The Privacy Law Problem: Why United States Privacy Protection Falls Short

Abby Sokolowski*

The amount of data is growing exponentially and is expected to continue to grow over the next five years, and US privacy law is failing to keep up.1 As data explodes, the flaws of the current US privacy framework become clearer, emphasizing the need for a comprehensive federal framework. The current data privacy framework in the US consists of sector-specific laws, enforcement by the Federal Trade Commission (FTC), and state privacy laws. Because of these sectoral privacy laws, overreliance on the FTC, and limitations of state privacy laws, US privacy protection has significant gaps. While efforts are underway to create a comprehensive federal privacy law,2 the growing concern over data privacy means the US must act fast.

Sector-Specific Privacy Laws  

The US does not have all-encompassing federal legislation that protects privacy in how personal data is used, stored, or shared. Instead, the US has sector-specific privacy laws.3 These laws protect data that concerns certain sectors of the economy.4 The laws cover sectors ranging from health data, genetic information, student records and information, and financial information to video tape rental records.5 Some of these sector-specific laws go by popular acronyms such as HIPAA or FCRA.6 Even the Privacy Act of 1974—despite its comprehensive-sounding title—applies only to the government sector or government-controlled entities, and not private companies.7 While these sector-specific laws cover specific areas extensively, they leave other sectors open and nearly unprotected. This is where the FTC comes in.

Reliance on the Federal Trade Commission as a Privacy Agency

The US relies on the FTC to provide broad protection of consumer privacy where the sector-specific laws do not reach.8 However, the FTC was not created to enforce privacy rights. It is the lead enforcement agency charged with protecting consumers’ privacy, despite nothing in its statutory authority listing the word “privacy.”9 When it was created in 1914, the FTC’s job was to ensure fair competition in commerce.10 A significant expansion of the FTC came from Section 5 of the Federal Trade Commission Act (FTC Act).11 Section 5 expanded the Commission’s jurisdiction to “prevent unfair methods of competition and unfair or deceptive acts or practices in or affecting commerce.”12 The FTC’s reach expanded in the late 90s when the internet was created, and concern arose over the amount of data collected from searching the web.13 The FTC then became involved in consumer privacy issues at the wish of Congress.14 Congress also granted the FTC authority to enforce several of the sector-specific privacy policies that make up the US privacy framework.15 This put the FTC into the privacy realm. However, the FTC’s crackdowns on unfair or deceptive acts and practices are more reactive than proactive and do not have a significant impact. Additionally, Congress has made it difficult for the FTC to exercise its rule-making authority by stalling the Commission’s passage of rules for many years.16

As a practical matter, FTC enforcement of privacy violations is quite limited. An act or practice is considered unfair if it “causes or is likely to cause substantial injury to consumers which is not reasonably avoidable by consumers themselves and not outweighed by countervailing benefits to consumers or to competition.”17 An act or practice is deceptive when (1) a representation, omission, or practice misleads or is likely to mislead the consumer, (2) the consumer’s interpretation of the representation, omission, or practice is considered reasonable under the circumstances, and (3) the misleading representation, omission, or practice is material.18 Even though the statutory authority given to the FTC does not mention the word “privacy,” the acts or practices it is concerned with are privacy related.19 Therefore, there are two ways the FTC finds a privacy violation: an unfair trade practice or a deceptive trade practice.20 The main goal of the FTC is to protect consumers, not to protect privacy.

If a company lacks a privacy policy, then the FTC has nothing to enforce, because the FTC can only enforce FTC Act violations and infringements like the unfair or deceptive trade practices mentioned above.21 Without a comprehensive federal privacy law, companies are under no obligation to promise protection or to have a privacy policy at all, unless the company is subject to a sector-specific privacy law or a state-specific law. This means the FTC’s enforcement is restricted to focusing solely on actual and enforced policies.22 Additionally, while the FTC protects consumers from unfair trade practices, it does not concern itself with non-deceptive use of private data, or with data that falls outside of a consumer relationship.23 An example of data that falls outside of a consumer relationship is a photo taken of you by a city government for purposes of government surveillance. Because the US has a privacy agency that is unable to have a wide-reaching impact, some states have taken privacy matters into their own hands.

State Comprehensive Privacy Laws

With this gap in federal regulation and lack of complete and proactive enforcement, states have begun to enact their own privacy laws. Currently, California, Colorado, Connecticut, Delaware, Indiana, Iowa, Montana, New Jersey, Oregon, Tennessee, Texas, Utah, and Virginia are the states that have enacted their own comprehensive privacy laws.24 Several others have proposed laws.25 This list only consists of states that have their own comprehensive laws; however, more may have their own sector-specific privacy laws.26 With states enacting their own legislation, data privacy looks different all over the country. This sometimes causes conflicting protection.

State privacy laws protect the privacy of individuals who reside in that state, regardless of what state the company is located in.27 Due to the modernization of technology, it is rare that an individual’s digital footprint remains contained within one state.28 This can create confusion for consumers when certain privacy products or features are not available to them.29 For individuals who reside in a state with a comprehensive data privacy law, it may create confusion about what rights apply to them and when.30 For companies, compliance costs may rise as more resources need to be spent to figure out what laws apply.31 In some scenarios, the cost may come from creating features that require compliance with a state law.32 Overall, with the patchwork of laws surrounding data privacy, consumers are unsure how protected they are and when they are protected. Companies are required to spend vast amounts of resources complying with various laws and run the heightened risk of getting it wrong.33

Data privacy law in the US needs work. With the growing mass of data, privacy is of utmost importance. For many years, the US privacy framework has relied on sector-specific privacy laws and the FTC to crack down on unfair or deceptive trade practices. Recently, states began to act in creating state comprehensive privacy laws. This ultimately contributed to the problem—a patchwork of laws that make compliance difficult and consumer protection confusing. Ultimately, the framework in the US has a huge gap. In order to close this gap, the US needs to pass a comprehensive federal data privacy law.


* Abby Sokolowski, J.D. Candidate, University of St. Thomas School of Law Class of 2024, Submission Editor of the University of St. Thomas Law Journal.

1. See Petroc Taylor, Amount of Data Created, Consumed, and Stored 2010-2020, with Forecasts to 2025, Statista (Nov. 16, 2023), https://www.statista.com/statistics/871513/worldwide-data-created/.
2. See Andrew Folks, US State Privacy Legislation Tracker, iapp (Dec. 8, 2023), https://iapp.org/resources/article/us-state-privacy-legislation-tracker/.
3. See Shawn Marie Boyne, Data Protection in the United States, 66 Am. J. Compar. L. 299, 299 (2018); Conor Murray, U.S. Data Privacy Protection Laws: A Comprehensive Guide, Forbes (Apr. 21, 2023, 9:02 AM EDT), https://www.forbes.com/sites/conormurray/2023/04/21/us-data-privacy-protection-laws-a-comprehensive-guide/?sh=6e6dad695f92.
4. See Shawn Marie Boyne, Data Protection in the United States, 66 Am. J. Compar. L. 299, 299 (2018).
5. Id. at 301–02, 308.
6. See id. at 302.
7. Id. at 300; see 5 U.S.C. § 552(f) (defining “agency” as “any executive department, military department, Government corporation, Government controlled corporation, or other establishment in the executive branch of the Government…or any independent regulatory agency.”).
8. See Stephen P. Mulligan & Chris D. Linebaugh, Cong. Rsch. Serv., RL45631, Data Protection Law: An Overview 2 (2019).
9. See Boyne, supra note 3, at 301; Trust and Trade, A Brief History of Privacy Enforcement by the FTC, Am. Bar Ass’n, at 00:48 (Nov. 20, 2023), https://www.americanbar.org/groups/antitrust_law/resources/podcasts/trust-and-trade/brief-history-privacy-enforcement-by-ftc/.
10. Daniel J. Solove & Woodrow Hartzog, The FTC and the New Common Law of Privacy, 114 Colum. L. Rev. 583, 598 (2014).
11. Id.
12. Federal Trade Commission Act, 15 U.S.C. §§ 41–58.
13. See Solove & Hartzog, supra note 10, at 590.
14. Solove & Hartzog, supra note 10, at 598.
15. Boyne, supra note 3, at 301 (listing the Truth in Lending Act, the Controlling the Assault of Non-Solicited Pornography and Marketing Act, the Children’s Online Privacy Protection Act, the Equal Credit Opportunity Act, the Fair Credit Reporting Act, the Fair Debt Collection Practices Act, and the Telemarketing and Consumer Fraud and Abuse Prevention Act).
16. See Dan Bosch, Primer: The FTC and Magnuson-Moss Rulemaking, Am. Action F. (Sept. 21, 2022), https://www.americanactionforum.org/insight/primer-the-ftc-and-magnuson-moss-rulemaking/#:~:text=THE%20MAGNUSON%2DMOSS%20PROCESS,-Congress%20gave%20the&text=In%201980%2C%20Congress%20enacted%20additional,targeted%20enforcement%20of%20specific%20abuses.
17. 15 U.S.C. § 45.
18. Fed. Reserve Bd., Federal Trade Commission Act, Section 5: Unfair or Deceptive Acts or Practices, Consumer Compliance Handbook 1 (Dec. 31, 2017) https://www.federalreserve.gov/boarddocs/supmanual/cch/200806/ftca.pdf; see Federal Trade Commission, FTC Policy Statement on Deception (Oct. 14, 1983) https://www.ftc.gov/system/files/documents/public_statements/410531/831014deceptionstmt.pdf.
19. See Solove & Hartzog, supra note 10, at 598–99.
20. Solove & Hartzog, supra note 10, at 599; Boyne supra note 3, at 301.
21. Solove & Hartzog, supra note 10, at 599.
22. Solove & Hartzog, supra note 10, at 599.
23. See The FTC is Currently the Primary Privacy Enforcer but Its Enforcement Is Limited, New Am., https://www.newamerica.org/oti/reports/enforcing-new-privacy-law/the-ftc-is-currently-the-primary-privacy-enforcer-but-its-authority-is-limited/ (last visited Dec. 28, 2023).
24. Folks, supra note 2.
25. Caroline Wills, Bridging the Gap Between Policy and Technology: Statewide Data Privacy Laws, CSG (Feb. 6, 2023), https://www.csg.org/2023/02/06/bridging-the-gap-between-policy-and-technology-statewide-data-privacy-laws/#:~:text=As%20of%20January%202023%2C%20the,or%20specific%20kinds%20of%20data.
26. Folks, supra note 2.
27. Thorin Klosowski, The State of Consumer Data Privacy Laws in the US (And Why It Matters), N.Y. Times (Sept. 6, 2021), https://www.nytimes.com/wirecutter/blog/state-of-privacy-laws-in-us/.
28. Jennifer Huddleston & Gent Salihu, The Patchwork Strikes Back: State Data Privacy Laws After the 2022–2023 Legislative Session, CATO Inst. (July 6, 2023, 1:25 PM), https://www.cato.org/blog/patchwork-strikes-back-state-data-privacy-laws-after-2022-2023-legislative-session-0.
29. Id.
30. See id.
31. Id.
32. Id.
33. This concern does not extend to businesses that only serve customers residing in the business’s home state. However, this might disincentivize businesses from expanding.
