I've been at this privacy thing for a while now. While many things have changed, such as technology, what hasn't changed is the general lack of public awareness of what laws are on the books protecting privacy and the shock when a new violation of privacy comes to light. People turn to me regularly, and ask, "Scot, surely this is against the law, right?" Well, in true attorney form, I will respond, "It depends." As I have written and spoken about, there are quite a few privacy laws and regulations in place. Indeed, it's not as if legislators have turned a deaf ear to protecting privacy in certain cases. However, what remains to be seen is an omnibus, all-in-one law that safeguards Americans' privacy and establishes a baseline position against disclosing, using, or collecting one's personal information without an individual's consent. And, until people get upset enough to demand one, there never will be.
1. Constitution of the United States of America
"Wait, Scot, the U.S. Constitution protects my privacy." Well, the Constitution protects your privacy in limited cases against action by the federal or state government actors. (Indeed, the word "privacy" does not even appear in the U.S. Constitution.) The protections of the U.S. Constitution have no applicability to your privacy from intrusions by other private citizens or businesses. Rather, a right to privacy has been cobbled together through the case law of the Supreme Court of the United States over the past 100 years. We have bodily privacy, most commonly associated with the right to abortion under Roe v Wade and preceding cases involving contraception, sex, and other private matters. The privacy of religion and other beliefs has been held to be protected under the First Amendment. The privacy of the home is protected against state action under the Third Amendment. The privacy of possessions and person against state action are protected under the Fourth Amendment. The liberty clause under the Fourteenth Amendment was used to protect privacy in many cases, including the privacy of the bedroom in overturning a state law in Lawrence v Texas. Collectively these cases and related Amendments have carved out some protections, or "prenumbras" for privacy, but there remains no explicit omnibus right to one's privacy.
2. State Constitutions
Each of the 50 states has adopted their own constitutions. However, only 10 states have expressly protected the privacy of their citizens in their constitutions. And even with those ten states, the specificity with which privacy is to be protected varies considerably from a rehashing of the 4th Amendment in Illinois to the broad protection for privacy as an inalienable right in California. At best and most generously, there are protections in 20% of the states; hardly an inalienable right.
3. Federal Regulations
In the United States, our capitalistic economy drives privacy by the sectors of business in which personal information is used. We have the Health Insurance Portability and Accountably Act ("HIPAA") for medical information. We have the Gramm Leach Bliley Act ("GLBA") and the Fair Credit Reporting Act ("FCRA") for financial and credit information, respectively. There is the Driver's Privacy Protection Act ("DPPA") to safeguard the personal information retained by state motor vehicle departments. The Privacy Act of 1974 protects the personal information submitted to and used by the U.S. Government on your behalf. And then we have the Child Online Privacy Protection Act ("COPPA") for the protection of the privacy of children under the age of 13 while online (you didn't think Facebook came up with that age on their own, did you?). And the segmented list goes on and on. The unfortunate reality is that this is but a patchwork of laws, and one can easily see how the protections for personal information could fall into the cracks between these laws providing no protection or recourse at all.
4. State Laws and Regulations
As with constitutions, states have come up with their own privacy laws. Some regulatory frameworks are quite extensive, such as that in California. As my colleague Zack Heck recently wrote, California seems to be committed to being the leader in this space with a fresh batch of laws under consideration. Other state laws explicitly protecting privacy are virtually nonexistent, or grouped in with other general consumer protection laws. Each state also has its own flavor of tort law providing remedies for intrusion upon one's seclusion, false light, appropriation of likeness, and public disclosure of private facts. But, again, these are legal remedies for specific harms, and do not establish an overarching expectation of privacy in which the default right for any individual is against the disclosure, collection or use of personal information without consent.
5. Industry Standards
Beyond the law, many industries have adopted best practices for privacy and security if not only for protection against general liability, but as an investment in consumer loyalty for when the inevitable data breach compromises their customer base. And, this effort should not be dismissed as not having an impact on truly protecting the personal information of consumers. But, unless all entities are required to do this, it remains a segmented, patchwork solution.
So what is the answer? For my two cents, to really make privacy a fundamental right as it is in many other developed countries, it will require no less than an amendment to the United States Constitution. Such an amendment must explicitly protect privacy and forever remove any conditions or limitations created by the particular actors in any situation, the industry in which the information is collected, or the "prenumbras" in which privacy has already obtained a modest level of protection. Will this happen anytime soon? No. As with any major legislative or cultural change, the offense and outrage will have to move the needle for those legislators seeking to satisfy the people they represent. Can this happen? Yes, I believe it can, as we saw in the case of the display of the Confederate flag on the state house in South Carolina. If citizens are concerned enough, any change can be possible. We also saw this with the pushback on the Patriot Act leading to significant revisions to the law and prohibitions on various programs collecting information on American citizens. Indeed, Edward Snowden's disclosure did push the needle. As with any change, the question is when the value for privacy will finally tip the scales on protecting privacy as a fundamental and inalienable human right.