Privacy law violations: who investigates and what are the consequences?

One of the earliest federal privacy laws to be passed, the Fair Credit Reporting Act of 1970 protects personal financial information collected by credit agencies, tenant screening services, and medical information companies. In essence, it guarantees the privacy and accuracy of the information in consumer credit bureau files and empowers action in the event of inaccuracies.

The Federal Trade Commission is the government entity that enforces the FCRA, though the Consumer Financial Protection Bureau is primarily responsible for rulemaking. Violations can come in many forms, including inaccurate debt reporting, failing to send poor credit rating notifications, disseminating credit reporting information without consent, and failing to provide a satisfactory process to prevent identity theft.

Such violations can result in various damages awarded, court costs, and attorney's fees. Actual damages include those that resulted from a proven failure to act, or an action by an individual, business, or agency that brings harm; they are case-specific and thus have no limit. Statutory damages don't require evidence to support them and have a compensation limit from $100 to $1,000. Punitive damages are awarded as punishment against an individual, business, or agency found in FCRA violation and are meant to deter the guilty party from further wrongdoing. All damage types are contingent upon willful and negligent FCRA violations.

The Privacy Act of 1974 prevents federal agencies from disclosing personal information they collect or control when not authorized. The act also requires that federal agencies publicly disclose their system of records in the Federal Register, which is the U.S. government's official record. The act was ratified in response to concerns over how the creation and use of computerized databases impacted personal privacy; however, it is important to note that the act applies only to federal agencies and not to state or local agencies.

Many agencies share the duty of enforcing this act due to its range of protections, but the director of the Office of Management and Budget has the power to create guidelines for how agencies should follow the act. Penalties differ for violations of specific sections of the act and can be civil or criminal in nature, or both. In civil court, an individual can sue to have a record amended should an agency refuse to do so—and the individual can also have reasonable litigation costs paid by the government if the court so rules. An individual can also sue to have records produced in civil court. Should a court find that any agency has committed a violation intentionally or willfully, the court can award actual damages to the individual and the individual's reasonable attorney fees.

Suppose a government agency employee or officer willfully and knowingly discloses personally identifiable information or deliberately maintains a records system without disclosing relevant details or even the system's existence. In that case, they can be fined up to $5,000 and cited for a misdemeanor. Moreover, the same misdemeanor penalty can apply to anyone who willfully and knowingly requests the record of an individual from an agency under false pretenses.

The Computer Fraud and Abuse Act of 1986 is an anti-hacking law prohibiting unauthorized use of any protected device connected to the internet, including computers and smartphones. This act has been amended since its original ratification. It has come under scrutiny for what has been seen by some as vague language that allowed the law to be so broadly interpreted, it criminalizes everyday activities.

Fortunately, in June 2021, the Supreme Court narrowed the act, saying that the law should not apply to people using systems they've been allowed to access, as otherwise, a large number of everyday computer activities would, in effect, be criminal.

The Department of Justice enforces this act and recently updated its enforcement policy so that good-faith security research—accessing a computer solely with good-faith vulnerability or security flaw correction, investigation, or testing purposes—would not be charged. Within the DOJ, the FBI has primary investigative authority regarding cases involving foreign relations or national defense issues, foreign counterintelligence, restricted data, and suspicion of espionage. The Secret Service is also authorized to investigate instances of fraud.

The CFAA criminalizes unauthorized access of a computer or the obtaining of protected information by exceeding authorized access; extortion involving computers; intentional and unauthorized access to a computer that causes reckless damage; and any attempts to commit such offenses, even if ultimately unsuccessful. A first offense can result in a maximum of 10 years in prison; a second offense increases the sentence to 20 years.

The Children's Online Privacy Protection Act enforces requirements on services online that are directed at and collect information from children younger than 13. Such services must provide specific parental controls and the ability to opt out, and must make their privacy policies available and easily accessible.

The Federal Trade Commission enforces the application of this act and investigates violations thereof—most recently turning its attention to online education tools. When a COPPA violation occurs, the violator could receive a fine of up to $43,280 per violation. This figure throws into stark relief the $170 million fine levied against Google in 2019 for COPPA violations on YouTube. The web service collected children's personal information without consent and then used it to target these children with advertising.

Many companies have committed COPAA violations by improperly gathering children's personal information over the years, including WW International and Kurbo Inc. in 2018, Musical.ly (TikTok) in 2019, We Heart It in 2020, HyperBeard in 2020, OpenX in 2021, and Recolor in 2021.

The Gramm-Leach-Bliley Act requires financial institutions to safeguard the public's nonpublic personal information and provide their customers with an explanation of their information-sharing practices. It also mandates that consumers or customers can opt out of all information sharing. The act is enforced by several types of authorities, primarily the Federal Trade Commission; federal banking agencies, additional federal regulatory authorities, and state insurance oversight agencies are also responsible for enforcement.

Penalties for violations of the GLBA can include severe personal and financial consequences for employees and executives. For each violation, a financial institution can get a fine of up to $100,000. An institution's directors and officers can face a fine of up to $10,000 or five years in prison (or both). Additionally, companies that violate this act will face a loss of confidence from their customers and increased exposure.

The Health Information Portability and Accountability Act ensures the proper protection of individuals' health information by setting disclosure and use standards. The Office for Civil Rights at the Department of Health and Human Services is responsible for enforcing HIPAA privacy and security rules. The office investigates complaints and conducts compliance reviews per HIPAA standards.

Penalties for HIPAA violations can be levied as both civil and criminal. Civil penalties are a minimum of $100 per violation; if the same breach has occurred in multiple variations, this fine can reach $25,000. Such penalties are applied if an individual was aware of wrongdoing or is proven to have failed to exercise such due diligence as would have made them aware. Penalties do not apply in the absence of willful neglect or if the individual corrects the violation within 30 days of being made aware of it.

Criminal penalties are, of course, much stiffer. A willful violation bears a minimum fine of $50,000 up to a maximum of $250,000. Moreover, the guilty individual may have to pay restitution to any victims involved. Imprisonment is also possible. Prison terms can vary from up to one year in the case of criminal negligence to up to 10 years for violating HIPAA rules with malicious intent or for personal profit.

The Telephone Records and Privacy Protection Act made it a criminal offense to engage in pretexting—using manipulation or false statements to obtain personal information—to acquire phone records from telecommunication companies. It not only prohibits a person from using fraudulent tactics to obtain phone data, but also makes it illegal to try accessing confidential phone data online or on computers. Selling and transferring phone records that were illegally obtained is also prohibited.

With the passage of the act, violators can incur fines or be sentenced up to 10 years imprisonment. Both of these penalties can also increase based on the severity of the crime: If the fraudulent activity had more than 50 victims or involved more than $100,000, fines can double and an additional five years could be added to a prison sentence. Another additional five years could be added if the fraudulently acquired phone records were used to commit violent crimes, crimes against law enforcement officers, or domestic violence.