Federal Laws to Protect Privacy

• FCRA

• FACTA

• HIPAA

• GLBA

• FERPA

• COPPA

• DPPA

U.S. federal regulation of marketing practices: TSR, DNC, CAN-SPAM, TCPA and JFPA U.S. state data breach notification and select state laws Regulation of privacy in the U.S. workplace: FCRA, EPP, ADA and ECPA.

• Statutes – local, state or federal laws that have been enacted by Congress

• Regulations – published by regulatory agencies (e.g. FTC; Federal Trade Commission)

False

Online Behavioral Advertising (OBA) involves the tracking of consumer's online activities not personal information in order to deliver personal advertising. They do not use personal information.

This practice allows business to specifically target their advertisements towards individual customers.

The data collected is generally not personal identity information, but data relating to their browsing history.

• Collecting complaints

• Conducting investigations

• Suing companies and people that break the law

• Developing rules to maintain a fair marketplace.

Financial institutions are required to take steps to protect the privacy of consumers’ finances under a federal law called the Financial Modernization Act of 1999, also known as the Gramm-Leach-Bliley Act.

The FTC is one of the federal agencies that enforces provisions of Gramm-Leach Bliley, and the law covers not only banks, but also securities firms, and insurance companies, and companies providing many other types of financial products and services. Under the law, agencies enforce the Financial Privacy Rule.

Financial Privacy Rule

Financial institutions covered by the Gramm-Leach-Bliley Act must tell their customers about their information-sharing practices and explain to customers their right to "opt out" if they don't want their information shared with certain third parties. Is your company following the requirements of the Privacy Rule?

See: How To Comply with the Privacy of Consumer Financial Information Rule of the Gramm-Leach-Bliley Act

See US Approach to Privacy

See P37 Section 1.10.2 Sectoral Model (United States)

1.10.2 Sectoral Model (United States) This framework protects personal information by enacting laws that address a particular industry sector.³⁶ For example, in the United States, different laws delineate conduct and specify the requisite level of data protection for video rental records, consumer financial transactions, credit records, law enforcement and medical records. In a comprehensive model, laws addressing specific market segments may be enacted to provide more specific protection for data particular to that segment, such as the healthcare sector.

Supporters of the sectoral approach emphasize that different parts of the economy face different privacy and security challenges; it is appropriate, for instance, to have stricter regulation for medical records than for ordinary commerce. Supporters also underscore the cost savings and lack of regulatory burden for organizations outside of the regulated sectors.

See US Approach to Privacy

See P38 Section 1.10.3 Sectoral Model (United States)

The Co-Regulatory and Self-Regulatory Models Co-regulation and self-regulation are quite similar, with co-regulation generally referring to laws such as those in Australia, which are closer to the comprehensive model, and self-regulation generally referring to approaches such as those in the United States, where there are no general laws applying to personal information. Under both approaches, a mix of government and nongovernment institutions protects personal information.

The co-regulatory model emphasizes industry development of enforceable codes or standards for privacy and data protection against the backdrop of legal requirements by the government. Co-regulation can exist under both comprehensive and sectoral models. One U.S. example is the Children’s Online Privacy Protection Act in the United States (COPPA), which allows compliance with codes to be sufficient for compliance with the statute once the codes have been approved by the FTC.

Financial institutions are required to take steps to protect the privacy of consumers’ finances under a federal law called the Financial Modernization Act of 1999, also known as the Gramm-Leach-Bliley Act.

The FTC is one of the federal agencies that enforces provisions of Gramm-Leach Bliley, and the law covers not only banks, but also securities firms, and insurance companies, and companies providing many other types of financial products and services. Under the law, agencies enforce the Financial Privacy Rule.

Financial Privacy Rule

Financial institutions covered by the Gramm-Leach-Bliley Act must tell their customers about their information-sharing practices and explain to customers their right to "opt out" if they don't want their information shared with certain third parties. Is your company following the requirements of the Privacy Rule?

See: How To Comply with the Privacy of Consumer Financial Information Rule of the Gramm-Leach-Bliley Act

e - all of the above

See: FTC Enforcement Actions

Under the Privacy Rule a patient has the right to: Notice of a covered entity’s privacy practices which include the type of information collected and its intended use. Consent or object to the disclosure of protected health information to third parties other than those disclosures granted to business associates for the rendering of treatment or services. The Privacy Rule requires that a signed authorization from the individual be placed on record for each specific third party with which the patient wishes to share their information. Access and amend their protected health information that an entity has on record about them. A minimal charge may be assessed to cover expenses associated providing access or changes to the their records. Limited disclosure of protected health information. Disclosure must be limited to that which is minimally necessary. When a heath care provider or plan shares personal health information with a business associate for the purposes of rendering a service, (ie: billing, data analysis, research, etc) the covered entity must ensure that the business associate or third party will maintain the same standards of privacy. Safeguarding of their protected health information. All entities handling personal health information must maintain the necessary physical, technical and administrative safeguards to protect the confidentiality, integrity and security of the patient‟s information.

E. all of the above are authorized.

See EveryCRSReport.com site

See section 6.5

C - there are no federal data breach notification laws at all.

6.5 Lack of Federal Data Breach Law With massive, high-profile data breaches making the front pages, calls for a uniform federal data breach law have continued. ³⁵ These discussions began at the national level in 2003, when Senator Diane Feinstein of California introduced the first federal breach notification bill. In 2015, President Obama proposed the Personal Data Notification Act,³⁶ which he said would correct the “patchwork problem” of laws that are said to be confusing for consumers and for companies.³⁷ The proposal was criticized by state attorneys general and privacy advocates because it would preempt stricter state laws. As of the writing of this book, no federal legislation has been enacted.³⁸ Reaching consensus on such a law is difficult—privacy advocates have generally supported approaches that would match federal law to the strictest state laws, while businesses have generally supported a federal law with fewer regulatory requirements as well as preemption of stricter state laws.

6.8 Conclusion - The United States lacks comprehensive private- sector information security and data breach notification statutes, leading some observers to suggest the nation is less stringent about protection of personal data than other jurisdictions, notably Europe.

b. Online Resellers

The FACTA applies to any person or company that maintains or retains consumer information, such as consumer reports, for a business purpose. Examples of those who would be impacted by the FACTA include: Consumer reporting agencies (CRAs) Resellers of consumer reports Lenders Insurers Employers Landlords Government agencies Mortgage brokers Auto dealers Waste disposal companies

The Privacy Notice must contain a statement notifying the customer of the opportunity to opt out of disclosure of information to unaffiliated third parties so as to comply with the Fair Credit Reporting Act

Under the Privacy Rule: A customer must receive a copy of the financial institution‟s privacy notice upon entering the relationship and once every year for the duration of the relationship. A new copy of the notice must be provided upon the modification of any of the privacy policies. The Privacy Notice must contain the type of information collected by the financial institution how it is used, notice of possible third party disclosures and a statement regarding the safeguarding of their personal information. The Privacy Notice must contain a statement notifying the customer of the opportunity to opt out of disclosure of information to unaffiliated third parties so as to comply with the Fair Credit Reporting Act. Financial Institutions are prohibited from sharing customer account numbers with nonaffiliated third parties.

Safeguards Rule Text

C. FTC Has enforcement authority but that safeguard is not listed as part of the GLBA rules.

Information security program means the administrative, technical, or physical safeguards you use to access, collect, distribute, process, protect, store, use, transmit, dispose of, or otherwise handle customer information.