There is no comprehensive legislation in the United States that regulates the collection, storage, transmission, or use of personal information on the Internet. As new technologies have developed, the response has been to enact laws designed to target specific privacy-related issues on an ad hoc basis. As a result, the law governing privacy issues on the Internet consists of an assortment of state and federal legislation, regulations, and court decisions interpreting them.
In 1999 Congress enacted the Financial Modernization Act (FMA), which requires federal agencies to issue regulations implementing restrictions on a financial institution’s ability to disclose nonpublic personal information about consumers to nonaffiliated third parties. Pub. L. No. 106-102, 113 Stat. 1338 (1999). Affected agencies include the Federal Trade Commission (FTC), Securities and Exchange Commission (SEC), and the Federal Reserve. Pursuant to the act, the FTC issued a final rule requiring financial institutions to provide notice to consumers about their privacy policies and practices and set forth the conditions under which a financial institution may disclose nonpublic personal information about consumers to nonaffiliated individuals and entities.
The Electronic Communications Privacy Act (ECPA) regulates intrusions into electronic communications and computer networks. 18 U.S.C.A. sections 2510 et seq. Subject to various exceptions, ECPA makes it illegal to intercept e-mail at the point of transmission, while in transit, when stored by an e-mail router or server, or after receipt by the intended recipient. ECPA specifically prohibits the intentional interception, disclosure, or use of any wire, oral, or electronic communication. The act provides both criminal and civil penalties for its violation. However, one federal court ruled that ECPA could not be interpreted to support a class action alleging that an advertising corporation had unlawfully stored cookies on the hard drives of Web users who had visited particular Internet sites. In re DoubleClick Inc. Privacy Litigation, 154 F.Supp.2d 497 (S.D.N.Y. 2001).
The Fair Credit Reporting Act (FCRA), as amended by the Consumer Reporting Reform Act of 1996, regulates the collection and use of personal information by consumer reporting agencies. Fair Credit Reporting Act of 1970, 15 U.S.C.A. sections 1681-1681u (1997); Consumer Credit Reporting Reform Act of 1996, Pub. L. No. 104-208, 110 Stat. 3009-426 (1996). The law requires that consumer reporting agencies establish “reasonable measures” addressing the commercial need for consumer credit information in a manner that ensures “confidentiality, accuracy, relevancy, and proper utilization” of the information. Among other things, the law prohibits the disclosure of a consumer report in the absence of written consent from the consumer, unless the disclosure is made pursuant to a court order or for legitimate business purposes.
Many states have enacted laws that mirror or expand upon the above federal acts. For example, Article 250 of New York’s Penal Law prohibits intercepting or accessing electronic communications without the consent of at least one party to the communication. N.Y. Penal L. sections 250 et seq. States have also enacted privacy legislation relating to medical records and employment records. Conn. Gen. Stat. Ann. sections 13-128a et seq. One state has modified its existing privacy laws so they apply to information collected over the Internet. Va. Code Ann. § 2.1-379. Another state passed a law prohibiting gambling on the Internet to quell concerns over the kinds of information that might be exchanged to partake in such activity. 720 ILCS 5/28-1.