US Information Privacy
The Privacy Problem
The idea of “privacy,” especially when it comes to personal data, continues to change at a breakneck pace. It’s no secret that almost every social media platform or search engine collects millions of points of data about their users. The data are used for countless applications ranging from mostly harmless (targeted ads) to downright diabolical (selling data to other users).
Further complicating the issue is that many users have come to accept this privacy violation as simply the “cost of doing business.” General public apathy has allowed information privacy to disappear more and more as time goes on.
The U.S. finds itself facing a new problem: how to define and regulate information privacy. The privacy problem is one that lawmakers of the 20th century never could have predicted. Who “owns” information? Additionally, the privacy problem’s scope goes way beyond private citizens. What does “privacy” mean when it comes to information about government offices, national labs, or private businesses?
What laws exist to protect this information? And what rights for privacy exist in the U.S. legal system? The unfortunate truth is that there is no one comprehensive law regarding information privacy.
Some answers to these questions are found in the Constitution, its amendments, and various laws. Other answers have yet to be determined, and fierce battles are being fought in courtrooms across the U.S today. Which in turn means there is an urgent need for IT professionals educated in U.S. information privacy policy. The U.S. desperately needs workers that can both keep information safe and ensure information is shared legally. A cumbersome patchwork of laws and legislation exists regarding information privacy. Data privacy professionals are urgently needed to understand and apply these rules.
The goal of this article is to explain what information privacy means in the U.S. and what rights to privacy exist in the U.S. We will begin with a general background of information privacy law. Next, we will look at some of the major laws that exist to keep information private. Finally, we will explore what comes next in this field.
Information Privacy, the U.S. Constitution, and the Right to Privacy
The idea of information privacy, unsurprisingly, did not make it into the original Constitution. However, it does show up early in U.S. history with the passing of the Fourth Amendment, which grants “the right of the people to be secure in their persons, houses, papers, and effects…” However, this amendment does not provide for who and how this right is enforced.
Here, “papers” can be extrapolated to include digital documents. However, digital documents exist not just on paper but also in cyberspace. Meaning, if someone stores a digital document on a server, what rights to that information does the host have? Or, if someone provides digital information to a company, what rights does the company have to distribute that information? And what legal obligation does the company have to keep that information private?
Much later, The Supreme Court recognized in a 1965 case that the Due Process Clause of the Fourteenth Amendment (written in 1868) provides a due process right to privacy. Which again, only raises further questions. Does the right to privacy include all privacy or just privacy of information regarding criminal actions?
On top of the mountain of questions we already have, let’s add one more to the list: Who is supposed to enforce all these privacy regulations? Again, without a comprehensive law, the responsibility defaulted to the Federal Trade Commission. The FTC has the mission to prevent “unfair or deceptive acts or practices in or affecting commerce.” In the case of privacy, “unfair or deceptive” is taken to mean abuse of information. For example, are targeted ads based on browser history information “unfair”?
That’s not to say we’re all flying blind when it comes to protecting privacy. More help came in the 1960s through tort reforms. Tort reforms themselves are changes to the civil justice system. Which raises the question: how did tort reform protect privacy? The next section will answer that very question.
Prosser’s Four Privacy Torts
William Prosser was a legal scholar of the mid-1900s and has long been considered one the leading experts on tort law. He is responsible for how tort law was viewed and enacted for a generation of lawyers. For our article, we will only discuss how his tort reforms changed information privacy in the U.S.
Prosser sought to legally define the idea of “invasion of privacy.” He leaves behind a mixed legacy that bolsters information privacy while also stunted its advancement. On the one hand, he created tort laws that define and protect information privacy. On the other hand, he so narrowed the definitions of information privacy that further legal reform has been difficult. In 1960, he developed four torts, which are discussed below.
Prosser’s First Tort: Intrusion of solitude and seclusion
Intrusion of solitude essentially means making public the details of someone’s private life. By 1960, cases had been heard in court regarding what was an invasion of privacy and what was free speech. Prosser pulled from these precedents in writing his first tort. A good example of this is using the facts of someone else’s life in a fictional work without their permission. Hence the “any similarity to actual persons or events is unintended” disclaimer that shows up in books and movies.
Similarly, intrusion of seclusion means physically (or digitally) accessing someone’s private information. This could mean anything from breaking into someone’s house and stealing a checkbook to recording a private citizen in their home without their knowledge. Intrusion of seclusion has the caveat that the offended party had an expectation of privacy.
Prosser’s Second Tort: Public disclosure of private facts
Prosser’s second tort has two parts. First, it requires making a person’s private information public. Second, the revealed information must not be on public records or of “no public interest” while also being offensive to a “reasonable person.” Additionally, this tort refers to public dissemination of information, such as a public interview or widespread publication.
Prosser’s Third Tort: False light
False light is similar legally to defamation. However, defamation involves disclosing false information with the intent to harm. False light involves disclosing true and/or misrepresented information with intent to harm. False light and defamation also differ in the punishment. Defamation is considered in cases in which no real harm is done. False light is persecuted only when damage is done as a result of the violation of privacy.
However, false light is very hard to legally prove. The tort is enforced differently across states, cases, and circumstances. For example, the number of people required to make the private information “public” varies. In some states or situations, revealing the information to 5 people merits false light. In others, the information has to be published in a public medium (newspaper, news station, etc). Moreover, different regulations apply to certain government employees.
For these reasons, this tort is rarely invoked.
Prosser’s Fourth Tort: Appropriation of name or likeness
This tort makes illegal the use of someone’s name or likeness “without consent for the commercial benefit of another person.” Or in other words, appropriation of name or likeness occurs when one person uses another’s identity for commercial gain. It works a lot like copyright law: a person’s name and image are owned by them alone and cannot be used without their permission.
Prosser’s torts marked a major step in protecting privacy. But, as mentioned above, they also provide narrow definitions of “privacy”. By focusing on “invasions of privacy,” these torts don’t allow for non-malicious breaches in privacy. Going back to our targeted ad example, based on Prosser’s torts, using private information to create ads doesn’t technically violate privacy.
Other Privacy Concerns
So, we have a decent idea of what privacy means, what information is, and what rights exist. Now it’s time to make things complicated again.
As the United States of America, each state can also have its own privacy laws. Privacy laws across states can vary wildly. Some states, such as California with the new California Consumer Privacy Act, are aggressively enacting new privacy laws. On the other hand, over half of states have no recent or active legislation regarding privacy nor any plans to attempt any. All this to say, a data privacy worker will need to know both federal and state laws.
Moreover, information privacy varies across applications. For example, the Health Insurance Portability and Accountability Act (HIPPA) provides one set of laws regarding medical information. The Children's Online Privacy Protection Act restricts what data can be collected, shared, or sold about children who are under the age of 13. Likewise, privacy laws exist regarding scientific data, financial data, and educational data.
Meanwhile, there are specific laws regarding data breaches. Security breach notification laws provide another set of laws governing information privacy. Not surprisingly, these laws also deviate from state to state and between applications. In general, these laws govern who, how, and how fast to inform citizens when their personal information has been unlawfully accessed.
Working in data privacy requires layers of understanding and training. A data privacy professional needs to know federal, state, and application laws. A data privacy professional additionally needs to know how to actually enforce these laws. Additionally, a data privacy professional needs to understand state and federal privacy breach notification laws.
Working in Data Privacy
Information / data privacy is a special type of data security that differs from data security. Data privacy doesn’t handle keeping data safe. It deals with:
Whether or not data can be shared with a third party.
How data is shared with a third party.
How data is collected.
How data is stored.
Regulatory restrictions on data.
Information privacy rights.
Finding qualified data privacy professionals is a growing concern for modern businesses and government organizations. In fact, many sources have shown that there is a global shortage of data privacy experts. Businesses are learning that data is their greatest resource and their greatest liability. Meanwhile, businesses are also learning that they are wildly unprepared to understand and ensure data privacy.
As this article shows, the need for data privacy experts is dire. IT professionals are critical to government offices and private businesses. They need data security professionals who can safeguard their data from not just cyber attacks but also legal violations. Cybrary offers several course curricula that will kick-start your career in data privacy. Get started today by signing up at https://www.cybrary.it/login/ and exploring the course catalog.