Navigating Online Privacy Laws: What You Need to Know

We talk a lot about taking the right steps to protect your identity, data, and privacy when you are online. Those actions are definitely important, and you should always proceed with caution when you are browsing, shopping, learning, banking, doing business, working, or doing anything else online.
However, you should also know that if you live in the US, your federal government has passed several online privacy laws to protect you when you are on the internet. Individual states have done the same, as have many countries around the world.
A History of Federal Privacy Laws
Here are some of the most important things to know about online privacy laws that exist to protect you, and what privacy laws are still needed.
FTC Act of 1914
How could a law passed in 1914, signed by President Woodrow Wilson, affect your internet activity? Well, the Federal Trade Commission (FTC) was created by President Wilson when he signed this act. It gave authority to the FTC to regulate businesses and prevent them from engaging in unfair or deceptive commercial practices.
Over time, the FTC has become the main federal entity in charge of maintaining privacy rights for consumers by holding accountable companies that fail to protect their consumers’ privacy.
Here’s an example: the FTC oversaw massive fines against Google in 2019 for violating another law on our list: COPPA. Because Google violated this law designed to protect children’s privacy online, they had to pay $170,000,000 in fines! The FTC had the power to enforce these fines because of the foundation laid in 1914 by the FTC Act.
FERPA (1974)
The Family Educational Rights and Privacy Act (FERPA) is a 1974 law signed by President Gerald Ford that protects the privacy of student education records like grades, test scores, contact info, and more. It limits how schools can disclose student record information without consent from parents or eligible students.
FERPA preserves confidentiality around sensitive information that is gathered in the education system about specific students, and that includes data that is stored electronically. It restricts teachers, administrators, and others from sharing or accessing private student data without authorization from the student. As HIPAA does for health information, FERPA aims to protect the personal information of students from unauthorized disclosure.
ECPA (1986)
In 1986, the Electronic Communications Privacy Act was signed by President Ronald Reagan. It was designed to protect most communications from unauthorized interception, access, use, and disclosure. This includes wire, oral, and electronic communications. Even in the early days of the internet, lawmakers realized the importance of protecting electronic communication alongside other forms of communication.
CFAA (1986)
The CFAA (Computer Fraud & Abuse Act) was also signed by President Reagan in 1986, the same year as the ECPA. It made it illegal to use a computer to gather information from someone else’s files, transmit harmful items like viruses, or sell computer passwords. It has been expanded and amended several times since 1986.
HIPAA (1996)
The Health Insurance Portability and Accountability Act (HIPAA) was passed in 1996 under President Bill Clinton. It affects everyone who seeks medical care, but it’s also a somewhat misunderstood law.
HIPAA protects the privacy of patient health information, including medical records and health history, by regulating how healthcare providers and insurers collect, store, use, and share that data. HIPAA aims to preserve confidentiality around sensitive medical information that is gathered by doctors, hospitals, pharmacies, and other healthcare entities. It restricts the sharing or accessing of private patient data without authorization.
It is not, however, a rule that promises people medical privacy, and the only companies or organizations bound to follow HIPAA are medical providers and healthcare entities that collect personal healthcare information. Other businesses, schools, and organizations are not bound by HIPAA in any way.

COPPA (1998)
In 1998, lawmakers passed the Children’s Online Privacy Protection Act, which requires many websites and online platforms to verify a child’s age and parental consent before collecting any information from minors who are under the age of 13. Websites also have to post their privacy policies publicly, and they can only collect necessary information from users. They have to take appropriate steps to maintain online security for their users.
GLBA (1999)
The GLBA (Gramm-Leach-Bliley Act) is also called the Financial Services Modernization Act. President Bill Clinton signed this bill into law in 1999 to regulate how financial institutions collect, use, and disclose any of their customers’ personal information. The GLBA also requires banks and other financial institutions to provide a customer notice of how their data will be used.
CAN-SPAM Act (2003)
To protect people from unwittingly opening and viewing non-solicited materials including pornography and marketing, the Controlling the Assault of Non-Solicited Pornography and Marketing Act was signed into law by President George W. Bush in 2003. Get the joke? “CAN SPAM.” Yes, this bill was all about stopping people from receiving certain kinds of unsolicited spam email, as well as emails with misleading header information or deceptive subject lines.
The CAN-SPAM Act also requires corporate email senders to provide a valid opt-out option in every email. It established both civil and criminal penalties for companies who violate these rules.

FACTA (2003)
In 2003, President George W. Bush codified the Fair and Accurate Credit Transactions Act, which requires all financial institutions (banks, credit unions, lenders, etc.) to provide written documentation of their programs to prevent identity theft.
What About State-by-State Protections?
Many states have been adding their own data protection laws in recent years. Specifically, several states have added rules modeled after the EU’s General Data Protection Regulation (GDPR) rules, which are more stringent than any federal laws in the US regarding data protection.
These states and their laws include:
- California Consumer Privacy Act (CCPA)
- Colorado Privacy Act (CPA)
- Connecticut Data Privacy Act (CDPA)
- Delaware Personal Data Privacy Act (DPDPA)
- Florida Digital Bill of Rights (FDBR)
- Indiana Senate Bill 5/Indiana Data Privacy Law
- Iowa Consumer Data Protection Act (CDPA)
- Montana Senate Bill 384/Montana Consumer Data Privacy Act
- New Jersey Senate Bill 332/New Jersey Data Privacy Law
- Oregon Senate Bill 619/Oregon Consumer Privacy Act
- Tennessee Information Protection Act (TIPA)
- Texas Data Privacy and Security Act (TDPSA)
- Utah Consumer Privacy Act (UCPA)
- Virginia Consumer Data Protection Act (CDPA)

What Consumers Need to Know
The internet age has brought many conveniences, but also complex privacy challenges. As we conduct more of our lives online, privacy laws struggle to keep up with evolving technologies and data practices. While laws like HIPAA and FERPA protect health and student information, most internet users lack comprehensive legal safeguards. Many existing privacy rules also lack teeth or resources for enforcement.
New state laws are helping to bridge the gap between basic protections and more sufficient ones. The US could benefit from a better national framework for protecting consumers from issues related to data and privacy on the internet, similar to the GDPR in the EU. In fact, many companies already have to conform to GDPR standards because they have international operations or handle the personal information of European citizens.
As technology makes it easier for companies to collect data on consumers, the need for strong legal protection only increases.