Policy Cross-domain
United States Privacy Research
Terry Maxwell June 2004
United States Terry Maxwell
The right of privacy in the United States has a complicated history, and inconsistent structure.
No specific right to privacy was enunciated in the U. S. Constitution, but several constitutional amendments provided some level of privacy with respect to certain actions of government. Most particularly, the 4th Amendment states: “The right of the people to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures, shall not be violated and no Warrants shall issue, but upon probable cause, supported by Oath or affirmation, and particularly describing the place to be searched, and the persons or things to be seized.”
In addition to constitutional rights, several common law privacy rights, protected by civil actions, have developed over time. These torts were summarized by William Prosser in 1960 (48 California Law Review 383) as the right to sue someone for a) disclosing truly intimate facts (even if true); b) placing the plaintiff in a false light; c) the use of a name or face for commercial purposes without permission and/or compensation; and; d) an intrusion into a person’s solitude.
In 1890, Samuel Warren and Louis Brandeis attempted to integrate the common law notion of privacy with constitutional protections for individuals into a coherent legal philosophy. In The Right to Privacy, (4 Harvard Law Review 93, Dec. 15, 1890) they noted that “The principle which protects personal writings and any other production of the intellect or of the emotions is the right to privacy, and the law has no new principle to formulate when it extends this protection to personal appearance, sayings, acts, and to personal relation, domestic, or otherwise.” Their article, written in response to newspaper intrusions into private lives of prominent citizens, argued that just as the constitution protects private property from unreasonable search and seizure, we should consider the acts of a person within their private property to be similarly protected.
The Warren and Brandeis article attracted much attention and debate. In response to the article and a subsequent case (Roberson v. Rochester Folding Box Co. 171 NY 538), in 1903 New York was the first state to pass legislation recognizing the statutory right to sue for invasions of privacy. Many states followed suit in succeeding years. It was not until 1965, however, that the United States Supreme Court, (Griswold v. Connecticut (381 U.S. 479)) articulated a national right to privacy. Justice Douglas, writing for the majority, stated that “specific guarantees in the Bill of Rights have penumbras, formed by emanations from these guarantees that help give them life and substance. Various guarantees create zones of privacy.”
In addition, when studying privacy in federalist governmental systems like the United States, the issue of preemption often becomes relevant. Preemption is the practice whereby a higher level of government blocks the ability of governments at a lower level from enacting either weaker or stronger privacy controls. On the positive side, preemption can lead to stronger national privacy protections and more consistency across political boundaries. On the other hand, federal preemption of state statutes can sometimes lead to weaker general privacy protection of records, if states have instituted more stringent controls on information collection, use, retention, and transmission, either in the public or private sector. Historically, individual states have often led
the way in the development of more effective record privacy protection. Innovation may therefore be constrained by overuse of federal preemption.
In general, the right of privacy found in the United States occurs along two dimensions: one spatial, regarding the rights of individuals in the public vs. private location; and the other relational, with respect to the rights of individuals (including legal persons like corporations) relative to the state’s right to promote the public welfare. American laws relating to privacy therefore provide a complex environment for archival and other records management practice.
The following sections provide an overview of governmental rights and responsibilities relative to records, as well as the rights and responsibilities of private organizations in the field of records management.
Government Records and Privacy
The privacy of individual records collected by governmental agencies should be viewed as an attempt to balance individual privacy rights against the public’s ‘right to know’ about the operations of government in a democracy. Therefore, any discussion of privacy should begin with an understanding of what rights the government has to collect information, and the state’s subsequent obligation to make information available to citizens.
The first statutory right to information collection by the federal government is contained in constitutional provisions for census data collection. Title 13 of the U.S. Code lays out the census bureau’s rights and requirements for data collection. The Census Bureau is authorized to acquire data from individuals and agencies, but prohibits the bureau’s dissemination of information identifying private individuals, or for non-statistical purposes. In practice, however, the dissemination of Census data (in datasets known as TIGER files) provides important baseline information about the characteristics of relatively small geographic areas, and are frequently used as fairly reliable indicators of the demographic characteristics of a locality’s inhabitants.
The federal government may also demand information in exchange for the provision of governmental services or grants (Whalen v. Roe, 429 U.S. 589, 1976). This allows many governmental organizations at all levels of government to collect, store, and archive individual records. In addition, through Freedom of Information (FOI) laws (e.g. 5 U.S.C. 552), federal and state governments have an affirmative responsibility to release certain types of documents (e.g.
final opinions, policy statements, staff manuals, agency goals and objectives and procedures), but in most cases must protect individual information from unauthorized disclosure. However, amendments in 2003 (Intelligence Authorization Act of 2003 (PL 107-306)) prohibit agency processing of FOI requests by foreign entities. In some categorical areas, there is an affirmative expectation that information related to an individual will be available to the general public.
These areas include records relating to voting (including address and party affiliation), property, and any judicial records not subject to restrictions. Judicial restrictions usually apply to the records of juveniles.
Privacy Protection
The first organized attempt to established privacy policies for government documents came in the early 1970’s. At that time, the secretary of the federal Department of Health, Education and Welfare (HEW) convened a group entitled “The Secretary’s Advisory Committee on Automated Personal Data Systems.” The committee’s report, published in 1973, outlined five key information practices for information systems. These ‘fair information practices’ included:
• There must be no personal-data record-keeping systems whose very existence is secret.
• There must be a way for a person to find out what information about him is in a record and how it is used.
• There must be a way for an individual to prevent information about him obtained for one purpose from being used or made available for other purposes without his consent.
• There must be a way for an individual to correct or amend a record of identifiable information about him.
• Any organization creating, maintaining, using, or disseminating records of identifiable personal data must assure the reliability of the data for their intended use and must take reasonable precautions to prevent misuse of the data.
Many of these principles were incorporated in the Privacy Act of 1974 (5 U.S.C. Sec. 552a), which covered the actions of Federal information managers. The same principles were also subsequently adopted in many state legislative initiatives.
In general, the statute prohibits disclosure of individual information to a federal agency or person, except with written approval by the affected person. There are, however, several exceptions to this rule. Disclosures by record keepers can occur when federal agencies require information to perform their duties, for statistical research, for certain law enforcement activities, for health and safety purposes to determine a person’s last known address, for Congress, and via a court order. Release of information must be logged by the agency responsible for maintenance of the system, and sale or rental of mailing lists is prohibited. Individuals may have access to their own records, and can request amendments to correct inaccuracies.
Under the Privacy Act, only records authorized as relevant to accomplish an agency’s purpose under statute or Presidential order can be kept. Individuals must be notified under what authority a record is kept, and the agency is required to establish safeguards for security and confidentiality. Section 552(e)4 of the act requires that agency’s publish a notice of the systems maintained by the agency, including details of the system’s purpose, use of records, sources of information, and procedures for access, storage, retrieval, retention and disposal. The act also specifies the procedures for transfer of individual records to the Archivist of the United States, and states that the Archivist shall “not disclose the record except to the agency which maintains the record, or under rules established by that agency which are not inconsistent with the provisions of this section.”
The provisions of both privacy and freedom of information laws are incorporated in the federal Office of Management and Budget (OMB) Circular A-130, which was promulgated as a result of
the Paperwork Reduction Act of 1980 (PL 95-511). The circular underscores certain privacy policies for federal agencies, noting that:
• The individual's right of privacy must be protected in federal government information activities involving personal information.
• Agencies shall consider the effects of their actions on the privacy rights of individuals to ensure that appropriate legal and technical safeguards are implemented.
• Agencies have a responsibility to provide information to the public consistent with their missions. Agencies shall discharge this responsibility by providing (a) information as required by law. . . . ; and (b) access to agency records under provisions of FOIA and the Privacy Act, subject to the protections and limitations provided for in these Acts.
• Agencies shall limit the collection of information that identifies individuals to that which is legally authorized and necessary for the proper performance of agency functions.
• Agencies shall provide individuals, upon request, access to records about them maintained in Privacy Act systems of records, and permit them to amend such records as are in error consistent with the provisions of the Privacy Act.
OMB Memorandum No. M-99-18, written in 1999, expands the provision of protection to Web- based documents, directing agencies to post privacy policies on their primary web pages, any known major access points, and on any Web page where substantial personal information is collected. Web privacy policies must state what information is being collected, the purpose for collection, and the intended use of the information by the agency.
Information Sharing among Agencies
Under the broad protection of the Privacy Act, Congress has specified certain circumstances under which agencies may share information, primarily in the areas of public welfare and safety.
Under the Privacy Act’s Computer Matching and Privacy Protection Amendments of 1989 and 1990, the matching of data across federal and non-Federal organizations may occur pursuant to legal authority and written agreements. Each agency involved in such matching must establish Data Integrity Boards. They must also develop written procedures for: a) verifying information produced by matching programs; b) retention and timely destruction of identifiable records; and c) ensuring administrative and technical and physical security of records. Duplication and re- disclosure of records by receiving agencies is prohibited, and procedures governing return or destruction of records received under matching agreement must be in place. If an originating agency feels the receiving agency does not have appropriate privacy safeguards, they must refuse to hand over records.
Information sharing provisions figured prominently in welfare reform legislation in 1996, in the Crime Identification Technology and National Criminal History Access in Child Protection acts of 1998, and in the Homeland Security Act of 2002. In all cases of information sharing and mapping, however, the absence of a national identification number has compromised the accuracy of such matches. While national leaders have debated the efficacy of such an
identification system over the last decades, no consensus in this area has been reached. In the meantime, the widespread use of Social Security Numbers (SSNs) as a substitute for a National ID number, both in the public and private sector, has led to many difficulties with both information accuracy and information security. These are particularly difficult issues for public and private information managers and archivists.
Information Disclosure and Protection for Special Populations
In some cases, the protections for personal information held by federal agencies under the Privacy Act have been determined either to be too restrictive or too broad to promote the public welfare. In these cases, Congress has carved out special provisions for record collection, use, and dissemination. In many such cases, the special legislative actions have occurred in response to particular instances where either disclosure or withholding of personal information has led to well-publicized injuries to individuals. As such, they can not be viewed as general trends toward strong or weaker privacy safeguards in government. They do, however, pose specific challenges to record managers and archivists, since they represent divergence from standard practices, and must therefore be separately monitored.
Instances where Congress has mandated disclosure of personal records includes those involving Nazi War Crimes (Nazi War Crimes Disclosure Act PL 105-246), child pornography use (Child Pornography Prevention Act of 1996 (PL 104-208)), child abduction and abuse (Megan’s Law (PL 104-145)), and AIDS (Ryan White Comprehensive AIDS Resources Emergency Act of 1990 (PL 101-381)). Special regulations have also been established regarding the collection and retention of information regarding handgun purchases ((Brady Handgun Violence Protection Act of 1993 (PL 103-159); 1994 Violent Crime Control and Law Enforcement Act (PL 103-322)), and the collection of military personnel DNA samples for subsequent identification in cases of death.
Stronger protections of personal information have also been instituted in some cases. After the 1989 murder of an actress where the murderer learned her address through Department of Motor Vehicle (DMV) records, Congress passed the Driver’s Privacy Protection Act of 1994 (P.L. 103- 322, Title XXX), allowing disclosure only in specific circumstances for DMV records. Most importantly, the use of such records for the purposes of marketing may only occur after the customer has had the opportunity to ‘opt in’ or ‘opt out’ of such activity. (Opting in means that sharing is not allowed unless the individually specifically approves of disclosure. Opting out assumes that the individual will approve of the information sharing practice, unless the agency is otherwise notified) In addition, any organization reselling DMV information must keep a record of all individuals to whom the information was provided and the purposes for which the information was transferred.
Congress has also circumscribed the amount of information regarding victims past sexual activities that can be included in rape trials (Privacy Protection for Rape Victims Act of 1978 (PL 95-540)), and has restricted the disclosure of child abuse or neglect victim information (Juvenile Justice and Delinquency Prevention Appropriations Authorization FY 93-96 (PL 102-586)).
After abuse of discretion by Internal Revenue Service (IRS) agents with access to taxpayer records, Congress established stronger criminal penalties for unnecessary agent inspections
(Taxpayer Browsing Protection Act (PL 105-35)), and instructed the IRS to improve their data security. Strong privacy protections were also instituted for veteran AIDS test results (Veterans' Benefits and Services Act of 1988 (PL 100-322), and for all substance abuse treatment records.
(Section 290dd-2 USC Title 42).
The most extensive effort to strengthen privacy of citizens’ records has occurred in the health care arena. The Health Insurance Portability and Accountability Act of 1996 (PL 104-191), or HIPAA, covers both public and private organizations who produce and use health information. It requires development of data transmission standards, allows the use of encryption and electronic signatures for health records, and establishes security standards both for data storage and transmission. Specifically, it states that
Each person described in section 1172(a) who maintains or transmits health information shall maintain reasonable and appropriate administrative, technical, and physical safeguards--
(A) to ensure the integrity and confidentiality of the information;
(B) to protect against any reasonably anticipated--
(i) threats or hazards to the security or integrity of the information; and (ii) unauthorized uses or disclosures of the information; and
(C) otherwise to ensure compliance with this part by the officers and employees of such person.
The original act required the development and implementation of unique identifiers both for health providers and recipients. However, subsequent protests caused Congress to back away from the development of a recipient unique identifier system.
Privacy of Information Transmissions and Law Enforcement
The protection of private information in transit between sender and recipient has been an area of concern since the founding of the United States. Early postal regulations sought to establish a zone of privacy for information in transit, though legislation like the Comstock Act of 1873 and the Sedition Acts of 1917 sometimes designated postal authorities as originating-point censors, in that they could refuse to mail items deemed harmful to public morals or safety.
With the advent of telecommunications systems, courts generally sided with government agencies in the use of wiretapping in cases in which the government invoked public safety and national security concerns. It was not until 1967 (Berger v. New York, 388 U.S. 41) that the Supreme Court enunciated 4th Amendment limits to law enforcement wiretaps. This area was further clarified by a federal wiretapping law passed the following year. The 1968 law was silent on the use of the capture of digital electronic rather than analog data, and did not cover visual surveillance. Subsequent legislation, including the Omnibus Crime Control and Safe Streets Act
of 1968, the Electronic Communications Privacy Act of 1986 (PL 99-508), FBI Access to Telephone Subscriber Information (PL 103-142), and the Community Assistance for Law Enforcement Act of 1994 (PL 103-414) further defined the boundaries of government information collection, by establishing prohibitions for unauthorized monitoring of all forms of telecommunications, while establishing technical support for authorized monitoring by law enforcement through regulation of telecommunications companies.
While generally beyond the scope of this paper, certain provisions related to law enforcement data collection, transmission and use are relevant. First, the USA PATRIOT Act of 2001 (PL 107-56) expanded the authority for law enforcement and intelligence agency information interception and sharing of wire, oral and electronic communications related to terrorism and computer fraud and abuse, including authorizing law enforcement officials to intercept computer communications of individuals accessing computers without proper authorization. It specifically allows for voluntary sharing of personal information by computer service providers when the service reasonably believes an emergency exists involving immediate danger to people, establishes programs for information sharing regarding financial crimes, and allows the Department of Justice and FBI to give access to the Department of State and the Immigration and Naturalization Service (INS) of information about visa applicant criminal histories. The Homeland Security Act of 2002 (PL 107- 296) consolidated many law enforcement information collection functions within the new Department of Homeland Security, and authorized the newly established Directorate of Information Analysis and Infrastructure Protection to develop databases and promote information exchange regarding terrorism among federal, state, and local agencies and private organizations.
In collecting such information, the Department is required to “treat information in such databases in a manner that complies with applicable Federal law on privacy.”
In addition to legislative mandates, the Attorney General has from time to time revised guidelines regarding the activities in federal agents (e.g. FBI, AFT) under his or her supervision.
These ‘rules of engagement’ entitled “Attorney General’s Guidelines on General Crimes, Racketeering and Terrorism” were last revised on May 30, 2002, and expanded federal law enforcement ability to use such tools as the Internet and private sector databases, as well as enabling physical surveillance of public events such as religious gatherings and protest rallies.
In general, case law and legislation has developed a distinction between the privacy expectation of people and places. Privacy protects a person, not the place: therefore, a person might have a reasonable expectation of privacy even in a public place. Conversely, they might not necessarily have an expectation of privacy in a private location such as a workplace. In addition, statutes have narrowed the ‘zone of privacy’ expectations in specific areas of public safety, most notably with respect to drug trafficking and terrorism investigations.
Information Security
The final area of governmental activity in the area of records privacy involves the security of systems of information use, storage and retrieval. This area was first specifically addressed by the Computer Security Act of 1987 (PL 100-235), which established a Computer Systems Security and Privacy Advisory Board within the National Bureau of Standards (NBS), required federal agencies to identify and develop security plans for computer systems containing sensitive
information, and required mandatory periodic training for Federal employees and contract personnel. The National Defense Authorization Act for FY96 (PL 104-106) placed the responsibility for developing federal computer system security standards and guidelines with the National Institute of Standards and Technology (NIST).
In 2002, the Federal Information Security Management Act of 2002 (Title X of PL 107-296), recognized the increasingly networked nature of Federal information systems and the necessity to implement information security at the information rather than at the systems level. This is highlighted by the following definitions included in the act:
(1) the term 'information security' means protecting information and information systems from unauthorized access, use, disclosure, disruption, modification, or destruction in order to provide--
(A) integrity, which means guarding against improper information modification or destruction, and includes ensuring information nonrepudiation and authenticity;
(B) confidentiality, which means preserving authorized restrictions on access and disclosure, including means for protecting personal privacy and proprietary information;
(C) availability, which means ensuring timely and reliable access to and use of information; and
(D) authentication, which means utilizing digital credentials to assure the identity of users and validate their access;
Under the Act, the Department of Homeland Security is responsible to oversee all federal agency information security policies and practices, and for developing, in consultation with NIST, government-wide information policies. In addition, all Federal agencies are required to develop information security management structures within their departments, including personnel and technical policies and procedures consistent with agency information needs and national standards. In addition, agencies are required to undertake periodic risk assessments of information threats, and submit to annual independent audits of information security measures.
Privacy of Private Sector Records
In general, the United States has not sought to regulate the information practices of private organizations. However, in certain industries, particularly those engaged in financial, health care (outlined above), and telecommunications services, government bodies have been given some oversight and access capabilities that impact information privacy.
The first regulation of private information management occurred in 1970, in the Fair Credit Reporting Act (PL 91-508). This legislation, also known as FCRA, predated the federal Privacy Act and sought to promote accuracy, fairness and privacy of personal information gathered by
Credit Reporting Agencies (CRAs). CRA’s normally contain financial information, extracts from public records, credit information, information about unpaid bills, and may contain some health information. They are used to assist financial and retail organization decision making about individual credit worthiness, and are also frequently used to perform background checks on prospective employees.
The act requires CRAs to establish reasonable procedures to protect the confidentiality, accuracy and relevance of financial data. The framework established by the regulation includes the following:
1. Data Quality: Sources of information contained in credit reports must be identified.
Individuals have the right to know who requested information within the past year, have a right to inspect all information contained in the report, and have a right to request that information they deem to be incorrect be reviewed and changed as needed.
2. Data security: CRA systems must be secure from outside tampering and CRAs should have information security systems in place.
3. Use limitations: Credit reports may only be provided to organizations with legitimate business needs (such as banks, prospective employers, and businesses providing customer credit. Individuals may write credit agencies electing to ‘opt-out’ of information sharing among organizations and the use of their credit report to engage in ‘pre-screening,’ the practice of mailing credit card and other offers to customers based on their credit rating.
Over the years, there has been significant concern about the accuracy of credit reports, prompting requests for greater government oversight. Some states have responded by instituting more stringent CRA requirements than included in the federal law. In 2003, the federal government enacted the Fair and Accurate Credit Transactions Act of 2003 (PL 108-159). This act amended the FCRA to combat fraud and identity theft, improve the process of resolving consumer disputes, and improve record accuracy. The most important areas of privacy concern for records managers were: a) the requirement that electronic receipts for credit card purchases not include more than five digits; b) the establishment of a ‘fraud alert’ report in consumer files if requested by the consumer; c) requirements that credit bureaus provide a free annual report without charge at the customer’s request; and d) a prohibition against providing credit reports containing medical information without affirmative consumer consent.
Other financial institutions are also covered by federal privacy legislation. In response to a 1976 Supreme Court decision (United States v. Miller , 425 U.S. 435) finding that bank customers had no legal expectation of privacy for their financial records, in 1978 the U.S. Congress passed the Right to Financial Privacy Act (12 USC 3401 et. seq). The law prohibits disclosure of individual financial records without prior notification and requests to customers, unless the request is made by an agency with statutory authority to access the information, or unless access is approved via a court or administrative subpoena, summons, or warrant. Interagency information transfers are barred; unless certification is received in writing that the request is based on a legitimate law enforcement need.
In general, the Right to Financial Privacy Act provides weaker privacy protections for individuals than 4th amendment probable cause requirements. In addition, recent legislation targeting terrorism and drug enforcement have led to broad exemptions from the act for law enforcement and counterterrorism investigations.
Other information privacy legislation intended for financial institutions has focused on information security and sharing of customer information between financial institutions. The Financial Services Modernization Act of 1999 (PL 106-102), also known as the Gramm-Leach- Bliley Act, determined that financial institutions have an affirmative and continuing obligation to protect customer privacy. Toward that end institutions are required to have administrative, technical and physical safeguards:
(1) to insure the security and confidentiality of customer records and information;
(2) to protect against any anticipated threats or hazards to the security or integrity of such records; and
(3) to protect against unauthorized access to or use of such records or information which could result in substantial harm or inconvenience to any customer.
Financial providers must disclose their privacy policy to customers, who have the option to opt- out of any information sharing with third parties. Some states have strengthened this provision to require customer opt-in prior to any information sharing. In any event, if information is disclosed to a third party, that data can not be re-disclosed by the recipient. Customer account numbers may not be disclosed, except to Credit Reporting Agencies.
Recently, the Federal government has also sought to stem the invasion of customer privacy by telemarketing firms. Following the lead of state regulators, in 2003 the federal government authorized the Federal Trade Commission to implement a telemarketing do-not-call list ((Do- Not-Call Implementation Act (PL 108-10); FTC Do-Not-Call Registry Implementation Authority (PL 108-92)). This allowed consumers to be included on a FTC database that required telemarketing firms not to call.
Telecommunications Privacy
The privacy of communications over private networks has been a concern of regulators for many years. Section 605 of the Telecommunications Act of 1934 (PL 73-416) prohibited the disclosure of wire or radio communications to any person other than the intended recipient, except for law enforcement purposes. The Cable Television Consumer Protection and Competition Act of 1992 (PL 102-385) extended these rights to cable-based communications. Disclosures related to necessary business actions, court orders, authorized governmental monitoring, or after customer notification are permitted, except that no disclosures involving subscriber selection of video programming choices is allowed.
The Telecommunications Act of 1996 (PL104-104) Section 222c, while extending the prior requirements for privacy of Customer Proprietary Network Information (CPNI), required affirmative customer approval (opt-in) for sharing personal information, except in the case of
authorized law enforcement purposes, or for direct business purposes of the carrier or their contractors. The one exception involved the disclosure of subscriber telephone exchange lists, to allow for the publication of telephone directories. Vagueness in language regarding opt-in provisions in the law led to a subsequent ruling by the Federal Communications Commission (FCC), requiring customer opt-in for sharing of private information to third parties, but allowed customer opt-out for information sharing with organizations affiliated with the telecommunications provider. Some states have strengthened this provision by requiring customer opt-in even for information sharing with affiliates.
Private Organization Privacy Protections for Special Groups
As with government organizations, legislators have seen the need on occasion to protect private information related to particular groups from general dissemination. The Privacy Protection Act of 1980 (42 U.S.C. 2000aa. et. seq.) protects individuals engaged in news gathering from governmental searches unless a judicial subpoena has been obtained. The Employee Polygraph Protection Act of 1988 (PL 100-347) prohibits the use of employee lie detector tests by employers engaged in interstate commerce. The video rental viewing habits of customers are protected by Privacy Protection Act of 1988 (PL 100-618).
Access to information about children is protected more stringently than for other groups. The Family Educational Rights and Privacy Act of 1974 (34 CFR Part 99), or FERPA, protects the privacy of student educational records for all schools receiving federal funding. Written permission to release records must be obtained from parents (or the student if they are older than 18), except in certain cases necessary for educational administration or public safety. Students may request correction of inaccurate information, and the school may disclose, without consent, directory information regarding the student (including name, address, telephone information, date and place of birth, honor/awards, and dates of attendance), though students or parents can choose to opt-out of disclosure. The Higher Education Amendments of 1998 (PL 105-244) modified the rules to allow institutions of higher learning to disclose information about disciplinary proceedings involving violent crimes or sexual offenses, and to inform parents of violation of rules regarding drug and alcohol possession by students.
Other laws regulating the use of information about children include the Protection of Children from Sexual Predators Act of 1998 (PL 105-314), which required online computer service providers to report possible violations of child pornography laws to law enforcement agencies. In addition, the Children’s Online Privacy Protection Act of 1998 (COPPA) (PL No 105-277), required affirmative parental consent prior to collection by websites of personal information from children under the age of 13. It also required websites to insure confidentiality, security and integrity of all information collected about children on their systems.
In summary, record privacy statutes and regulations in the United States are complex, inconsistent, and may be differently enforced across functional areas, organizational locations, and political jurisdictions. Archivists and records managers need to be particularly aware of the laws and regulations protecting the functional areas of records under their control, as well as any nuances in the laws related to state or local regulation.
