Contact us Today!

History of Data Privacy in the United States

The United States does not have a comprehensive law governing data collection, protection and privacy. Instead, there is a system of federal and state laws that govern particular sectors and types of personal information. The following discusses some of the important events in privacy in the United States as well as some of the key laws adopted by federal and state governments to protect privacy.

Benjamin Franklin’s Postal Service

Some of the earliest privacy measures in the United States were implemented by Benjamin Franklin, who sought to maintain privacy in mailed items during the 1700s by locking the postal carriers’ saddle bags, which were only unsealed at their destination.

Fourth Amendment

No discussion of privacy in the United States would be complete without a discussion of the Fourth Amendment of the U.S. Constitution, which offers the people the right to be secure against unreasonable searches and seizures by the Government. It developed from the notion of privacy in English common law that a person’s home is his or her castle

Although the Constitution does not specifically mention privacy, Justice William Douglas writing for a majority in the Supreme Court in Griswold v. Connecticut (1965), found that there is a right to privacy within the penumbra of rights provided through the Constitution, even though it is not specifically identified in one of the amendments.

Morse Code

The transmission of messages over the telegraph in the 1800s brought additional privacy concerns. Initially, there was a certain level of privacy because users needed to know morse code in order to understand messages sent over the telegraph. Later, users began further coding their messages with ciphers in order to encrypt them and limit surveillance of their communications.

Fair Information Practices

In the 1970s, the U.S. Department of Health, Education and Welfare proposed a set of safeguards to address the lack of protections under the law. A set of principles of privacy were set forth in the HEW Report, called Records, Computers and the Rights of Citizens: report of the Secretary’s Advisory Committee on Automated Personal Data Systems. These core practices were built upon by the Organization for Economic Cooperation and Development (OECD) when it created a set of Fair Information Practices in the OECD Guidelines on the Protection of Privacy and Transbroder Flows of Personal Data.


The Health Insurance Portability and Accountability Act is perhaps the best known privacy law in the United States. It is the primary federal law governing sensitive health information. Among other things, HIPAA regulates the use and disclosure of protected health information by covered entities such as health insurers, employer sponsored health plans and certain medical service providers. Protected health information, or PHI, is broadly interpreted to include andy part of a medical record or health care provision that can be linked to an individual.


The Family Educational Rights and Privacy Act was enacted in 1974 and covers access to school records. It provides parents and students with the right to inspect their information, request corrections, and control the disclosure of some personally identifiable information. The law applies to all schools receiving federal funds through the U.S. Department of Education.


The Children’s Online Privacy Protection Act governs the data of children under the age of thirteen. It was passed by Congress in 1998 and went into effect in April 2000. The law imposes requirements on operators of websites or online services directed to children under 13 years of age and those operators that have actual knowledge that they are collecting personal information online from a child under 13. Companies collecting such information must take a number of steps, including posting a privacy policy that identifies how personal information from children is handled, give parents direct notice of the information practices, obtain the parent’s verifiable consent before collecting/using/disclosing it, and respect parent’s subsequent requests to review data from their child or delete their child’s personal information.


The Telephone Consumer Protection Act of 1991 was a consumer protection measure against companies engaged in telemarketing. The FCC regulations impose financial penalties on commercial telemarketers for calling phone numbers on the “Do-Not-Call” registry. Although it is not an online data privacy law, it is perhaps one of the best known privacy laws in the United States.


The Federal Trade Commission is the nation’s primary enforcement agency for data privacy and security. The legal authority for its actions usually comes from Section 5 of the Federal Trade Commission Act, which prohibits unfair or deceptive practices in the marketplace. The FTC also has the ability to obtain civil monetary penalties through a number of statutes and rules implicating privacy, such as the Fair Credit Reporting Act and the Telemarketing Sales Rules. The FTC has brought enforcement actions in the past on a wide range of privacy issues, including spam, social networking, behavioral advertising, pretexting, spyware, peer-to-peer file sharing and mobile.


The California Online Privacy Protection Act of 2003, and amended in 2013, was the first state law in the United States requiring a privacy policy on the website of commercial websites and online services.


The California Electronic Communications Privacy Act requires state law enforcement to get a warrant before they can access electronic data on a device or from an online service provider. The ACLU called it a landmark victory for digital privacy when it was passed in 2015.


The Delaware Online Privacy and Protection Act, which went into effect on January 1, 2016, strictly regulates advertising directed at children, enhances the privacy protections of digital book readers, and requires conspicuous posting of privacy policies that complies with the laws mandates.

Social Media Privacy

Many states, including Utah, California, Delaware, Illinois Maryland, Michigan and New Jersey have adopted restrictions on employers with respect to social media accounts. Utah’s Internet Employment Privacy Act, for example, prohibits requests of employees or applicants to disclose user names or passwords to personal social media accounts.

Internet Service Provider Privacy

Nevada and Minnesota require internet service providers to keep certain information about their customers private. In response to the Federal Communication Commission’s repeal of restrictions on the use of data by internet service providers, many states have introduced measures to put additional restrictions on what these businesses can do with collected consumer data.

Data Disposal

Many states have enacted laws that govern the disposal of digital and paper records containing personal information. According to an article published in December 2016 on the website of the National Conference of State Legislatures, at least 32 states and Puerto Ricos have laws regarding such information to be made unreadable or undecipherable.

Data Security and Breach Disclosure

A number of states have laws requiring the protection of personal data. Arkansas’ Personal Information Protection Act, for example, requires the implementation of reasonable security procedures and practices to protect personal information against unauthorized access, disclosure, modification, use or destruction.

Edward Snowden and the NSA

It would be hard to have a discussion of the history of privacy in the U.S. without mentioning the revelations in June 2013 concerning the National Security Agency’s domestic collection of intelligence from internet and communications companies. While an employee of government contractor Booz Allen & Hamilton, Edward Snowden disclosed to the media that the NSA collected information on phone records of millions of Verizon customers daily. Snowden also revealed that the NSA had a program, called PRISM, which gave them direct access to servers at the U.S. tech companies of Google, Facebook, Apple and Microsoft.


Facebook lost more than $100 million in market capitalization in the ten days after the release of news that Cambridge Analytica collected information about more than 50 million Facebook users.

Improve Data Privacy for GDPR or CCPA with Clarip

The Clarip team and enterprise privacy management software are ready to meet your compliance automation challenges. Click here to contact us (return messages within 24 hours) or call 1-888-252-5653 to schedule a demo or speak to a member of the Clarip team.

If compliance with the California Consumer Privacy Act is your focus until 2020, ask us about our CCPA software. Handle automation of data subject access requests with our DSAR Portal, or provide the right to opt out of the sale of personal information with the consent management software.

Need to improve your GDPR compliance solution? Clarip offers modular GDPR software that can fill in gaps in your privacy program. Choose from the data mapping software for an automated solution to understanding your data collection and sharing, conduct privacy risk assessments with DPIA software, or choose the cookie consent manager for ePrivacy.

Click here to contact us (return messages within 24 hours) or call 1-888-252-5653 to schedule a demo and speak to a member of the Clarip team.

Related Content

Buying Privacy Software: The 10 Categories of Privacy Technology for Business
Privacy Management Software Tools for Compliance with GDPR and CA
CCPA Privacy Consulting
Data Privacy as a Service
GDPR Compliance Software as a Service (SaaS) Tools
GDPR Consulting Services
History of Data Privacy in the US
History of the Right to be Forgotten