
Lesson 02 of 25

The Structure of U.S. Privacy Law: Sectoral, Not Omnibus

5 min read · CIPP/US

The single idea behind the whole exam: the U.S. regulates privacy sector by sector and state by state, not under one law. Learn the five sources of law, the four privacy torts, and the Fair Information Practices that run through every statute.

Where U.S. law comes from

  • Constitutions — federal and state
  • Statutes — Congress and state legislatures
  • Regulations — agencies (FTC, HHS, FCC, CFPB)
  • Common law — court decisions, including privacy torts
  • Self-regulation — industry codes, contracts

Before any single privacy law, the exam wants you to know where U.S. law comes from at all, because the answer to a question often turns on the type of law involved.

There are five sources. First, constitutions, federal and state, which set outer limits, especially the Fourth Amendment's protection against unreasonable government search. Second, statutes passed by Congress and by the fifty state legislatures.

Third, regulations, the detailed rules that agencies like the FTC, Health and Human Services (HHS), the FCC, and the Consumer Financial Protection Bureau (CFPB) write to implement those statutes. Fourth, common law, the body of judge-made law built case by case, including the privacy torts. And fifth, self-regulation, the industry codes and contracts that fill gaps where no statute reaches.

Keep those five buckets in mind; the exam loves to ask which one is doing the work.

Sectoral, not omnibus — the defining trait

  • No single U.S. privacy statute
  • Regulated by industry sector and by data type
  • Gaps filled by FTC Section 5 and by state law
  • Contrast: EU GDPR covers nearly all processing

Now the defining trait, and we'll keep returning to it. The U.S. has no omnibus privacy law. It regulates sector by sector and data type by data type. Health data has HIPAA. Financial data has Gramm-Leach-Bliley. Credit data has the Fair Credit Reporting Act. Children's online data has COPPA.

Where no sectoral statute reaches, two things fill the gap: the FTC's general authority over unfair and deceptive practices, and the growing body of state law. Compare this to the EU, where the GDPR covers nearly all processing of personal data under one regime. The exam will hand you a fact pattern and expect you to identify which sectoral law, if any, governs, and to recognize when the answer is none, so the FTC or a state law steps in instead.

The four privacy torts

  • Intrusion upon seclusion
  • Public disclosure of private facts
  • False light
  • Appropriation of name or likeness
  • Source: Restatement (Second) of Torts § 652

Common law gives us the four privacy torts, drawn from the Restatement (Second) of Torts § 652, and the exam expects you to recognize each by its facts. Intrusion upon seclusion is prying into someone's private space or affairs, like secretly recording a private conversation. Public disclosure of private facts is publicizing true but private information that a reasonable person would find offensive and that isn't newsworthy.

False light is portraying someone misleadingly, close cousin to defamation. And appropriation is using a person's name or likeness for commercial gain without consent. When a scenario has no obvious statute but someone's personal life was invaded, think torts, and match the facts to the right one of the four.

Fair Information Practices — the DNA of privacy law

  • Notice, choice, access, accuracy, security, accountability
  • Rooted in the 1970s and the OECD Guidelines
  • FTC's FIPs shape U.S. notice-and-choice
  • Underlie GLBA, HIPAA, COPPA, and state laws

Underneath nearly every privacy statute sit the Fair Information Practice Principles, the FIPs, and the exam treats them as foundational DNA. They trace back to a 1970s U.S. government report and the OECD Guidelines, and the FTC built its own version. The core ideas: give people notice of what you collect, offer them choice over its use, let them access and correct it, keep it accurate, secure it, and hold yourself accountable. When you read GLBA's notice-and-opt-out, HIPAA's patient rights, COPPA's parental consent, or a state law's access-and-deletion rights, you're seeing FIPs in different costumes.

The U.S. leans especially on notice and choice, sometimes called notice-and-choice, which is why broken notices become FTC deception cases.

A worked example: the same data, three regimes

  • A clinic's records → HIPAA (covered entity)
  • A fitness app's heart-rate data → not HIPAA; FTC + state law
  • A bank's account balances → GLBA, not HIPAA
  • The label depends on actor and sector, not the data alone

Let's see the sectoral pattern in action, because one fact can change everything. Imagine the same kind of information, a person's health status, in three settings. In a doctor's office, the record is held by a covered entity, so HIPAA governs it.

In a consumer fitness app that tracks heart rate, that same health-adjacent data is usually outside HIPAA entirely, because the app isn't a covered entity, so the FTC and a growing set of state consumer-health-data laws step in instead. And if a bank's file shows a customer's account balances, that's financial data under Gramm-Leach-Bliley, not health data at all. Notice that the data type alone didn't decide the rule; the actor and the sector did.

That's the whole reason the triage habit matters, and it's why the exam can make a question turn on who is holding the data rather than what the data says.

Exam reasoning: the triage habit

  • Step 1 — which sector / data type?
  • Step 2 — which actor (covered entity, FI, employer)?
  • Step 3 — federal statute, state law, FTC, or tort?
  • Distractor: applying GDPR concepts to a U.S. fact pattern

Let's turn this into an exam habit. For each scenario, triage in three steps. First, what sector or data type is involved: health, financial, credit, education, children, marketing? Second, who is the actor: a HIPAA covered entity, a financial institution, an employer, a website operator? Third, what kind of law governs: a federal sectoral statute, a state comprehensive law, the FTC's Section 5 authority, or a common-law tort?

A favorite distractor drops a GDPR-flavored concept, like a lawful basis or a data protection officer, into a U.S. question to see if you'll reach for the European answer. Don't. In a U.S. fact pattern, the sectoral-and-state map is the right one.

Run the triage, and the rest of this course fills in each branch. Now go test yourself, then on to enforcement.

Sources

  • U.S. Constitution (Fourth Amendment)
  • Restatement (Second) of Torts §§ 652A–652E (privacy torts)
  • OECD Fair Information Practice Principles
  • FTC Fair Information Practice Principles
  • IAPP CIPP/US Body of Knowledge, Domain I.A (Structure of U.S. Law)

Test your knowledge

A few CIPP/US questions on this material.

  1. Under the GLBA Privacy Rule, a financial institution must give consumers the ability to do what before it shares their nonpublic personal information with nonaffiliated third parties (outside permitted exceptions)?

  2. An employer wants to obtain a background check from a consumer reporting agency on a job applicant. Under the FCRA, before taking adverse action based on that report, the employer must first:

  3. FERPA rights over a student's education records generally transfer from the parent to the student when the student:

  4. Which practice most clearly requires prior express WRITTEN consent under the TCPA?
