Privacy laws of the United States

Early years The early years in the development of privacy rights began with English common law, protecting "only the physical interference of life and property". The Castle doctrine analogizes a person's home to their castle – a site that is private and should not be accessible without permission of the owner. The development of tort remedies by the common law is "one of the most significant chapters in the history of privacy law". Those rights expanded to include a "recognition of man's spiritual nature, of his feelings and his intellect." Eventually, the scope of those rights broadened even further to include a basic "right to be let alone," and the former definition of "property" would then comprise "every form of possession – intangible, as well as tangible." By the late 19th century, interest in privacy grew as a result of the growth of print media, especially newspapers. Samuel D. Warren and Louis D. Brandeis, partners in a new law firm, feared that this new small camera technology would be used by the "sensationalistic press." Seeing this becoming a likely challenge to individual privacy rights, they wrote the "pathbreaking" According to legal scholar Roscoe Pound, the article did "nothing less than add a chapter to our law", and in 1966 legal textbook author, Harry Kalven, hailed it as the "most influential law review article of all". Attempts to improve consumer privacy protections in the U.S. in the wake of the 2017 Equifax data breach, which affected 145.5 million U.S. consumers, failed to pass in Congress. ==Modern tort law==

In the United States,"invasion of privacy" is a commonly used cause of action in legal pleadings. Modern tort law, as first categorized by William Prosser, includes four categories of invasion of privacy: • Intrusion of solitude: physical or electronic intrusion into one's private quarters • Public disclosure of private facts: the dissemination of truthful private information which a reasonable person would find objectionable • False light: the publication of facts which place a person in a false light, even though the facts themselves may not be defamatory • Appropriation: the unauthorized use of a person's name or likeness to obtain some benefits Intrusion of solitude and seclusion Intrusion of solitude occurs where one person intrudes upon the private affairs of another. In a famous case from 1944, author Marjorie Kinnan Rawlings was sued by Zelma Cason, who was portrayed as a character in Rawlings' acclaimed memoir, Cross Creek. The Florida Supreme Court held that a cause of action for invasion of privacy was supported by the facts of the case, but in a later proceeding found that there were no actual damages. Intrusion upon seclusion occurs when a perpetrator intentionally intrudes, physically, electronically, or otherwise, upon the private space, solitude, or seclusion of a person, or the private affairs or concerns of a person, by use of the perpetrator's physical senses or by electronic device or devices to oversee or overhear the person's private affairs, or by some other form of investigation, examination, or observation intrude upon a person's private matters if the intrusion would be highly offensive to a reasonable person. Hacking into someone else's computer is a type of intrusion upon privacy, as is secretly viewing or recording private information by still or video camera. In determining whether intrusion has occurred, one of three main considerations may be involved: expectation of privacy; whether there was an intrusion, invitation, or exceedance of invitation; or deception, misrepresentation, or fraud to gain admission. Intrusion is "an information-gathering, not a publication, tort ... legal wrong occurs at the time of the intrusion. No publication is necessary". Restrictions against the invasion of privacy encompasses journalists as well: The First Amendment has never been construed to accord newsmen immunity from torts or crimes committed during the course of newsgathering. The First Amendment is not a license to trespass, to steal, or to intrude by electronic means into the precincts of another's home or office. Public disclosure of private facts Public disclosure of private facts arises where one person reveals information which is not of public concern, and the release of which would offend a reasonable person. "Unlike libel or slander, truth is not a defense for invasion of privacy." If a publication of information is false, then a tort of defamation might have occurred. If that communication is not technically false but is still misleading, then a tort of false light might have occurred. For this wrong, money damages may be recovered from the first person by the other. At first glance, this may appear to be similar to defamation (libel and slander), but the basis for the harm is different, and the remedy is different in two respects. First, unlike libel and slander, no showing of actual harm or damage to the plaintiff is usually required in false light cases, and the court will determine the amount of damages. Second, being a violation of a Constitutional right of privacy, there may be no applicable statute of limitations in some jurisdictions specifying a time limit within which period a claim must be filed. Consequently, although it is infrequently invoked, in some cases false light may be a more attractive cause of action for plaintiffs than libel or slander, because the burden of proof may be less onerous. What does "publicity" mean? A newspaper of general circulation (or comparable breadth) or as few as 3–5 people who know the person harmed? Neither defamation nor false light has ever required everyone in society be informed by a harmful act, but the scope of "publicity" is variable. In some jurisdictions, publicity "means that the matter is made public, by communicating it to the public at large, or to so many persons that the matter must be regarded as substantially certain to become one of public knowledge." Moreover, the standards of behavior governing employees of government institutions subject to a state or national Administrative Procedure Act (as in the United States) are often more demanding than those governing employees of private or business institutions like newspapers. A person acting in an official capacity for a government agency may find that their statements are not indemnified by the principle of agency, leaving them personally liable for any damages. Example: If someone's reputation was portrayed in a false light during a personnel performance evaluation in a government agency or public university, one might be wronged if only a small number initially learned of it, or if adverse recommendations were made to only a few superiors (by a peer committee to department chair, dean, dean's advisory committee, provost, president, etc.). Settled cases suggest false light may not be effective in private school personnel cases, but they may be distinguishable from cases arising in public institutions. Appropriation of name or likeness Although privacy is often a common-law tort, most states have enacted statutes that prohibit the use of a person's name or image if used without consent for the commercial benefit of another person. Appropriation of name or likeness occurs when a person uses the name or likeness of another person for personal gain or commercial advantage. Action for misappropriation of right of publicity protects a person against loss caused by appropriation of personal likeness for commercial exploitation. A person's exclusive rights to control their name and likeness to prevent others from exploiting without permission is protected in similar manner to a trademark action with the person's likeness, rather than the trademark, being the subject of the protection. Appropriation is the oldest recognized form of invasion of privacy involving the use of an individual's name, likeness, or identity without consent for purposes such as ads, fictional works, or products. ==Federal privacy laws==

Fair Credit Reporting Act The Fair Credit Reporting Act became effective on April 25, 1971, and implemented limitations on the information that could be collected, stored, and utilized by agencies such as credit bureaus, tenant screenings, and health agencies. The law also defined the rights granted to individuals in regards to their financial information including the right to obtain a credit score; the right to know what information is in your financial file; the right to know when your information is being accessed and used; and the right to dispute any inaccurate or incorrect information. Privacy Act of 1974 The Privacy Act of 1974 established a Code of Fair Information Practice that governs the collection, maintenance, use, and dissemination of personally identifiable information about individuals that is maintained in systems of records by federal agencies. Right to Financial Privacy Act The Right to Financial Privacy Act of 1978 gives customers of financial institutions the right to some level of privacy from government searches. Privacy Protection Act of 1980 The Privacy Protection Act of 1980 protects journalists and newsrooms from search by government officials. Electronic Communications Privacy Act The Electronic Communications Privacy Act of 1986 extended restrictions on government wire taps of telephone calls to include transmissions of electronic data by computer, added new provisions prohibiting access to stored electronic communications (the Stored Communications Act), and added so-called pen trap provisions that permit the tracing of telephone communications. Video Privacy Protection Act The Video Privacy Protection Act of 1988 (VPPA) was signed into law by President Ronald Reagan to preserve the privacy of people's information collected when they rented, purchased, or delivered audio visual materials, and specifically videotapes. The law arose out of the Bork tapes controversy surrounding the Washington City Paper's publication of a list of films rented by Robert Bork, a U.S. District of Columbia Circuit Court of Appeals Judge who had been nominated to fill a seat on the United States Supreme Court at the time. The law prohibits the disclosure of personal information collected by video tape service providers unless it falls under certain exceptions. The VPPA became a focus of attention in the legal industry once again around 2022. Its revival came as part of a larger trend in consumer class actions filed based on privacy law violations, both through new laws like the California Consumer Privacy Act and older laws like the VPPA and wiretapping statutes. Health Insurance Portability and Accountability Act Signed in law on August 21, 1996, Health Insurance Portability and Accountability Act (HIPAA) is a piece of legislation passed in the United States that limits the amount and types of information that can be collected and stored by healthcare providers. This includes limits on how that information can be obtained, stored, and released. HIPAA also developed data confidentiality requirements that are a part of "The Privacy Rule." Gramm-Leach-Bliley Act The Gramm-Leach-Bliley Act (GLA) is a federal law that was signed into effect on November 12, 1999. This act placed increased limits and requirements for data collection by financial institutions, as well as limited how that information could be collected and stored. It focused on requiring financial institutions to take specific measure to increase the safety and confidentiality of the information being collected. In addition to this, the law also put limitations on what type of data could be collected by financial institutions and how they could use that information. A core provision under COPPA is that a website operator must "obtain verifiable parental consent before any collection, use, or disclosure of personal information from children." Health Information Technology for Economic and Clinical Health Act The Health Information Technology for Economic and Clinical Health Act (HITECH Act) is an important piece of legislation in the United States that relates to the privacy of health-related information. Enacted as part of the American Recovery and Reinvestment Act of 2009, the HITECH Act addresses the privacy and security concerns associated with the electronic transmission of health information. Public Law 118-50 ==Constitutional basis for right to privacy==

Federal Although the word "privacy" is actually never used in the text of the United States Constitution, there are Constitutional limits to the government's intrusion into individuals' right to privacy. This is true even when pursuing a public purpose such as exercising police powers or passing legislation. The Constitution, however, only protects against state actors. Invasions of privacy by individuals can only be remedied under previous court decisions. The First Amendment protects the right to free assembly, broadening privacy rights. The Fourth Amendment to the Constitution of the United States ensures that "the right of the people to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures, shall not be violated, and no warrants shall issue, but upon probable cause, supported by oath or affirmation, and particularly describing the place to be searched, and the persons or things to be seized." The Fourth Amendment was the Framers' attempt to protect each citizen's spiritual and intellectual integrity. A government that violates the Fourth Amendment in order to use evidence against a citizen is also violating the Fifth Amendment. The Ninth Amendment declares that "The enumeration in the Constitution, of certain rights, shall not be construed to deny or disparage others retained by the people." State Alaska On August 22, 1972, the Alaska Right of Privacy Amendment, Amendment 3, was approved with 86% of the vote in support of the legislatively referred constitutional amendment. Article I, Section 22 of Alaska's constitution states, "The right of the people to privacy is recognized and shall not be infringed. The legislature shall implement this section." California The California Constitution articulates privacy as an inalienable right. CA SB 1386 expands on privacy law and guarantees that if a company exposes a Californian's sensitive information this exposure must be reported to the citizen. This law has inspired many states to come up with similar measures. California's "Shine the Light" law (SB 27, CA Civil Code § 1798.83), operative on January 1, 2005, outlines specific rules regarding how and when a business must disclose use of a customer's personal information and imposes civil damages for violation of the law. California's Reader Privacy Act was passed into law in 2011. The law prohibits a commercial provider of a book service, as defined, from disclosing, or being compelled to disclose, any personal information relating to a user of the book service, subject to certain exceptions. The bill would require a provider to disclose personal information of a user only if a court order has been issued, as specified, and certain other conditions have been satisfied. The bill would impose civil penalties on a provider of a book service for knowingly disclosing a user's personal information to a government entity in violation of these provisions. This law is applicable to electronic books in addition to print books. The California Privacy Rights Act created the California Privacy Protection Agency, the first data protection agency in the United States. Florida Article I, §23 of the Florida Constitution states that "Every natural person has the right to be let alone and free from governmental intrusion into the person's private life except as otherwise provided herein. This section shall not be construed to limit the public's right of access to public records and meetings as provided by law." Montana Article 2, §10 of the Montana Constitution states that "The right of individual privacy is essential to the well-being of a free society and shall not be infringed without the showing of a compelling state interest". Washington Article 1, §7 of the Washington Constitution states that "No person shall be disturbed in his private affairs, or his home invaded, without authority of law". • Law enforcement are required to obtain a warrant before using IMSI-catcher technology. • Private individual's text messages are protected from warrantless searches. ==State privacy laws==

The right to privacy is protected also by more than 600 laws in the states and by a dozen federal laws, like those protecting health and student information, also limiting electronic surveillance. As of 2024, over a dozen states had data privacy laws. =="Opt-out" requirements==

Several of the US federal privacy laws have substantial "opt-out" requirements, requiring that the individual specifically opt-out of commercial dissemination of personally identifiable information (PII). In some cases, an entity wishing to "share" (disseminate) information is required to provide a notice, such as a GLBA notice or a HIPAA notice, requiring individuals to specifically opt-out. These "opt-out" requests may be executed either by use of forms provided by the entity collecting the data, with or without separate written requests. ==See also==