Structure and Enforcement of US Law Flashcards
What are the sources of U.S. law?
- Constitutions
- Legislation
- Regulations and Rules
- Case Law
- Common Law
- Contract Law
Is the right to privacy explicit in the U.S. Constitution.
No, the word “privacy” is not in the U.S. constitution. However, some parts directly affect privacy such as the 4th Amendment which limits gov searches. Amendments 3, 5, 9, and 14 also provide privacy protections to Americans. State constitutions may create stronger rights than those found in the U.S. constitution. For example, CA state constitution expressly recognizes a right to privacy.
What is legislation?
Laws passed by Congress or state legislatures. State legislation may be stricter than national legislation, and vice versa
What are Regulations and Rules?
Regulatory agencies, such as the Federal Trade Commission and Federal Communications Commission, issue regulations and rules that place compliance expectations on industries, such as marketing
What is Case Law?
Final decisions made by judges in court cases. When similar issues arise in the future, judges may look to past decisions as precedent and decide the case in a manner consistent with past decisions - “stare decisis”, but precedents change
What is Common Law?
legal principles that have developed over time through judicial decisions and contrast with statutory laws. Draw from social customs and expectations. EX) doctor-patient and attorney-client confidentiality
What is a Consent Decree?
Consent decrees are agreements or settlements that resolve a dispute between a regulator and a private party without admission of guilt or liability. Through a legal document approved by a judge, the defendant may have to take specific action, such as agreeing to stop the alleged illegal activity or pay money to the government and agree to not violate the relevant law in the future.
What are the fundamental requirements for forming a binding contract?
- Offer
- Acceptance
- Consideration
What is an Offer?
Proposed language to enter into a bargain. It must be communicated to another person and remain open until it is accepted, rejected, retracted or has expired. A counteroffer ends the original offer.
What is Acceptance?
The assent or agreement by the receiver of the offer that the offer was accepted. Acceptance must be communicated to the offeror.
What is Consideration?
Is the bargain-for exchange. Legal benefit received by one person and the legal detriment imposed to the other. Consideration usually takes the form of money, property, or services.
What is Tort Law?
Are civil wrongs recognized by the law as the grounds for lawsuits. These wrongs result in an injury or harm that constitutes the basis for a claim.
What are the 3 general tort categories?
- Intentional Torts - when a defendant knew or should have known that their action or inaction would cause harm.
- Negligent Torts - when a defendant’s actions were unreasonably careless or unsafe.
- Strict Liability - when a defendant has legal responsibility for damages or injury even if they are not negligent or at fault, as in product liability
What is a Person?
Any entity with legal rights, including an individual or a corporation.
What is the meaning of Jurisdiction?
The authority of a court to hear a particular case. The court must have subject matter jurisdiction and personal jurisdiction.
What is Preemption?
A superior government’s ability to have its laws supersede those of an inferior government.
What is “Private Right of Action”?
The ability of an individual harmed by a violation of law to file a lawsuit against the violator.
What is the purpose of a Notice?
- consumer education
2. corporate accountability
What is a Privacy Notice?
Often refers to external communications, issued to consumers, customers, or users.
What is a Privacy Policy?
Often refers to internal standards used within the organization.
What is Choice?
The ability to specify whether personal information will be collected and/or how it will be used or disclosed.
What is an “opt in” choice?
An affirmative indication of choice based on an express act of the person giving the consent.
What is an “opt out” choice?
A choice can be implied by the failure of the person to object to the use or disclosure.
What is Access?
The ability to view personal information held by an organization.
When must Access and Correction be provided?
When the information is used for any type of substantive decision making, such as for credit reports.
Which federal agencies engage in regulatory activities concerning privacy in the private sector?
- Federal Trade Commission (FTC)
- Federal Communications Commission (FCC)
- Department of Commerce (DoC)
- Department of Health and Human Service (HHS)
- Federal Reserve Board (Fed)
- Office of Comptroller of the Currency (OCC)
- Consumer Financial Protection Bureau (CFPB)
Who enforces privacy at the state level?
State attorney generals
How do state attorney generals bring enforcement actions?
Typically, pursuant to state laws prohibiting unfair and deceptive trade practices.
What questions should be asked to understand any privacy related law, statute, or regulation?
- Who is covered by this law?
- What types of information (and what uses of information) are covered?
- What exactly is required or prohibited?
- Who enforces the law?
- What happens if I don’t comply?
- Why does this law exist?
What are the 3 Branches of the U.S. Government? & What is the role of each branch?
Executive Branch
Enforces laws
President, Vice President, Cabinet and Federal Agencies
Legislative Branch
Makes laws
Congress (house of representatives and senate)
Judicial Branch
Interprets the law (determines if constitutional)
Federal courts
What AMENDMENTS to the United States Constitution have been interpreted to provide privacy protection?
3rd Amendment (Soldiers Quartered) 4th Amendment (Search and Seizure) 5th Amendment (Self-Incrimination) 14th Amendment (Due Process)
What are the roles and responsibilities of the Federal Communications Commission (FCC)?
Places significant compliance regulations on and governs the communications industry, such as television, radio, and telemarketing, and more recently, with online marketing developing such laws as the Telemarketing Sales Rule and Controlling the Assault of Non-Solicited Pornography and Marketing Act (CAN-SPAM Act).
Along with the FTC, the FCC also enforces privacy laws.
What are the roles and responsibilities of the Department of Commerce (DoC)?
Leading role in federal privacy policy development
Administers the Privacy Shield Framework between the United States and the EU.
The DOC works along with the FTC on the enforcement of privacy and security standards set by organizations, particularly with those having privacy self-regulatory programs.
What are the roles and responsibilities of the Department of Health & Human Services (HHS)?
Creates regulations to protect the privacy and security of healthcare information.
Responsible for enforcing HIPAA laws.
The HHS shares rule-making and enforcement power with the FTC for data breaches related to medical records under the Health Information Technology for Economic and Clinical Health (HITECH) Act.
What are the roles and responsibilities of the two agencies responsible for regulating the Banking Industry?
Federal Reserve Board
Responsible for enforcing provisions of specific federal financial regulatory mandates, such as the Gramm-Leach-Biley Act (or GLBA).
Consumer Financial Protection Bureau An independent bureau under the Federal Reserve, has rule-making authority for laws related to financial privacy and oversees the relationship between consumers and financial product and service providers
Office of the Comptroller of the Currency (OCC)
Independent bureau of the U.S. Department of Treasury.
Regulates and supervises all national and federal banks and savings institutions, including agencies of foreign banks.
Ensures fair access to financial services and compliance with financial privacy laws and regulations.
What are the roles and responsibilities of the State Attorney Generals?
Chief legal advisor to the state government
State’s chief law enforcement officer. They may take enforcement action on a state’s unfair and deceptive practice law, HIPAA, GLBA, the Telemarketing Sales Rule and violations of breach notification laws
What are Self- Regulatory Programs?
Organizations monitor privacy through internal privacy practices, frameworks/guidelines, policies and procedures created and monitored by industry groups.
Government agencies, such as the FTC, may be involved in enforcement and adjudication
What are Trust Marks?
Images or logos of third party seal and certification programs that are displayed on websites to indicate that a business is a member of a professional organization or to show that it has adopted the guidelines of a program and passed a security and privacy test.
Designed to give customers confidence that they can safely engage in e-commerce transactions.
Examples include TrustArc, Norton, the Better Business Bureau, and EU-U.S. Privacy Shield
What is Criminal Liability?
Initiated by, burden of proof, remedy, sources of law
Court proceedings for criminal prosecution
Initiated by: Government
Burden of Proof: Beyond a Reasonable Doubt
Remedy: Fines, restitution, incarceration or death
Sources of Law: Constitutions, laws and regulations
What is Civil Liability?
Disputes between individuals or organizations
Plaintiff (Private Party or Government) sues a Defendant to address a wrong
Burden of Proof: Preponderance of evidence
Remedy: Monetary Compensation or Injunctions
Federal privacy areas covered by federal agencies.
Medical - HHS Office of Civil Rights
Financial - CFPB generally; Federal Reserve and Comptroller of Currency for institutions under their jurisdiction pursuant to GLBA.
Education - ED
Telemarketing and marketing privacy - FCC (with FTC) under TCPA and other statutes.
Workplace privacy - EEOC and others.
State Dept role in privacy
Negotiating internationally on privacy issues with other countries and multinational groups like OECD.
US Dept of Commerce role in privacy?
Leading role in policy development and administered Privacy Shield Framework.
US Dept of Transportation role in privacy?
Enforced privacy shield violations between US and EU for some transportation companies.
FAA, on drone policy.
National Highway Traffic Safety Administration, on connected cars.
OMB role in privacy?
Interpreting Privacy Act of 1974.
Also issues guidance to agencies and contractors on privacy information security issues, such as data breach disclosure and privacy impact assessments.
IRS role in privacy?
Subject to privacy rules re. tax records.
Other Dept of Treasury parts involved with financial records issues, including compliance with money laundering rules at the Financial rimes Enforcement Network.
Binding Corporate Rules (BCRs)
Internal rules for data transfers within multinational companies, like a code of conduct for transfer.
Standard Contract Clauses (SCCs)
Established by EU to cover data transfer outside of EU:
- 2 for controller to controller
- 1 for controller to processor
The Federal Trade Commission Act
Codified in 15 USC section 45. Section 5(a) of the FTC act empowers the agency to enforce against - “unfair or deceptive acts or practices in or affecting commerce” are hereby declared unlawful.
Limits on FTC Authority
- Applies to commerce, excluding nonprofits
2. Excludes financial institutions
FTC Privacy & Enforcement Actions
The FTC brings enforcement actions under Section 5 of the FTC Act, which prohibits unfair and deceptive trade practices which holds businesses to fair and transparent privacy and security standards.
Consent Decree
Formal contract between the government requiring modification of business practices
Information Resolution
Agreement that the accused company will modify business practices without a formal enforcement action
FTC Sunset Policy
Sets a 20-year maximum length on consent agreements
FTC Enforcement History
- From late 1990s - Chairman Pitofsky approach = “notice and choice”. Enforcement actions based on deception and failure to comply with privacy notice, rather than specific, tangible harm to consumers.
- From 2001 to 2009, Chairman Muris and Platt-Majors emphasized “harm-based model” for enforcement, i.e. harms due to identity theft, and invoked unfairness.
- 2009, Chairman Leibowitz, began including requirement of comperhensive privacy program in CDs, and beyond tangible harm.
- 2009 approach reflected in 2012 White House and FTC reports.
Which U.S. statutes provide the FTC with additional enforcement authority over privacy issues?
The Children’s Online Privacy Protection Act (COPPA),
the Fair Credit Reporting Act (FCRA),
the Gramm-Leach Bliley Act (GLBA),
the CAN-SPAM Act
What does Section 5(a) under the FTC Act prohibit?
“Unfair or deceptive acts or practices in or affecting commerce.”
What are the primary regulatory authorities that regulate privacy in the U.S.?
i. Federal Trade Commission (FTC)
ii. Federal Communications Commission (FCC)
iii. Department of Commerce (DoC)
iv. Department of Health and Human Services (HHS)
v. Banking Regulators
What are the primary banking regulators that regulate privacy in the U.S.?
i. Federal Reserve Board
ii. Comptroller of the Currency
iii. Consumer Financial Protection Bureau (CFPB)
iv. Federal Deposit Insurance Corporation (FDIC)
v. National Credit Union Administration
Consumer Financial Protection Bureau
Summary: Regulates how financial institutions handle personal information
Detail: An independent bureau under the Federal Reserve. CFPB has rule marking authority for laws related to financial privacy and oversees the relationship between consumers and financial products and services providers
State Attorney General
Chief legal advisor to the state government / state’s chief law enforcement officer. Authority to take enforcement action on a state’s unfair and deceptive practice law, HIPAA, GLBA, the Telemarketing Sales Rule, and violations of breach notification laws
Self-Regulation Model
Organizations that monitor privacy through internal privacy practices, frameworks/guidelines, policies and procedures, created and monitored by industry groups
Trust Marks
Images or logos of third-party seal and certification programs that are displayed on websites to indicate that it has adopted the guidelines or a program and passed a security and privacy test
Criminal Liability
Violations of criminal law with charges by the government. Parties that include depriving someone of their liberty.
Civil Liability
Failure to carry out a legal duty owed to another party. Charges brought to courts by the claimant.
Can practices be both unfair and deceptive?
Yes.
Unfair Trade Practices
Commercial conduct that intentionally causes substantial injury, without offsetting benefits, and that consumers cannot reasonably avoid.
What are the three requirements to be an unfair trade practice?
- Must cause or be likely to cause substantial injury
- Must not be reasonably avoidable
- Must not be outweighed by the benefits
Deceptive Trade Practices
Corporate entities who mislead or misrepresent products or services to consumers and customers.
What are the three requirements to be a deceptive trade practice?
- Must involve a misleading representation, omission, or practice
- Must be analyzed from the perspective of a reasonable consumer
- Must be material
Who brings forward state enforcement of unfair and/or deceptive trade practices?
The State Attorney General
Most states have similar laws to Section 5 of the FTC Act. These laws are commonly known as UDAP statutes. In addition to covering unfair and deceptive practices, some states allow enforcement against unconscionable practices.
