The following statutes are some of the most significant ones on the subjects of information privacy and data security. The acts are listed in chronological order. For each entry, the entities bound by the statute are noted, along with a link to the best guidance resource from the enforcing federal agency and to where the implementing regulations are published. Congress has not passed a major new privacy statute in many years, with the result that much of the legislative activity is now occurring at the state level.
Fair Credit Reporting Act of 1970 (FCRA)
Pub. L. No. 90-32, 15 U.S.C. §§ 1681 et seq.
Link: https://www.law.cornell.edu/uscode/text/15/chapter-41/subchapter-III
Covered entities: credit reporting companies
Agency guidance | Implementing regulations (title 12) | Implementing regulations (title 16)
Family Educational Rights and Privacy Act (FERPA) (a/k/a Buckley Amendment)
Pub. L. No. 93-380, 20 U.S.C. § 1232g
Link: https://www.law.cornell.edu/uscode/text/20/1232g
Covered entities: educational agencies and institutions
Agency guidance | Implementing regulations
Privacy Act of 1974
Pub. L. No. 93-579, 5 U.S.C. § 552a
Link: https://www.law.cornell.edu/uscode/text/5/552a
Covered entities: federal government agencies and bodies
Agency guidance | Implementing regulations
Right to Financial Privacy Act of 1978 (RFPA)
Pub. L. No. 95-630, 12 U.S.C. §§ 3401-3422
Link: https://www.law.cornell.edu/uscode/text/12/chapter-35
Covered entities: financial institutions (upon requests from federal government authorities)
Agency guidance | Implementing regulations
Cable Communications Policy Act of 1984
Pub. L. No. 98-549, 47 U.S.C. § 551
Link: https://www.law.cornell.edu/uscode/text/47/chapter-5/subchapter-V-A/part-IV
Covered entities: cable TV operators
Agency guidance
Electronic Communications Privacy Act of 1986 (ECPA)
Pub. L. No. 99-508, 18 U.S.C. §§ 2510–2523, 2701–2713
Link: https://www.law.cornell.edu/uscode/text/18/part-I/chapter-119
Covered entities: electronic communication services
Agency guidance
Driver's Privacy Protection Act of 1994
Pub. L. No. 103-322, 18 U.S.C. §§ 2721–2725
Link: https://www.law.cornell.edu/uscode/text/18/2721
Covered entities: state departments of motor vehicles
Agency guidance and regulations will vary by state
Health Insurance Portability and Accountability Act of 1996 (HIPAA)
Pub. L. No. 104-191, various sections of Title 42 of the US Code
Link: https://www.law.cornell.edu/uscode/text/42/1320d-2
Covered entities: covered entities defined by the Act, including health care providers, health plans that use health information in electronic format
Agency guidance | Implementing regulations
Children’s Online Privacy Protection Act of 1998 (COPPA)
Pub. L. No. 105-277, 15 U.S.C. §§ 6501–6506
Link: https://www.law.cornell.edu/uscode/text/15/chapter-91
Covered entities: operators of websites or online services directed at children
Agency guidance | Implementing regulations
Gramm-Leach-Bliley Act of 1999 (GLBA)
Pub. L. No. 106-102, 15 U.S.C. §§ 6801-6809
Link: https://www.law.cornell.edu/uscode/text/15/chapter-94/subchapter-I
Covered entities: financial institutions and financial services companies
Agency guidance | Implementing regulations
E-Government Act of 2002
Pub. L. No. 107-347
Link: https://www.govinfo.gov/content/pkg/PLAW-107publ347/pdf/PLAW-107publ347.pdf
Covered entities: federal government agencies and bodies
Agency guidance
CAN-SPAM Act of 2003 (Controlling the Assault of Non-Solicited Pornography and Marketing)
Pub. L. No. 108-187, 15 U.S.C. §§ 7701-7713
Link: https://www.law.cornell.edu/uscode/text/15/chapter-103
Covered entities: senders of commercial e-mail messages
Agency guidance | Implementing regulations