United States

Privacy Culture

In the aftermath of Snowden's revelations, the Facebook founder's assertion that ‘privacy is no longer a social norm’ seems inadequate. An argument exists that ‘if one has not done anything wrong, then one has nothing to hide’. However, bringing such claims under a little scrutiny reveals a different picture. A series of recent surveys suggests that Americans do care about their personal data and their privacy online.
A number of 2015 surveys conducted among adult Americans reveal that the majority of U.S. citizens are indeed worried about their privacy online. The top reasons for these concerns relate to security threats to online data and to businesses collecting and sharing personal information with other businesses. This has had a significant impact on business, since an astonishing 90% of respondents claim they avoid doing business with companies that they do not believe protect their privacy online. Three quarters of those surveyed claim they have moderated their online activity to address their concerns.
A large majority of Americans now believe that they are primarily responsible for the protection of their online data. Three quarters of the respondents claim they are actively taking steps to protect their privacy online by deleting cookies, changing browser settings, etc. Businesses at risk should heed these concerns and adapt to the changing realities of their consumers' awareness. Lawmakers are also influenced by consumers' attitudes and have the power to address such concerns through legislation. Without a doubt, hiring a data protection professional can ensure that the organization continues to meet its increasingly complex statutory and regulatory obligations.

Legal History

The U.S. system of Data Protection & Privacy law is a complex mix of statutes, self-regulatory codes and some constitutional safeguards. Apart from the constitutionally enshrined right to privacy, U.S. industry is regulated by sector at federal level, with separate legal acts governing different branches of commerce. The most prominent single-state regulation of data protection comes from the State of California. It is the only U.S. jurisdiction that has adopted comprehensive, omnibus data protection legislation, which applies extra-territorially on the basis of the processing of Californian residents' data. It also applies across industries and establishes obligations for all companies processing personal information.

There are numerous statutes that address Data Protection & Privacy at federal level, either in their entirety or at least partially. The non-exhaustive list includes:
⦁    The Federal Trade Commission Act ('FTC') - specifies the powers of the regulator;
⦁    The Gramm-Leach-Bliley Act ('GLB') - relates to certain obligations of financial institutions;
⦁    The Health Insurance Portability and Accountability Act ('HIPAA') - imposes data protection obligations on covered entities in the health sector;
⦁    The Fair Credit Reporting Act - in part addresses privacy obligations of credit providers;
⦁    The Controlling the Assault of Non-Solicited Pornography and Marketing Act ('CAN-SPAM') - among other things, it addresses email spam;
⦁    The Electronic Communications Privacy Act - sets out data protection obligations for communication service providers;
⦁    The Computer Fraud and Abuse Act - in part addresses data protection issues in fraud.

In addition to the above, the State of California has enacted two statutes that apply to any company processing the data of California residents. The purpose of these laws is to regulate Privacy & Data Protection as a single, omnibus set of rules. The two leading pieces of legislation are:

⦁    California’s Security Breach Notification Law
⦁    California’s Online Privacy Protection Act.

Enforcement and Court Action

The different legal acts regulating Data Protection are enforced by different agencies. The main public bodies responsible for the enforcement of Privacy and Data Protection laws are the U.S. Courts of Law, together with the Federal Trade Commission ('FTC'), the Federal Communications Commission ('FCC') and the U.S. Department of Health and Human Services ('DHHS'). The Californian omnibus laws are enforced by the California Attorney General and district attorneys.

The FTC is the primary enforcer of U.S. Data Protection & Privacy laws. The FCC is an independent agency of the U.S. government created to regulate interstate communications by radio, television, wire, satellite and cable in all 50 states, the District of Columbia and U.S. territories. Most of the actions against organisations are initiated by the FTC. The FTC has the power to impose penalties, obtain injunctions and repayment of costs, and even to initiate criminal prosecutions. This body also leads in policy-making: the FTC reports to the U.S. Congress on all issues pertaining to Data Protection and makes recommendations in relation to law-making.

Corporate Risk

Enforcement actions against organizations in breach of Data Protection & Privacy laws in the U.S.A. increased astonishingly in 2014. Nearly USD 1 billion was imposed in fines and penalties, breaking all records worldwide. The largest proportion of these was imposed by the Federal Trade Commission.
In 2014 the FTC issued more than $300 million in penalties in privacy-related settlements. Around half of that total comes from a single court ruling against a software company. During the same year the FCC issued over $100 million in legal settlements; a single mobile-phone service provider was charged with paying most of that total. The U.S. Department of Health and Human Services, enforcing the HIPAA privacy rule, took a number of actions against health-sector organizations that resulted in the imposition of a total of $6 million in penalties; a single hospital was liable to pay half of that total in order to settle charges. In 2014, the largest privacy-related penalty was awarded in damages resulting from a class-action lawsuit against a U.S. hospital: $190 million was the sum agreed to be paid to thousands of citizens for a violation of doctor-patient trust, where one of the main charges alleged invasion of privacy.

Future Outlook

As a leading jurisdiction, and against the background of the growth in security breaches and incidents, U.S. Data Protection law is set to develop at an unprecedented pace. 2015 saw a number of large and comprehensive regulatory proposals brought before Congress.

Some of the new bills currently under discussion in Congress are the Consumer Privacy Protection Act, the Student Digital Privacy and Parental Rights Act and the Data Broker Accountability and Transparency Act. These federal laws, if enacted, will bring many companies operating across the U.S. more responsibilities and will hold them more accountable for the personal data that they process. Self-regulation is also gathering pace. Notably, the advertising industry is continually developing and expanding its programme for behavioural advertising. At the same time, however, users are increasingly taking control of their privacy and advertisement exposure. In that context, many ad-blocking initiatives have gathered pace as well. Businesses are starting to realise that advertising is a major obstruction for consumers and user experience (especially in the mobile environment). In late 2015 Apple Inc. announced a new embedded ad-blocking capability in its latest iOS. The repercussions for the advertising industry are yet to be seen.

There have also been developments in the field of transatlantic data transfers between the EU and the U.S.A. On October 6, 2015, the Court of Justice of the European Union (CJEU) effectively invalidated the Safe Harbor Framework, which had allowed companies to transfer data from the EU to the U.S.A. The rationale behind the decision was that the European Commission had not appropriately evaluated whether the United States maintains “essentially equivalent” protections of EU citizens' data. Following that judgement, the EU-U.S. Privacy Shield was announced in February 2016 by the European Commission and the U.S. Department of Commerce as a replacement for the Safe Harbor Framework. The new framework agreement contains three key features:

⦁    The US will create an ombudsman to handle complaints from EU citizens about Americans spying on their data;
⦁    The US Office of the Director of National Intelligence will give written commitments that Europeans' personal data will not be subject to mass surveillance;
⦁    The EU and US will conduct an annual review to check that the new system is working properly.


Data Privacy Recruitment Ltd.

All rights reserved. All opinions expressed are to be treated strictly as guidance and not as legal advice.

September 2016
London, the United Kingdom