US Data Privacy Laws: Past, Present and Future

Alyssa Wolslegel

Associate Editor

Loyola University Chicago School of Law, JD 2023

Despite the technology and data collection sectors rapidly growing over the past few decades, laws protecting consumers in these spaces have barely expanded, if at all. The first, and only, comprehensive federal data privacy regulation was passed in 1974, roughly ten years before the first Mac computer was invented. Since then, we’ve seen a few more federal laws put in place to protect consumer data and even some states take actions into their own hands, but we have yet to see another comprehensive law from the federal government. This begs the question, will the federal government finally enact new data privacy laws for the country as a whole to adhere to, or will they continue to let states take the reins forcing companies to comply with multiple laws at once?

The history of US privacy laws

If we are going to talk about US privacy laws, we may as well start all the way at the beginning with the Fourth Amendment. The Fourth Amendment protects people from unlawful searches and seizures which seems pretty straight forward, but with the rise of technology, courts have ruled that it also protects searches of cell phone data. The next federal privacy law we get is the Fair Credit Reporting Act (FCRA) of 1970 which allows people to know what consumer reporting agencies have in their file on them and prevents the use of that information from being used without their knowledge. The FCRA also allows a person to dispute inaccuracies and force agencies to correct false or inaccurate information.

Four years later, we get the Privacy Act of 1974, the only comprehensive data privacy regulation passed by the federal government to date. The Act protects information that can be linked to a person by a personally identifiable mark like their name or phone number and prevents the information from being disclosed without written consent of the individual. After the Privacy Act of 1974, we see a series of Acts that protect certain niche areas of consumer information. Some of the most well-known from the list are the Gramm-Leach-Bliley Act of 1999 which requires financial institutions to explain their information sharing processes with a customer, the Health Insurance Portability and Accountability Act of 1996 which protects the heath information of individuals, and the Children’s Online Privacy Protection Rule of 1998 which protects children’s data privacy, among others.

The current state of privacy laws in the US

Since the federal government has yet to pass an updated federal law to catch up to new technology, some states have started taking matters into their own hands and passing their own privacy laws to protect consumers in their states. California, Virginia and Colorado are currently the only states that have actually passed state data privacy regulations. Many other states have started the process of passing data privacy laws for their state but have yet to agree on the scope and enforcement of the law in order to get it passed. Because each state’s law is slightly different, companies doing business in each of the states must comply with their respective laws making it difficult to conduct business. In addition, many states are taking a reactive rather than proactive approach to enforcing these laws meaning many companies who can afford to do so, like Facebook, are not actively trying to comply with the laws and waiting for action to be taken against them. Many companies who do business in Europe also have to comply with GDPR, the data privacy law that governs Europe, which has a positive effect because it protects US consumers interactions with the companies.

So what does the future hold?

In 2000, the FTC called on Congress to pass a federal law protecting the basic rights of consumers when it comes to their data, but over twenty years later we still have yet to see that come to fruition. Many consumers are starting to realize how much freedom companies have when it comes to the handling of their data due to the massive breaches that have occurred. Technology has grown exponentially in the past two decades, yet politicians still can’t seem to agree on how to protect US consumers from being taken advantage of by this technology. The biggest areas of disagreement when it comes to passing a federal law are preemption, meaning whether the law should preempt all state laws already passed, and whether there should be a private right of action, meaning consumers would be suing companies to enforce the law against them. Until Congress can come to an agreement on these issues, or a massive breach happens that catches the attention of enough consumers to push to make a change, there seems to be no finish line in sight when it comes to passing a comprehensive federal data privacy law in the US.