US Privacy Laws: Data Protection Act and Privacy Laws in the United States
What do you consider private information? What does your neighbor? Phrases like "in the privacy of your own home" are tossed about with reckless abandon even though, in a number of states, what transpires there may still be subjected to public law.
A great deal of what we consider to be private falls under a "reasonable expectation of privacy." From this vague notion, it is clear that we live in a transparent world, but the question becomes just who's watching.
Private Sector Privacy Laws
Unlike the public sector, the private sector is subjected to a great deal of federal, state, and local regulation as to the legality of sharing, selling, or reviewing financial and healthcare data. Over the past 100 years, the U.S. government has become increasingly involved in the establishment of civil rights regarding consumer privacy.
The 70s saw a blur of activity in Congress expanding and clarifying the powers of the Federal Trade Commission (FTC), with the first part of the decade focusing on regulating credit reporting agencies and the second on limiting the power of government investigators.
Data Protection Acts
While the Federal Trade Commission (FTC) shares its regulatory powers with federal banking agencies, the Securities and Exchange Commission, the Commodity Futures Trading Commission and state insurance authorities, the laws pertaining to data exchange and privacy protection are taking on a more universal tone.
Acts such as the Fair Credit Reporting Act (FCRA), the Fair and Accurate Credit Transactions Act of 2003 (FACT), the Right to Financial Privacy Act of 1978 (RFPA) and the Gramm-Leach-Bliley Act (GLB Act) have combined to create a relatively thorough protection of both financial data and personal information.
In terms of protection, it is important to note that, under the GLB Act, an individual who obtains or has obtained a financial product or service is a consumer. Those with a continuous relationship are customers. Recently, data protection has expanded to include healthcare information.
What is Nonpublic Information?
Current regulations state that information-collection and information-sharing practices must be disclosed at the beginning of a relationship with a customer or consumer. Nonpublic personal information cannot be disclosed without written consent. An individual has a right to a copy of his credit report and to know who has received his credit report over the last year (or two, for employment purposes).
Nonpublic personal information collected includes, but is not limited to, data from the consumer, the consumer's transactions with a financial institution or its affiliate, from nonaffiliated third parties about the consumer's transactions with them and from credit reporting agencies.
Nonpublic personal information disclosed by financial institutions includes "above line" application data (e.g. name, address and social security number), transaction data (e.g. account number and balances, payment history and credit card usage) and CRA score and credit history.
A financial institution cannot assume that information is publicly available. Therefore, it must take steps to determine whether the information is generally available to the public.
Collected information must be securely protected, though this requirement does not apply to data generated by business or commercial activities.
Data Protection and the Opt-out Option
All financial institutions are required to provide consumers with a notice and an opt-out opportunity before they may disclose information to nonaffiliated third parties outside of what is permitted under the exceptions. They must also provide consumers with ample time to opt out before disclosing data to nonaffiliated third parties.
Account numbers from a credit card or bank account cannot be shared with a nonaffiliated third party for use in telemarketing, direct mail marketing or email marketing, even if the individuals have not opted out of sharing the information for marketing purposes.
They can, however, be used by a service provider for marketing of the institution's own products or services, as long as that agent cannot authorize charges to the account. These data can also be used in a private label credit card program or an affinity program where the participants are identified when the customer enters the program.
Consumer opt-outs must be acted upon at the soonest reasonable opportunity. Any changes to a privacy policy must be provided to a consumer, and an accurate privacy policy must be provided to customers at least annually. State data protection laws may not be "inconsistent" with federal law, though they may differ if they allow "greater protection" to consumers.
A financial institution may not release data to a government authority unless the records sought are noted with reasonable specificity in a warrant or subpoena and a copy of the writ has been served upon the customer. This is true unless the request falls under articles of the USA PATRIOT Act wherein the subject is a suspected terrorist.
Health Insurance Portability and Accountability Act (HIPAA)
First established in 1996 under the Department of Health and Human Services (HHS), HIPAA was followed by Congressional pressure calling for the HHS to draft regulations explicitly protecting patient privacy rights. The Standards for Privacy of Individually Identifiable Health Information were implemented in April 2004. The updated regulation states:
- Healthcare information cannot be shared with current or future employers without written consent of the patient.
- Patients are informed on how their information may be used and shared in advance.
- Signed authorization by the patient is required for the sharing of their information for marketing purposes including sales calls and advertising.
- Signed authorization by the patient is required for the release of medical information to a marketing firm, financial institution, insurance agent or any other business or person for purposes not related to healthcare.