Federal Data Privacy: Current Law, Gaps, and Legislative Proposals
Summary
This report examines the current patchwork of federal data privacy laws, including sector-specific statutes such as HIPAA for health information, COPPA for children's online data, and GLBA for financial data. It identifies gaps in the existing framework and discusses the absence of a comprehensive federal privacy law.
The report analyzes state privacy legislation, including the California Consumer Privacy Act (CCPA) and similar laws enacted in other states, and discusses how the lack of federal preemption creates compliance challenges for businesses operating nationwide.
Congressional considerations include proposals for comprehensive federal privacy legislation such as the American Data Privacy and Protection Act (ADPPA), debates over a private right of action, FTC enforcement authority, data minimization requirements, and the treatment of sensitive categories of data including biometric and geolocation information.
Full Report Analysis
Key Findings
Background
Federal data privacy regulation in the United States has developed on a sector-specific basis, with each major statute addressing a particular type of data or industry. The Health Insurance Portability and Accountability Act of 1996 (HIPAA) protects individually identifiable health information held by covered entities and their business associates. The Gramm-Leach-Bliley Act (GLBA) requires financial institutions to explain their information-sharing practices and protect sensitive customer data. The Children's Online Privacy Protection Act (COPPA) restricts the collection of personal information from children under 13 by commercial websites and online services.
The Federal Trade Commission serves as the de facto federal privacy regulator, using its authority under Section 5 of the FTC Act to pursue enforcement actions against companies engaged in unfair or deceptive data practices. FTC enforcement actions have addressed unauthorized data collection, inadequate data security, deceptive privacy policies, and violations of consent decrees. However, the FTC's authority is limited to "unfair or deceptive" practices rather than establishing comprehensive privacy requirements, and its enforcement resources are finite relative to the scope of the data economy.
Current Law
HIPAA's Privacy Rule establishes national standards for the protection of individually identifiable health information by covered entities (healthcare providers, health plans, and healthcare clearinghouses) and their business associates. COPPA requires verifiable parental consent before collecting personal information from children under 13, with the FTC proposing updates to address changes in technology since the rule was last revised. The Family Educational Rights and Privacy Act (FERPA) protects the privacy of student education records. The Fair Credit Reporting Act (FCRA) regulates the collection, dissemination, and use of consumer credit information.
The Electronic Communications Privacy Act of 1986 (ECPA), including the Stored Communications Act, governs law enforcement access to electronic communications and stored data. However, ECPA was enacted before the modern internet and has not been comprehensively updated, creating significant gaps in privacy protection for cloud-stored data and digital communications. The Carpenter v. United States (2018) Supreme Court decision extended Fourth Amendment protections to cell-site location information but left broader questions about digital privacy unresolved.
Policy Options
The primary legislative approach is comprehensive federal privacy legislation establishing baseline privacy protections applicable across sectors. Key design choices include: the scope of covered data and entities; individual rights (access, correction, deletion, portability, opt-out of targeted advertising); data minimization requirements limiting collection to what is reasonably necessary; heightened protections for sensitive data categories (biometric, health, financial, geolocation, children's data); consent and notice requirements; enforcement mechanisms (FTC authority, state attorney general authority, private right of action); and whether federal law preempts state privacy laws.
Alternative approaches include strengthening sector-specific statutes, expanding FTC rulemaking authority, establishing a dedicated data protection agency, enacting targeted legislation addressing specific harms such as data broker regulation or algorithmic accountability, and developing industry self-regulatory frameworks with FTC oversight. The tension between comprehensive federal preemption (favored by industry for regulatory certainty) and preservation of state authority to enact stronger protections (favored by privacy advocates and some state officials) remains a central obstacle to legislative progress.
Recent Developments
State privacy legislation continues to advance rapidly, with each new law creating additional compliance obligations for businesses. The FTC has undertaken rulemaking on commercial surveillance and data security, potentially establishing more comprehensive requirements under existing authority. International developments, including the EU's General Data Protection Regulation enforcement and adequacy determinations, create additional pressure for U.S. federal legislation. Congressional bipartisan interest in children's online privacy, data broker regulation, and AI-related privacy concerns may provide pathways for incremental progress even absent comprehensive legislation.
Note: This is a summary of a Congressional Research Service report. CRS reports are prepared for Members of Congress and their staffs. This summary is provided for informational purposes and does not constitute legal advice.