Order Code RS21229
Updated July 8, 2002
CRS Report for Congress
Received through the CRS Web
Remedies for the Improper Disclosure of
Personal Information
name redacted
Legislative Attorney
American Law Division
Summary
This report provides an overview of the available remedies in selected federal
privacy laws. This report will be updated as events warrant.
Applicable federal statutes provide a wide array of remedies for improper disclosure
of certain personal information. Some provide criminal penalties including fines ranging
from $5,000 to $250,000 and/or imprisonment from 6 months to 10 years depending on
whether the violation was committed under false pretenses or for commercial advantage,
personal gain or malicious harm. Other statutes provide private rights of action for
aggrieved individuals and award actual damages, compensatory damages and punitive
damages for willful, intentional or knowing violations. Other statutes provide that State
attorneys general may bring civil actions on behalf of the residents of a state. A few of
the privacy statutes do not provide for private or state rights of action. Instead, other
agencies, such as the Federal Trade Commission (FTC) are charged with enforcement.
In these instances, the FTC is authorized to bring enforcement actions and impose civil
penalties for violations as unfair and deceptive trade acts or practices under the Federal
Trade Commission Act.1
1 15 U.S.C. §§ 41 et seq.
Congressional Research Service ˜ The Library of Congress
CRS-2
Title
Applies To
Records
Private Right of Action
Civil Penalty
Criminal Penalty
Covered
Fair Credit Reporting
Consumer
Consumer
An aggrieved consumer may
Actual damages of not less than $100 and
Under false pretenses, a
Act of 1970 - 15 U.S.C.
reporting
credit reports.
file suit within two years from
not more than $1,000, punitive damages for
defendant is subject to a fine,
§§ 1681 et seq.
agencies.
the date on which liability
willful noncompliance, litigation costs and
imprisonment for not more
arises for impermissible
attorney fees. For negligent noncompliance,
than 2 years, or both.
disclosure, use or receipt of a
actual damages and litigation costs and
consumer credit report.2
attorney fees. Under false pretenses,
defendant shall be liable to the consumer
reporting agency for the greater of actual
damages or $1,000.
Video Privacy
Videotape
Video rental
An aggrieved person may bring
Actual damages (not less than $2,500),
None.
Protection Act of 1988 -
service
records.
suit within two years from the
punitive damages, litigation costs and
18 U.S.C. § 2710.
providers.
discovery of the alleged
attorney fees.
violations for impermissible
disclosure of personally
identifiable information.
Right to Financial
Financial
Financial
An aggrieved customer may
Actual damages, punitive damages for
None.
Privacy Act of 1978 -
Institutions.
records.
bring suit within three years
willful or intentional disclosure, litigation
12 U.S.C. §§ 3401 et
after discovery of
costs and attorney fees.
seq.
impermissible disclosure to a
government authority.
Telephone Consumer
Tele-
Unsolicited
An aggrieved person or entity
The greater of actual damages or $500 for
None.
Protection Act - 47
marketers.
telephone
may bring suit. State attorneys
each violation. For willful or knowing
U.S.C. § 227.
calls.
general may bring civil action.
violations, the court may award up to treble
damages.
2 See TRW v. Andrews, 122 S. Ct. 441 (2001) (holding that the statute of limitations begins to run when inaccurate disclosures occur, and
not when the victim learns of the disclosures).
CRS-3
Title
Applies To
Records
Private Right of Action
Civil Penalty
Criminal Penalty
Covered
Privacy Act of 1974-
Federal
Individually
An aggrieved individual must
Actual damages (not less than $1,000),
For willful disclosure,
5 U.S.C. § 552a.
agencies.
identifiable
bring suit within two years
litigation costs and attorney fees.
misdemeanor offense and fine
federal agency
after discovery of
of not more than $5,000.
records.
impermissible disclosure.
Family Educational
Educational
Student
No.3
None. An institution with a policy or
None.
Rights and Privacy Act
institutions
records.
practice of improper disclosure shall lose
- 20 U.S.C. § 1232g.
receiving
federal funds.
federal
funds.
Health Insurance
Health
Individually
No. Individuals have the right
None.
For simple violations, fine up
Portability &
plans,
identifiable
to file a formal complaint with
to $50,000 and/or
Accountability Act - 42
health care
health
a covered provider or health
imprisonment of up to one
U.S.C. §§ 1320d et seq.
providers
information.
plan, or with the Department of
year. For violations committed
and
Health and Human Services.
under false pretenses, fine up
clearing-
to $100,000 and/or
houses.
imprisonment up to 5 years.
For offenses committed for
commercial advantage,
personal gain, or malicious
harm, fine up to $250,000
and/or imprisonment up to 10
years.
Cable Communication
Cable
Cable
Any person aggrieved may
Actual damages (but not less than liquidated
None.
Policy Act of 1984 - 47
television
television
bring a civil action for
damages computed at the rate of $100 a day
U.S.C. § 551.
service
subscriber
improper disclosure of
or $1,000, whichever is higher), punitive
providers.
records.
personally identifiable
damages, litigation costs and attorney fees.
information.
3 In Gonzaga v. Doe, the United States Supreme Court held that FERPA provisions create no personal rights to enforce under 42 U.S.C.§
1983. No. 01-679, slip op. at 3-15 (June 20, 2002).
CRS-4
Title
Applies To
Records
Private Right of Action
Civil Penalty
Criminal Penalty
Covered
Telecommunications
Telecomm-
Consumer
No express private right of
FTC authorized to bring enforcement actions
None.
Act of 1996 - 47 U.S.C.
unications
proprietary
action.4
and impose civil penalties for violations as
§ 222.
carriers.
network infor-
unfair and deceptive trade acts or practices
mation.
under the Federal Trade Commission Act.
Electronic
Providers
Telecomm-
An aggrieved individual may
Actual damages (not less than $1,000),
Fine up to $250,000 for
Communications
of
unications, e-
bring a civil action within two
punitive damages for knowing or intentional
individuals and $500,000 for
Privacy Act of 1986 -
electronic
mails and
years of discovery of improper
noncompliance, litigation costs and attorney
organizations, imprisonment of
18 U.S.C. §§ 2510-2522.
comm-
stored
interception or disclosure of
fees.
not more than five years or
unications
computer data.
wire, oral, or electronic
both.
service.
communications.
Computer Fraud and
Anyone.
Computers in
An aggrieved person may bring
Compensatory damages and injunctive
For simple violations ,
Abuse Act - 18 U.S.C. §
which there is
suit within two years after
relief. Damages are limited to economic
imprisonment up to one year
1030
a federal
violation occurs or discovery
damages.
and/or fine. For violations for
interest.
of the damage.
gain or involving more than
$5,000, imprisonment up to
five years and/or fine. For
repeat offenders, imprisonment
up to 10 years and/or fine.
Gramm-Leach-Bliley
Financial
Non-public
No. Consumers can complain
FTC authorized to bring enforcement actions
Fine, imprisonment for not
Act - 15 U.S.C. §§ 6801-
institutions
personal
to one of the seven federal
and impose civil penalties for violations as
more than 5 years, or both.
6809.
financial
agencies that have jurisdiction
unfair and deceptive trade acts or practices
Enhanced penalties for
records.
and enforcement authority over
under the Federal Trade Commission Act.
aggravated cases.
financial institutions.5
4 See, Conboy v. AT&T Corp., 241 F.3d 242,251 (2d Cir. 2001)(finding that Section 222 of the Act did not provide for the recovery of
presumed , or “statutory,” damages).
5 The seven federal agencies which enforce the privacy provisions are: (1) the Federal Deposit Insurance Corporation; (2) the Federal
Reserve; (3) the Office of Thrift Supervision; (4) the Office of the Comptroller of the Currency; (5) the National Credit Union
Administration; (6) the Securities and Exchange Commission; and (7) the Federal Trade Commission.
CRS-5
Title
Applies To
Records
Private Right of Action
Civil Penalty
Criminal Penalty
Covered
Driver’s Privacy
State
Department of
An aggrieved person may bring
Actual damages (not less than $2,500),
Fine for a person who
Protection Act - 18
department
motor vehicle
a civil action for improper use,
punitive damages for willful or reckless
knowingly violates the law.
U.S.C. § 2721.
of motor
records.
disclosure or receipt of
disregard of the law, and reasonable
vehicles
personal information.
attorneys’ fees and other litigation costs.
The Attorney General may impose a civil
penalty of not more than $5,000 a day for
substantial noncompliance.
Federal Trade
Persons,
Deceptive
No.
If the FTC finds that a practice violates the
None.
Commission Act - 15
partner-
practices and
Act it may issue a cease and desist order.
U.S.C. §§ 41 et seq.
ships, and
unfair
Judicial review available.
corpor-
methods.
Injunctive relief or penalty up to $10,000 for
ations.
each violation.
Children’s Online
Commer-
Personally
No - State attorneys general
The FTC is authorized to bring enforcement
None.
Privacy Protection Act
cial
identifiable
may bring civil action on
actions and impose civil penalties for
- 15 U.S.C. §§ 6501et
websites or
information of
behalf of the residents to:
violations as unfair and deceptive trade acts
seq.
online
minors.
- enjoin practice
or practices under the Federal Trade
services
- enforce compliance
Commission Act.
targeted at
- obtain damage, restitution,
children.
or other compensation.
Stored Wire and Elec-
Anyone.
Stored
An aggrieved person may bring
Damages equal to the loss and gain
For violations committed for
tronic Communications
electronic
suit.
associated with the offense but not less than
malicious and mercenary
and Transactional
comm-
$1,000
purposes, imprisonment up to
Records Access Act - 18
unications.
one year and/or fine up to
U.S.C. § 2701 et seq.
$250,000. For lesser offenses,
imprisonment of not more than
six months and/or fine of not
more than $5,000.
EveryCRSReport.com
The Congressional Research Service (CRS) is a federal legislative branch agency, housed inside the
Library of Congress, charged with providing the United States Congress non-partisan advice on
issues that may come before Congress.
EveryCRSReport.com republishes CRS reports that are available to al Congressional staff. The
reports are not classified, and Members of Congress routinely make individual reports available to
the public.
Prior to our republication, we redacted names, phone numbers and email addresses of analysts
who produced the reports. We also added this page to the report. We have not intentional y made
any other changes to any report published on EveryCRSReport.com.
CRS reports, as a work of the United States government, are not subject to copyright protection in
the United States. Any CRS report may be reproduced and distributed in its entirety without
permission from CRS. However, as a CRS report may include copyrighted images or material from a
third party, you may need to obtain permission of the copyright holder if you wish to copy or
otherwise use copyrighted material.
Information in a CRS report should not be relied upon for purposes other than public
understanding of information that has been provided by CRS to members of Congress in
connection with CRS' institutional role.
EveryCRSReport.com is not a government website and is not affiliated with CRS. We do not claim
copyright on any CRS report we have republished.