribers either once every two years or each time disclosures are sought.
Most Americans are familiar with the Health Insurance Portability and Accountability Act of 1996 (HIPAA), but many may not realize that the protections they enjoy under HIPAA got an update in the form of the Health Information Technology for Economic and Clinical Health Act (HITECH). Part of the American Recovery and Reinvestment Act of 2009, HITECH contains incentives to expand the adoption of health information technology, including the establishment of a nationwide network of health records.
HITECH also requires that security breaches be reported to Health and Human Services as well as the media; it increases enforcement of HIPAA and the resulting penalties; and it ensures that any individual can request a copy of their public health record. Most importantly, it expands HIPAA regulations to include any business associates or providers to medical facilities, requiring vendors of any kind to keep private records private.
- What This Means For You: HITECH will ensure that your health records are even more secure than they were under HIPAA. Despite expanding electronic health records, which make many nervous, the act also ensures that anyone having any contact with your records cannot disclose information about them without your knowledge. It also makes it an even more serious offense if this is done.
After its passage, some members of Congress didn’t think that HITECH went far enough in protecting patient privacy. So in June 2012 a bill was proposed that would amend the American Recovery and Reinvestment Act. The bill was the Protect Our Health Privacy Act of 2012.
This act would require health providers to encrypt any mobile device containing health information, restrict business associates’ use of protected health information, improve congressional oversight of HIPAA, and provide additional measures that would protect patient privacy and safety when using health information tech.
- What This Means For You: The Protect Our Health Privacy Act further strengthens provisions already in place under HITECH by going one step further with mobile medical devices. Under this bill, those devices would all need to be secured to ensure there are no breaches of privacy. The act would also help individuals ensure that HIT is to their benefit and that new innovations do not compromise their health, safety, or privacy.
Ultimately your privacy is your own responsibility, which is why being aware of the inherent risks in technology can reduce the risk of exposing your personal information.
- Use online resources like the Center for Democracy and Technology, which maintains a list of existing federal privacy laws so you can easily research your concerns.
- The National Conference of State Legislatures site serves as an easy to navigate clearinghouse of state internet privacy laws.
- The American Civil Liberties Union (ACLU) is a valuable resource for all civil rights matters that deal with medical and workplace privacy.
- Finally, the various departments of the federal government offer large amounts of information regarding a number of privacy topics. The Department of Health and Human Services regulates HIPAA and other health care and personal medical information.
It is crucial parents remember that children – teens included – likely won’t understand the value and importance of privacy. Parents and caregivers should be proactive in monitoring and educating children about the dangers of sharing information freely with anyone.