https://crsreports.congress.gov
Updated October 12, 2022
Data Protection and Privacy Law: An Introduction
Recent controversy surrounding how third parties protect
the privacy of individuals in the digital age has raised
national concerns over legal protections of Americans’
electronic data. The current legislative paradigms governing
cybersecurity and data privacy are complex and technical
and lack uniformity at the federal level. This In Focus
provides an introduction to data protection laws and an
overview of considerations for Congress. (For a more
detailed analysis, see CRS Report R45631, Data Protection
Law: An Overview, by Stephen P. Mulligan, Wilson C.
Freeman, and Chris D. Linebaugh.)
Defining Data Protection
As a legislative concept, data protection melds the fields of
data privacy (i.e., how to control the collection, use, and
dissemination of personal information) and data security
(i.e., how to protect personal information from unauthorized
access or use and respond to such unauthorized access or
use). Historically, many laws addressed these issues
separately, but more recent data protection initiatives
indicate a trend toward combining data privacy and security
into unified legislative schemes.
Federal Data Protection Laws
While the Supreme Court has interpreted the Constitution to
provide individuals with a right to privacy, this right
generally guards only against government intrusions. Given
the limitations in constitutional law, Congress has enacted a
number of federal laws designed to provide statutory
protections of individuals’ personal information. However,
these statutory protections are not comprehensive in nature
and primarily regulate certain industries and subcategories
of data. These laws—which differ based on their scope,
who enforces them, and their associated penalties—include:
- Children’s Online Privacy Protection Act: provides data protection requirements for children’s information collected by online operators.
- Communications Act of 1934: includes data protection provisions for common carriers, cable operators, and satellite carriers.
- Computer Fraud and Abuse Act: prohibits the unauthorized access of protected computers.
- Consumer Financial Protection Act: regulates unfair, deceptive, or abusive acts in connection with consumer financial products or services.
- Electronic Communications Privacy Act: prohibits the unauthorized access or interception of electronic communications in storage or transit.
- Fair Credit Reporting Act: covers the collection and use of data contained in consumer reports.
- Federal Securities Laws: may require data security controls and data breach reporting responsibilities.
- Federal Trade Commission (FTC) Act: prohibits unfair or deceptive acts or practices.
- Gramm-Leach-Bliley Act: regulates financial institutions’ use of nonpublic personal information.
- Health Insurance Portability and Accountability Act: regulates health care providers’ collection and disclosure of protected health information.
- Video Privacy Protection Act: provides privacy protections related to video rental and streaming.
Of these laws, the FTC Act’s prohibition of “unfair or
deceptive acts or practices” (UDAPs) is especially
important in the context of data protection. The FTC has
brought hundreds of enforcement actions based on the
allegation that companies’ data protection practices violated
this prohibition. One of the well-settled principles in FTC
practice is that companies are bound by their data privacy
and data security promises. The FTC has taken the position
that companies act deceptively when they handle personal
information in a way that contradicts their posted privacy
policies or other statements or when they fail to adequately
protect personal information from unauthorized access
despite promises that they would do so. In addition to
broken promises, the FTC has maintained that certain data
protection practices are unfair, such as when companies
have default privacy settings that are difficult to change or
when companies retroactively apply revised privacy
policies. However, while the FTC’s enforcement of the
UDAP prohibition fills in some statutory gaps in federal
data protection law, its authority has limits. In contrast to
many of the sector-specific data protection laws, the FTC
Act does not require companies to abide by specific data
protection policies or practices and has historically been
interpreted not to reach entities that have not made explicit
promises concerning data protection. In August 2022, the
FTC issued an advance notice of proposed rulemaking and
request for public comment (87 FR 51273) on whether it
should implement more comprehensive data protection
regulations.
State Data Protection Laws
Adding to the complex patchwork of federal laws, some
states have developed their own statutory frameworks for
data protection. Every state has passed some form of data
breach response legislation, and many states have consumer
protection laws of various types. In addition, California
created one of the first state-level comprehensive data
protection regimes through the California Consumer
Privacy Act (CCPA).