Legal Blog

Legal Advice on Protecting Your Privacy

Privacy Rights in the Global Era

It is very hard to protect privacy in the modern era. An individual may believe that it is impossible to protect their privacy from government or big corporations. This is even more true in an age in which technology, data and information has become so widespread across the planet and data is transferred all over the globe in a nanosecond. Notwithstanding the rapid pace of technological innovation and globalism, federal and state laws do offer privacy protections for the individual. Although the right to privacy is not explicitly mentioned in the U.S. Constitution, the Fourth Amendment has been interpreted by the Supreme Court to offer a right to privacy. Specifically, the Supreme Court has found that citizens have a right to privacy from unlawful government seizures. State laws also offer some guidance on an individual’s right to privacy, but these laws vary between the states.

Privacy in the Workplace

The laws on privacy in the workplace are slowly developing, and they frequently vary from state to state. There is a consensus among states that an employer has the legal right to intercept, monitor and read any electronic messages that are sent on its technology platform.

The monitoring of employee workplace behavior is not only perfectly legal, but it is nowadays viewed as standard business practice to prevent fraud, corporate espionage and leaking of business trade secrets. There are indeed laws for a business to follow when monitoring employee emails, social media accounts, keystrokes, etc. but a business can stay in compliance by establishing a company monitoring policy that is clear and communicated to all employees. All workplace monitoring policies should follow local and state laws.  State laws may vary slightly from federal laws which does require the disclosure of a monitoring policy.

All monitoring software policies should be clearly defined, explicitly outlined, and properly documented with a written acknowledgment by the employee. All employees should sign off on a written policy that clarifies that there is no expectation of privacy whenever an employee uses company property. The policy should clearly state that there is no monitoring of unrelated non-work performance.

The privacy laws are more ambiguous in instances in which an employee uses an employer’s equipment to access personal messages. In Ontario v. Quon, 560 U.S. 746 (2010), the United States Supreme Court held that a public employee has no reasonable expectation of privacy for messages that were transmitted on an employer-provided device.

Federal law mandates that an employer must keep most personnel records confidential. Typically, any record that contains medical or bio-metric information must be securely stored. Additionally, there are a handful of states that have laws specifically that prohibit surveillance or recording equipment in areas in which an employee has a reasonable expectation of privacy, such as in restrooms. A few states have made efforts to protect a person’s privacy by prohibiting a potential employer from requesting passwords to access social media accounts.

Privacy Obligations of Landlord’s Towards Tenant’s

If you are a renter, the extent of a person’s right to privacy in their home will depend in part on the state where the person resides. It is very common for a state to have laws that detail the circumstances in which a landlord can enter a tenant’s rental unit. These laws usually specify whether a landlord must give advance notice to be permitted to enter. In a handful of states, the privacy rights for tenants come from state court decisions, rather than the legislature.

Privacy of Personal Medical Data and Records

Healthcare providers and insurers certainly need access to medical records, but patients have an expectation that their healthcare records are otherwise kept confidential. The 1996 federal ‘Health Insurance Portability and Accountability Act’ (HIPAA), allows a patient to learn who has accessed their personal medical information, limits health care workers from sharing the personal information of their patients, allows a person to obtain a copy of their own medical records and sets up a procedure for an individual to file a complaint when privacy rights have been violated against the HIPPAA law.  In some states, the confidentiality requirements are even stricter than under federal law. The violation of HIPAA or state rules may result in disciplinary action against the employees concerned, including the termination of employment. In those instances, in which the patient privacy violations are particularly egregious, there could be civil charges or possibly criminal charges that are filed against the violator.

HIPAA privacy laws prohibit the use of protected health information from being publicized. A patient and their authorized caregivers need to protect the dignity and privacy of a patient. HIPAA privacy protections apply to social media networks like Facebook and Twitter even though HIPPA was passed before social media networks even existed. Courts have determined that the HIPAA laws and standards do apply to the social media networks when inappropriately used by healthcare organizations and their employees. Healthcare organizations should establish a HIPAA social media policy that eliminates any risk of privacy violations. Healthcare employees must never post pictures of a patient online or post other proprietary and private information concerning a patient. Most states have their own laws governing medical records that are oftentimes even stricter than HIPAA requirements.

Privacy of School and Education Records

The privacy of children school records is a sensitive concern for many parents. Many school records include personal and confidential information not only about the students but also information about other family members. The ‘Family Educational Rights and Privacy Act’ (FERPA), offers some federal privacy protections of student records. Specifically, FERPA prevents school officials and agencies from sharing any student records with third parties unless the parent has consented to the disclosure in writing. FERPA permits a parent to access their children’s school records and make a request to correct any inaccuracies. These privacy rights apply to any student if they are under 18 years of age or if they attend a post-secondary school.

The privacy safeguards of FERPA has some limitations. Parents are not permitted to bring a lawsuit against the school district when there is a violation. Many parents have publicly complained that the complaint process can be bureaucratic and cumbersome. Parents have also vocally complained that the FERPA safeguards should also apply to keeping children school records secure from malicious hackers. At present, FERPA does not extend privacy protection rights or establish data security procedures to keep education records safe from electronic hacking.  Many states and local jurisdictions have also established their own laws and privacy safeguards to protect the privacy of student records.

Privacy of Financial Data

The federal ‘Fair Credit Reporting Act’ (FCRA) established privacy safeguards to protect an individual’s privacy surrounding their credit information. The law restricts third-party access to credit information with only limited exceptions for background checks, lending decisions and credit reporting. FCRA allows a consumer the right to obtain a copy of their credit report and scores by contacting any of the 3 major credit reporting agencies, Transunion, Experian, and Equifax. The consumer is permitted to have any inaccurate information corrected or deleted simply by notifying the agency of the error. No information may be shared with any third party, including prospective employers, unless the consumer agrees to the disclosure in writing.

There are several federal and many state provisions that require financial institutions to have a privacy policy that safeguards consumer’s financial data and personal information. These laws typically require that there be a notification of the financial institution’s privacy policy that is sent out to their consumers. Typically, these provisions require for there to exist an opt out provision that allows for consumers to decline from having their information and data shared with other third-party entities.

New Privacy Laws and the Internet

The pace of technological innovation is only matched by the onslaught of data privacy laws that have recently been sweeping across the globe. The EU’s General Data Protection Regulation (GDPR), set the global standard for how customer data is handled. The GDPR requires that a company must inform their users on how their data is collected and requires that a user must consent to having their data collected. The United States plans a similar version of the GDPR with planned passage of the ‘Customer Online Notification for Stopping Edge-Provider Network Transgressions’ (CONSENT) otherwise known as  ‘The Consent Act’ to offer greater protection to consumers of their personal data. The proposed ‘Consent Act’ federal law (S. 2639) would require any business website to abide by the new privacy safeguard rules.

A business website would be forced to monitor the data that is collected from visitors. There would need to be explicit consent from a user before any data is shared or sold and also before serving any advertisement on the user. There would need to be a clear “opt-in” and “opt-out” mechanism that that allows a visitor to consent and withdraw consent at any time.  The passage of the Consent Act would mean significantly stronger privacy rights for website users and visitors

Additionally, Senate Bill 2728, also known as the “Social Media protection Act” would grant privacy safeguard protections to visitors of social media websites. A business would need to establish  a privacy policy for social media, set clear terms of service, offer opt-in and opt-out provisions, show users the specific data that is collected and notify a user within 72 hours if there is a privacy violation.

The laws above are not the exclusive privacy laws that are changing the landscape for privacy protection on the Internet.  The federal ‘Data Security and Breach Notification Act’ and the 2018 ‘California Consumer Privacy Act’(CCPA) are both significant efforts to change the landscape to safeguard user privacy on the Internet. The legal framework for safeguarding individual privacy on the Internet is moving at a breath-taking speed and likely will continue to do so as technology evolves.