US Private Sector Privacy Chapter 02 PDF
Summary
This document is a chapter from a course on U.S. privacy law, covering the U.S. legal framework as of January 5, 2024. It outlines the legal branches and different aspects of the U.S. legal system, including constitutions, legislation, case law, and more.
MGT 6727 (Spring Semester 2024) at Georgia Tech, Chapter 2 – as of 01/05/2024 © IAPP

CHAPTER 2
U.S. Legal Framework

This chapter introduces basic concepts and terms used by privacy professionals in the United States. Much of the material in this chapter will be familiar to lawyers. Privacy compliance in most organizations today, however, involves substantial participation by nonlawyers, including people whose primary background ranges from marketing, information technology (IT) and human resources to public relations and other areas. For all readers, the goal of this chapter is to provide a helpful introduction to the terminology used by privacy professionals.

2.1 Branches of the Government

The U.S. Constitution establishes the framework of the legal system, creating three branches of government. The three branches—legislative, executive and judicial—are designed to provide a separation of powers with a system of checks and balances among the branches. These three branches are also generally found at the state (and often the local) levels.[1] The legislative branch is made up of elected representatives who write and pass laws. The executive branch’s duties are to enforce and administer the law. The judicial branch interprets the meaning of a law and how it is applied, and may examine such issues as a law’s constitutionality and the intent behind its creation.

Table 2-1: Three Branches of U.S. Government

| | Legislative Branch | Executive Branch | Judicial Branch |
|---|---|---|---|
| Purpose | Makes laws | Enforces laws | Interprets laws |
| Who | Congress (House and Senate) | President, vice president, cabinet, federal agencies (such as FTC) | Federal courts |
| Checks and Balances | Congress confirms presidential appointees, can override vetoes | President appoints federal judges, can veto laws passed by Congress | Determines whether the laws are constitutional |

The U.S. Congress, consisting of the Senate and the House of Representatives, is the legislative branch.
Aside from passing laws, Congress can override presidential vetoes; the Senate confirms presidential appointees. When enacting legislation, Congress may also delegate the power to promulgate regulations to federal agencies. For example, Congress has enacted several laws that give the U.S. Federal Trade Commission (FTC) the authority to issue regulations to implement the laws.

The executive branch consists of the president, the vice president, the president’s cabinet, and federal agencies that report to the president. The agencies implement the laws through rule making and enforce the laws through civil and criminal procedures. In addition, the president has veto power over laws passed by Congress and the power to appoint federal judges.

NOT FOR DISSEMINATION. The materials in this course are provided only for the personal use of students in this class in association with this class.

The judicial branch encompasses the federal court system. The lowest courts in the federal system are the district courts, which serve as federal trial courts. Cases decided by a district court can be appealed to a federal appellate court, also referred to as a circuit court. The federal circuit courts are not trial courts but serve as the appeals courts for federal cases. The appeals courts are divided into 12 regional circuits, and each district court is assigned to a circuit; appeals from a district court are considered by the appeals court for that circuit. In addition, there are special courts such as the U.S. Court of Federal Claims and the U.S. Tax Court. At the top of the federal court system is the U.S. Supreme Court, which hears appeals from the circuit courts and decides questions of federal law, including interpreting the U.S. Constitution. In certain circumstances, the Supreme Court may also hear appeals from the highest state courts.
In rare instances, the Supreme Court also has the ability to function as a trial court.

As mentioned above, when given the authority by Congress, federal agencies may promulgate and enforce rules pursuant to law. In this sense, agencies may wield power that is characteristic of all three branches of government. This means that agencies may operate under statutes that give them legislative power to issue rules, executive power to investigate and enforce violations of rules and statutes, and the judicial power to settle particular disputes.

2.2 Sources of Law in the United States

The numerous sources of law in the United States include federal and state constitutions, legislation, case law, contract law, tort law, regulations issued by agencies, and consent decrees.

2.2.1 Constitutions

The supreme law in the United States is the U.S. Constitution, drafted originally by the Constitutional Convention in 1787. The Constitution does not contain the word privacy. Some parts of the Constitution directly affect privacy, such as the Fourth Amendment limits on government searches. The Supreme Court has also recognized an individual’s right to privacy over certain personal decisions, by discussing a “penumbra” of unenumerated constitutional rights arising from numerous constitutional provisions as well as the more general protections of due process of law.[2] In 2022, the U.S. Supreme Court overturned Roe v. Wade, which had provided constitutional restraints on the ability of state governments to outlaw abortion. The 2022 decision overturning Roe v. Wade explicitly stated that the decision was limited to the topic of abortion.[3] Constitutional scholars and privacy advocates, however, have expressed concern that the 2022 Dobbs decision could affect previous decisions of the Supreme Court that found a constitutional right to privacy to protect an individual’s use of contraception, to marry a person of a different race, and to marry a person of the same sex.
These other right-to-privacy decisions were based on the “penumbra” of privacy rights relied upon in Roe v. Wade.[4] This is an area for privacy professionals to watch for developments.

State constitutions are also sources of law and may create stronger rights than are provided in the U.S. Constitution. For example, the California Constitution states, “All people are by nature free and independent and have inalienable rights. Among these are enjoying and defending life and liberty, acquiring, possessing, and protecting property, and pursuing and obtaining safety, happiness, and privacy.”[5] As of the writing of this book, 11 states – including California – expressly recognize a right to privacy.[6]

2.2.2 Legislation

Both the federal Congress and the state legislatures have enacted a variety of privacy and security laws. These regulate many different matters, including certain applications of information (such as use of information for marketing or preemployment screening), certain industries (such as financial institutions or healthcare providers), certain data elements (such as Social Security numbers or driver’s license information) or specific harms (such as identity theft or children’s online privacy).

In the United States, law-making power is shared between the national and state governments. The U.S. Constitution states that the Constitution, and laws passed pursuant to it, is “the supreme law of the land.” Where federal law does not prevent it, the states have power to make law.
Under the Tenth Amendment to the Constitution, “the powers not delegated to the United States by the Constitution, nor prohibited by it to the States, are reserved to the States respectively, or to the people.” In understanding the effect of federal and state laws, it is important to consider whether a federal law “preempts,” or overrides, any state laws on the subject. In many instances, such as for the Health Insurance Portability and Accountability Act (HIPAA) medical privacy rule, states may pass privacy or other laws with stricter requirements than federal law. In other instances, such as the limits on commercial emails in the Controlling the Assault of Non-Solicited Pornography and Marketing (CAN-SPAM) Act, federal law preempts state law, and the states are not permitted to pass stricter provisions.[7]

Aside from this governmental ability to make and enforce laws and regulations, the U.S. legal system relies on legal precedent based on court decisions, the doctrines implicit in those decisions, and their customs and uses. Two key areas of the common law are contracts and torts, discussed in Sections 2.2.4 and 2.2.5.

2.2.3 Case Law

Case law refers to the final decisions made by judges in court cases. When similar issues arise in the future, judges look to past decisions as precedents and decide the new case in a manner that is consistent with past decisions. The following of precedent is known as stare decisis (a Latin term meaning “to let the decision stand”). As time passes, precedents often change to reflect technological and societal changes in values and laws.

Common law refers to legal principles that have developed over time in judicial decisions (case law), often drawing on social customs and expectations. Common law contrasts with law created by statute. For privacy, the common law has long upheld special privilege rules such as doctor-patient or attorney-client confidentiality, even in the absence of statutes protecting that confidentiality.
2.2.4 Contract Law

A contract is a legally binding agreement enforceable in a court of law. The contract may include provisions on issues such as data usage, data security, breach notification, jurisdiction and damages. For example, a company often has a contract with its service providers requiring the latter to implement privacy and security protections when processing personal data provided by the first company. However, not every agreement is a legally binding contract. There are certain fundamental requirements for forming a binding contract:[8]

• An offer is the proposed language to enter into a bargain. An offer must be communicated to another person, and it remains open until it is accepted, rejected, retracted or has expired. Some terms of an offer, such as price, quantity and description, must be specific and definite. Note: A counteroffer ends the original offer.
• Acceptance is the assent or agreement by the person to whom the offer was made that the offer is accepted. This acceptance must comply with the terms of the offer and must be communicated to the person who proposed the deal.
• Consideration is the bargained-for exchange. It is the legal benefit received by one person and the legal detriment imposed on the other person. Consideration usually takes the form of money, property or services. Note: an agreement without consideration is not a contract.

A breach of contract occurs when one party fails to meet its obligations under the contract. The injured party can file a lawsuit asking a court to award monetary damages for the injured party’s losses or to enforce the terms of the contract.[9] It is important to understand that contracts that would otherwise be valid may be unenforceable due to reasons such as misrepresentation or conflict with public policy.[10] A privacy notice may be a contract if a consumer provides data to a company based on the company’s promise to use the data in accordance with the terms of the notice.

2.2.5 Tort Law

Torts are civil wrongs recognized by law as the grounds for lawsuits. These wrongs result in an injury or harm that constitutes the basis for a claim by the injured party. Primary goals of tort law are to provide relief for damages incurred and deter others from committing the same wrongs. There are three general tort categories:

1. Intentional torts. These are wrongs that the defendant knew or should have known would occur through their actions or inactions; for example, intentionally hitting a person or stealing personal information.
2. Negligent torts. These occur when the defendant’s actions were unreasonably unsafe; for example, causing a car accident by not obeying traffic rules or not having appropriate security controls.
3. Strict liability torts. These are wrongs that do not depend on the degree of carelessness by the defendant but are established when a particular action causes damage.[11] Product liability torts fall into this category since they concern potential liability for making and selling defective products, without the need for the plaintiff to show negligence by the defendant.

Historically, the concept of a personal privacy tort has been a part of U.S. jurisprudence since the late 1890s.[12] Privacy torts continue today for actions such as intruding on seclusion, public revelation of private facts, interfering with a person’s right to publicity, and casting a person in a false light. These traditional privacy torts, however, are often subject to the defense that the speaker is exercising free speech rights under the First Amendment.
In addition, courts in recent years have considered a range of other privacy-related torts, such as allegations that a company was negligent for failing to provide adequate safeguards for personal information and thus caused harm due to disclosure of the data. The lack of adequate safeguards thus may expose a company to damages under tort law. Privacy torts remain an unsettled area of law, and courts across the United States have not taken a uniform approach in applying tort principles to privacy-related cases.

2.2.6 Regulations and Rules

As described further in Section 2.4, some federal laws require regulatory agencies such as the FTC or the Federal Communications Commission (FCC) to issue regulations and rules. These place specific compliance expectations on the marketplace. For example, in 2003 the U.S. Congress passed the CAN-SPAM Act, which requires the senders of commercial email messages to offer an “opt-out” option to recipients of these messages. CAN-SPAM provides the FTC and the FCC with the authority to issue regulations that set forth exactly how the opt-out mechanism must be offered and managed.

Aside from promulgating rules and enforcing them, agencies provide guidance in the form of formal opinions. Agency opinions do not necessarily carry the weight of law but do give specific guidance to interested parties trying to interpret agency rules and regulations.[13] Agencies often provide even more informal guidance through published reports, content on their websites, congressional testimony, and speeches at conferences or industry gatherings. These channels are not so much explicit requirements as they are valuable insight into the agency’s mindset, view of the law, and priorities in enforcement.
2.2.7 Consent Decrees

A consent decree is a judgment entered by consent of the parties whereby the defendant agrees to stop alleged illegal activity, typically without admitting guilt or wrongdoing.[14] This legal document is approved by a judge and formalizes an agreement reached between a federal (or state) agency and an adverse party. The consent decree describes the actions the defendant will take, and the decree itself may be subject to a public comment period. Once approved, the consent decree has the effect of a court decision. In the privacy enforcement sphere, for example, the FTC has entered into numerous consent decrees with companies as a result of alleged violations of privacy laws, such as the Children’s Online Privacy Protection Act (COPPA).[15] These consent decrees generally require violators to pay money to the government and agree not to violate the relevant law in the future.

2.3 Key Definitions for Understanding the U.S. Privacy Law Framework

Here are a few legal terms and definitions that are important for understanding the framework of U.S. privacy law:

• Person. Any entity with legal rights, including an individual (a “natural person”) or a corporation (a “legal person”).
• Jurisdiction. The authority of a court to hear a particular case. A court must have jurisdiction over both the type of dispute (“subject matter jurisdiction”) and the parties (“personal jurisdiction”). Government agencies have jurisdictional limits also.
• General versus specific authority. A governmental body can have two types of authority. “General authority” is blanket authority to regulate a field of activity. “Specific authority” is targeted at singular activities that are outlined by legislation. Many agencies have both types of authority. For example, the FTC has general authority over “unfair and deceptive trade practices” and specific authority to enforce COPPA.
• Preemption. A superior government’s ability to have its laws supersede those of an inferior government.[16] For example, the U.S. federal government has mandated that state governments cannot regulate email marketing. The federal CAN-SPAM Act preempts state laws that might impose greater obligations on senders of commercial electronic messages.
• Private right of action. The ability of an individual harmed by a violation of a law to file a lawsuit against the violator.

It is also useful to review the concepts of notice, choice and access in the context of U.S. privacy law.

2.3.1 Notice

Notice is a description of an organization’s information management practices. Notices have two purposes: (1) consumer education and (2) corporate accountability. The typical notice tells the individual what information is collected, how the information is used and disclosed, how to exercise any choices about uses or disclosures, and whether the individual can access or update the information. However, it is important to note that many U.S. privacy laws have additional notice requirements. With the states enacting breach notification laws that have varying requirements for notice, the federal government is now considering a preemptive law to standardize breach-related notification. In addition, for most industries, the promises made in a company’s privacy notice are legally enforceable by the FTC and the states. Privacy notices may also be called privacy statements or even privacy policies, although the term privacy policy is often used to refer to the internal standards used within the organization, whereas notice refers to an external communication issued to consumers, customers or users.
Additionally, protocols, standards and instructions are used by companies to direct their employees to comply with data privacy laws.[17]

2.3.2 Choice

Choice is the ability to specify whether personal information will be collected and/or how it will be used or disclosed. Choice can be express or implied. The term opt-in means an affirmative indication of choice based on an express act of the person giving the consent. For example, a person opts in if they say yes when asked, “May we share your information?” Failure to answer would result in the information not being shared. The term opt-out means a choice can be implied by the failure of the person to object to the use or disclosure. For example, if a company states, “unless you tell us not to, we may share your information,” the person has the ability to opt out of the sharing by saying no. Failure to answer would result in the information being shared. Choice is not always appropriate, but if it is offered, it should be meaningful—that is, it should be based on a real understanding of the implication of the decision.

2.3.3 Access

Access is the ability to view personal information held by an organization. This may be supplemented by allowing updates or corrections to the information. U.S. laws often provide for access and correction when the information is used for substantive decision-making, such as for credit reports.

2.4 Regulatory Authorities Focused on Privacy Issues in the Private Sector

At the federal level, a number of agencies engage in regulatory activities concerning privacy in the private sector.
The FTC has general authority to enforce against unfair and deceptive trade practices, notably including the power to bring “deception” enforcement actions where a company has broken a privacy promise.[18] In certain areas, such as marketing communications and children’s privacy, the FTC has specific regulatory authority. Other federal agencies have regulatory authority over particular sectors. These include the federal banking regulatory agencies (such as the Consumer Financial Protection Bureau, Federal Reserve, and Office of the Comptroller of the Currency), the FCC, the U.S. Department of Transportation (DOT), and the U.S. Department of Health and Human Services (HHS), through its Office of Civil Rights. The U.S. Department of Commerce (DOC) does not have regulatory authority for privacy, but often plays a leading role in privacy policy for the executive branch.

At the state level, state attorneys general have traditionally brought a variety of privacy-related enforcement actions, often pursuant to state laws prohibiting unfair and deceptive practices.[19] Each state attorney general serves as the chief legal advisor to the state government and as the state’s chief law enforcement officer.[20] Many states have successfully pursued such actions, including Washington and Minnesota.[21] California, under the California Privacy Rights Act (CPRA), is the first state in the nation to stand up an independent agency dedicated to enforcing its state comprehensive law, similar to the data protection authorities (DPAs) found in Europe to enforce the General Data Protection Regulation (GDPR).[22]

2.5 Self-Regulation

As discussed in Chapter 3, self-regulatory regimes play a significant role in governing privacy practices in various industries. Examples include the Network Advertising Initiative, the Direct Marketing Association and the Children’s Advertising Review Unit.[23] Some trade associations also issue rules or codes of conduct for members.
In some regulatory settings, government-created rules expect companies to sign up for self-regulatory oversight.

2.6 Keys to Understanding Laws

To understand any law, statute or regulation, it is important to ask six key questions:

1. Who is covered by this law?
2. What types of information (and what uses of information) are covered?
3. What exactly is required or prohibited?
4. Who enforces the law?
5. What happens if I don’t comply?
6. Why does this law exist?

The first two questions relate to the scope of the law. Even if an organization or person is not subject to the law, it may still be useful to understand it. For example, the law may suggest good practices that an organization or individual would want to emulate. It may provide an indication of legal trends. It may also provide a proven way to achieve a particular result, such as protecting individuals in a given situation.

Assuming one is subject to the law, question three explains how to comply with it. Questions four and five help the individual or corporation assess the risks associated with noncompliance or less than perfect compliance. In most cases, companies do what it takes to be materially compliant with applicable laws. There may, however, be a situation where the costs of compliance outweigh the risks of noncompliance for a particular period of time. For example, if a system that is not appropriately compliant with a new law is going to be replaced in a few months, a company may decide that the risks of noncompliance outweigh the costs and risks of trying to accelerate the system transition.

The final question helps foster understanding of the motivation behind the law. Most companies try to comply with both the letter and the spirit of the law.
Knowing why the law was written helps them understand the spirit of the legislation and can also help improve other processes and thus achieve desired results. It may also help companies anticipate regulatory trends.

As an example, consider the security breach notification law in California (California SB 1386), which was the first such law enacted and covers the largest population.[24]

• Who is covered? This law regulates entities that do business in California and that own or license computerized data, including personal information. It applies to natural persons, legal persons and government agencies. Those that do business only in Montana or New York are not subject to this law (although they may wish to be careful about what counts as “doing business”). Even if they conduct business in California, they are not subject to this law if they don’t have computerized data.
• What is covered? This law regulates the computerized personal information of California residents. “Personal information” is an individual’s name in combination with any one or more of the following: (1) Social Security number; (2) California identification card number; (3) driver’s license number; or (4) financial account, credit, or debit card number in combination with security code, access code, or password information required to permit access to an individual’s financial account, when either the name or the data elements are not encrypted. Databases that contain only names and addresses or only encrypted information are not subject to this law.[25]
• What is required or prohibited? This law requires all persons to disclose any breach of system security to any resident of California whose unencrypted personal information was or is reasonably believed to have been acquired by an unauthorized person. A breach of the security of the system means unauthorized acquisition of computerized data that compromises the security, confidentiality or integrity of personal information maintained by the person. The disclosure must be made in as expedient a manner as possible. There is an exception for the good faith acquisition of personal information by an employee or agent of the business, provided the personal information is not used or subject to further unauthorized disclosure. One may also delay providing notice, if law enforcement requests such a delay.
• Who enforces the law? The California attorney general enforces the law, and there is a private right of action.
• What is the consequence for noncompliance? The California attorney general or any citizen can file a civil lawsuit against a noncompliant party seeking damages and forcing compliance.
• Why does this law exist? SB 1386 was enacted because security breaches of computerized databases are feared to cause identity theft—and individuals should be notified about these breaches so they can take steps to protect themselves. Anyone with a security breach that puts people at real risk of identity theft should consider notifying them even if they are not subject to this law.

2.7 Conclusion

This chapter has introduced legal concepts and terminology about basic topics, including the structure of the U.S. government and legal system. Privacy compliance requires knowing the applicable legal rules as well as fulfilling each organization’s policies and goals. The next chapter examines the structure of enforcement actions for alleged privacy violations in the United States.

[1] “The U.S. Constitution mandates that all states uphold a ‘republican form’ of government, although the three-branch structure is not required.” The White House: President Barack Obama, State & Local Government; see U.S. Constitution, Article 4, Section 4, https://www.archives.gov/founding-docs/constitution-transcript (accessed January 2020).
[2] Many of the cases relevant to this discussion have their foundation in protecting private sexual conduct. The term “penumbra” was introduced in the case of Griswold v. Connecticut (1965), voiding a state statute preventing the use of contraceptives. The legal theory introduced in Griswold was followed in multiple U.S. Supreme Court cases, including Roe v. Wade (1973), overturning state law that barred abortion; and Lawrence v. Texas (2003), striking down antisodomy laws. See “The Right to Privacy,” Section 3.4, Criminal Law, Open Textbooks at University of Minnesota Libraries, http://open.lib.umn.edu/criminallaw/chapter/3-4-the-right-to-privacy/.
[3] Dobbs v. Jackson Women’s Health Organization, Supreme Court of the United States, June 24, 2022, https://www.oyez.org/cases/2021/19-1392. For the full opinion, read Dobbs v. Jackson Women’s Health Organization, Slip Opinion, Supreme Court of the United States, June 24, 2022, https://www.supremecourt.gov/opinions/21pdf/19-1392_6j37.pdf.
[4] “Roe v. Wade Overturned,” The New York Times, June 24, 2022, https://www.nytimes.com/2022/06/24/us/roe-wade-overturned-supreme-court.html (accessed July 2022); Jedidiah Bracy, “Leaked Roe v. Wade Opinion Sparks Right-to-Privacy Concerns,” IAPP Privacy Advisor, May 2, 2022, https://iapp.org/news/a/leaked-roe-v-wade-opinion-sparks-right-to-privacy-concerns/ (accessed July 2022).
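Returning to the SB 1386 walk-through in Section 2.6: the scoping questions (who is covered, what counts as personal information, the encryption condition, the good-faith employee exception and the law-enforcement delay) can be written down as a breach-triage check. The following is an added illustration, not code from the chapter or from IAPP, and it encodes only the chapter's summary of the statute; the field names, the BreachedDataset class and the sample data stores are constructed for the example.

```python
"""Breach-scoping helper that encodes the SB 1386 walk-through from Section 2.6.

Added illustration, not code from the chapter or from IAPP: the rules below are
a plain reading of the chapter's summary of the statute (name plus a qualifying
data element, unencrypted; good-faith employee exception; law-enforcement
delay). Field names and datasets are constructed for the example, and every
data store is assumed to be computerized (the chapter's threshold condition).
"""
from dataclasses import dataclass

# Elements that, combined with a name, make a record "personal information".
TRIGGER_ELEMENTS = {"ssn", "ca_id_card", "drivers_license"}
# A financial account number counts only together with the credential needed
# to use it (security code, access code or password).
FINANCIAL_ACCOUNT = "financial_account"
FINANCIAL_CREDENTIALS = {"security_code", "access_code", "password"}


@dataclass
class BreachedDataset:
    """One compromised data store (hypothetical, constructed for the example)."""
    columns: set                 # field names present in the data store
    encrypted: set               # subset of columns stored encrypted
    ca_residents: bool           # holds data about California residents
    does_business_in_ca: bool    # owner/licensor does business in California
    good_faith_employee_acquisition: bool = False
    further_unauthorized_disclosure: bool = False
    law_enforcement_requested_delay: bool = False


def qualifying_elements(ds):
    """Data elements present that can pair with a name to form personal information."""
    elements = ds.columns & TRIGGER_ELEMENTS
    if FINANCIAL_ACCOUNT in ds.columns and ds.columns & FINANCIAL_CREDENTIALS:
        elements = elements | {FINANCIAL_ACCOUNT}
    return elements


def is_personal_information(ds):
    """Name plus at least one qualifying element, where the name or that element
    is stored unencrypted. Encrypted-only and name-and-address-only data stores
    fall outside the chapter's definition."""
    if "name" not in ds.columns:
        return False
    name_in_clear = "name" not in ds.encrypted
    return any(name_in_clear or e not in ds.encrypted for e in qualifying_elements(ds))


def assess(ds):
    """Return (notice_required, notes) for a constructed dataset.

    Walks the chapter's questions in order: who is covered, what is covered,
    what is required, and the two exceptions the chapter mentions."""
    if not ds.does_business_in_ca:
        return False, ["out of scope: owner does not do business in California"]
    if not ds.ca_residents:
        return False, ["out of scope: no California residents' data"]
    if not is_personal_information(ds):
        return False, ["out of scope: no unencrypted personal information as defined"]
    if ds.good_faith_employee_acquisition and not ds.further_unauthorized_disclosure:
        return False, ["exception: good-faith acquisition by an employee or agent"]
    notes = ["notify affected California residents in the most expedient manner possible"]
    if ds.law_enforcement_requested_delay:
        notes.append("notice may be delayed while law enforcement requests it")
    return True, notes


# Constructed sample data stores from a hypothetical incident.
SAMPLES = {
    "mailing_list": BreachedDataset({"name", "address"}, set(), True, True),
    "hr_export": BreachedDataset({"name", "ssn"}, {"ssn"}, True, True),
    "hr_export_fully_encrypted": BreachedDataset({"name", "ssn"}, {"name", "ssn"}, True, True),
    "billing_no_credential": BreachedDataset({"name", "financial_account"}, set(), True, True),
    "billing_with_password": BreachedDataset(
        {"name", "financial_account", "password"}, set(), True, True,
        law_enforcement_requested_delay=True),
    "laptop_misplaced_internally": BreachedDataset(
        {"name", "drivers_license"}, set(), True, True,
        good_faith_employee_acquisition=True),
}


def main():
    for label, ds in SAMPLES.items():
        required, notes = assess(ds)
        print(f"{label}: notice required={required}; " + "; ".join(notes))


if __name__ == "__main__":
    main()
```

The hr_export case shows the encryption condition the chapter stresses: encrypting the Social Security number alone does not take a data store out of scope while the name remains in the clear.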