The Right to Remain Private: Where U.S. Law Lets You Down
With no law like Europe's GDPR to protect personal data, Americans have to rely on a patchwork of regulations
“There are shockingly few legal privacy protections in the United States,” says Maureen Mahoney, a policy analyst at Consumer Reports.
No federal law provides the kind of broad consumer rights granted in 2018 by the European Union’s General Data Protection Regulation. But scandals involving Facebook, Google, and other tech giants are helping to raise interest in such legislation.
For instance, 63 percent of Facebook users say the company shouldn’t be allowed to collect data on them when they’re not using Facebook, according to a January 2019 CR nationally representative survey of more than 2,000 U.S. adults.
“We still have a long way to go nationally,” Mahoney says. “But a number of state legislatures have stepped up and passed privacy laws of their own.” (See details below.)
For now, the following national laws provide some protections for consumers.
Federal Trade Commission Act
This law prohibits “unfair or deceptive” business practices. That means companies are prohibited from making misleading statements about how they handle your data.
Health Insurance Portability and Accountability Act
HIPAA limits what healthcare providers can do with your medical data, preventing doctors, insurance companies, and billing firms from disclosing that info without permission. But it doesn't necessarily protect info collected by a smartwatch, reproductive health app, or direct-to-consumer genetic testing service. Unless the info ends up in a healthcare provider’s files, it has the same limited protections as other data about you.
Children’s Online Privacy Protection Act
COPPA requires companies to get verifiable parental consent before collecting info from children younger than 13. Firms must also explain how the data might be used, properly secure the information, and provide parents with the means to delete it. Yet once consent is granted, such data is fair game, albeit generally off-limits to third parties. The problem is that digital toys and apps are often useless without a quick sign-off. Additionally, YouTube has been accused of violating COPPA. Despite its many child-oriented videos, YouTube says in its terms of service that the site is intended for teens and adults.
A number of states are pressing ahead with laws that could become models for national legislation. Here are a few examples:
The California Consumer Privacy Act is on track to become the country’s most sweeping privacy law when it takes effect Jan. 1. The law gives consumers the right to access, delete, and opt out of the sale of personal data.
The Biometric Information Privacy Act, passed in 2008, governs companies that collect and use fingerprints and facial recognition data. Amazon, Facebook, Google, and Six Flags have been sued over alleged violations. Texas and Washington have similar laws, minus the individual’s right to sue.
The Act to Protect the Privacy of Online Customer Information, signed into law this year, places new restrictions on the state’s internet service providers. They generally can’t use or sell residents’ personal information unless the customer opts in. And they can’t charge people more for refusing.
HB 2395 mandates “reasonable security features” for most products that connect to the web. That can include supplying unique passwords or requiring users to create one, practices that could help prevent malicious strangers from hijacking baby monitors and home security cameras.
Act 171 of 2018 is the country’s only law to specifically regulate data brokers, those companies that stealthily collect and monetize people’s personal information. The firms are required to register with the state and provide annual updates on their business practices.
Editor's Note: This article also appeared in the October 2019 issue of Consumer Reports magazine.