- Privacy can have many meanings
- There are four broad categories of privacy:
- (1) Information privacy
- (2) Bodily privacy
- (3) Communication privacy
- (4) Territorial privacy
The word “privacy” has many different meanings. It has been defined, for example, as “[t]he quality, state, or condition of being free from public attention to intrusion into or interference with one’s acts or decisions.”[1] As far back as 1890, future Supreme Court Justice Louis D. Brandeis put it more succinctly: he said that privacy is, simply, the “right to be let alone.”[2] Privacy can also be thought of in terms of the interests that it seeks to protect, including the individual interest in avoiding public disclosure of private matters and the interest in being afforded the ability to independently make certain kinds of decisions.[3]
The alternative ways in which one can define privacy are important for understanding how the concept of privacy is used throughout the legal and regulatory landscape. The protection of individual privacy is infused throughout American law; it is incorporated into a broad range of statutes and regulations, at both the state and federal levels. The State of California has even incorporated the protection of individual privacy into its state constitution. Article 1, Section 1 of the California Constitution reads: “All people are by nature free and independent and have inalienable rights. Among these are enjoying and defending life and liberty, acquiring, possessing, and protecting property, and pursuing and obtaining safety, happiness, and privacy.”[4]
In the United States, legal protections over private information are commonly referred to as “data privacy” or “information privacy” laws. In other countries, and in particular throughout the European Union, legal protections are commonly referred to as “data protection” laws.
In order to understand privacy, and the various ways in which it is used in the law, it can be helpful to think in terms of four broad categories: (1) information privacy; (2) bodily privacy; (3) communication privacy; and (4) territorial privacy.[5]
Information Privacy refers to the collection and handling of personal information.[6]
Bodily Privacy refers to the protection of the physical body from intrusion.[7]
Communication Privacy includes the protection of written, oral, and electronic correspondence.[8]
And, finally, Territorial Privacy refers to the protection of one’s environment, such as one’s home or place of employment.[9]
To some extent, each of these interests is protected under law. For example, the Employee Polygraph Protection Act of 1988 (“EPPA”)[10] prohibits employers from forcing employees to take a lie detector test in most cases. This can be thought of as protecting an employee’s bodily privacy. The Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) protects information privacy by placing restrictions on the disclosure of “protected health information.”[11] Both of these statutes, and many others, are discussed later in this study guide. For now, however, it is important to understand that the concept of privacy has many different components and many different meanings.
The Federal Wiretap Act's prohibition on intercepting wire or oral correspondence without the knowledge of the individuals being eavesdropped upon protects what type of privacy interest?
A. Information Privacy
B. Bodily Privacy
C. Communication Privacy
D. Territorial Privacy
The Americans With Disabilities Act's prohibition on most forms of pre-employment medical examinations protects what type of privacy interest?
A. Information Privacy
B. Bodily Privacy
C. Communication Privacy
D. Territorial Privacy
The Cable Communications Policy Act of 1984's prohibition on disclosing personally identifiable data on customers without consent protects what type of privacy interest?
A. Information Privacy
B. Bodily Privacy
C. Communication Privacy
D. Territorial Privacy
The Children's Online Privacy Protection Act's requirement to obtain "verifiable parental consent" prior to processing the personal data of a child protects what type of privacy interest?
A. Information Privacy
B. Bodily Privacy
C. Communication Privacy
D. Territorial Privacy
The Fourth Amendment's requirement that police obtain a warrant prior to searching a suspect's house protects what type of privacy interest?
A. Information Privacy
B. Bodily Privacy
C. Communication Privacy
D. Territorial Privacy
The 21st Century Cures Act exempted from disclosure information related to biomedical research; this protects what type of privacy interest?
A. Information Privacy
B. Bodily Privacy
C. Communication Privacy
D. Territorial Privacy
The prohibition on disclosing student records under the Family Education Rights and Privacy Act protects what type of privacy interest?
A. Information Privacy
B. Bodily Privacy
C. Communication Privacy
D. Territorial Privacy
The Telemarketing Sales Rule's limitation on when telemarketing calls can be made protects what type of privacy interest?
A. Information Privacy
B. Bodily Privacy
C. Communication Privacy
D. Territorial Privacy
Title II of the Genetic Information Nondiscrimination Act of 2008 prohibits employment discrimination on the basis of a person's genetic information. This protects what type of privacy interest?
A. Information Privacy
B. Bodily Privacy
C. Communication Privacy
D. Territorial Privacy
The prohibition on the disclosure of personally identifiable information by video tape service providers under the Video Privacy Protection Act of 1988 protects what type of privacy interest?
A. Information Privacy
B. Bodily Privacy
C. Communication Privacy
D. Territorial Privacy
1. Privacy, Black’s Law Dictionary (11th ed. 2019).
2. Samuel D. Warren & Louis D. Brandeis, The Right to Privacy, 4 Harv. L. Rev. 193 (1890).
3. Whalen v. Roe, 429 U.S. 589, 599-600 (1977).
4. Cal. Const. art. I, § 1.
5. David Banisar and Simon Davies, Global Trends in Privacy Protection: An International Survey of Privacy, Data Protection, and Surveillance Laws and Developments, 18 J. Marshall J. Computer & Info. L. 1, 6 (1999).
6. David Banisar and Simon Davies, Global Trends in Privacy Protection: An International Survey of Privacy, Data Protection, and Surveillance Laws and Developments, 18 J. Marshall J. Computer & Info. L. 1, 6 (1999).
7. David Banisar and Simon Davies, Global Trends in Privacy Protection: An International Survey of Privacy, Data Protection, and Surveillance Laws and Developments, 18 J. Marshall J. Computer & Info. L. 1, 6 (1999).
8. David Banisar and Simon Davies, Global Trends in Privacy Protection: An International Survey of Privacy, Data Protection, and Surveillance Laws and Developments, 18 J. Marshall J. Computer & Info. L. 1, 6 (1999).
9. David Banisar and Simon Davies, Global Trends in Privacy Protection: An International Survey of Privacy, Data Protection, and Surveillance Laws and Developments, 18 J. Marshall J. Computer & Info. L. 1, 6 (1999).
10. 29 U.S.C. § 2002.
11. 45 C.F.R. §§ 160.103.45, 164.502(a).