Data Protection and Privacy 2025

USA LAW AND PRACTICE Contributed by: Nancy Libin, David Rice, Spencer Persson, Michael Borgia, Robert Stankey, Kara Trowell and Alexander Sisto, Davis Wright Tremaine LLP

1.2 Regulators

A number of regulators at the federal and state level have investigative and enforcement authority. Some also have authority to promulgate rules to implement privacy laws.

Federal Trade Commission (FTC)

The FTC requires entities under its jurisdiction to:

• abide by the representations that they make in their privacy policies or other public statements regarding their data privacy practices;
• refrain from engaging in unfair practices (such as failing to disclose the sharing of personal data with third parties); and
• maintain adequate data security safeguards.

In addition, the FTC is responsible for protecting children’s privacy rights under COPPA and has certain enforcement responsibilities under other federal privacy statutes, including HIPAA.

Other Federal Agencies

Other federal agencies have authority to enforce privacy laws and regulations under their respective jurisdictions. Examples include the following.

• The Consumer Financial Protection Bureau (CFPB), which is generally responsible for enforcing privacy laws in the context of transactions with financial institutions and under the FCRA, and can bring enforcement actions against companies that engage in unfair, deceptive or abusive acts or practices. The CFPB also administers and enforces Regulation P, which implements data privacy requirements for financial institutions under the GLBA. As later discussed, it also enforces the Personal Financial Data Rights rule, which provides consumers with certain rights to

State unfair or deceptive practices statutes

State consumer protection statutes that prohibit companies from engaging in unfair or deceptive acts or practices are often used to protect consumers’ privacy interests.

State privacy torts

Most states recognise common law privacy torts such as “intrusion upon seclusion” and “publication of private facts”. (Some states have codified these torts in statutes.) The elements of these torts vary, but in general, if an intrusion into private spaces or affairs, or a publication of the private facts, would be “highly offensive to a reasonable person”, the person harmed may be able to sue for monetary damages.

Local Level Overview

Smaller jurisdictions within states, such as counties, townships and cities, have enacted local laws to address specific privacy issues.

The New York City Biometric Identifier Information Act has two distinct components. The law:

• requires commercial establishments to disclose on a sign at the entrance of the business their collection, use, storage and sharing of customers’ biometric data; and
• prohibits the selling, leasing or trading of, or otherwise profiting from, the transaction of biometric data.

Violations are enforceable by a private right of action.

More than a dozen local governments have banned or significantly limited use of facial recognition by government agencies. The City of Portland, Oregon was the first to extend such regulation to private entities.
