Legal Privacy Protections in the Internet Age - Module 2 of 5

Module 2: Legal Privacy Protections in the Internet Age

            Privacy is not only a moral prerogative, it’s a legal right guaranteed by the Constitution, at least when it comes to government interference. However, in the modern age, technology has evolved to a point where much of our personal information is shared as data. Sometimes, we offer this information up voluntarily. Other times, it’s collected from our online activities. Regardless, personal information shared publicly raises important legal issues regarding privacy rights and the security of our virtual activities.

         This module begins with an overview of the constitutional foundations of the right to privacy in the United States, particularly as they have been applied in the age of electronic surveillance. The discussion then turns to the federal approach to online privacy and personal electronic data protection, including what the government does to protect private information it collects and stores electronically. The module closes with a discussion of national and state-level online privacy protection laws, which often function to protect consumers even across jurisdictional lines.

The Constitutional Right to Privacy

            The right to privacy against government interference stems from various constitutional provisions, most importantly the protection against unreasonable searches and seizures in the Fourth Amendment. However, this provision addresses only physical interferences with tangible things, specifically “persons, houses, papers, and effects.”[1] This leaves open the question of whether the constitutional right to privacy should extend to virtual interference with intangible things, like private communications and personal data.

           The landmark Supreme Court case of Katz v. United States in 1967 was the first major decision dealing with how technological advancements impact our right to privacy. [2]  The case involved an electronic listening device secretly installed on a public payphone by the FBI. The surveillance technology recorded Katz making illegal gambling wagers by phone. The FBI didn’t have a warrant for the device, so Katz challenged the evidence collected against him, claiming it was a violation of his Fourth Amendment rights. The Supreme Court agreed with Katz, holding that the Constitutional right to privacy extends to anyone who has a “reasonable expectation” that their information is private.[3]

           Since Katz, the courts have grappled with how new methods of physical detection impact the right to privacy. In Kyllo v. United States, [4] a federal law enforcement agent used a mobile thermal imager – a device created to detect heat signatures – to determine that the defendant was likely growing marijuana in his home.[5] The defendant argued that the heat signature evidence violated the Fourth Amendment because the thermal imager effectively searched his home without a warrant. The lower courts dismissed Kyllo’s argument, ruling that the defendant had no objectively reasonable expectation of privacy, as the thermal imager “did not expose any intimate details of Kyllo’s life.”[6] On appeal, however, the Supreme Court reversed. The Court held that the thermal imaging of Kyllo’s house constituted an intrusion into his home. Activities done behind closed doors, the Court ruled, are performed with a reasonable expectation of privacy even if technology allows infiltration without a physical intrusion.

           Over time, the courts have repeatedly considered which methods of government surveillance raise constitutional privacy concerns. This is an evolving field of law and whether a right to privacy is violated remains a case-by-case determination largely dependent on what is a reasonable expectation under the circumstances. Activities performed behind closed doors are presumed private, as evidenced by the very act of shielding them from view.

          But in the digital age, applying the concept can be murky. Things like metadata and digital cookies often collect data on our online activities even when we are using private computers on personal internet connections in the sanctity of our own homes. Although Supreme Court precedent has developed ways to protect people’s privacy from intrusions based on modern technology, case law has left several questions regarding cyber-privacy unresolved. As a result, state and federal legislators have developed laws designed to protect people’s rights to digital privacy.

Privacy Laws Regulating Government Activity

         The landmark Katz decision kicked off the development of several state and federal laws to protect privacy rights. In 1968, immediately following the Katz case, Congress enacted the Wiretap Act to protect privacy while also affording law enforcement the ability to intercept telephone communications under appropriate circumstances.[7] However, the Supreme Court ruled that the Act only covered the interception of telephone or oral communications, excepting a broad range of potentially private information that could be collected incident to the wiretap.[8] This caused Congress to expand the protections of the Wiretap Act, which it accomplished through the Electronic Communications Privacy Act of 1986.[9]

        This Act amended the existing statute regulating wiretaps to include the digital transmission of electronic data, creating an additional level of protection against the disclosure of electronic communications. The law outlaws the unauthorized interception of wire, oral, or electronic communications and lists the procedures the government must follow when using electronic surveillance devices. The law also includes the Stored Communications Act, which focuses on the privacy of stored electronic communications and the government’s access to them.[10]Congress enacted the law to update federal privacy laws to reflect recent advances in electronic communication technology.[11] All of the sudden, personal information was being recorded and transferred by mass e-mail operations, cell phones, computer-to-computer transmissions, teleconferencing software and a growing list of new technologies designed to facilitate communication.[12] The Electronic Communications Privacy Act preceded the World Wide Web, but it foreshadowed the legal issues raised by the long-term storage of data conducted by many modern online service providers.[13]

       As progressive as it was for its time, the Electronic Communications Privacy Act has recently attracted substantial criticism by technology companies and privacy advocates. Critics claim that the laws are not useful in the digital era because they fail to provide adequate privacy protections against evolving technologies that make use of personal information.[14]

      Over the past few years, there have been attempts at updating the Electronic Communications Privacy Act. In 2011, the Senate introduced a set of amendments that would have required law enforcement to obtain a search warrant before accessing the content of any electronic communication, no matter how long it had been stored and even if it had never been retrieved by the recipient.[15] In 2013, Representative Kevin Yoder introduced a similar bill in the House. However, these amendments never passed.[16] Proposed amendments to the Electronic Communications Privacy Act and Email Privacy Act were reintroduced in 2015, and they are still pending.[17]

       The Homeland Security Act of 2002, originally introduced in the aftermath of the September 11 terrorist attacks, represented one significant development in federal electronic privacy protections.  The primary mission of the Homeland Security Act was to prevent terrorist attacks in the United States, reduce the vulnerability of the United States to terrorism and minimize damage and assist in recovery from terrorist attacks that do occur.[18] However, the law also included staunch privacy protections designed to ensure that domestic citizens’ privacy rights remain intact despite the increase in law enforcement efforts. The law’s privacy-related objectives regulate the collection, use, and disclosure of personally identifiable information.

      Under this law, the federal government may not use certain technologies to monitor private activities without a warrant supported by probable cause. However, the effectiveness of this law has been questioned. Most notably, classified information leaked by former National Security Agency subcontractor Edward Snowden in 2013 indicated that state-sponsored domestic surveillance has been ongoing for some time.[19] Thus, although there is widespread support for amendments to the federal laws regulating electronic surveillance, it remains to be seen whether anything will come of it.

Private Information Stored Electronically

       The Privacy Act of 1974 was passed in response to the increasing collection and use of personal information by the government.[20] The Privacy Act established a code of so-called “fair information practices,” which governs the collection, maintenance, use, and dissemination of personal information that is recorded by the federal government.[21] It also requires consent before any personal information held by the government is disclosed, subject to some exemptions.[22]

        President Gerald Ford, a strong advocate of personal privacy, regarded the Privacy Act as an important “first step” toward safeguarding individuals.[23] While its protections were limited, the Privacy Act represented the first official embodiment of the fair information principles and practices that have been incorporated in many other online data protection efforts. Now, the notice and disclosure precedent set by the Privacy Act serves as the basic standard for privacy protections applied to electronic data and it has even been written into the laws of states. For example, Nevada and Minnesota have each passed similar laws requiring Internet Service Providers to comply with privacy rules pertaining to information they collect from customers.[24] As the internet becomes the dominant source for marketing, sales and the distribution of products and services, specialized laws are still being developed to protect people online.

National Online Privacy Protection

        Outside the realm of government activity, the United States has been slow to develop online privacy laws that prevent private companies from collecting, using, and sharing personal information collected from people’s virtual activities. In 2018, the European Union put into effect the General Data Protection Regulation, which requires companies using internet users’ personal data to first obtain consent. This protection extends to many types of information, including a person’s IP address and browsing history.[25] While many multinational companies operating in the United States and Europe have changed their privacy policies to reflect the new regulation, no such similar law exists in the United States.

       The U.S. does, however, protect the online privacy of children. By 1998, 10 million children in the United States had access to the internet.[26] Around that same time, researchers showed that young children are unable to understand the potential ramifications of revealing their personal information online. In response, Congress enacted the Children’s Online Privacy Protection Act, or “COPPA.” The Act has been administered by the Federal Trade Commission, which developed its own implementing regulation - the subsequent Children’s Online Privacy Protection Rule. COPPA sets forth privacy standards for websites “directed towards children” under the age of thirteen. The law and its supplemental regulations require these websites to give notice regarding the use and nature of information collected. COPPA also requires websites to obtain “verifiable parental consent” before collecting or using children’s personal information.[27] While COPPA was revolutionary when enacted, many have been calling for an overhaul providing stricter regulation on the collection and dissemination of personal information.[28] However, as it has been regarding most federal online privacy laws, Congress has been slow to react. Instead, most online privacy protection laws in the United States have come from states.[26]        

       Around that same time, researchers showed that young children are unable to understand the potential ramifications of revealing their personal information online. In response, Congress enacted the Children’s Online Privacy Protection Act, or “COPPA.” The Act has been administered by the Federal Trade Commission, which developed its own implementing regulation - the subsequent Children’s Online Privacy Protection Rule.

       COPPA sets forth privacy standards for websites “directed towards children” under the age of thirteen. The law and its supplemental regulations require these websites to give notice regarding the use and nature of information collected. COPPA also requires websites to obtain “verifiable parental consent” before collecting or using children’s personal information.[27] While COPPA was revolutionary when enacted, many have been calling for an overhaul providing stricter regulation on the collection and dissemination of personal information.[28] However, as it has been regarding most federal online privacy laws, Congress has been slow to react. Instead, most online privacy protection laws in the United States have come from states.

State-Level Online Privacy Protections

        One of the hallmarks of our federalist legal system is the ability for states to step in where federal laws are lacking. Recognizing the shortcomings in national online privacy protections, many state legislatures have passed laws that create the privacy protections. In fact, many states have passed laws regulating mandatory disclosures in the event personal digital information is accessed by hackers or other unauthorized sources.

        The California Online Privacy Protection Act was a landmark internet privacy law enacted in 2003. It applies to anyone whose website collects personally identifiable information from California consumers. It requires operators to post privacy policies on websites in conspicuous places. It also requires compliance with the published privacy policies and gives consumers opportunities to opt out of data collection practices. The law requires all websites serving customers in California to identify the categories of personally identifiable information that it collects and requires website owners to comply with any “Do Not Track” requests.[29]

        Many state legislatures have followed California’s lead in establishing online privacy protections for in-state e-commerce customers. Connecticut, for example, requires any company that collects social security numbers to create and display an enforceable privacy protection policy. The policy must be sufficient to protect the social security numbers from disclosure and to prevent unauthorized access.[30] Delaware follows California’s restrictive approach to online consumer privacy protection, requiring all e-commerce websites and mobile apps that collect personally identifiable information to provide clear notice of their activities to all web customers.[31] Likewise, Nevada’s online privacy law requires websites collecting personally identifiable information to notify customers how their information is being used.[32] Utah also requires businesses to disclose any personal information that they share or sell to a third party, although this statute is not expressly limited to online businesses.[33]

Conclusion

            There is no uniform legal structure to safeguard online privacy. While Congress has passed laws preventing unauthorized access or use of electronic information by the federal government, noncompliance appears to be a major challenge to the enforcement of these laws. Attempts at strengthening federal electronic privacy protections have been introduced but not enacted.  Still, many states have passed their own laws aimed at protecting personal privacy. Likewise, e-commerce sites that allow access to users from the European Union must now receive consent before collecting private information. While these requirements do not hold legal weight in every U.S. jurisdiction, they do create significant privacy protections simply by the non-jurisdictional nature of e-commerce activities. In other words, because many of the websites we use every day are also active in Europe, California and jurisdictions with similar privacy protection laws, many Americans are receiving the protections afforded by these jurisdictions even though they do not reside within them.

            In our next module, we will turn to federal laws that protect users from online hazards and inconveniences like spam, spyware, computer fraud and online predators.