Contributed By Wade, Grunberg, & Wilson
The legal grounds for protecting privacy and confidentiality in the USA are rooted in common law (including tort and contract), and state and federal privacy statutes. Much of the relevant law is a matter of state common law. Accordingly, the law across the 50 states varies.
Common Law Tort Protections
The common law in most states in the USA recognises four types of “invasion of privacy” torts, as set out here.
Contract Protections
In the USA, contracts are often used to establish and enforce obligations related to privacy and confidentiality, including the following.
In most jurisdictions, to establish a claim for breach of contract, the plaintiff must prove the following.
Beyond damages, a plaintiff may pursue injunctive relief for a breach of contract, including temporary restraining orders, preliminary injunctions, and permanent injunctions to prevent a defendant from disclosing information in violation of the parties’ agreement. Notably, temporary restraining orders and preliminary injunctions are generally unavailable under the invasion of privacy torts (described above) because they are typically deemed to violate the protection of free speech in the First Amendment of the US Constitution.
Federal Statutes
There are many federal statutes that provide protections for privacy and data, particularly for individuals. These include the following.
Some federal statutes allow for enforcement only by the government, whereas others allow individuals and companies to file civil lawsuits. For instance, the FCRA does allow a consumer to bring a lawsuit to recover damages, whereas HIPAA does not.
State Statutes
At least 20 states have statutes protecting privacy and confidentiality that mirror or go beyond federal statutes. For instance, California is generally notorious for additional regulations, including:
Many other states have proposed legislation to provide additional protection for consumer data.
Privacy remedies depend on the legal claim being pursued and the relevant jurisdiction. Two broad categories prevail: legal/monetary relief and injunctive relief.
Common Law Tort Remedies
Compensatory damages
Punitive damages
Range of damages awards
Injunctive relief
Contract Remedies
Compensatory damages
No punitive damages
Range of awards
Injunctive relief
Federal and State Statutory Remedies
Statutes of Limitations
Statutes of limitations are deadlines for filing a lawsuit.
Defences to Privacy Claims
Media Defences
In addition to the above-mentioned defences, additional defences available specifically to media defendants may include:
In some states, the “wire service defence” protects media outlets that republish content from reputable news services (eg, the Associated Press) if they had no reason to doubt the content’s accuracy and did not alter it significantly. Generally, this defence only protects negligent conduct.
The neutral reportage defence has not been widely adopted and bears little discussion.
Criminal Versus Civil Procedures
Maintaining Confidentiality and Anonymity in Court
Jurisdiction
The general rule in the USA is that each party pays its own attorney’s fees and expenses regardless of who wins or loses. This is known as the “American rule”. However, this general rule has many exceptions.
Compared to other countries, the most unusual aspect of the law in the USA is its incoherence because it varies among the 50 states and the 13 federal appellate “circuit courts”. There are many “circuit splits” in the USA, whereby the federal circuit courts disagree over the law, including whether particular state anti-SLAPP statutes are enforceable in federal courts. For instance, the Ninth Circuit enforces California’s anti-SLAPP statute, whereas the Second Circuit does not.
In the USA, a claim for defamation arises exclusively under state law and thus varies across the 50 states. That said, there are virtually universal components ‒ particularly the fundamental elements of a defamation, the existence of conditional and absolute privileges, and the US Constitutional First Amendment defences of opinion and actual malice.
Elements of Defamation
The basic elements of defamation are as follows.
False statement of fact
Defamatory
Publication to a third party
Of and concerning the plaintiff
Fault
Causation and damages
For a discussion of common law tort remedies and potential damages, see sections 1.2 Privacy Remedies and 2.1 Defamation Grounds.
For a general discussion of deadlines and defences applicable to defamation claims, see section 1.3 Privacy Deadlines and Defences.
The law regarding statutes of limitations is highly dependent on the state in which the lawsuit is filed, and the law must be carefully reviewed given the draconian repercussions for missing the deadline.
Statutes of limitations for defamation claims in the USA are among the shortest of any tort claim. Depending on the jurisdiction and whether the statement is written or oral, the deadlines may range from six months to three years ‒ with one year being the most common.
Statutes of limitation generally run from the date the defamatory statement was first made ‒ even if the plaintiff was unaware of the statement before the statute of limitation expired.
In most jurisdictions ‒ if not all ‒ the fact that a defamatory statement remains posted online does not extend the deadline – ie, it will still be calculated from the date that the statement was originally posted online.
The same can be said for a statement that remains in circulation in a book, magazine, newspaper, film or show.
However, if a new edition of a book is published, the statute of limitations would likely run from the date of the new edition.
Defamation claims in the USA are almost universally civil, as opposed to criminal.
Approximately 14 states have potentially enforceable criminal defamation statutes, but their enforcement is extremely rare. Attempts at enforcement have often failed because a given state’s statute violates the US Constitution. However, New Hampshire’s criminal defamation statute was recently upheld, and the US Supreme Court declined to review the case.
States with enforceable or potentially enforceable criminal defamation statutes include:
Criminal statutes vary greatly – they may apply to run-of-the-mill defamatory statements, or only to limited statements that impugn the financial condition of a financial institution, to name a few.
Defamation is generally considered only a misdemeanour punishable by a maximum of one year in prison, with fines up to several thousand dollars. Penalties in some states may be more serious – for example, Texas may provide for ten years imprisonment and a USD10,000 fine for certain defamatory statements about credit unions.
For further discussion of the availability of criminal remedies versus civil remedies and appropriate jurisdiction for such claims, see section 1.4 Privacy Proceedings Forum Choice.
See section 1.5 Privacy Costs.
See section 1.6 Other Features of Privacy Actions.
Federal and state laws may protect victims of harassment and stalking, including cyberstalking.
Federal and state laws generally define stalking and harassment as an unwanted course of conduct that makes the victim fear for their physical safety or, in some instances, which causes severe emotional distress.
Though some states’ laws may not have been updated to reflect the digital age, even those statutes are commonly construed broadly enough to cover electronic harassment, whereas others explicitly do so.
Course of Conduct
While single instances of severe misconduct may be sufficient, laws and courts often look for a “course of conduct” (eg, ongoing or pervasive misconduct).
True Threats
Laws may require speech that objectively subjects individuals to fear of violence and therefore has no, or at most slight, First Amendment value.
Name-calling, discriminatory speech, and insults (even extremely vulgar ones) are generally insufficient.
Mens Rea for Criminal Laws
To warrant criminal sanctions, the defendant must generally recognise the wrongful nature and likely result of their misconduct.
The US Supreme Court recently held that the First Amendment permits punishment where a person acts at least “recklessly”.
Contact
Laws may require that the defendant directed the harassing activity at the victim, as opposed to conduct directing it towards a general audience ‒ eg, a direct message to the victim, as opposed to a Facebook post to the public at large that does not tag the victim.
See 1.2 Privacy Remedies for remedies, particularly for civil remedies.
Most criminal state laws focus on restraining and/or protective orders to end the harassment.
Temporary restraining orders that last less than one month are often obtained in ex parte proceedings – ie, without notice and/or participation of the defendant.
Depending upon the severity of the misconduct, lengthy or even permanent protective orders may be available.
Criminal statues may also provide for fines and imprisonment, ranging from one-year misdemeanour sentences to decades-long sentences ‒ particularly if physical violence was involved.
Victims may also pursue civil actions to obtain protective orders to stop harassment, rather than depending on government prosecutors.
Statutes of Limitations
See sections 1.3 Privacy Deadlines and Defences and 2.3 Defamation Deadlines and Defences, including the explanation regarding the variability of statutes of limitations because of the patchwork of jurisdictions and laws.
Victims should seek relief ‒ whether criminal or civil ‒ swiftly and while the conduct is ongoing, as courts are less likely to issue protective orders if months have passed without harassment.
Defences
See 1.3 Privacy Deadlines and Defences and 2.3 Defamation Deadlines and Defences.
The First Amendment applies to harassment claims, particularly those based on speech ‒ eg, defendants may argue the speech served a legitimate public purpose or was a mere expression of opinion, rather than a true threat.
Anti-SLAPP statutes may also apply, as discussed at 1.3 Privacy Deadlines and Defences and 1.6 Other Features of Privacy Actions.
Defendants may challenge the elements of the claim ‒ for example, arguing the conduct would not reasonably be expected to place the victim in fear or to cause severe emotional distress.
Defendants may argue the victim consented to the conduct.
See 1.4 Privacy Proceedings Forum Choice, which applies to harassment proceedings.
See 1.5 Privacy Costs. Additionally, many statutes explicitly authorise a prevailing victim to recover their reasonable attorney’s fees and costs for pursuing, for example, a temporary restraining order or protective order.
Trust in traditional media in the USA is at a record low. Whether this lack of faith is well deserved can be debated. But one thing is clear, the current media market is not conducive to fostering respect for privacy, accuracy and journalistic ethics.
The traditional media is beset by pressures to create content in a 24-hour media market, while facing polarised audiences, tightening budgets, fierce competition from non-traditional media, short attention spans, plummeting viewership and dwindling profits. Many outlets are pursuing infotainment (particularly for cable outlets) and “clickbait”, where opinion is often packaged as “news” and accuracy suffers. Perceptions about existing law may also incentivise the media to prioritise attention-grabbing content over accuracy, as some members of the media perceive that their First Amendment protections and anti-SLAPP statutes make it exceedingly difficult to challenge defamatory statements. Ultimately, these factors may lead to compromises that decrease the respect for privacy and increase the transmission of false information.
Whether the traditional media can right the ship is an open question. In recent years, several traditional media defendants have settled high-profile defamation cases rather than face a jury, but it remains to be seen whether these cautionary tales will translate into greater precautions. For instance, Dominion Voting Systems obtained a USD787 million settlement against Fox News in connection with false statements regarding 2020 election fraud. And ABC paid Donald Trump USD15 million for misrepresenting the nature of the civil claims made in a defamation lawsuit against him. Ultimately, the challenges for traditional media will likely increase, and so too will the journalistic compromises.
The most influential news providers in the USA are The New York Times, the Associated Press, CNN, MSNBC and Fox News. The New York Times has traditionally been considered the “newspaper of record” ‒ ie, the authoritative source of news in the USA. This is changing, including because of the challenges cited earlier. The latter three are rooted in cable television and have more obvious political leanings that drive editorial decisions and opinion-based content, which may result in journalistic compromises.
Regulatory Framework for Defamation and Invasion of Privacy Torts
The common law legal system ‒ including claims for defamation and invasion of privacy ‒ is the primary check on the media for issues regarding reputation and for redressing personal harms to privacy. Thus, the controls are largely a function of the state civil laws discussed in 1.1 Privacy Grounds and 2.1 Defamation Grounds,which may then be enforced when a private party pursues legal remedies in a court.
This may be ineffective, as it too often depends on private parties either paying costly hourly attorney’s fees or obtaining counsel on a contingency fee basis (ie, paying the lawyer using only funds recovered in the lawsuit, if any). This results in many torts related to reputation and privacy never being remedied.
It is challenging to obtain contingency fee counsel for defamation and privacy torts because the law provides extensive protections to the media, which disincentivise plaintiffs’ lawyers from focusing on this complex area of law.
Regulatory Framework for Privacy
For privacy issues, as discussed in 1.1 Privacy Grounds, media companies are governed by both federal and state statutes that are often subject to administrative regulatory frameworks, including through the Federal Communications Commission, the Federal Trade Commission, and state regulatory agencies.
The laws and rules generally are not focused specifically on the media, but instead apply more broadly to the handling of private information and data by companies, or apply to other sectors – for example, HIPAA covers personal medical information held by the healthcare industry. Nevertheless, social media will increasingly become the subject of specific regulations.
Regulators in the USA are moderately effective, but certainly less so than in the EU, which is subject to its comprehensive General Data Protection Regulation (GDPR), including the “right to be forgotten” (whereby individuals can have their personal online data removed) and meaningful fines.
Because of the incoherent federal framework in the USA, some states are filling the gap with comprehensive data privacy laws, such as California (the CCPA), Colorado (the Colorado Privacy Act), and Virginia (the Virginia Consumer Data Protection Act), or laws to protect children (eg, the New York Child Data Protection Act).
The regulatory framework is evolving and should be closely monitored for recent changes.
Complaint Process for Defamation and Invasion of Privacy Torts
The complaint process for defamation and invasion of privacy torts is to file a lawsuit in a court of law. The sanctions range from monetary damages to injunctive relief.
Complaint Process for Privacy Regulators
Because the USA lacks a coherent regulatory framework for privacy, it lacks a coherent process for filing a complaint with a regulator (as opposed to a court) – for example, the complaint process for a person whose data is compromised in California will be far different than for a person in North Dakota.
Available sanctions vary by statute and by state. Administrative agencies that administer data privacy laws may have authority to impose civil penalties, including the imposition of fines and limiting a company’s ability to operate ‒ a process that may involve administrative proceedings. But the imposition of criminal penalties requires a criminal prosecution in a court of law, often handled by the US Department of Justice or a state’s analogous department.
In the USA, the primary legal protections for websites that host user-generated information are Section 230 of the CDA, and the Digital Millennium Copyright Act (DMCA).
CDA
Section 230 of the CDA immunises online platforms from liability for content created and posted by their users, as opposed to the content generated by the platform itself – for example, Facebook cannot be held liable for a user’s false and defamatory posts, even if Facebook is on notice of the unlawful nature of the post.
DMCA
The DMCA protects online platforms from liability for some copyright infringement by its users under certain conditions, including when a platform does the following to satisfy the DMCA’s “safe harbour”:
See 1.3 Privacy Deadlines and Defences.
The enforceability of foreign judgments in the USA is largely a function of state law, although the USA has enacted a federal law that specifically addresses defamation judgments: the Securing the Protection of our Enduring and Established Constitutional Heritage (SPEECH) Act.
SPEECH Act
The SPEECH Act allows US citizens, lawful residents and businesses to challenge defamation judgments obtained in foreign jurisdictions, including by filing a lawsuit in a federal court to have the foreign judgment declared unenforceable. A judgment is unenforceable if:
State Law for Recognising Foreign Judgments
Approximately 37 states have adopted versions of two “uniform” acts that strive to bring consistency to this area – namely, the 1962 Uniform Foreign Money Judgments Recognition Act and its successor, the 2005 Uniform Foreign-Country Money Judgments Recognition Act. The other states follow a common law approach from which many of the components of the uniform acts were derived.
The uniform acts are analogous, and the various state statutes adopting them may include the following components.
Arbitration Awards
The USA has entered into international conventions to recognise foreign arbitration awards (eg, the New York Convention and the Panama Convention). These conventions provide streamlined procedures compared to the enforcement of court judgments.
In the USA, data rights are primarily protected through various federal statutes, which regulate the securing and sharing of individual personal data. The primary federal statutes are described and discussed in 1.1 Privacy Grounds and include HIPAA, the FCRA, the GLBA, COPPA, FERPA, the ECPA and the SCA.
The federal statutes generally apply by sector to specific types of data – for example, HIPAA applies to health care information, whereas the FCRA applies to data collected by consumer credit reporting agencies. Each statute establishes different requirements for the various types of data being protected.
Additionally, at least 20 states have enacted comprehensive laws establishing protections for data rights that exceed the protections afforded by federal statutes, and all states have at least basic laws governing security breaches relating to individual consumer data. These statutes vary greatly among the states.
Data protection statutes require entities to provide notification, either to individuals, the government or both, following a breach of personal consumer data. Certain statutes also provide requirements for minimising the impact of such breaches, such as notifying credit agencies.
Remedies available for violations of data privacy laws differ depending on which statute is being enforced and whether the statute is a federal or a state law. The civil penalties generally involve compensatory damages, fines or injunctions, with many statutes establishing specific fines for violations. Criminal penalties may involve fines or imprisonment. These remedies are discussed in more detail in 1.2 Privacy Remedies and the regulatory procedures are addressed in more detail in 4.2 Regulatory Framework.
The deadlines for filing actions under data privacy laws vary depending on the law being enforced and whether the action is civil or criminal. For government enforcement actions seeking civil penalties, the general federal statute of limitations is five years from the date of the violation. Under many state data privacy laws, the deadline for filing such a claim may be extended so that it begins to run only when the data breach is actually discovered.
There are a number of possible defences to a claim for violation of data privacy laws, including:
For a discussion of criminal versus civil procedures and jurisdictional requirements for data privacy claims, see 1.4 Privacy Proceedings Forum Choice.
For a discussion of the US rule and the possibility of fee-shifting in data privacy cases, see 1.5 Privacy Costs.
729 Piedmont Avenue NE
Atlanta
GA 30308
USA
+1 404 600 1153
+1 470 970 4303
info@wgwlawfirm.com www.wgwlawfirm.com