Federal Data Privacy Acts
The federal government has multiple data privacy laws designed to protect the public. No one law provides complete protection – instead, there are sector-specific laws. These include:
- U.S. Privacy Act of 1974
- Federal Educational Rights and Privacy Act of 1974
- Video Privacy Protection Act of 1988
- Driver’s Privacy Protection Act of 1994
- Health Insurance Portability and Accountability Act of 1996
- Children’s Online Privacy Protection Act of 1998.
U.S. Privacy Act of 1974
This Act regulates the government’s collection and use of personally identifiable information about individuals. Prohibited disclosure of this information is punishable by criminal penalties. The Act states at 5 U.S.C. section 552a(i)(1):
“Any officer or employee of an agency, who by virtue of [their] employment or official position, has possession of, or access to, agency records which contain individually identifiable information the disclosure of which is prohibited by this section or by rules or regulations established thereunder, and who knowing that disclosure of the specific material is so prohibited, willfully discloses the material in any manner to any person or agency not entitled to receive it, shall be guilty of a misdemeanor and fined not more than $5,000.”
While this privacy law provides criminal penalties, it creates no private right of action.
Federal Educational Rights and Privacy Act of 1974
The privacy of student education records is protected under this Act. It applies to educational institutions that receive funds from the United States Department of Education. The law also gives students (18 or over) or their parents (students under 18) certain rights. These include the right to:
- Inspect and review the student’s academic record maintained by the school.
- Request correction of records that the parent or eligible student believes are incorrect. If the school declines to modify the academic record, a formal hearing is available to the parent or eligible student.
There is no private right of action under this Act. However, if a parent or eligible student believes their privacy rights have been violated, they may file a complaint with the Department of Education. If this department finds a violation, it may issue a corrective action to the educational institution and even end funding.
Video Privacy Protection Act of 1988 (VPPA) and Amendments
This narrow law protects consumers against the following:
- Disclosure, without written, informed consent, of personally identifiable information related to the rental of videos.
- Disclosure, without a warrant or court order, of information to law enforcement.
- Long-term retention of consumer rental records by video rental stores.
The VPPA, at 18 U.S.C. section 2710(c)(1), allows the following civil action:
(1) Any person aggrieved by any act of a person in violation of this section may bring a civil action in a United States district court. (2) The court may award … actual damages but not less than liquidated damages in an amount of $2,500; … punitive damages; … reasonable attorneys’ fees and other litigation cost reasonably incurred; and … such other preliminary and equitable relief as the court determines to be appropriate.
Therefore, unlike many federal privacy laws, the VPPA provides consumers a private right of action. Today, with videotapes being obsolete, there is an emerging area of law applying this Act to modern technology such as digital videos and online streaming services. There is little settled law and ample scope for creativity by the data privacy lawyer.
Driver’s Privacy Protection Act of 1994 (DPPA)
This Act requires the states to protect the personal information in a person’s motor vehicle record, such as name, address, phone number, weight, height, photo, and Social Security Number. Exceptions exist for disclosure to law enforcement, civil and criminal proceedings, motor vehicle safety, and other legitimate government functions.
DPPA provides a private right of action against those who knowingly disclose protected information. Remedies include:
- Actual damages
- Punitive damages if the disclosure was willful or in reckless disregard of the law
- Reasonable attorneys’ fees and litigation costs
- Equitable relief.
DPPA also provides for fines levied against state departments of motor vehicles of up to $5,000 for substantial noncompliance.
Health Insurance Portability and Accountability Act of 1996 (HIPAA)
This law protects a patient’s medical information from being disclosed to unauthorized parties. Noncompliance with HIPAA can ruin a business. HIPAA imposes fines ranging up to $50,000 per violation, with a cumulative limit of $1.5 million per year. Criminal penalties are also available under the law. No private right of action exists.
Children’s Online Privacy Protection Act of 1998 (COPPA)
COPPA requires the Federal Trade Commission to promulgate and enforce rules pertaining to children’s privacy online. Its primary focus is to control the type of information collected from minors under 13 years of age. COPPA applies to commercial websites and online services that target minors and use collected data from the children for business purposes.
Both the federal and state governments can take enforcement actions against commercial websites and online services operators, with civil penalties ranging up to $43,792 per violation. COPPA only allows the federal government and state Attorneys General to enforce the law. There is no private right of action.
Opportunities for the Data Privacy Attorney Under Federal Privacy Laws
Those data privacy attorneys who represent clients whose privacy has been violated have minimal options under federal privacy law. This is due to two reasons. First, there is no comprehensive federal privacy legislation – instead, there is an incomplete patchwork of laws. Second, with a few narrow exceptions (VPPA and DPPA), there is no right of private action to compensate clients who have had their privacy violated.
To seek full redress and compensation, the data privacy lawyer looks to state law to provide appropriate remedies.
State Data Privacy Laws
Unlike the federal government, many states have or are considering comprehensive privacy laws.
This state is the leader in the field. The Golden State has the 2018 California Consumer Privacy Act (CCPA). It provides a private right of action for both monetary and equitable relief. CCPA, at California Civil Code section 1798.150(a), states:
“(1) Any consumer whose nonencrypted and nonredacted personal information ... is subject to an unauthorized access and exfiltration, theft, or disclosure as a result of the business’s violation of the duty to implement and maintain reasonable security procedures and practices appropriate to the nature of the information to protect the personal information may institute a civil action.”
Remedies available to the consumer include the greater of up to $750 per incident or actual damages. Equitable relief is also available.
Texas Business and Commercial Code section 521.051(a) provides:
“A person may not obtain, possess, transfer, or use personal identifying information of another person without the other person’s consent and with intent to obtain a good, a service, insurance, an extension of credit, or any other thing of value in the other person’s name.”
A person has a right to bring an action under this statute.
Other State Laws
While many states consider specific laws providing comprehensive data privacy protections, other state laws provide causes of action for violation of privacy. These include the torts of negligence and invasion of privacy.
Opportunities for the Data Privacy Lawyer Under State Law
A client who has had their private information wrongfully disclosed hires the data privacy lawyer to seek redress. This is not an easy task, as there is no comprehensive federal data privacy law and few state laws explicitly provide rights of action for data privacy breaches. Therefore, the data privacy lawyer must research specific federal legislation and the case law regarding torts to find the law that best provides causes of action for the client.
How Do I Become a Data Privacy Lawyer?
Like all careers practicing law, membership in a state bar is required. Many data privacy lawyers work for large law firms, and these companies typically require three to five years of prior legal experience.