U.S. Privacy Legislation

Overview
Personal privacy is considered by most Americans to be a fundamental right. The Supreme Court ruled in 1965 that the Ninth Amendment is the constitutional source of a right to privacy. Others point to the Third Amendment’s prohibition of quartering troops in private homes during peacetime; the Fourth Amendment’s prohibition of warrantless search and seizure; and the Fifth Amendment privilege against self-incrimination.

The Twentieth Century saw dramatic changes to the concept of privacy with the introduction of new technologies from the camera to the telephone to the microphone to the computer. In addition, the advent of a credit economy brought about an implicit trade of privacy for credit. These new technologies, whether in the hands of government, private industry, or private citizens, altered our perception of the meaning of privacy and of how that right should be protected. It is not surprising, then, that Congress responded with legislation.

The 1970s
While the Privacy Act of 1974 was the preeminent privacy law of the 1970s, it was preceded by the Fair Credit Reporting Act of 1970 and the Crime Control Act of 1973. That decade also saw the passage of the Family Education Rights and Privacy Act of 1974 and the Financial Privacy Act of 1978.

The Fair Credit Reporting Act of 1970 authorized consumers to request from consumer credit reporting agencies the nature and scope of all information regarding them, as well as the identity of the sources of the information and the name of any recipient of the information. This Act also grants the consumer the right to correct or amend the credit report by supplying supplemental information. The Family Education Rights and Privacy Act of 1974 is similar in that it grants parents the right to inspect, correct, amend, and control the disclosure of information in the educational records of their children.

The Privacy Act of 1974, which is more familiar to most people, governs the relationship between the government and the public. Citizens and aliens lawfully admitted for permanent residence are given access to information about them that is held by the government, and the right to correct that information. The Privacy Act establishes principles of fair information practice, including conditions for the disclosure of private information, requirement for accounting for disclosure, and the requirement that agencies specify the authority and purpose for collecting personally identifiable information. The Privacy Act discourages the use of secondary sources for information on individuals. Finally, the Privacy Act requires that records of information on individuals must be maintained with accuracy, timeliness, and completeness to assure fair treatment of the individual.

The 1980s
The 1980s saw the passage of the Cable Communications Policy Act of 1984, the Electronic Communications Privacy Act of 1986, and the Computer Matching and Privacy Protection Act of 1988. Again, the theme of an individual’s right to control information held about him or her pervades these laws.

The Cable Communications Policy Act of 1984 gives cable subscribers the right of access to all personally identifiable information collected or maintained by their cable company. Again the right of correction is granted to the individual. The Electronic Communications Privacy Act extends the principles of telephone privacy to cell phones and e-mail, and prohibits unauthorized interception of electronic communications. The Computer Matching and Privacy Protection Act of 1988 amends the 1974 Privacy Act to regulate the use of computer matching of information contained in a system of records subject to the Privacy Act.

The 1990s
One of the most significant privacy laws passed in the 1990s was the Gramm-Leach-Bliley Act, also known as the Financial Services Modernization Act. This Act prohibits financial institutions from disclosing nonpublic information to unaffiliated third parties without providing customers the opportunity to decline such disclosure. This Act also is responsible for requiring businesses to disclose their privacy policies in what have now become almost routine privacy flyers that accompany credit card statements and insurance bills.

Equally important was the Health Insurance Portability and Accountability Act of 1996 (HIPAA), which was enacted on August 21, 1996. Sections 261 through 264 of HIPAA require the Secretary of the Department of Health and Human Services (HHS) to publicize standards for the electronic exchange, privacy and security of health information. HHS issued the Privacy Rule to implement this requirement of HIPAA. The Privacy Rule standards address the use and disclosure of individuals’ health information (called “protected health information”) by organizations subject to the Privacy Rule (called “covered entities”), as well as standards for individuals' privacy rights to understand and control how their health information is used.