2.2 Sources of Law in the United States

1. Constitutions (US + State)

   1. The Constitution does not contain the word privacy.

   2. Some parts of the Constitution directly affect privacy, such as the Fourth Amendment limits on government searches.

   3. State - also a source and CA constitution contains privacy rights.

2. Legislation (Federal and State Legislation)

   1. Federal Congress and the state legislatures have enacted a variety of privacy and security laws.

   2. Controlling the Assault of Non-Solicited Pornography and Marketing (CAN-SPAM) Act

   3. Health Insurance Portability and Accountability Act (HIPAA) medical privacy rule, states may pass privacy or other laws with stricter requirements than federal law.

3. Regulations and Rules

   1. Regulatory Agencies issue regulations and rules.

   2. FTC or the Federal Communications Commission (FCC) issue regulations and rules to comply with laws passed by Congress.

   3. These place specific compliance expectations on the marketplace.

   4. For example, in 2003 the U.S. Congress passed the CAN-SPAM Act, which requires the senders of commercial email messages to offer an “opt-out”.

4. Case Law (Case + Common law)

   1. Case Law - Precedents

      1. Final decisions made by judges in court cases.

      2. When similar issues arise in the future, judges look to past decisions as precedents and decide the new case in a manner that is consistent with past decisions.

   2. Common Law - Principles

      1. Refers to legal principles that have developed over time in judicial decisions (case law), often drawing on social customs and expectations.

      2. the common law, has long upheld special privilege rules such as doctor-patient or attorney-client, confidentiality, even in the absence of statutes protecting that confidentiality.

5. Consent Decree

   1. Judgment entered by consent of the parties whereby the defendant agrees to stop alleged illegal activity, typically without admitting guilt or wrongdoing.

   2. This legal document is approved by a judge and formalizes an agreement reached between a federal or state agency and an adverse party

6. Contract law

   1. legally binding agreement enforceable in a court of law.

   2. The contract may include provisions on issues such as data usage, data security, breach notification, jurisdiction and damages

   3. Offer is the proposed language to enter into a bargain.

   4. Acceptance is the assent or agreement by the person to whom the offer was made that the offer is accepted.

   5. Consideration is the bargained-for exchange. It is the legal benefit received by one person and the legal detriment imposed on the other person.

7. Tort Law

. Intentional torts. ese are wrongs that the defendant knew or should

have known would occur through their actions or inactions; for

example, intentionally hi ing a person or stealing personal

information.

2. Negligent torts. These occur when the defendant’s actions were

unreasonably unsafe; for example, causing a car accident by not

obeying tra c rules or not having appropriate security controls.

3. Strict liability torts. ese are wrongs that do not depend on the

degree of carelessness by the defendant but are established when a

particular action causes damage.5

Product liability torts fall into this

category since they concern potential liability for making and selling

defective products, without the need for the plainti to show

negligence by the defendant.

2.3 Key Definitions

1. Person

   1. Any entity with legal rights, including an individual (a “natural person”) or a corporation (a “legal person”).

2. Jurisdiction

   1. Any entity with legal rights, including an individual (a “natural person”) or a corporation (a “legal person”).

3. General Vs Specific Authority

   1. A governmental body can have two types of authority.

   2. “General authority” is blanket authority to regulate a field of activity.

   3. “Specific authority” is targeted at singular activities that are outlined by legislation.

   4. Many agencies have both types of authority. For example, the FTC has general authority over “unfair and deceptive trade practices” and specific authority to enforce COPPA. Preemption.

4. Preemption

   1. A superior government’s ability to have its laws supersede those of an inferior government.

   2. For example, the U.S. federal government has mandated that state governments cannot regulate email marketing.

   3. The federal CAN-SPAM Act preempts state laws that might impose greater obligations on senders of commercial electronic messages

5. Private right of action.

   1. The ability of an individual harmed by a violation of a law to file a lawsuit against the violator.

6. Notice

   1. Description of an organization’s information management practices.

   2. Notices have two purposes: (1) consumer education and (2) corporate accountability.

   3. Privacy notices may also be called privacy statements or even privacy policies,

7. Choice

   1. The ability to specify whether personal information will be collected and/or how it will be used or disclosed.

   2. Choice can be express or implied.

   3. Express -The term opt in means an affirmative indication of choice based on an express act of the person giving the consent.

      1. For example, a person opts in if he or she says yes when asked, “May we share your information?” Failure to answer would result in the information not being shared.

   4. The term opt out means a choice can be implied by the failure of the person to object to the use or disclosure.

      1. For example, if a company states “unless you tell us not to, we may share your information,” the person has the ability to opt out of the sharing by saying no.

      2. Failure to answer would result in the information being shared.

8. Access

   1. Ability to view personal information held by an organization.

   2. This may be supplemented by allowing updates or corrections to the information.

2.4 Regulatory Authorities

1. At the federal level, a number of agencies engage in regulatory activities concerning privacy in the private sector

   1. FTC has general authority to enforce against unfair and deceptive trade practices.

   2. In certain areas, such as marketing communications and children’s privacy, the FTC has specific regulatory authority.

2. Other federal agencies have regulatory authority over particular sectors.

   1. These include the federal banking regulatory agencies (such as the Consumer Financial Protection Bureau, Federal Reserve, and Office of the Comptroller of the Currency), the FCC, the U.S. Department of Transportation, and the U.S. Department of Health and Human Services, through its Office of Civil Rights.

3. The U.S. Department of Commerce does not have regulatory authority for privacy, but often plays a leading role in privacy policy for the executive branch

4. State level, state attorneys general bring a variety of privacy-related enforcement actions, often pursuant to state laws prohibiting unfair and deceptive practices.

   2. 1. 1. May take enforcement action on violations of HIPAA, GLBA, Telemarketing Sales Rule and violation of breach notification laws

5. Self-regulatory regimes play a significant role in governing privacy practices in various industries. Examples include the Network Advertising Initiative, the Direct Marketing Association and the Children’s Advertising Review Unit.

2.5 Self-Regulation

1. Self-regulatory

   1. Self-regulatory regimes play a significant role in governing privacy practices in various industries.

   2. Government-created rules expect companies to sign up for self-regulatory oversight.

   3. Examples

      1. Network Advertising Initiative

      2. Direct Marketing Association

      3. Children’s Advertising Review Unit.

2.6 Understanding Laws (HITECH, HIPAA, CCPA, GDPR, FINTECH, TCPA … )

1. Who is covered by this law?

   1. Example - law regulates entities that do business in California and that own or license computerized data, including personal information.

2. What types of information (and what uses of information) are covered?

   1. This law regulates the computerized personal information of California residents. “Personal information” is an individual’s name in combination

3. What exactly is required or prohibited?

   1. This law requires all persons to disclose any breach of system security to any resident of California whose unencrypted personal information was or is reasonably believed to have been acquired by an unauthorized person.

4. Who enforces the law?

   1. California attorney general enforces the law, and there is a private right of action.

5. What happens if I don’t comply?

   1. California attorney general or any citizen can file a civil lawsuit against a noncompliant party seeking damages and forcing compliance.

6. Why does this law exist?

   1. SB 1386 was enacted because security breaches of computerized databases are feared to cause identity theft—and individuals should be notified about these breaches so they can take steps to protect themselves.