Privacy law protects individual privacy by creating four procedural and substantive rights in personal data. It safeguards privacy by limiting data matching programs between federal agencies.
In the United States, privacy laws are based on a Western concept of the individual as sovereign over their private lives. This includes their right to know what information entities have on them and the right to correct inaccuracies.
Privacy laws deal with the regulating, storing and using of personal information such as medical records or financial data. The main tenet of privacy law is the principle of consent, which stipulates that individuals have a right to control and limit access to their personal information. In addition, privacy laws prohibit unauthorized surveillance and the use of personal information for unconnected purposes without consent. Finally, privacy laws ensure that individuals can have access to and correct erroneous data about them.
Other State laws deal with specific types of information, such as the Children’s Online Privacy Protection Act (COPPA) and the Gramm-Leach-Bliley Act (GLBA). The GLBA requires financial institutions, which include banks, credit unions, and insurance agencies, to safeguard consumer information. The COPPA, on the other hand, regulates how companies collect and use personal information from children online.
Reasonable Expectations of Privacy
A fundamental tenet of privacy law is the concept that there are places and activities in which you have a reasonable expectation of privacy, and when this is violated you may sue. Generally, this involves private homes and curtilage, although some states also protect garages, sheds, yards, or any additional structures attached to the home. Privacy law is closely associated with property law, and courts tend to use real or personal property laws when defining what is protected by the Fourth Amendment protection against unreasonable searches and seizures.
To successfully bring a privacy claim, a plaintiff must establish two things: First, that she possessed a “subjective” expectation of privacy in the subject matter of her complaint. Second, that her subjective expectation was one that society is willing to recognize as reasonable. This two-prong test is the primary way that privacy law distinguishes itself from traditional tort law.
In some cases, courts have found that people do not have a subjective expectation of privacy. For example, the Supreme Court has determined that public employees do not have a right to privacy in their place of work. Additionally, some courts have found that certain actions can destroy a person’s reasonable expectation of privacy.
Scholars have identified that gendered privacy norms have not been taken into account in the reasonable expectation of privacy inquiry. They argue that this is partly because the majority of privacy-related cases involve men, and that constitutional criminal procedure law makes the mistake of treating women and men the same for purposes of the reasonable person analysis, despite extensive empirical psychological evidence that men and women behave differently from each other.
To successfully bring a privacy tort claim, the plaintiff must allege and prove the following essential elements:
The defendant intentionally invaded the plaintiff’s seclusion or private matters. This element can be met either literally, by physically entering on private property, or figuratively, when the defendant uses special equipment, such as zoom lenses or sensitive eavesdropping devices, to photograph or record a person in places where they expect privacy. It can also be met when the defendant publicizes private facts about the plaintiff in a manner that would be highly offensive to a reasonable person.
Finally, the defendant must have caused the plaintiff emotional distress, or anguish, as a result of the intrusion. An anguish claim can be successful even if the plaintiff did not suffer a monetary loss, such as when someone discovers photos of them doing something in their bathroom or bedroom.
While the federal government has no comprehensive privacy statute, some states have introduced and passed comprehensive state laws. For example, California’s Children’s Online Privacy Protection Act (“COPPA”) imposes extensive duties on anyone who collects personal information about children. It requires these businesses to clearly notify consumers when their information will be collected, provides an opportunity for them to “opt-out” of data collection and limits how the collected data can be used. Other states are considering similar legislation.
In states where the right to privacy is regulated solely by statute, damages are available for violation of such laws. For example, the New York State Consumer Privacy Law provides statutory damages up to $500 for an intentional intrusion into private matters such as credit report violations, sale of personal financial information, and “pretexting,” or obtaining private information under false pretenses. Federal statutes such as the Gramm-Leach-Bliley Act and the Telephone Consumer Protection Act (TCPA) also provide privacy-related remedies for consumers. The TCPA in particular has become the focus of many class action lawsuits, with one plaintiff winning a record $925 million judgment for violations related to pestilent robocalls and slow processing of do-not-call lists.
The Restatement of Torts states that a cause of action for invasion of privacy arises when someone publishes a matter concerning an individual’s private affairs which is not of legitimate public concern and does so in a way that would be highly offensive to a reasonable person of ordinary sensibilities. In addition, the misappropriation of another’s name or likeness can give rise to a claim for invasion of privacy.
In addition to statutory damages, some states have privacy laws that impose substantial duties on businesses that collect personal data. These provisions include requiring disclosure of how the information will be used, providing an opportunity to opt out of data collection and limiting how that information may be sold or otherwise transferred to third parties. The Connecticut Consumer Privacy Act, for instance, requires businesses to notify consumers of how their personal data will be collected and use it, and permit them to access that information and correct it as necessary.