Study Guide: Certified Information Privacy Professional (CIPP): US - US Privacy Law Sources, Constitution, Statutes, Common Law, FTC Act Section 5
Source: https://www.fatskills.com/data-privacy-laws-and-regulations/chapter/cipp-cipp-us-us-privacy-law-sources-constitution-statutes-common-law-ftc-act-section-5


By Fatskills Exam Guides Team — the exam nerds behind 28,500+ quizzes and 2.1M practice questions across 500+ global exams.


CIPP/US – US Privacy Law Sources (Constitution, Statutes, Common Law, FTC Act §5)


What This Is

US privacy law is not a single, omnibus statute like the GDPR. Instead, privacy protection comes from a patchwork of constitutional guarantees, federal and state statutes, common-law torts, and the Federal Trade Commission (FTC) Act §5 (which bans “unfair or deceptive acts or practices”). Understanding where the authority originates helps you decide which rule applies to a given data-handling activity, and it’s the foundation for any compliance program.

Real-world example: A health-tech startup based in California collects biometric data from users in Texas. The company must evaluate (1) the Fourth Amendment (if the data is obtained by a government search), (2) HIPAA (if the data is “protected health information” and the startup is a “covered entity” or “business associate”), (3) Texas’ biometric privacy statute, (4) the FTC’s unfair-practice authority, and (5) any state common-law claims that could arise from a data breach.


Key Terms & Provisions

  • Fourth Amendment (U.S. Constitution): Protects against unreasonable searches and seizures; applies to government-initiated data collection, not private actors.
  • Section 5 of the FTC Act (15 U.S.C. §§ 45–45b): Gives the FTC power to stop deceptive or unfair privacy practices, even where no specific statute exists.
  • HIPAA (Health Insurance Portability and Accountability Act) – 1996: Federal statute governing “protected health information” (PHI). Requires safeguards, breach notification, and limits on use/disclosure for covered entities and business associates.
  • GLBA (Gramm-Leach-Bliley Act) – 1999: Requires financial institutions to protect “nonpublic personal information” (NPI) and provide privacy notices.
  • FCRA (Fair Credit Reporting Act) – 1970: Regulates consumer-reporting agencies; mandates accuracy, disclosure, and dispute rights for credit data.
  • COPPA (Children’s Online Privacy Protection Act) – 1998: Requires parental consent before collecting personal information from children under 13.
  • CCPA/CPRA (California Consumer Privacy Act / California Privacy Rights Act) – 2018/2020: Grants California residents rights to access, delete, and opt out of the sale of personal information; imposes notice and security obligations on “businesses.”
  • State Biometric Privacy Laws (e.g., Texas SB 441, Illinois BIPA): Require informed consent before collecting biometric identifiers and impose statutory damages for violations.
  • Common-Law Intrusion upon Seclusion: A tort claim when a party intentionally intrudes on a private matter in a way that would be highly offensive to a reasonable person.
  • Negligence (Privacy-Related): Liability when a party fails to exercise reasonable care to protect personal data, leading to a breach.
  • Breach-Notification Statutes (e.g., NY SHIELD Act, 42 U.S.C. § 20001): Mandate timely notice to affected individuals and regulators after a data breach.

Step-by-Step / Process Flow

  1. Identify the Data & Actor – Catalog the type of personal information (PHI, biometric, financial, consumer) and determine whether the organization is a government entity, covered entity, business associate, financial institution, or “other” private party.
  2. Map the Legal Landscape – Match the data/actor to the applicable source(s): Constitution (if government), federal statutes (HIPAA, GLBA, etc.), state statutes (CCPA, BIPA), common-law torts, and FTC §5.
  3. Perform a Gap Analysis – Compare current policies, notices, and security controls against each applicable requirement (e.g., consent, notice, data minimization, breach-notification timelines).
  4. Implement Controls & Documentation – Adopt the stricter of overlapping rules (e.g., BIPA’s consent + CCPA’s opt-out) and maintain evidence (privacy notices, consent logs, risk assessments).
  5. Monitor & Respond – Set up continuous monitoring for breaches, privacy complaints, or FTC enforcement trends; be ready to invoke the appropriate response plan (notice, remediation, FTC cooperation).

Common Mistakes

Mistake: Assuming the Fourth Amendment applies to private companies.
Correction: The Fourth Amendment only restrains government actions. Private entities are governed by statutes, common law, and FTC authority.

Mistake: Treating FTC §5 as a “catch-all” that replaces statutory duties.
Correction: FTC §5 supplements—not replaces—statutory obligations. You still must comply with HIPAA, CCPA, etc.; FTC action is an additional enforcement risk.

Mistake: Confusing “covered entity” with “business associate” under HIPAA.
Correction: A covered entity creates/holds PHI (e.g., hospitals). A business associate performs services on behalf of a covered entity and must sign a BAA. Both have distinct obligations.

Mistake: Relying on a single state law for all U.S. operations.
Correction: Each state may have its own privacy statute (e.g., BIPA, Virginia CDPA). Conduct a state-by-state analysis; the most protective rule often governs.

Mistake: Assuming “opt-out” under CCPA is the same as “opt-in” under GDPR.
Correction: CCPA’s opt-out means consumers can request that a business stop selling their data; it does not replace the need for consent where other statutes (e.g., HIPAA) require it.

CIPP Exam Insights

  1. Source Hierarchy: The exam loves to ask which source “trumps” another. Remember: Constitution → Federal Statutes → State Statutes → Common Law → FTC §5 (as a supplemental enforcement tool).
  2. FTC §5 Scope: Expect a question that presents a privacy practice not covered by a specific statute; the correct answer will be that the FTC can still act under §5 if the practice is “unfair or deceptive.”
  3. Statutory Overlap: Be ready to pick the most stringent requirement when multiple laws apply (e.g., BIPA’s consent + CCPA’s notice; you must satisfy both).
  4. Tort vs. Statutory Claims: The exam may contrast a common-law intrusion claim with a statutory breach-notification claim; know that torts require proof of “highly offensive” intrusion, while statutes impose notice duties regardless of offensiveness.

Quick Check Questions

  1. Scenario: A retailer collects email addresses for a newsletter and later sells the list to a third-party marketer. A California resident objects.
    Answer: Under CCPA/CPRA, the resident can opt out of the sale of their personal information. The retailer must honor the request within 15 days and provide a clear “Do Not Sell My Personal Information” link.

  2. Scenario: A state university police department installs facial-recognition cameras on campus without student consent.
    Answer: The Fourth Amendment does not apply because the university is a state actor performing a search; however, the university may be liable under state biometric statutes (e.g., Illinois BIPA) and could face FTC §5 action for an unfair practice.

  3. Scenario: A fintech startup stores credit-card numbers on a cloud server located in Ireland. A Texas consumer requests deletion of their data.
    Answer: The GLBA (and Texas data-privacy law) requires the fintech to honor the deletion request, but HIPAA does not apply because the data is not PHI. The company must still comply with any applicable state breach-notification rules if a breach occurs.


Last-Minute Cram Sheet (10 One-Liners)

  1. Fourth Amendment protects only government searches; private firms are not covered.
  2. FTC §5 = “unfair or deceptive acts”: baseline enforcement when no specific statute exists.
  3. HIPAA applies to PHI held by covered entities or business associates (via BAA).
  4. GLBA: Financial institutions must provide a privacy notice and safeguard NPI.
  5. FCRA gives consumers the right to dispute inaccurate credit info and requires annual disclosures.
  6. COPPA = Parental consent required before collecting data from children under 13.
  7. CCPA/CPRA: Consumer rights: Access, Delete, Opt out of Sale; 12-month extension for “sale” definition.
  8. BIPA (Illinois): Consent required before collecting biometric data; $1,000 per violation (or $5,000 if reckless).
  9. State breach-notification deadlines range 30–45 days after discovery (e.g., NY SHIELD Act = 30 days).
  10. Common-law intrusion = intentional, highly offensive intrusion; negligence = failure to use reasonable care to protect data.

Good luck—remember: U.S. privacy is a mosaic; always start with the data type, then layer the applicable source(s).