Federal Trade Commission (FTC)
FTC privacy homepage
The starting point for understanding the FTC's role and activity in enforcing privacy rights. The FTC has multiple divisions, including the Division of Privacy and Identity Protection (DPIP).
While not expressly mentioning privacy, section 5(a) of the act has served as the FTC's authority for many privacy violation enforcement actions.
A recommended book on the history of the FTC, and specifically on its evolving role in enforcing privacy rights, is Chris Jay Hoofnagle, Federal Trade Commission: Privacy Law & Policy (Cambridge Univ. Press, 2016). Main stacks: KF 1611 .H66 2016
A recommended article describing the FTC's development of a "common law" of privacy rights through its power to police unfair and deceptive trade practices is Daniel J. Solove & Woodrow Hartzog, The FTC and the New Common Law of Privacy, 114 Columbia L. Rev. 583 (2014).
Health & Human Services (HHS)
The Department of Health & Human Services (HHS) is responsible for the protection of privacy for health information under HIPAA. Within the HHS, the Office of Civil Rights is in charge of enforcing the provisions of HIPAA and the implementing regulations. This website of HHS is the main page for information on HIPAA protections and enforcement.
Privacy and Security Framework
The OCR created this framework explaining six principles for protecting health information.
Records, Computers, and the Rights of Citizens (HEW 1973)
The Department of Health, Education and Welfare (HEW) was the predecessor to the HHS. In 1973, it issued a highly influential report on privacy issues related to information stored on computers. It articulated a number of "fair information practice principles" (FIPPs), which have formed the basis of many subsequent privacy policies and guidelines.
OMB (Office of Management & Budget)
The Congressional Research Service (CRS) is a non-partisan policy research unit of the US Congress. The CRS has issued many reports on the subjects of privacy and data security. Its database of full-text reports is searchable by keyword. Until 2018, the CRS did not make its reports available to the public. Therefore its current database of reports is evolving and not yet complete.
CRS reports are also available through the HeinOnline database, which has a more extensive collection of reports. In HeinOnline, use the "U.S. Congressional Documents" database; its advanced search feature allows filtering to CRS reports only, which can then be searched by keyword.
U.S. Department of Justice
The Justice Department has the Office of Privacy and Civil Liberties (OPCL). This office protects the public by ensuring the department's compliance with numerous federal laws related to privacy, including the Privacy Act of 1974, the E-Government Act of 2002 and the Federal Information Security Modernization Act of 2014. The OPCL provides oversight and coordination of the privacy procedure of the department and all its components. The OPCL's website is a good source for examining the policies and procedures put in place by an agency to ensure its compliance with the law.
Department of Education
Department of Education FERPA program
The Department of Education administers the requirements of FERPA and provides guidance and assistance to educational institutions covered by the statute and regulations. FERPA regulations are found at 34 CFR, Part 99.
Department of Commerce
US - EU Safe Harbor Framework
Following the implementation of the EU Data Protection Directive in 1998, a mechanism was needed to ensure that personal information flowing into the US met the EU data protection requirements. In 2000, after negotiations with the EU, the Department of Commerce began operating the Safe Harbor Framework, which was a method for US companies to certify that they were in compliance with EU standards. After many criticisms of the effectiveness of this program, the European Court of Justice rejected the Safe Harbor program in 2015. The replacement program is the EU-US Privacy Shield Framework, administered by the FTC.