Data Protection and Privacy Law: An Introduction

Updated October 12, 2022

Recent controversy surrounding how third parties protect the privacy of individuals in the digital age has raised national concerns over legal protections of Americans’ electronic data. The current legislative paradigms governing cybersecurity and data privacy are complex and technical and lack uniformity at the federal level. This In Focus provides an introduction to data protection laws and an overview of considerations for Congress. (For a more detailed analysis, see CRS Report R45631, Data Protection Law: An Overview, by Stephen P. Mulligan, Wilson C. Freeman, and Chris D. Linebaugh.)

Defining Data Protection

As a legislative concept, data protection melds the fields of data privacy (i.e., how to control the collection, use, and dissemination of personal information) and data security (i.e., how to protect personal information from unauthorized access or use and respond to such unauthorized access or use). Historically, many laws addressed these issues separately, but more recent data protection initiatives indicate a trend toward combining data privacy and security into unified legislative schemes.

Federal Data Protection Laws

While the Supreme Court has interpreted the Constitution to provide individuals with a right to privacy, this right generally guards only against government intrusions. Given the limitations in constitutional law, Congress has enacted a number of federal laws designed to provide statutory protections of individuals’ personal information. However, these statutory protections are not comprehensive in nature and primarily regulate certain industries and subcategories of data. These laws—which differ based on their scope, who enforces them, and their associated penalties—include:

Children’s Online Privacy Protection Act: provides data protection requirements for children’s information collected by online operators.

Communications Act of 1934: includes data protection provisions for common carriers, cable operators, and satellite carriers.

Computer Fraud and Abuse Act: prohibits the unauthorized access of protected computers.

Consumer Financial Protection Act: regulates unfair, deceptive, or abusive acts in connection with consumer financial products or services.

Electronic Communications Privacy Act: prohibits the unauthorized access or interception of electronic communications in storage or transit.

Fair Credit Reporting Act: covers the collection and use of data contained in consumer reports.

Federal Securities Laws: may require data security controls and data breach reporting responsibilities.

Federal Trade Commission (FTC) Act: prohibits unfair or deceptive acts or practices.

Gramm-Leach-Bliley Act: regulates financial institutions’ use of nonpublic personal information.

Health Insurance Portability and Accountability Act: regulates health care providers’ collection and disclosure of protected health information.

Video Privacy Protection Act: provides privacy protections related to video rental and streaming.

Of these laws, the FTC Act’s prohibition of “unfair or deceptive acts or practices” (UDAPs) is especially important in the context of data protection. The FTC has brought hundreds of enforcement actions based on the allegation that companies’ data protection practices violated this prohibition. One of the well-settled principles in FTC practice is that companies are bound by their data privacy and data security promises. The FTC has taken the position that companies act deceptively when they handle personal information in a way that contradicts their posted privacy policies or other statements or when they fail to adequately protect personal information from unauthorized access despite promises that they would do so. In addition to broken promises, the FTC has maintained that certain data protection practices are unfair, such as when companies have default privacy settings that are difficult to change or when companies retroactively apply revised privacy policies. However, while the FTC’s enforcement of the UDAP prohibition fills in some statutory gaps in federal data protection law, its authority has limits. In contrast to many of the sector-specific data protection laws, the FTC Act does not require companies to abide by specific data protection policies or practices and has historically been interpreted not to reach entities that have not made explicit promises concerning data protection. In August 2022, the FTC issued an advance notice of proposed rulemaking and request for public comment (87 FR 51273) on whether it should implement more comprehensive data protection regulations.

State Data Protection Laws

Adding to the complex patchwork of federal laws, some states have developed their own statutory frameworks for data protection. Every state has passed some form of data breach response legislation, and many states have consumer protection laws of various types. In addition, California created one of the first state-level comprehensive data protection regimes through the California Consumer Privacy Act (CCPA).

The CCPA governs any company doing business in California that meets certain minimum thresholds, including companies with websites accessible there. The law provides consumers with three main “rights.” First, consumers have a right to know information that businesses have collected or sold about them, requiring businesses to inform consumers about the personal data being collected. Second, the CCPA provides consumers with a right to opt out of the sale of their personal information. Third, the CCPA gives consumers the right, in certain cases, to request that a business delete any information collected about the consumer (i.e., right to delete). The CCPA is enforced via civil penalties in enforcement actions brought by the California attorney general.

Foreign Data Protection Law

In addition to U.S. states such as California, some foreign nations have enacted comprehensive data protection legislation. The EU, in particular, has long applied a more wide-ranging data protection regulatory scheme, and its data protection law, the General Data Protection Regulation (GDPR), has served as a model for other jurisdictions developing data protection policy. The GDPR requires any entity that processes personal data to identify a legal basis for its action (such as consent or “legitimate interests”), and it enumerates eight data privacy rights afforded to individuals. The regulation also includes data breach notification requirements, data security standards, and conditions for cross-border data flows outside the EU.

Issues for Congress

Data protection policy proposals are constantly evolving, and there is no agreed-upon menu of data protection options. Depending on the contours of a particular proposal, federal-level data protection legislation could implicate various legal concerns, including constitutional limitations.

Conceptual Issues. A primary conceptual point of debate in data protection policy is whether to use a “prescriptive” approach in which the law defines data protection rules and obligations or an “outcome-based” model where legislation focuses on the outcomes of organizational practices rather than dictating what those practices should be. Both the GDPR and the CCPA use a prescriptive approach, but some observers advocate for an outcome-based paradigm. Another overarching issue is how to define the contours of the data that the federal government proposes to protect or the specific entities or industries that it proposes to regulate. Whereas some federal proposals would cover all “personal” information, others have sought to avoid dual layers of regulation by stating that the proposed requirements would not apply if regulated by existing federal privacy law.

Enforcement. Agency enforcement is another key issue. There are multiple federal agencies responsible for enforcing the myriad federal data protection laws, such as the FTC, Consumer Financial Protection Bureau, Federal Communications Commission, and Department of Health and Human Services. Of these agencies, the FTC is often viewed as the leading data protection enforcement agency given its significant experience. However, there are several legal constraints on its enforcement ability. In particular, the FTC cannot seek monetary penalties for first-time UDAP violations but may seek only cease-and-desist orders or injunctions. It may generally seek only civil penalties after a company has violated a cease-and-desist order or settlement agreement. The FTC also lacks jurisdiction over certain entities including banks, nonprofits, and common carriers.

Federalism and Preemption. Another legal issue Congress may need to consider with respect to any federal data protection program is how to structure the federal-state regime—that is, how to balance whatever federal program is enacted with the programs and policies in the states. If Congress seeks to adopt a relatively comprehensive system for data protection, Congress could expressly preempt many state laws related to a particular subject matter. Congress could alternatively take a more modest approach to state law by expressly preserving state laws in some ways and preempting them in others. Congress has the option to generally leave intact state schemes parallel to or narrower than the federal scheme or to render such parallel regulation invalid.

First Amendment. Although legislation on data protection could take many forms, several approaches that would regulate the collection, use, and dissemination of personal information online may have to confront possible limitations imposed by the First Amendment of the U.S. Constitution. While the Supreme Court has recognized that data protection regulation can implicate the First Amendment, this does not mean such laws would be invalid. Instead, the validity of a given information privacy law may depend upon the nature of the law it regulates (e.g., commercial matters can be subject to less scrutiny from a court) and whether the law singles out particular viewpoints or speakers for regulation.

Private Rights of Action. Finally, Congress may seek to establish a private right of action allowing a private plaintiff to bring a lawsuit based on a violation of the new data protection law. However, it may be difficult to prove that someone has been harmed by many of the violations that might occur under a hypothetical data protection regime. Victims of data breaches and other privacy violations, generally speaking, are not always clearly harmed. This obstacle could run up against the limits of the federal courts’ “judicial power” under Article III of the U.S. Constitution. Any federal private right of action, therefore, would be limited in its application to cases in which individuals can show a concrete and particularized harm from a statutory violation.

Stephen P. Mulligan, Legislative Attorney
Chris D. Linebaugh, Legislative Attorney

IF11207

https://crsreports.congress.gov

Disclaimer
This document was prepared by the Congressional Research Service (CRS). CRS serves as nonpartisan shared staff to
congressional committees and Members of Congress. It operates solely at the behest of and under the direction of Congress.
Information in a CRS Report should not be relied upon for purposes other than public understanding of information that has
been provided by CRS to Members of Congress in connection with CRS’s institutional role. CRS Reports, as a work of the
United States Government, are not subject to copyright protection in the United States. Any CRS Report may be
reproduced and distributed in its entirety without permission from CRS. However, as a CRS Report may include
copyrighted images or material from a third party, you may need to obtain the permission of the copyright holder if you
wish to copy or otherwise use copyrighted material.

https://crsreports.congress.gov | IF11207 · VERSION 3 · UPDATED