Info & Data Privacy Protection


The monetization of information and data obtained from consumers in the United States alone is a multi-billion industry. Antiquated regulations are rapidly evolving given a legislative call for transparency in the way information and data are monetized by companies and for accountability by companies that fail to safeguard or improperly use such information and data. It is important for companies to know their responsibilities under emerging regulations and for consumers to know their rights with respect to the information and data they share with companies or that companies otherwise collect, historically often without a consumer’s actual knowledge.

Current U.S. Federal Laws Governing Information and Data

The Federal Trade Commission Act (“FTC Act”)

The FTC Act is the principal federal statute that addresses consumer protection in the United States. The FTC Act attempts to protect consumers from deceptive or unfair acts or practices by a company that fails to protect a consumer’s information. While it does not expressly require a company to draft or publish a Privacy Policy, once a company subject to the FTC Act does publish a Privacy Policy, the FTC Act can have varying degrees of impact on a company with respect to its data and information practices. Many companies fail to realize the importance of a properly drafted and published Privacy Policy as well as the ramifications for not following such Privacy Policy or properly notifying consumers of changes to such Privacy Policy. Violations of the FTC Act by a company subject to the FTC Act may result in varying degrees of consequences typically imposed by the federal government. While consumers in nearly all known circumstances have no private right of action (ability to file a lawsuit) against a company under the FTC Act, many states have passed laws that parallel the FTC Act and provide for a private right of action.

The Children’s Online Privacy Protection Act (“COPPA”)

COPPA applies to commercial websites, mobile applications, and other online services with respect to information and data collected from children under the age of 13. Many companies fail to include an appropriate COPPA provision in their Privacy Policy when and where applicable. Violations of COPPA by a company subject to COPPA may result in varying degrees of consequences typically imposed by the federal government. While consumers in nearly all known circumstances have no private right of action (ability to file a lawsuit) against a company under COPPA, legal causes of action under some state laws and common laws, including, but not limited to, various state consumer protection laws or through the tort of intrusion upon seclusion, if applicable, may expose a company to a private cause of action by an individual.

The Health Insurance Portability and Accountability Act (“HIPAA”)

HIPAA, which many consumers are familiar with as to its existence, applies to health-related industries with respect to a consumer’s, often a patient’s, individually identifiable health information. While the terms are not expressly used under HIPAA, such information is often termed, as applicable, Personal or Protected Health Information (“PHI”) or Personally Identifiable Information (“PII”), given other compliance regulations. Violations of HIPAA by a company subject to HIPAA may result in varying degrees of consequences typically imposed by the federal government. While consumers in nearly all known circumstances have no private right of action (ability to file a lawsuit) against a company under HIPAA, legal causes of action under some state laws and common laws, such as negligence, breach of contract, breach of confidentiality and breach of an implied contract, may still expose a company to a lawsuit by a private individual in some states.

The Fair Credit Reporting Act (“FCRA”), as amended by the Fair and Accurate Credit Transactions Act (“FACTA”)

The FCRA limits the ways consumer reports and credit card account numbers may be used and disclosed. Violations of the FCRA by a company subject to the FCRA may result in varying degrees of consequences typically imposed by the federal government. Moreover, in some circumstances, consumers are afforded a private cause of action under the FCRA for specific violations.

The Controlling the Assault of Non-Solicited Pornography and Marketing Act (“CAN-SPAM Act”)

Most companies and consumers in the U.S. are familiar with spam email. The CAN-SPAM Act attempts to regulate the collection and use of email addresses for commercial purposes, typically as it relates to marketing. Violations of the CAN-SPAM Act by a company subject to the CAN-SPAM Act may result in varying degrees of consequences typically imposed by the federal government. While consumers in most circumstances have no private right of action (ability to file a lawsuit) against a company under the CAN-SPAM Act, a company may have exposure for a private right of action from another company that is deemed an internet access services provider. In addition, some consumer protection acts in various states may permit a private cause of action for certain violations of the CAN-SPAM Act.

The Gramm-Leach-Bliley Act (“GLBA”)

The GLBA impacts financial institutions with respect to Nonpublic Personal Information (“NPI”) of their customers. Violations of the GLBA by a company subject to the GLBA may result in varying degrees of consequences typically imposed by the federal government. While consumers in most circumstances have no private right of action (ability to file a lawsuit) against a company under the GLBA, many states have passed laws that do provide for a private right of action for improper disclosure of NPI.

Dodd-Frank Wall Street Reform and Consumer Protection Act (“Dodd-Frank Act”)

The Dodd-Frank Act relates to financial privacy, with its authority derived under the GLBA, and seeks to protect consumers that use financial products and services from unfair, deceptive and abusive practices. Violations of the Dodd-Frank Act by a company subject to the Dodd-Frank Act may result in varying degrees of consequences typically imposed by the federal government. While consumers in most circumstances have no private right of action (ability to file a lawsuit) against a company under the Dodd-Frank Act, whistleblower employees in the financial industry do have a private cause of action if they suffer retaliation, typically in the form of termination of employment, by an employer subject to the Dodd-Frank Act for disclosing information regarding unlawful conduct of their employer, as applicable, regarding certain financial products and services.
