May 9, 2019

Data Protection and Privacy Law: An Introduction

Recent controversy surrounding how third parties protect the privacy of individuals in the digital age has raised national concerns over legal protections of Americans’ electronic data. The current legislative paradigms governing cybersecurity and data privacy are complex and technical, and lack uniformity at the federal level. This In Focus provides an introduction to data protection laws and an overview of considerations for Congress. (For a more detailed analysis, see CRS Report R45631, Data Protection Law: An Overview, by Stephen P. Mulligan, Wilson C. Freeman, and Chris D. Linebaugh.)

Defining Data Protection

As a legislative concept, data protection melds the fields of data privacy (i.e., how to control the collection, use, and dissemination of personal information) and data security (i.e., how to (1) protect personal information from unauthorized access or use and (2) respond to such unauthorized access or use). Historically, many laws addressed these issues separately, but more recent data protection initiatives indicate a trend toward combining data privacy and security into unified legislative schemes.

Federal Data Protection Laws

While the Supreme Court has interpreted the Constitution to provide individuals with a right to privacy, this right generally guards only against government intrusions. Given the limitations in constitutional law, Congress has enacted a number of federal laws designed to provide statutory protections of individuals’ personal information. However, these statutory protections are not comprehensive in nature and primarily regulate certain industries and subcategories of data. These laws, which differ based on their scope, who enforces them, and their associated penalties, include:

• Children’s Online Privacy Protection Act: provides data protection requirements for children’s information collected by online operators.
• Communications Act of 1934: includes data protection provisions for common carriers, cable operators, and satellite carriers.
• Computer Fraud and Abuse Act: prohibits the unauthorized access of protected computers.
• Consumer Financial Protection Act: regulates unfair, deceptive, or abusive acts in connection with consumer financial products or services.
• Electronic Communications Privacy Act: prohibits the unauthorized access or interception of electronic communications in storage or transit.
• Fair Credit Reporting Act: covers the collection and use of data contained in consumer reports.
• Federal Securities Laws: may require data security controls and data breach reporting responsibilities.
• Federal Trade Commission (FTC) Act: prohibits “unfair or deceptive acts or practices.”
• Gramm-Leach-Bliley Act: regulates financial institutions’ use of nonpublic personal information.
• Health Insurance Portability and Accountability Act: regulates health care providers’ collection and disclosure of protected health information.
• Video Privacy Protection Act: provides privacy protections related to video rental and streaming.

Of these laws, the FTC Act’s prohibition of “unfair or deceptive trade practices” (UDAPs) is especially important in the context of data protection. The FTC has brought hundreds of enforcement actions based on the allegation that companies’ data protection practices violated this prohibition. One of the well-settled principles in FTC practice is that companies are bound by their data privacy and data security promises. The FTC has taken the position that companies act deceptively when they handle personal information in a way that contradicts their posted privacy policy or other statements, or when they fail to adequately protect personal information from unauthorized access despite promises that they would do so. In addition to broken promises, the FTC has maintained that certain data protection practices are unfair, such as when companies have default privacy settings that are difficult to change or when companies retroactively apply a revised privacy policy. However, while the FTC’s enforcement of the UDAP prohibition fills in some statutory gaps in federal data protection law, its authority has limits. In contrast to many of the sector-specific data protection laws, the FTC Act does not require companies to abide by specific data protection policies or practices, and generally does not reach entities that have not made explicit promises concerning data protection.

State Data Protection Laws

Adding to the complex patchwork of federal laws, some states have developed their own statutory frameworks for data protection. Every state has passed some form of data breach response legislation, and many states have consumer protection laws of various types. In addition, California has created a comprehensive data protection regime through the California Consumer Privacy Act (CCPA), which goes into effect on January 1, 2020.

The CCPA governs any company doing business in California that meets certain minimum thresholds, including companies with websites accessible there. The law provides consumers with three main “rights.” First, consumers have a “right to know” information that businesses have collected or sold about them, requiring businesses to inform consumers about the personal data being collected. Second, the CCPA provides consumers with a “right to opt out” of the sale of their personal information. Third, the CCPA gives consumers the right, in certain cases, to request that a business delete any information collected about the consumer (i.e., “right to delete”). The CCPA will be enforced via civil penalties in enforcement actions brought by the California Attorney General.

Foreign Data Protection Law

In addition to U.S. states like California, some foreign nations, including Brazil, South Korea, and Japan, have enacted comprehensive data protection legislation. The EU, in particular, has long applied a more wide-ranging data protection regulatory scheme, and its most recent data protection law, the General Data Protection Regulation (GDPR), has served as a model for other jurisdictions developing data protection policy. The GDPR requires any entity that processes personal data to identify a legal basis for its action (such as consent or “legitimate interests”), and it enumerates eight data privacy rights afforded to individuals. The regulation also includes data breach notification requirements, data security standards, and conditions for cross-border data flows outside the EU.

Issues for the 116th Congress

Data protection policy proposals are constantly evolving, and there is no agreed-upon menu of data protection options. Depending on the contours of a federal proposal, it could implicate various legal concerns, including limitations imposed by the U.S. Constitution.

Conceptual Issues. A primary conceptual point of debate in data protection policy is whether to utilize a so-called “prescriptive” approach in which the law defines data protection rules and obligations, or an “outcome-based” model where legislation focuses on the outcomes of organizational practices, rather than dictating what those practices should be. Both the GDPR and CCPA use a prescriptive approach, but some observers and Trump Administration officials have advocated for an outcome-based paradigm. Another overarching issue is how to define the contours of the data that the federal government proposes to protect or the specific entities or industries that it proposes to regulate. Whereas some federal proposals would cover all “personal” information, others have sought to avoid dual layers of regulation by stating that the proposed requirements would not apply if regulated by existing federal privacy law.

Enforcement. Agency enforcement is another key issue. There are multiple federal agencies responsible for enforcing the myriad federal data protection laws, such as the FTC, Consumer Financial Protection Bureau, Federal Communications Commission, and Department of Health and Human Services. Of these agencies, the FTC is often viewed as the leading data protection enforcement agency, given its significant experience. However, there are several legal constraints on its enforcement ability. In particular, the FTC cannot seek monetary penalties for first-time UDAP violations, but may only seek cease-and-desist orders or equitable relief. It may generally only seek civil penalties after a company has violated a cease-and-desist order or settlement agreement. The FTC also lacks jurisdiction over certain entities, including banks, nonprofits, and common carriers.

Federalism and Preemption. Another legal issue Congress may need to consider with respect to any federal data protection program is how to structure the federal-state regime—that is, how to balance whatever federal program is enacted with the programs and policies in the states. If Congress seeks to adopt a relatively comprehensive system for data protection, Congress could expressly preempt many state laws related to a particular subject matter. Congress could alternatively take a more modest approach to state law by expressly preserving state laws in some ways and preempting them in others. Congress has the option to generally leave intact state schemes parallel to or narrower than the federal scheme, or to render such parallel regulation invalid.

First Amendment. Although legislation on data protection could take many forms, several approaches that would seek to regulate the collection, use, and dissemination of personal information online may have to confront possible limitations imposed by the First Amendment of the U.S. Constitution. While the Supreme Court has recognized that data protection regulation can implicate the First Amendment, this does not mean such laws would be invalid. Instead, the validity of a given information privacy law may depend upon the nature of the law it regulates (e.g., commercial matters can be subject to less scrutiny from a court) and whether the law singles out particular viewpoints or speakers for regulation.

Private Rights of Action. Finally, Congress may seek to establish a private right of action allowing a private plaintiff to bring a lawsuit based on a violation of the new data protection law. However, it may be difficult to prove that someone has been harmed by many of the violations that might occur under a hypothetical data protection regime. Victims of data breaches and other privacy violations, generally speaking, are not always clearly harmed. This obstacle could run up against the limits of the federal courts’ “judicial power” under Article III of the U.S. Constitution. Any federal private right of action, therefore, would be limited in its application to cases in which individuals can show a concrete and particularized harm from a statutory violation.

Stephen P. Mulligan, Legislative Attorney
Chris D. Linebaugh, Legislative Attorney
Wilson C. Freeman, Legislative Attorney

Disclaimer

This document was prepared by the Congressional Research Service (CRS). CRS serves as nonpartisan shared staff to congressional committees and Members of Congress. It operates solely at the behest of and under the direction of Congress. Information in a CRS Report should not be relied upon for purposes other than public understanding of information that has been provided by CRS to Members of Congress in connection with CRS’s institutional role. CRS Reports, as a work of the United States Government, are not subject to copyright protection in the United States. Any CRS Report may be reproduced and distributed in its entirety without permission from CRS. However, as a CRS Report may include copyrighted images or material from a third party, you may need to obtain the permission of the copyright holder if you wish to copy or otherwise use copyrighted material.

https://crsreports.congress.gov | IF11207 · VERSION 1 · NEW