Technology is changing how we do everything, from connecting with friends to investigating our family history. While most of these changes are for the better, the reality is that many of these new technologies expose us to serious privacy risks, especially as legislation has struggled to keep up.
Yet both here in the U.S. and around the world, that could soon change. There are numerous new and pending laws that are starting to seriously tackle the challenges posed by modern technology, helping close gaps in legislation and enforcement that open you up to online stalking, medical data breaches and disclosure of your online data. Even if you don’t realize it, many of these laws can have a major impact on your life, from how you buy insurance to which bits of personal information are gathered while you shop online, go to the bank, or talk on the phone.
What follows is a brief guide to many of the newer and upcoming laws regarding privacy in the United States. You’ll learn what the bills propose, how they’ll affect your life and when they’ll go into effect… if they haven’t already.
These laws and proposals are designed to protect your privacy in the online and mobile spheres, ensuring that you and those you care about aren’t tracked, subject to data seizures, or the victims of online predators.
Proposed by Rep. Lamar Smith of Texas, this bill is designed to increase the enforcement of laws related to child pornography and child sexual exploitation, specifically by requiring Internet service providers (ISPs) to provide data about subscribers to law enforcement officials. While still on the table for debate, the law has attracted a lot of attention from those who believe it has serious implications with regard to consumer privacy.
- How It Will Affect You: This law doesn’t just affect those who create and distribute child pornography. If passed, all Internet users would see a reduction in privacy. The law would require ISPs to retain user IP addresses and subscriber information for one year, even in the event service is cancelled. This information would include names, addresses, telephone numbers and account numbers, with no limits on the scope of subscriber information that can be retained and accessed by the government. What’s more, this collected information could be used to prosecute for any issue with probable cause and a warrant. This not only poses problems for the misuse of data by law enforcement; it could also result in serious security issues if information is hacked. It also opens up that information to gross violations of personal privacy and security.
- Timeline: The bill passed the United States House Judiciary Committee on July 28, 2011, but hasn’t gone much further since then, despite garnering 39 co-sponsors by January 2012. It seems to have stalled, and little has been heard of it since it garnered widespread backlash. That’s no guarantee, however, that similar legislation won’t pop up in the future.
The Electronic Communications Privacy Act is almost 30 years old, so why does it appear on this list? Because it’s likely going to see some major revisions to reflect the increased variety and prevalence of electronic communications. The original act was designed to help expand federal wiretapping and electronic eavesdropping provisions, as well as protect communications that occur via wire, oral and electronic means and to balance the right to privacy of citizens with the needs of law enforcement.
In the years since, the law has been under increased scrutiny for being out of date and failing to protect all communications and consumer records. For example, under current law, government agencies can demand ISPs hand over personal consumer data stored on their servers that is more than 180 days old without a warrant. This wasn’t an issue in the past, when most emails were downloaded to individual computers, but with the advent of webmail programs like Gmail and Yahoo, now nearly all consumer email communications are fair game. Major tech companies, like Google, Facebook, Verizon and Twitter, have advocated for greater privacy and reform of the law.
- How It Will Affect You: If reforms to the ECPA go through, law enforcement and government officials will no longer be able to access your personal emails stored on a server without a warrant, regardless of their age. This is a strong first step towards updating the bill and ensuring the privacy concerns are addressed for present day technology.
- Timeline: No changes have gone through to update ECPA yet, but in November 2012, the Senate Judiciary Committee approved a bill that would strengthen privacy protection for emails by requiring a warrant to access them. It is set for debate in Congress early this year. Other legislation will likely be needed to deal with privacy issues related to mobile phones, text messages and social media, but no bills reflecting this type of data have been proposed.
COPPA isn’t new, either, but it has seen some significant amendments over the past year that are worth mentioning. COPPA, which went into effect in early 2000, protects children under 13 from the online collection of personal information. As a result, many sites today often disallow children under 13 from using their services or require parental permission for disclosure of any personal information.
In September 2011, the FTC announced proposed revisions to COPPA that would expand the definition of what it means to collect data from children. These new rules would include regulations on data retention and deletion and would require any third parties to whom a child’s information is disclosed to have policies in place to protect the information.
- How It Will Affect You: You will likely only be directly affected by this law if you own or operate a website or have children under 13 who use the Internet. The new amendment is largely positive for parents and children, preventing abuses of data, laying out guidelines for stricter parental approvals and ensuring that children’s information stays secure. A number of tech giants, however, have pushed back against this legislation. Apple, Facebook, Google, Microsoft and Twitter, as well as Viacom and Disney, have all objected to several aspects of the new FTC rules stating that they make it nearly impossible for companies to create and disseminate child-focused material.
- Timeline: In late 2012, nearly a year after revisions were proposed, the FTC adopted the final amendments to COPPA, and they are currently in effect.
The GPS Act, proposed by Representative Jason Chaffetz and Senator Ron Wyden, seeks to give government agencies, commercial entities and private citizens specific guidelines to when and how geolocation information can be accessed and used. At present, there are no U.S. laws that directly address GPS tracking data, and with the proliferation of trackable devices like cell phones and GPS systems, the act is aiming to update regulations and guidelines to reflect modern sources of privacy concerns.
- How It Will Affect You: If passed, the act will detail the legal procedures and protections that apply to electronic devices that use GPS, will require warrants for the release of GPS data, will make it illegal for individuals to be tracked without their knowledge, and will create criminal and civil penalties for violating these new GPS regulations. This could be a big boon to protecting your personal privacy and security, as it will make it illegal for others to track you (including family members) and will prevent data about your activities from being disseminated without your knowledge, consent, or a court order.
- Timeline: The GPS Act was introduced to the Senate on June 15, 2011. It has not passed, in part because of opposition to two major court decisions, United States v. Jones and United States v. Knotts, which have ruled in favor of allowing law enforcement to place GPS trackers on cars, as well as opposition from the Obama administration. Yet a more recent case addressed by the Supreme Court, United States v. Jones, found that such measures violated the Fourth Amendment, which may help strengthen its passage as it waits to be considered by the Senate Judiciary Committee and the House.
Much like your social activities, your consumer habits and activities are also subject to privacy violations, especially when they occur online or through a mobile device. The following are laws that seek to address a number of major issues related to consumer privacy rights.
On April 12, 2011, Senators Kerry and McCain introduced the Commercial Privacy Bill of Rights to establish a baseline code of conduct for how personal information can be used, stored and distributed. The bill of rights has since been picked up by the Obama administration and adapted in a report titled “Consumer Data Privacy in a Networked World: A Framework for Protecting Privacy and Promoting Innovation in the Global Digital Economy.” In both instances, the bill of rights lays out principles that would work to protect personal data and to improve consumer security. It is not a piece of legislation in itself, but rather a guideline for building and enacting future regulations and laws that will impact tech companies and online retailers.
- How It Will Affect You: While nothing has been passed yet, this outline could help protect your personal data from abuse by retailers and ensure that it’s not sold to a third party or in any other way compromised.
- Timeline: First proposed in early 2011, it could be quite some time before this bill of rights is translated into any real kind of legislation, especially if there is major pushback from Congress or tech companies themselves. If companies begin to better self-regulate privacy issues, no additional legislation may be needed.
Congressman Hank Johnson proposed the APPS Act early this year. The act is designed to address concerns with the data collection being done through applications on mobile devices and would require that app developers provide greater transparency about their data collection practices, ensure reasonable levels of data security and allow users to opt out of data collection or have the option to delete data that has been collected on them.
- How It Will Affect You: The APPS Act would ensure that apps on your phone aren’t gathering, storing, or sharing information about you without your knowledge or consent. It doesn’t mean that data can’t or won’t be collected, just that consumers will have greater knowledge and potentially the ability to opt out of certain aspects of this process.
- Timeline: The draft of the bill was released in January 2013 and is currently just a discussion draft, meaning that it hasn’t been formally introduced for passage just yet. It’s likely that discussions with app developers and consumer advocates will help to shape the final draft and it could be a couple of years before any final decisions are made on the legislation.
Worried about the potential risks for stalking posed by cell phones loaded with GPS and apps that gather information about a user’s location, Senator Al Franken, along with several co-sponsors, proposed this bill to fill in loopholes in federal law that allow companies to obtain location-based information on consumers and to share that information with third parties. While some app developers have complained that this hinders location-based advertising, others agree that privacy needs to be protected and that location-based tracking should only be allowed within apps for which consumers have given consent.
- How It Will Affect You: The Location Privacy Protection Act, if passed, will protect you from having mobile data on your whereabouts tracked, stored or shared without your knowledge or consent. It would not eliminate the ability of mobile technologies to track your location but would only ensure transparency and greater security, though it may be cumbersome with some existing systems of location-based advertising.
- Timeline: The bill has been under development since 2011 and is still being refined and tailored to take into consideration the needs of all involved parties. Franken is expected to push the measure later this year and, if passed, the bill could see enforcement as early as 2014.
Proposed by Rep. Michael Rogers and co-sponsored by 111 other House members, CISPA is designed to help the government better investigate cyber threats and ensure that large networks are secure against the threat of cyber-attack. To do that, the act would allow for the sharing of Internet traffic information between the U.S. government and certain technology and manufacturing companies.
While noble in its intention, the act has been widely criticized for endangering privacy and civil liberties, though some large technology companies (Microsoft and Facebook) favor it as a simple and effective way of sharing important cyber threat information with authorities.
- How It Will Affect You: If CISPA becomes law, it would make it harder for cybercriminals to execute major attacks on networks. However, it may also mean that the government could easily, and without a warrant, track any individual’s browsing history. As the bill is presently worded, there are few limits on when or how the government can monitor an individual, and it may even make certain kinds of spyware legal if it is being used in good faith for a cyber-security purpose.
- Timeline: CISPA was introduced in late 2011 and was passed by the House of Representatives in mid-2012. While gaining early support, Obama’s advisors have argued that the bill could be a major risk to confidentiality and civil liberties and it is likely he would veto it if it passes.
Work and Employment
Here, you can learn more about privacy laws that affect life in the workplace, from how you’re hired to what information is fair game for employers.
Increasingly, employers have turned to social media as a way to learn more about potential employees. However, this has also meant that in some cases privacy boundaries were crossed, with potential employers requiring applicants to turn over passwords to social media accounts. To help job seekers protect their online privacy, California, Delaware, Illinois, Maryland, Michigan and New Jersey have all passed social media privacy laws. What’s more, 11 other states (including New Mexico and Texas) have legislation of this nature pending.
- How It Will Affect You: The legislation will only affect you if you live in a state that has passed an Internet privacy law, though over time it’s likely that most, if not all, states will follow suit. These acts make it illegal for employers to require applicants or current employees to hand over passwords to private accounts, which will help protect your personal accounts and private interactions when seeking employment. Some laws, like those of Delaware and New Jersey, focus on colleges and not employers, banning admissions officers and college employees from requiring password information.
- Timeline: In all states that have passed legislation with regard to the privacy of social media passwords, the laws have gone into effect, some as recently as January. Over the course of 2013, it’s likely that many other states will pass and begin enforcing similar laws, though there are no guarantees: in some states, like Pennsylvania, similar measures never even made it out of committee.
The Genetic Information Nondiscrimination Act (GINA) isn’t new legislation. Passed in 2008, it prohibits the use of genetic information in health insurance and employment. That means that employers can’t make hiring, firing, job placement or promotion decisions based on genetic information, nor can insurers raise premiums or deny coverage to those with a genetic predisposition for a disease.
While GINA itself is just five years old, it may soon see some updates. A recent report from the U.S. Presidential Commission for the Study of Bioethical Issues recommended that the law be expanded to include security measures for whole-genome sequence data rather than just focusing on issues of discrimination. New regulations would likely update the consent forms individuals sign when they agree to take part in research studies, helping protect their genetic information and preventing misuse of this data. Additionally, under recommendations by the committee, GINA would be expanded to include comprehensive national rules on how genetic privacy is protected.
- How It Will Affect You: Should the act be expanded, individuals will enjoy greater protection of their genetic data. Research studies must be more transparent about security risks and genetic data itself will see greater protection under law to ensure that fewer privacy breaches occur and that discrimination cannot occur. Currently, GINA does not protect individuals from discrimination when applying for life or long-term care policies. Greater protections on genetic data could make it possible for this information to be off limits to anyone outside the individual or his or her immediate family.
- Timeline: The report from the commission was just released in February 2013, so it will likely be quite some time before amendments to the legislation, if they are decided as being warranted, are crafted. In lieu of amending GINA, legislators may opt to create new laws on genetic privacy. In these early stages, however, there are no guarantees and no new legislation may be passed for several years, if at all.
These highly important laws address issues of personal information, including medical data, private phone conversations and video watching history.
FISA Amendments Act of 2008 / FISA Amendments Act Reauthorization Act of 2012
The Foreign Intelligence Surveillance Act (FISA) was passed in 1978 but has undergone some major restructuring in recent years. Originally, FISA, signed into law by Jimmy Carter, prescribed basic procedures for physical and electronic surveillance and the collection of foreign intelligence information. It also provides strict judicial and congressional oversight of any covert surveillance activities.
The first changes to the act occurred under the Patriot Act, and though they expired in 2008, many of those changes were extended by the FISA Amendments Act of 2008. Under this act, the government is authorized to get year-long orders to conduct surveillance of Americans’ international communications, including phone calls, emails, and Internet records.
Currently, these orders do not need to specify who is being spied on or the reasons for doing so. Why is this important to you today? Originally, the amendment to FISA was only designed to last five years, expiring at the end of 2012. Overwhelmingly, however, the U.S. Senate voted in December 2012 to extend the FISA Amendments Act through the end of 2017.
- How It Will Affect You: The amendment to FISA could potentially already be having an effect on you as it has already been in place for five years, but this most recent extension means that Americans will face another five years under the law. With little oversight, it is now possible for government agents to gather information on any foreign communications, which many individuals and privacy protection groups have consistently argued is a gross violation of privacy and civil liberties. If for any reason the government suspects you may be a threat or may be connected to someone who is, your phone calls, email, and internet browsing history are subject to monitoring.
- Timeline: The FISA Amendments Act has been in force since 2008, and the most recent FISA Amendments Act Reauthorization Act of 2012 was signed into law by Obama in late 2012.
The Video Privacy Protection Act was signed into law in 1988 by President Reagan. It was designed to prevent the wrongful disclosure of video tape rental or sale records or similar audio visual materials. While over two decades old, the law has been in the news regularly over the past five years thanks to streaming technology and online video rental subscription programs, such as Netflix and Blockbuster, which have often integrated with social media sites. This has resulted in some major lawsuits, including one case in 2012 that required Netflix to change its privacy rules so that members who have left the site no longer have records with the company.
Yet while the law has been at odds with online media providers in the past, recent changes to the legislation in the form of an amendment make it legal for streaming services to share details of the content viewed after consumers have given blanket permission, making it possible for greater integration into social media sites like Facebook.
- How It Will Affect You: How the VPPA amendment will affect you will depend on how you watch movies and use the Internet. If you do not subscribe to an online movie provider, the law will not impact you or make any additional information about your rental history public. Even if you do subscribe to a service like Netflix, you must give permission to allow your information to be disclosed publicly, either once every two years or each time disclosures are sought.
- Timeline: The amendment to VPPA was signed into law by President Obama in January 2013. It is expected that video streaming and rental services will begin creating social media integrated apps later this year, taking advantage of the freedom the new amendment allows.
Most Americans are familiar with the Health Insurance Portability and Accountability Act (HIPAA), but many may not realize that the protections they enjoy under HIPAA got an update in the form of the HITECH Act. Part of the American Recovery and Reinvestment Act of 2009, HITECH contains incentives to expand the adoption of health information technology, including the establishment of a nationwide network of health records.
What does this have to do with privacy? HITECH also requires that major security breaches be reported to Health and Human Services as well as the media; it increases enforcement of HIPAA and the resulting penalties; and it ensures that any individual can request a copy of his or her public health record. Most importantly, it expands HIPAA regulations to include any business associates or providers to medical facilities, requiring vendors of any kind to keep private records private.
- How It Will Affect You: HITECH will ensure that your health records are even more secure than they were under HIPAA. Despite expanding electronic health records, which make many nervous, the act also ensures that anyone having any contact with your records cannot disclose information about them without your knowledge. It also makes it an even more serious offense if this is done.
- Timeline: HITECH was signed into law on February 17, 2009. It fully went into effect in January 2011 and will provide funding and support for electronic health records through 2015. Other areas of protection will stay in effect.
Some don’t think that HITECH went far enough in protecting patient privacy. In June 2012, a bill was proposed that would amend the American Recovery and Reinvestment Act. The new act would require health providers to encrypt any mobile device containing health information, restrict business associates’ use of protected health information, improve congressional oversight of HIPAA, and provide additional measures that would protect patient privacy and safety when using health information technology.
- How It Will Affect You: The POHP Act generally just strengthens the provisions already in place from HITECH, but it does take things one step further with regard to mobile medical devices. Under this bill, those devices would all need to be secured to ensure that there are no breaches of privacy. The act would also help individuals ensure that HIT is to their benefit and that new innovations do not compromise their health, safety, or privacy.
- Timeline: The bill was introduced in mid-2012 and was referred to Senate committee and then the Committee on Health, Education, Labor, and Pensions. It is still pending.
As privacy becomes an ever larger concern in an increasingly connected world, new legislation is likely to continually pop up, and there may be many new laws that see proposal and passage in addition to those we’ve listed here in the next few years. The best thing you can do to protect yourself is to stay informed.