Technology & Privacy Law
Data privacy, cybersecurity, AI regulation, social media law, and digital rights.
Overview
Technology and privacy law addresses the legal issues arising from digital technology, data collection, artificial intelligence, social media, and cybersecurity. Unlike the EU's comprehensive GDPR, the United States lacks a single federal data privacy law, instead relying on a sectoral approach with industry-specific statutes (HIPAA for health data, COPPA for children's data, GLBA for financial data) and a growing patchwork of state privacy laws.
Data privacy law has become one of the fastest-growing legal areas as companies collect, process, and monetize vast amounts of personal information. The California Consumer Privacy Act (CCPA), as amended by the California Privacy Rights Act (CPRA), established the first comprehensive state data privacy framework, giving consumers rights to know what data is collected, delete their data, opt out of data sales, and exercise these rights without discrimination. Virginia, Colorado, Connecticut, and other states have followed with their own comprehensive privacy laws.
Cybersecurity law involves the protection of computer systems and data from unauthorized access and cyberattacks. Key issues include data breach notification requirements (all 50 states have breach notification laws), cybersecurity standards for regulated industries, incident response obligations, and the evolving liability framework for security failures. Emerging areas include AI governance, autonomous vehicle regulation, cryptocurrency and blockchain law, and the regulation of social media platforms.
Key Statutes
Computer Fraud and Abuse Act (CFAA)
18 U.S.C. § 1030
Federal law criminalizing unauthorized access to computer systems, also providing a civil cause of action for victims.
Electronic Communications Privacy Act (ECPA)
18 U.S.C. § 2510 et seq.
Governs government access to electronic communications, including the Wiretap Act and Stored Communications Act.
Children's Online Privacy Protection Act (COPPA)
15 U.S.C. § 6501 et seq.
Requires parental consent for online collection of personal information from children under 13.
California Consumer Privacy Act (CCPA/CPRA)
Cal. Civ. Code § 1798.100 et seq.
Comprehensive state privacy law granting consumers rights over their personal data including access, deletion, and opt-out of data sales.
FTC Act Section 5
15 U.S.C. § 45
Used by the FTC to bring enforcement actions against companies with unfair or deceptive privacy and data security practices.
Key Cases
Carpenter v. United States
585 U.S. 296 (2018)
Held that the Fourth Amendment requires a warrant for government access to cell-site location information, recognizing privacy interests in digital records.
Van Buren v. United States
593 U.S. 374 (2021)
Narrowed the CFAA by holding that 'exceeds authorized access' covers only accessing information on a computer that a person is not entitled to access.
Riley v. California
573 U.S. 373 (2014)
Held that police generally need a warrant to search the contents of a cell phone seized during an arrest.
Gonzalez v. Google LLC
598 U.S. 617 (2023)
Presented the question of the scope of Section 230 immunity for tech platforms, though the Court declined to reach the merits.
Key Regulations
FTC Privacy and Data Security Enforcement
Federal Trade Commission
FTC guidance and consent orders establishing de facto standards for corporate privacy practices and data security.
NIST Cybersecurity Framework
National Institute of Standards and Technology
Voluntary framework providing standards, guidelines, and best practices for managing cybersecurity risk.
SEC Cybersecurity Disclosure Rules
Securities and Exchange Commission
Rules requiring public companies to disclose material cybersecurity incidents within four business days.
Frequently Asked Questions
Is there a federal data privacy law?
No. The United States does not have a comprehensive federal data privacy law like the EU's GDPR. Instead, privacy is regulated through sector-specific federal laws (HIPAA, COPPA, GLBA, FERPA), FTC enforcement of unfair/deceptive practices, and a growing patchwork of state laws. Several comprehensive federal privacy bills have been introduced but none has passed. The American Data Privacy and Protection Act (ADPPA) came closest in 2022.
What is Section 230?
Section 230 of the Communications Decency Act (47 U.S.C. § 230) provides internet platforms with immunity from liability for third-party content posted by users and protection for good-faith content moderation decisions. It has been called 'the twenty-six words that created the internet.' Both political parties have proposed reforms, though from different perspectives — some arguing platforms censor too much, others arguing they don't moderate enough.
What happens after a data breach?
All 50 states have data breach notification laws requiring companies to notify affected individuals (and often state attorneys general) when personal data is compromised. Notification timelines vary from 'as soon as practicable' to specific deadlines (72 hours in some states). Companies may also face FTC enforcement, state attorney general actions, class action lawsuits, and regulatory penalties depending on the circumstances and applicable laws.
Recent Developments
Technology law is evolving rapidly with the emergence of generative AI regulation, including the EU AI Act and proposed U.S. frameworks. Key developments include state AI regulation bills, FTC enforcement actions against AI companies for bias and deception, debates over AI copyright and intellectual property, social media regulation for minors, and the regulation of cryptocurrency and DeFi. The SEC has finalized cybersecurity disclosure rules for public companies, and states continue to pass comprehensive privacy laws, with over a dozen now enacted.
State Variations
State technology and privacy laws vary dramatically. California (CCPA/CPRA), Virginia (VCDPA), Colorado (CPA), Connecticut (CTDPA), and other states have comprehensive privacy laws with different scope, definitions, and enforcement mechanisms. State data breach notification requirements differ in definitions of personal information, notification timelines, and penalties. Some states have enacted biometric privacy laws (Illinois BIPA being the most litigated), drone regulations, autonomous vehicle laws, and AI-specific legislation.