US Federal Privacy & Surveillance Laws
The sector-specific patchwork that governs American data
Overview
The United States has no single, comprehensive federal privacy law. Unlike the European Union’s General Data Protection Regulation (GDPR), which provides a unified framework for all personal data processing, American privacy law is a sector-specific patchwork of statutes enacted over five decades, each targeting a particular industry, data type, or government activity.
This approach means that your medical records are protected by one law (HIPAA), your credit report by another (FCRA), your children’s online data by yet another (COPPA), and your email by still another (ECPA), while vast categories of personal data collected by technology companies, data brokers, and advertisers fall into gaps where no specific federal statute applies. In those gaps, the Federal Trade Commission’s general authority over “unfair or deceptive” business practices under Section 5 of the FTC Act serves as the de facto federal privacy law, enforced through case-by-case consent orders rather than statutory mandates.[1]
On the surveillance side, the legal framework is equally fragmented. The Foreign Intelligence Surveillance Act (FISA) governs intelligence gathering, while the Electronic Communications Privacy Act (ECPA) addresses law enforcement access to communications. Executive Order 12333 governs the intelligence collection that falls outside FISA’s statutory framework, chiefly collection conducted abroad, and that collection is subject to executive-branch rules rather than judicial oversight; it accounts for the bulk of NSA collection. The tension between national security and civil liberties has produced a constantly evolving body of law shaped by congressional reauthorizations, secret court opinions, and landmark Supreme Court decisions.
As of February 2026, twenty states have enacted their own comprehensive consumer privacy laws to fill the federal vacuum,[2] and the prospect of a unified federal privacy statute remains elusive despite repeated legislative attempts. This page catalogs every major federal privacy and surveillance law currently in effect, along with pending legislation and the agencies responsible for enforcement.
General Privacy Laws
Privacy Act of 1974
Citation: 5 U.S.C. § 552a | Enacted: 1974 (Pub. L. No. 93-579) | Amended: Computer Matching and Privacy Protection Act of 1988 (Pub. L. No. 100-503); Computer Matching and Privacy Protection Amendments of 1990 (Pub. L. No. 101-508)
The Privacy Act of 1974 establishes a Code of Fair Information Practice governing the collection, maintenance, use, and dissemination of personally identifiable information maintained in federal agency systems of records.[3] It prohibits disclosure of individual records without the written consent of the individual, subject to twelve statutory exceptions (5 U.S.C. § 552a(b)(1)–(12)): agency employees with a need to know, disclosures required by FOIA, “routine uses” compatible with the purpose of the original collection, the Census Bureau, statistical research in non-identifiable form, the National Archives, law enforcement requests, compelling health and safety circumstances, Congress, the GAO, court orders, and consumer reporting agencies for debt collection.
The Act requires agencies to publish System of Records Notices (SORNs) in the Federal Register and grants individuals the right to access and request amendment of their records. The 1988 Computer Matching Act added procedural requirements for automated matching programs, Data Integrity Boards, and due process protections before government benefits can be denied based on matching results.[3]
Scope: Federal government agencies only. Does not apply to state or local governments or the private sector.
Penalties: Civil suits may recover actual damages (minimum $1,000 statutory damages after proving some actual harm) plus court costs and attorney fees for intentional or willful violations. Criminal penalties include fines up to $5,000 for willful unauthorized disclosure by government officers or employees (misdemeanor).[3]
Key case law: In Doe v. Chao, 540 U.S. 614 (2004), the Supreme Court held that plaintiffs must prove some actual damages to qualify for the $1,000 minimum statutory award.[4] In FAA v. Cooper, 566 U.S. 284 (2012), the Court held 5–3 that “actual damages” does not include mental or emotional distress; only pecuniary (economic) loss qualifies, because the Act’s waiver of sovereign immunity must be construed narrowly.[4]
Known weaknesses: The broad “routine use” exception allows significant inter-agency data sharing. There is no centralized enforcement mechanism; individuals must sue agency by agency. Damages are available only for “intentional or willful” violations. Intelligence and law enforcement agencies may exempt their systems of records from many of the Act’s requirements. And after Cooper, a plaintiff who suffers only emotional distress recovers nothing.
Freedom of Information Act (FOIA)
Citation: 5 U.S.C. § 552 | Enacted: 1966 | Major amendments: 1974, 1986, 1996 (E-FOIA), 2007 (OPEN Government Act), 2016 (FOIA Improvement Act)
While FOIA is primarily a transparency law, it has critical privacy dimensions. Exemption 6 protects information whose disclosure would constitute a “clearly unwarranted invasion of personal privacy.” Exemption 7(C) protects personal information compiled for law enforcement purposes.[5]
The Privacy Act and FOIA interact in an important way: agencies cannot discretionarily release Privacy Act-protected records through FOIA unless FOIA requires disclosure (i.e., no FOIA exemption applies). First-party requests (individuals seeking their own records) receive the “greatest access” standard, meaning records can only be withheld if both a Privacy Act exemption and a FOIA exemption apply. Third-party requests for Privacy Act records are processed only under FOIA, since third parties have no right of access under the Privacy Act.[5]
Financial Privacy
Gramm-Leach-Bliley Act (GLBA, 1999)
Citation: Pub. L. No. 106-102 | Enacted: 1999 | Major updates: FTC Safeguards Rule substantially amended 2021 (effective June 2023); breach notification requirement added October 2023 (effective May 13, 2024)
The Gramm-Leach-Bliley Act contains three core privacy and security components:[6]
Financial Privacy Rule (Regulation P): Requires financial institutions to provide initial and annual privacy notices explaining what nonpublic personal information (NPI) they collect, how it may be shared, and with whom. Customers must be given the right to opt out of sharing NPI with certain nonaffiliated third parties.
Safeguards Rule: Requires financial institutions to implement a comprehensive written information security program. As of the 2021 amendments (fully effective June 2023), this includes designating a qualified individual to oversee the program, conducting written risk assessments, implementing access controls, encryption of customer information in transit and at rest (or an approved compensating control), multi-factor authentication for anyone accessing customer information, either continuous monitoring or annual penetration testing plus semi-annual vulnerability assessments, a written incident response plan, and annual reporting to the board of directors. Institutions holding information on fewer than 5,000 consumers are exempt from several of these elements (the written risk assessment, continuous monitoring or testing, the written incident response plan, and the annual board report). Separately, as of May 13, 2024, a “notification event” in which unencrypted customer information of 500 or more consumers is acquired without authorization must be reported to the FTC as soon as possible and no later than 30 days after discovery.[6]
Pretexting Rule: Prohibits obtaining customer financial information through false pretenses, forged documents, or impersonation. Makes it a crime to request a third party to fraudulently obtain customer information.
Scope: “Financial institutions” is broadly defined to include banks, securities firms, insurance companies, mortgage brokers, payday lenders, auto dealers, tax preparers, real estate appraisers, and entities “significantly engaged” in financial activities.
Enforcement: FTC (non-bank financial institutions), CFPB, OCC, FDIC, Federal Reserve, SEC, state insurance regulators, and state attorneys general.
Penalties: Civil penalties up to $100,000 per violation for institutions and up to $10,000 per violation for individual directors and officers. Criminal penalties for pretexting include fines up to $50,000 and up to 5 years imprisonment.[6]
Fair Credit Reporting Act (FCRA, 1970)
Citation: 15 U.S.C. § 1681 et seq. | Enacted: 1970 (Pub. L. No. 91-508) | Major amendments: Fair and Accurate Credit Transactions Act (FACTA, 2003); Dodd-Frank Act (2010, transferred primary enforcement to CFPB)
The FCRA regulates the collection, dissemination, and use of consumer credit information.[7] Consumer reporting agencies (CRAs) must follow “reasonable procedures” to ensure maximum possible accuracy. FACTA entitles consumers to one free credit report per year from each nationwide CRA via AnnualCreditReport.com; since 2023 the three nationwide CRAs have made free reports available weekly through the same site. Consumers may dispute inaccurate information, and CRAs must investigate and correct or delete inaccurate data, generally within 30 days.
The FCRA limits who can access credit reports to those with a “permissible purpose”, including credit decisions, employment screening with consent, insurance underwriting, and other specified uses. Employers must get written consent before obtaining a consumer report and must provide adverse action notices. Furnishers (entities providing data to CRAs) must investigate disputes and correct inaccuracies.[7]
Scope: Consumer reporting agencies (Equifax, Experian, TransUnion, specialty CRAs), furnishers of information (creditors, collection agencies), and users of consumer reports (employers, lenders, landlords, insurers).
Enforcement: CFPB (primary), FTC, state attorneys general.
Penalties: Willful non-compliance carries statutory damages of $100 to $1,000 per violation without proving actual harm, plus punitive damages and attorney fees. Negligent non-compliance allows recovery of actual damages plus attorney fees. Government enforcement can seek up to $5,000 per willful violation. Criminal penalties include fines and up to 2 years imprisonment for knowingly obtaining a consumer report under false pretenses.[7]
Notable enforcement: The Equifax Data Breach Settlement (2019) resulted in at least $575 million (up to $700 million) paid by Equifax to the FTC, CFPB, and 48 states plus the District of Columbia and Puerto Rico over the 2017 breach affecting 147 million people, including a $100 million CFPB civil penalty.[8] In January 2025, the CFPB issued an order finding Equifax violated the FCRA by failing to properly reinvestigate disputes, and separately filed a lawsuit against Experian for FCRA violations. The CFPB also finalized a rule in January 2025 prohibiting medical debt on credit reports, which would have removed approximately $49 billion in medical bills from the reports of 15 million Americans (the CFPB withdrew several FCRA-related guidance documents in May 2025).[9]
Right to Financial Privacy Act (RFPA, 1978)
Citation: 12 U.S.C. § 3401 et seq. | Enacted: 1978 (Pub. L. No. 95-630, Title XI) | Amended: USA PATRIOT Act (2001, expanded access without customer notice for law enforcement and intelligence activities)
The RFPA was enacted as a direct response to United States v. Miller, 425 U.S. 435 (1976), where the Supreme Court held that bank customers have no Fourth Amendment expectation of privacy in records held by their financial institutions. The Act supplies, by statute, the notice-and-challenge protections for bank records that Miller held the Constitution does not require.[10]
It generally requires federal government agencies to provide individuals with written notice and an opportunity to object before a financial institution can disclose personal financial records. Notice must explain why records are being sought and the steps the customer can follow to challenge the request. Financial institutions may not release records until the government certifies compliance with the Act and must maintain records of all disclosures to government authorities.[10]
Five methods for lawful access: customer authorization, administrative subpoena, judicial subpoena, search warrant, or formal written request.
Scope: Federal government agencies seeking financial records from financial institutions. Does not apply to state or local government access, private litigation, or disclosures between private parties.
Penalties: Actual damages, $100 minimum statutory damages per violation, reasonable attorney fees and court costs, and punitive damages for willful or intentional violations.[10]
Health Privacy
HIPAA (1996)
Citation: Pub. L. No. 104-191 | Enacted: 1996 | Privacy Rule effective: April 2003 | Security Rule effective: April 2005 | Amended: HITECH Act (2009); Omnibus Rule (2013); proposed Security Rule update (NPRM published January 6, 2025)
The Health Insurance Portability and Accountability Act established national standards for the protection of individually identifiable health information, known as Protected Health Information (PHI).[11]
Privacy Rule (45 CFR Part 164, Subpart E): Permits use and disclosure of PHI without patient authorization for treatment, payment, and healthcare operations (TPO). Requires written authorization for most other uses. Grants patients the right to access their health records, request amendments, receive an accounting of disclosures, and request restrictions. Requires covered entities to designate a privacy officer, train workforce members, and implement administrative safeguards. Establishes the “minimum necessary” standard, meaning entities should use or disclose only the minimum PHI needed for a given purpose.[11]
Security Rule (45 CFR Part 164, Subpart C): Requires covered entities and business associates to implement administrative, physical, and technical safeguards to protect electronic PHI (ePHI). Requires risk analysis and risk management. Currently distinguishes between “required” and “addressable” implementation specifications (a proposed 2025 NPRM would eliminate this distinction and make all specifications required).[12]
Breach Notification Rule (45 CFR Part 164, Subpart D): Added by the HITECH Act (2009) and finalized in the 2013 Omnibus Rule. Requires covered entities to notify affected individuals without unreasonable delay and no later than 60 calendar days after discovering a breach of unsecured PHI (PHI that is not encrypted or destroyed per HHS guidance). Breaches affecting 500 or more individuals must be reported to HHS at the same time, and when 500 or more residents of a state or jurisdiction are affected, to prominent media outlets serving that area. Smaller breaches must be logged and reported to HHS within 60 days after the end of the calendar year in which they were discovered. Business associates must notify the covered entity, which then carries out the notifications.[11]
Scope: Covered entities (health plans, healthcare clearinghouses, healthcare providers who transmit health information electronically) and business associates (entities that perform functions involving access to PHI on behalf of covered entities, such as billing companies, cloud hosting providers, attorneys, and consultants). Does not apply to employers (in their capacity as employers), life insurers, schools, law enforcement, or entities that do not meet the covered entity or business associate definition.[11]
Enforcement: HHS Office for Civil Rights (OCR); DOJ for criminal violations; state attorneys general (since HITECH).
Penalties (2025 inflation-adjusted amounts):[13]
- Tier 1 (No knowledge): $145 to $73,011 per violation; annual cap up to $2,190,294
- Tier 2 (Reasonable cause): $1,461 to $73,011 per violation; annual cap up to $2,190,294
- Tier 3 (Willful neglect, corrected within 30 days): $14,602 to $73,011 per violation; annual cap up to $2,190,294
- Tier 4 (Willful neglect, not corrected): $73,011 to $2,190,294 per violation; annual cap up to $2,190,294
- Criminal (DOJ): Up to $50,000 fine and 1 year imprisonment for knowing violations; up to $100,000 and 5 years for violations under false pretenses; up to $250,000 and 10 years for violations with intent to sell, transfer, or use PHI for commercial advantage, personal gain, or malicious harm
Notable enforcement: Anthem Inc. – $16 million (2018), the largest HIPAA settlement ever, for a breach affecting nearly 79 million individuals.[14] Premera Blue Cross – $6.85 million (2020), second-largest, for a breach affecting 10.4 million people where malware went undetected for 9 months. Montefiore Medical Center – $4.75 million (February 2024), where an employee stole and sold patient data affecting 12,517 individuals. In 2024, 22 investigations resulted in civil monetary penalties or settlements totaling $9,436,346. OCR ended 2025 with 21 settlements and civil monetary penalties, the second-highest annual total to date.[14]
Proposed 2025 Security Rule update: Published in the Federal Register on January 6, 2025, the NPRM would eliminate the “required” versus “addressable” distinction, mandate multi-factor authentication for all ePHI access, require written verification of business associate technical safeguards every 12 months, and set a 180-day compliance deadline after the final rule. Over 4,000 comments were received by the March 7, 2025 deadline. The rule’s fate under the current administration remains uncertain.[12]
HITECH Act (2009)
Citation: Pub. L. No. 111-5 (part of the American Recovery and Reinvestment Act) | Enacted: 2009
The Health Information Technology for Economic and Clinical Health Act fundamentally strengthened HIPAA enforcement.[15] Key changes:
- Established the four-tier penalty structure, replacing the previous maximum of $100 per violation / $25,000 annual cap with penalties reaching $50,000 per violation and $1,500,000 per year for willful neglect
- Extended HIPAA Security Rule and certain Privacy Rule provisions directly to business associates (previously only bound contractually through BAAs)
- Created the Breach Notification Rule requiring notification of breaches of unsecured PHI
- Authorized state attorneys general to bring civil actions to enforce HIPAA
- Required HHS to conduct periodic audits of covered entities and business associates
- Prohibited the sale of PHI without patient authorization
- Required HHS to publicly post breaches affecting 500 or more individuals (the “Wall of Shame”)
42 CFR Part 2 (Substance Abuse Records)
Authority: Comprehensive Alcohol Abuse and Alcoholism Prevention, Treatment, and Rehabilitation Act of 1970; Drug Abuse Prevention, Treatment, and Rehabilitation Act of 1972 | Major 2024 update: Final rule published February 16, 2024 (effective April 16, 2024; compliance date February 16, 2026)
42 CFR Part 2 provides stricter privacy protections for substance use disorder (SUD) treatment records than HIPAA.[16] Historically, it required specific written patient consent for each disclosure of SUD records, even for treatment, payment, and healthcare operations. SUD records could not be used in criminal proceedings against the patient and recipients were prohibited from re-disclosing them.
2024 final rule changes (compliance date February 16, 2026): The rule now allows a single, broad consent for all future uses and disclosures for treatment, payment, and healthcare operations, aligning more closely with HIPAA. It expressly states that segregating Part 2 records from general medical records is not required. A new category of “SUD counseling notes,” the Part 2 analogue of HIPAA psychotherapy notes, requires specific consent separate from the broad TPO consent. Enforcement has been aligned with HIPAA’s civil and criminal penalty structure, and Part 2 programs must follow HIPAA-style breach notification.[16]
Scope: Federally assisted SUD treatment programs (receiving any federal assistance including tax-exempt status, Medicare/Medicaid reimbursement, or direct federal funding) and any person who receives SUD records from such a program.
Children’s Privacy
COPPA (1998)
Citation: 15 U.S.C. §§ 6501–6506 | Enacted: 1998; FTC COPPA Rule effective April 21, 2000 | Amended: 2013 Rule amendments (expanded definition of personal information to include geolocation, photos, videos, persistent identifiers); 2025 Rule amendments (published April 22, 2025; effective June 23, 2025; compliance deadline April 22, 2026)
The Children’s Online Privacy Protection Act applies to operators of websites and online services directed at children under 13, or operators with actual knowledge they are collecting information from children under 13.[17] Operators must post a clear, comprehensive privacy policy, obtain verifiable parental consent before collecting, using, or disclosing personal information from children, give parents the right to review, delete, and refuse further collection, implement reasonable data security measures, and refrain from conditioning a child’s participation on disclosing more information than reasonably necessary.
2025 Rule amendments: The FTC’s revised COPPA Rule expands the definition of personal information to include biometric and government-issued identifiers. Operators must now obtain separate verifiable parental consent specifically for disclosing children’s data to third parties. Operators must establish a written information security program with designated coordinators, annual risk assessments, and annual evaluations. FTC-approved Safe Harbor programs must publicly disclose membership lists. Operators have until April 22, 2026 to comply.[18]
Scope: Commercial websites, online services, apps, connected toys, and IoT devices directed at children under 13, or with actual knowledge of collecting data from children under 13.
Enforcement: FTC (exclusively at the federal level); state attorneys general can also enforce.
Penalties: Civil penalties up to $53,088 per violation (2025 inflation-adjusted amount).[17]
Notable enforcement: Epic Games (Fortnite) – $275 million (December 2022), the largest-ever COPPA penalty, part of a combined $520 million FTC settlement. Epic collected data from children without parental consent and enabled live, on-by-default voice and text communications matching children with strangers.[19] Google/YouTube – $170 million (2019), for illegally collecting personal information from children through tracking cookies to serve targeted ads on child-directed channels ($136 million FTC penalty plus $34 million to New York State). Amazon (Alexa) – $25 million (May 2023), for retaining voice recordings and geolocation data from children despite parent deletion requests. Genshin Impact developer – $20 million (January 2025) for COPPA violations related to loot boxes.[17]
FERPA (1974)
Citation: 20 U.S.C. § 1232g; 34 CFR Part 99 | Enacted: 1974 (Pub. L. No. 93-380, § 513; also known as the Buckley Amendment)
The Family Educational Rights and Privacy Act protects the privacy of student education records at educational institutions receiving federal funding.[20] Parents have the right to inspect and review their children’s education records, request amendments to records they believe are inaccurate, and exercise some control over the disclosure of personally identifiable information. When a student turns 18 or enters a postsecondary institution, rights transfer from parents to the student.
FERPA generally prohibits disclosure of education records without written consent, with exceptions for school officials with legitimate educational interest, transferring schools, certain officials for audit or evaluation purposes, financial aid purposes, accrediting organizations, judicial orders, health and safety emergencies, and “directory information” where the school has given public notice and parents or students have not opted out.[20]
Scope: All educational institutions (K–12 and postsecondary) receiving any federal funding, virtually all public schools and the vast majority of private institutions.
Enforcement: Department of Education, Student Privacy Policy Office (SPPO).
Penalties: The sole statutory penalty is withdrawal of all federal funding, an “all or nothing” approach so severe that the Department of Education has never imposed it. In Gonzaga University v. Doe, 536 U.S. 273 (2002), the Supreme Court held that students may not file a Section 1983 civil rights action for FERPA violations because the statute does not create individually enforceable rights. In practice, SPPO investigates complaints and works with institutions on voluntary corrective action. Complaints must be filed within 180 days of the alleged violation.[20]
Recent activity: In March 2025, SPPO launched FERPA investigations of California and Maine state education agencies, primarily relating to parent rights to access education records related to gender identity of their children.[21]
Communications Privacy
Electronic Communications Privacy Act (ECPA, 1986) / Stored Communications Act (SCA)
Citation: Pub. L. No. 99-508 | Enacted: 1986 | Three titles: Title I (Federal Wiretap Act, 18 U.S.C. §§ 2510–2522), Title II (Stored Communications Act, 18 U.S.C. §§ 2701–2712), Title III (Pen Register Act, 18 U.S.C. §§ 3121–3127)
The ECPA is the principal federal statute governing electronic communications privacy.[22] Title I protects wire, oral, and electronic communications from real-time interception. Title II (the Stored Communications Act) protects stored electronic communications. Title III governs collection of metadata (numbers dialed, routing information).
The SCA establishes a tiered framework for government access to stored content: communications held in electronic storage for 180 days or less require a warrant based on probable cause, while communications stored more than 180 days (the notorious “180-day rule”) are, on the face of the statute, obtainable with a subpoena or a § 2703(d) court order (a lower standard) plus notice to the subscriber. This distinction, written in 1986 when email storage was expensive and temporary, is described by privacy scholars as arbitrary and outdated in the era of cloud computing. In United States v. Warshak, 631 F.3d 266 (6th Cir. 2010), the Sixth Circuit held that the Fourth Amendment requires a warrant for email content regardless of age, and federal prosecutors have generally sought warrants for all content since.[22]
Scope: Anyone who intercepts or accesses electronic communications without authorization; government agencies seeking access; electronic communication service providers.
Enforcement: Criminal prosecution by DOJ; private right of action for victims.
Penalties: Criminal penalties under the Wiretap Act include up to 5 years imprisonment and fines up to $250,000 for individuals ($500,000 for organizations). Civil remedies under the Wiretap Act are the greater of actual damages or statutory damages of $100 per day of violation or $10,000, plus punitive damages and attorney fees; under the SCA, actual damages with a $1,000 minimum, plus punitive damages and attorney fees. The Wiretap Act’s statutory suppression remedy (18 U.S.C. § 2515) bars use of unlawfully intercepted wire and oral communications as evidence, but by its terms does not extend to electronic communications such as email, so suppression of those depends on the Fourth Amendment.[22]
Landmark case: Carpenter v. United States, 585 U.S. 296 (2018) – the Supreme Court held 5–4 that law enforcement must obtain a warrant to access historical cell-site location information (CSLI), even though it is held by a third party. Chief Justice Roberts wrote that CSLI is “detailed, encyclopedic, and effortlessly compiled,” requiring Fourth Amendment warrant protection. This decision significantly limited the third-party doctrine for digital records, though the Court declined to overrule Smith v. Maryland or United States v. Miller and emphasized the holding was narrow.[23]
Reform status: Despite bipartisan reform efforts spanning over a decade (the Email Privacy Act passed the House in 2016 and 2017 but stalled in the Senate), Congress has not amended ECPA to eliminate the 180-day distinction. Courts have largely required warrants for all content after Warshak, and Carpenter extended warrant protection to historical location records, but the statute itself remains unchanged.[22]
Telephone Consumer Protection Act (TCPA, 1991)
Citation: 47 U.S.C. § 227 | Enacted: 1991 (Pub. L. No. 102-243)
The TCPA restricts telemarketing calls, autodialed calls, prerecorded or artificial voice calls, unsolicited faxes, and text messages.[24] It requires prior express consent for autodialed or prerecorded calls to cell phones, prior express written consent for telemarketing calls using autodialers or prerecorded voices, and established the National Do Not Call Registry (managed by the FTC). Calling is restricted to between 8 AM and 9 PM local time.
Recent developments: In February 2024, the FCC declared that AI-generated voices constitute an “artificial or prerecorded voice” under the TCPA, so calls using them require prior express consent. New opt-out rules effective April 11, 2025 require callers to honor revocation of consent made by any reasonable means and to process opt-out requests within 10 business days. However, the FCC’s “one-to-one consent” rule for lead-generated calls was vacated by the Eleventh Circuit on January 24, 2025 in Insurance Marketing Coalition v. FCC, which, citing Loper Bright, held that the FCC had exceeded its statutory authority.[25]
Enforcement: FCC, FTC, state attorneys general, and a powerful private right of action.
Penalties: $500 per violation, per call or text, per class member (no requirement to prove actual injury). Willful or knowing violations carry treble damages of up to $1,500 per violation. There is no cap on aggregate damages, creating substantial aggregate liability.[24]
Notable enforcement: Dish Network – $280 million (June 2017), the largest TCPA judgment ever, for tens of millions of unlawful telemarketing calls made by Dish and its retailers. The FCC proposed a $6 million fine in 2024 against the consultant responsible for AI-generated Biden impersonation robocalls to New Hampshire voters. In June 2025, the Supreme Court in McLaughlin Chiropractic Associates v. McKesson Corp. held that district courts are not bound by the FCC’s interpretations of the TCPA in private enforcement suits, opening decades of FCC orders to new challenges. TCPA litigation surged nearly 95% in 2025 compared to the prior year, with class action filings spiking 285% in September 2025.[25]
CAN-SPAM Act (2003)
Citation: 15 U.S.C. § 7701 et seq. | Enacted: 2003 (Pub. L. No. 108-187)
The Controlling the Assault of Non-Solicited Pornography and Marketing Act established the first national standards for commercial email. Notably, it does not ban spam but sets requirements: commercial emails must not use deceptive subject lines or false header information, must identify the message as an advertisement, must include a valid physical postal address, must include a clear opt-out mechanism, and must honor opt-out requests within 10 business days.[26]
Scope: Anyone sending commercial electronic mail messages (business-to-consumer and business-to-business).
Enforcement: FTC (primary), DOJ (criminal), state attorneys general, ISPs. No private right of action for individual consumers.
Penalties: Civil penalties up to $53,088 per violating email (2025 adjusted amount), with each separate email constituting a separate violation. Criminal penalties include fines and up to 1 year imprisonment for general violations, or up to 5 years for aggravated violations (dictionary attacks, automated account creation, unauthorized relay of spam).[26]
Notable enforcement: Verkada – $2.95 million (2024), the largest CAN-SPAM penalty ever, for sending 30 million emails over three years without unsubscribe options or physical addresses. Experian – $650,000 (2023) for failing to provide opt-out options. Nicholas Tombros was the first person convicted under CAN-SPAM (guilty plea in 2004), sentenced to 3 years probation and a $10,000 fine. The FTC has brought approximately 169 spam-related cases since 1999, before and after the Act’s passage.[26]
Criticism: CAN-SPAM preempts potentially stronger state anti-spam laws, provides no private right of action, and is criticized as too weak because it does not require opt-in consent.
Cable Communications Policy Act (1984)
Citation: 47 U.S.C. § 551 | Enacted: 1984 (Pub. L. No. 98-549) | Amended: Cable Television Consumer Protection and Competition Act of 1992; Telecommunications Act of 1996
Section 551 requires cable operators to provide subscribers with written notice at the time of entering service and annually regarding the types of personally identifiable information collected, how it may be used, disclosures that may be made, retention periods, and subscriber access and correction rights. Cable operators are prohibited from using the cable system to collect PII without subscriber consent (except information necessary to provide service or detect unauthorized reception) and from disclosing PII without prior written or electronic consent.[27]
Government entities may obtain subscriber PII only through a court order based on clear and convincing evidence of criminal activity, with the subscriber afforded an opportunity to contest. Cable operators must destroy PII when it is no longer needed for the purpose for which it was collected.[27]
Penalties: Section 551 provides a private right of action in federal court for actual damages, but not less than liquidated damages of $100 per day of violation or $1,000, whichever is higher, plus punitive damages and reasonable attorney fees. Section 551 itself carries no criminal penalty; the fines of up to $50,000 and up to 2 years imprisonment sometimes cited alongside it arise under 47 U.S.C. § 553, which punishes willful unauthorized reception of cable service for commercial advantage, not misuse of subscriber PII.
Video Privacy Protection Act (VPPA, 1988)
Citation: 18 U.S.C. § 2710 | Enacted: 1988 (Pub. L. No. 100-618) | Amended: 2012 (Pub. L. No. 112-258, allowing sharing of video rental information on social networking sites with ongoing, revocable consent)
The VPPA was enacted after journalist Michael Dolan obtained and published Supreme Court nominee Robert Bork’s video rental history from Potomac Video during his 1987 confirmation hearings. Known as the “Bork bill,” it prohibits “video tape service providers” from knowingly disclosing personally identifiable information about consumers’ video viewing habits without informed, written consent. Consent must be distinct and separate from any other legal agreement. Requires destruction of PII within one year after it is no longer necessary.[28]
Scope: Broadly interpreted to include streaming services, online video platforms, and any entity providing audiovisual content. Recent litigation has applied it to websites embedding video content.
Enforcement: Private right of action only (no government enforcement body).
Penalties: Liquidated damages of $2,500 per violation (no need to prove actual harm), actual damages if greater, punitive damages, and reasonable attorney fees.[28]
Recent litigation: Over 250 VPPA class actions were filed in 2024 (up from 137 in 2023), with at least 10 settlements exceeding $1 million since 2023. Key settlements include Fubo – $3.4 million (July 2025) and Limited Run Games – $2.72 million for sharing consumer data with Meta. The Supreme Court agreed in 2026 to consider a VPPA case that could clarify the statute’s scope in the digital age. The primary driver of litigation has been the use of tracking pixels and web analytics tools (such as Meta Pixel and Google Analytics) that share video viewing data with third parties.[29]
Surveillance & Intelligence Laws
Foreign Intelligence Surveillance Act (FISA, 1978)
Citation: 50 U.S.C. Chapter 36 | Enacted: October 25, 1978 | Major amendments: 1994 (physical searches), 2001 (USA PATRIOT Act), 2007 (Protect America Act), 2008 (FISA Amendments Act / Section 702), 2015 (USA FREEDOM Act), 2024 (RISAA)
FISA establishes the statutory framework for federal agencies to obtain authorization to gather foreign intelligence through electronic surveillance, physical searches, pen registers and trap-and-trace devices, and production of certain business records.[30] It created the Foreign Intelligence Surveillance Court (FISC), staffed by 11 judges appointed by the Chief Justice to serve seven-year terms. Proceedings before the FISC are ex parte and non-adversarial, meaning the court hears evidence presented solely by the Department of Justice.
FISA requires the government to demonstrate probable cause that the target is a foreign power or agent of a foreign power. It applies to FBI, NSA, and other federal intelligence and law enforcement agencies seeking to conduct surveillance for foreign intelligence purposes within the United States.[30]
Key case law: In Clapper v. Amnesty International USA, 568 U.S. 398 (2013), the Supreme Court held 5–4 that plaintiffs lacked standing to challenge Section 702 because their allegations of possible future surveillance injury were insufficient, making it extremely difficult for civilians to challenge FISA surveillance in federal court. In Jewel v. NSA (2008–2022), the EFF’s challenge to dragnet surveillance on behalf of AT&T customers was ultimately dismissed, with the Supreme Court declining certiorari in 2022, illustrating the Catch-22 of surveillance standing, where citizens cannot prove harm because the evidence needed is classified.[30]
FISA Section 702 (2008)
Citation: 50 U.S.C. § 1881a | Enacted: 2008 (FISA Amendments Act) | Reauthorized: 2012, 2018, 2024 (RISAA)
Section 702 authorizes the Attorney General and Director of National Intelligence to jointly authorize targeting of non-US persons reasonably believed to be located outside the United States for the purpose of acquiring foreign intelligence information. It does not require individualized court orders for each target. Instead, the FISC approves annual “certifications” that set out categories of foreign intelligence information to be collected and targeting/minimization procedures.[31]
Section 702 directs US internet and telecom providers (Google, Microsoft, AT&T, etc.) to hand over communications data on foreign targets located abroad through two main collection programs: PRISM (collecting directly from tech companies’ servers) and Upstream (collecting from internet backbone infrastructure). “Incidental collection” of US persons’ communications occurs when a US person communicates with a foreign target. FBI, NSA, and CIA can then query this collected data using US person identifiers, the so-called “backdoor search” loophole.[31]
2024 Reauthorization (RISAA): The Reforming Intelligence and Securing America Act reauthorized Section 702 on April 20, 2024, for only two years, the shortest extension ever. Key provisions include a permanent ban on “abouts” collection, requirements for FBI supervisor or attorney approval of US person queries, prohibition of queries “solely designed to find and extract evidence of criminal activity,” expanded foreign intelligence definitions to include international narcotics trafficking, and quarterly FBI reporting on US person queries. An amendment requiring a warrant for US person queries was narrowly defeated, tied 212–212 in the House.[32]
Controversially, the RISAA also expanded the definition of “electronic communication service provider” to include any entity that “has access to equipment that is being or may be used to transmit or store wire or electronic communications.” Critics warn this could force anyone who hosts servers, provides WiFi, or works in a building with internet infrastructure to become a surveillance tool. The exact scope remains classified.[32]
2026 sunset: Section 702 is set to expire on April 20, 2026. As of February 2026, the reauthorization debate is the dominant surveillance policy story. The administration has not taken a public position on reauthorization, and a classified congressional hearing reportedly erupted in frustration when officials refused to state the White House’s position. Concerns about potential domestic surveillance abuses are complicating the fight.[33]
USA PATRIOT Act (2001)
Citation: Pub. L. No. 107-56 | Enacted: October 26, 2001 (45 days after the September 11 attacks)
The Uniting and Strengthening America by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism Act significantly expanded government surveillance powers.[34] Key surveillance provisions:
Section 215 (Business Records / “Tangible Things”): Amended FISA to permit collection of “tangible things” for foreign intelligence investigations. As revealed by Edward Snowden in 2013, the NSA used this provision to conduct bulk collection of telephony metadata, including time, duration, and participating numbers of telephone calls (but not content), collecting 434,238,543 call records in 2018 under one provision alone. The USA FREEDOM Act of 2015 reformed Section 215 to end bulk government collection. Section 215 expired on March 15, 2020, and Congress has never reauthorized it.[34]
Section 206 (Roving Wiretaps): Allowed FISA wiretap orders to follow a target across devices and carriers without new orders for each. Also expired March 15, 2020.
Section 6001 (“Lone Wolf”): Allowed FISA surveillance of non-US persons who engage in international terrorism even without ties to a specific foreign power. Also expired March 15, 2020.
Provisions still in effect: Section 201/202 (expanded wiretap crimes to include terrorism), Section 213 (“sneak and peek” delayed-notification warrants), and Section 505 (expanded National Security Letter authority).[34]
Key case law: In ACLU v. Clapper (2nd Cir., 2015), the appeals court ruled the NSA’s bulk phone metadata collection program exceeded what Congress authorized under Section 215.[35]
USA FREEDOM Act (2015)
Citation: Pub. L. No. 114-23 | Enacted: June 2, 2015
The USA FREEDOM Act ended government bulk collection of telephony metadata under Section 215. Call detail records now remain held by telecommunications companies, with the government required to obtain FISC orders using a “specific selection term” to query them, meaning a specific person, account, address, or personal device, preventing open-ended bulk requests.[36]
The Act permanently banned bulk collection under FISA’s business records provision, pen register/trap-and-trace provision, and National Security Letter statutes. It increased FISC transparency by creating a panel of amici curiae (independent advocates) to argue before the FISC in significant cases, addressing the court’s traditionally one-sided proceedings. It required declassification reviews of significant FISC opinions and enhanced reporting requirements including annual ODNI statistical transparency reports.[36]
The NSA stopped bulk telephony metadata collection at midnight on November 29, 2015, after a 180-day transition period. However, the replacement CDR program was plagued by compliance issues (the NSA collected records it was not authorized to have) and was ultimately shut down in 2019.[36]
Executive Order 12333 (1981)
Issued: December 4, 1981 (by President Reagan) | Amended: EO 13355 (2004), EO 13470 (2008), PPD-28 (2014), EO 14086 (2022)
Executive Order 12333 establishes the executive branch framework for national intelligence efforts and designates roles for all 18 intelligence community agencies. The NSA describes EO 12333 as the “primary source” of their intelligence-gathering authority, with the majority of their intelligence collection conducted “pursuant to the authority of EO 12333.”[37]
The critical distinction from FISA: while FISA governs surveillance targeting within or directed at the United States, EO 12333 governs intelligence collection occurring entirely overseas or in transit. It allows “bulk collection” of communications, resulting in acquisition of massive amounts of Americans’ communications when they communicate with people overseas. There is essentially no oversight from Congress or the court system for EO 12333 activities; the executive branch alone implements and polices it.[37]
Key amendments: President Obama’s PPD-28 (January 2014) added privacy protections for non-US persons in signals intelligence activities. President Biden’s EO 14086 (October 2022) implemented the EU-US Data Privacy Framework and added new safeguards including a Data Protection Review Court for EU citizens to challenge US surveillance. The future of EO 14086 under the current administration is uncertain given its implications for transatlantic data transfers.[38]
CALEA (1994)
Citation: 47 U.S.C. §§ 1001–1010 | Enacted: October 25, 1994
The Communications Assistance for Law Enforcement Act requires telecommunications carriers to design their equipment, facilities, and services with built-in capabilities for targeted lawful interception (wiretapping). Carriers must ensure they can expeditiously isolate and enable government interception of all wire and electronic communications concurrent with their transmission, isolate and enable access to call-identifying information, deliver intercepted communications to the government, and carry out intercepts unobtrusively so subjects cannot detect monitoring.[39]
Originally applying only to telephone carriers, the FCC expanded CALEA in 2005 to include Internet Service Providers, Voice over IP (VoIP) services, and broadband providers. This expansion was challenged by the EFF and others but upheld by the D.C. Circuit in American Council on Education v. FCC (2006). End-to-end encryption effectively defeats CALEA-style interception capabilities, and the FBI has repeatedly requested expanded CALEA authority to cover modern encrypted messaging platforms.[39]
National Security Letters (NSLs)
Authority: Authorized under multiple federal statutes: ECPA (18 U.S.C. § 2709), RFPA (12 U.S.C. § 3414), FCRA (15 U.S.C. §§ 1681u, 1681v), National Security Act (50 U.S.C. § 3162)
NSLs are administrative subpoenas issued by the FBI (and other agencies) without prior judicial approval; no judge or court order is required. They can compel production of transactional records (not content) including subscriber information, phone records, financial records, and credit reports. The information sought must be “relevant” to an authorized national security investigation.[40]
NSLs typically include gag orders forbidding recipients from disclosing that the FBI requested information. The USA FREEDOM Act reformed the gag order process to require periodic review, but an EFF analysis found the reforms largely failed, and the majority of NSL recipients remain gagged indefinitely. Over 300,000 NSLs have been issued since 2001, with the FBI sending approximately 40,000 to 60,000 per year between 2003 and 2007.[40]
Key case law: In Doe v. Ashcroft (2004), a federal court struck down NSL gag order provisions as unconstitutional prior restraints on speech. Reformed gag order provisions were later upheld in Doe v. Holder (2nd Cir., 2015).[40]
CLOUD Act (2018)
Citation: 18 U.S.C. §§ 2523, 2713 | Enacted: March 23, 2018 (signed as part of the Consolidated Appropriations Act)
The Clarifying Lawful Overseas Use of Data Act has two major components.[41]
Part 1 – US law enforcement access to data stored abroad: Clarifies that US legal process (warrants, subpoenas, court orders) can compel US-based service providers to disclose data in their possession, custody, or control regardless of where the data is stored. This resolved the issue raised in United States v. Microsoft Corp., which was mooted by the CLOUD Act’s passage. Providers can file motions to quash if compliance would violate the laws of a qualifying foreign government.[41]
Part 2 – Executive agreements for cross-border data access: Creates a framework for bilateral executive agreements with “Qualifying Foreign Governments” under which foreign law enforcement can make direct requests to US providers for communications data relevant to “serious crime” investigations, bypassing the slow Mutual Legal Assistance Treaty (MLAT) process. Orders under executive agreements must target specific individuals or accounts, be based on articulable and credible facts, and be subject to independent authority review. They may not be used for bulk collection.[41]
Agreements in force: The United Kingdom was the first CLOUD Act agreement partner (entered into force October 3, 2022 after congressional review). Australia’s agreement entered into force January 31, 2024. Negotiations continue with the EU and Canada.[42]
Pen Register / Trap and Trace Statute
Citation: 18 U.S.C. §§ 3121–3127 | Enacted: October 21, 1986 (as part of ECPA) | Amended: USA PATRIOT Act (2001, expanded to internet metadata and authorized nationwide orders)
Pen registers record the numbers dialed or transmitted from a communications device (outgoing metadata). Trap-and-trace devices record the numbers or identifying information of incoming communications. The government need only certify that “the information likely to be obtained is relevant to an ongoing criminal investigation,” a far lower standard than the probable cause required for a wiretap order. Courts effectively function as rubber stamps, as the statute requires judges to issue the order if the government provides the certification.[43]
Unlike wiretap orders, pen register/trap-trace orders collect metadata only (not content), carry no exclusionary rule (illegally obtained evidence is not excluded), require no notice to the subject, involve no judicial supervision during execution, and last for 60 days (renewable), compared to 30 days for wiretap orders. The USA PATRIOT Act expanded their scope from telephone numbers to include routing, addressing, and signaling information for internet communications (email headers, IP addresses).[43]
Commercial Surveillance and Data Procurement
Beyond statutory surveillance authorities, federal agencies increasingly obtain personal data through commercial procurement, purchasing information from data brokers, surveillance technology companies, and intelligence contractors that would otherwise require warrants or legal process to collect directly. This practice raises fundamental questions about whether privacy protections can be circumvented simply by outsourcing surveillance to the private sector.
Palantir Technologies
Palantir, a publicly traded defense contractor (NASDAQ: PLTR) initially funded by the CIA’s venture capital arm In-Q-Tel, builds data integration platforms that fuse information from dozens of government and commercial sources into single searchable systems. Federal contracts with Palantir totaled $970.5 million in 2025 alone, nearly double the previous year.[55]
Immigration and Customs Enforcement (ICE): $30 million contract (April 2025) for the Immigration Lifestyle Operating System (ImmigrationOS), designed to streamline identification and apprehension of individuals for removal. A separate Palantir tool called ELITE reportedly ingests Medicaid and other government data to generate dossiers and leads on potential deportees. Cumulative ICE contracts with Palantir exceed $248 million.[56]
U.S. Army: $795 million modification to the Maven Smart System contract (May 2025), pushing total contract value to $1.3 billion. The Army later consolidated this into a potential $10 billion Enterprise Service Agreement over 10 years (August 2025).[55]
Space Force: $217.8 million delivery order for the C2 Data Platform.[55]
Clearview AI
Clearview AI scraped what the company claims is 70+ billion facial images from social media, news media, and public websites without consent, creating the world’s largest facial recognition database. While European regulators have imposed approximately €95–100 million in fines (none paid; Clearview contests jurisdiction), U.S. federal agencies continue to expand their use of the technology.[57]
ICE Homeland Security Investigations (HSI): $9.2 million contract for facial image search technology with access to 50+ billion facial images; earlier $2.3 million contract (2021).[58]
FBI: $18,000 subscription license.[57]
Customs and Border Protection (CBP): Active service provider.[57]
As of early 2026, at least eight people have been wrongfully arrested due to false positives from Clearview’s facial recognition.[59] More than 600 U.S. police departments have used the technology.[57]
Cellebrite
Cellebrite, an Israeli digital forensics company, provides tools that extract data including contacts, locations, deleted messages, and calls from smartphones, tablets, and other devices. The company employs dozens of former Unit 8200 (Israeli military intelligence) veterans in technical roles.[60]
ICE: 213 contracts worth over $48.6 million (2008–April 2025), including a $2.2 million contract (2017), $30–35 million contract (2019), and $11 million contract (2025).[61]
Federal government-wide: All but one of the 15 Cabinet departments use Cellebrite technology, including Agriculture, Education, Veterans Affairs, HUD, Social Security Administration, USAID, CDC, FBI, U.S. military, and CBP. Total federal contracts in 2024 exceeded $18 million.[61]
Cognyte (formerly Verint)
Cognyte, an Israeli surveillance technology and intelligence analytics company spun out from Verint Systems in 2021, provides investigative analytics and surveillance solutions to government agencies globally.[62]
National Security Agency (NSA): $20+ million annual contract (renewed 2025).[62]
Western intelligence agencies (combined): Approximately $60 million in contracts over the last 18 months.[63]
Data Brokers and Location Intelligence
Federal agencies routinely purchase personal data from commercial data brokers, obtaining information that would require subpoenas, court orders, or warrants if collected directly by law enforcement.
Thomson Reuters (CLEAR platform): $22.8 million DHS contract (expires 2026); six ICE contracts totaling $54.4 million for the CLEAR platform, Vigilant ALPR data, and analyst services.[64]
LexisNexis: $22.1 million ICE contract; $9.75 million DHS contract (2021) for “identity verification services” (a massive surveillance database aggregating public records, utility bills, credit headers, and property records); $2.2 million in RELX contracts with ICE.[65]
Venntel/Gravy Analytics: $476,000 CBP contract (2024) for location data derived from mobile apps. Clients include IRS, DHS, ICE, CBP, DEA, and FBI.[66]
Babel Street (Locate X): $27 million FBI contract (2022) for 5,000 licenses; CBP and ICE contracts for location data; Treasury/OFAC uses the Locate X tracking tool.[66]
DRN/Vigilant Solutions (Motorola): CBP contracts exceeding $391.3 million (2008–July 2024); ICE $6.8 million contract (2017) via West Publishing for access to Vigilant’s ALPR database containing over 1.5 billion license plate records.[67]
The Warrant Bypass Problem
The practice of purchasing commercially available data raises a critical constitutional question: Can the government circumvent Fourth Amendment warrant requirements simply by buying data from brokers instead of collecting it directly? As established in Carpenter v. United States, the Supreme Court recognized that individuals have a reasonable expectation of privacy in detailed digital records of their movements, yet the ruling addressed only government compulsion of data, not government purchase of it.[23]
Federal agencies continue to purchase location data, consumer profiles, and other sensitive information from data brokers who compile it from mobile apps, websites, and public records, obtaining the same type of information that the Carpenter ruling held requires judicial oversight, but through a commercial transaction rather than a legal process. Critics argue this practice undermines warrant protections by creating a market-based exception to constitutional privacy safeguards.
As Senator Ron Wyden stated in a 2021 letter to intelligence agencies: “The government should not be funding and legitimizing a shady industry whose flagrant violations of Americans’ privacy are not just unethical, but illegal.”[66]
Backbone Surveillance and Internet Exchange Point Tapping
Beyond purchasing commercial surveillance tools, the United States operates extensive infrastructure for Section 702 upstream collection, the backbone interception program described in the FISA section above. While Section 702 authorizes the legal framework, the operational scale of these programs, conducted jointly under Section 702 and Executive Order 12333, exceeds traditional targeted surveillance in both scope and constitutional implications.
The Upstream Programs: FAIRVIEW, STORMBREW, BLARNEY, and OAKSTAR
The NSA’s “upstream” collection operates through partnerships with major telecommunications carriers, documented in the Snowden disclosures and subsequent reporting:[68]
FAIRVIEW (AT&T): The NSA’s oldest and most valuable corporate partnership, dating to 1985. AT&T provides access to fiber-optic cables carrying internet traffic into and out of the United States. Documents show the NSA paid AT&T $188.9 million in 2013 alone for access to infrastructure and data flows. The partnership is described in NSA documents as “highly collaborative” with AT&T providing “unique accesses to other telecoms and ISPs.”[69]
STORMBREW (Verizon): A partnership providing access to international cables, gateway switches, and domestic trunk lines. NSA paid Verizon $46.06 million in 2013. Documents indicate STORMBREW provides “foreign and domestic gateway” access.[68]
BLARNEY: Focuses on “computer network exploitation” through telecommunications infrastructure, targeting network management and administrative traffic.
OAKSTAR: Provides access to communications from satellite and microwave relay systems.
These programs operate under the legal framework of Section 702 of FISA (for communications with at least one foreign endpoint) and Executive Order 12333 (for purely foreign communications). Crucially, until 2017 the NSA also conducted “about” collection, intercepting communications that merely mention a surveillance target, not just communications to or from that target. This swept in vast amounts of wholly domestic communications that simply referenced foreign selectors.
Room 641A and the AT&T Whistleblower Case
In 2006, former AT&T technician Mark Klein revealed the existence of Room 641A, a secret NSA surveillance facility inside AT&T’s Folsom Street switching center in San Francisco. Klein documented that all internet traffic passing through the facility was being split using a fiber-optic splitter: one stream continued to its destination, while a duplicate stream was diverted to NSA equipment.[70]
The room contained Narus STA 6400 surveillance systems capable of high-speed Deep Packet Inspection (DPI) of all passing traffic. Klein’s evidence showed that the splitter was installed on the peering links (the connections that carry traffic between AT&T and other internet providers), meaning it captured traffic from non-AT&T customers as well. Similar facilities were subsequently identified in at least 10 other major US cities, including Seattle, Los Angeles, San Diego, and Atlanta.[71]
The resulting lawsuit, Hepting v. AT&T, was dismissed after Congress passed the FISA Amendments Act of 2008, which included retroactive immunity for telecommunications companies that had assisted in warrantless surveillance programs.
XKeyscore: Global Internet Monitoring
XKeyscore is the NSA’s search and analysis system for intercepted internet data, described in agency documents as its “widest-reaching” system for searching and analyzing global internet traffic. As of 2013, XKeyscore was deployed at more than 150 field sites worldwide, operating over 700 servers, and collecting data from over 150 sources, including upstream collection from cables and switches, as well as foreign partner contributions.[72]
The system allows analysts to search collected data without prior authorization, using queries like email addresses, IP addresses, user activity, or browser fingerprints. NSA training materials describe XKeyscore as providing “nearly everything a typical user does on the internet,” including content of emails, websites visited, searches, and online activity. The stated rationale for sweeping up “nearly everything” is, as one slide puts it, “You can’t search what you don’t collect.”
XKeyscore’s global reach means that internet users in allied nations, including Germany, Denmark, and others, have their communications collected and searchable by NSA analysts, often through partnerships with those countries’ own intelligence agencies.
TAO: Submarine Cable Interception
The NSA’s Tailored Access Operations (TAO) unit conducts submarine cable interception operations, installing intercept equipment directly on undersea fiber-optic cables that carry the majority of global internet traffic. Documents describe TAO as the NSA’s “premier hacking unit,” conducting both offensive operations and cable tapping.[73]
Submarine cables are attractive targets because they carry enormous volumes of concentrated international traffic through physical chokepoints. The NSA has developed specialized intercept probes that can be attached to cables without interrupting service, using inductive coupling to copy optical signals.
MUSCULAR: Tapping Cloud Provider Private Networks
In 2013, the Washington Post revealed the NSA’s MUSCULAR program, a joint NSA-GCHQ operation that intercepted data from the private fiber-optic networks connecting Google and Yahoo data centers. The program operated by tapping the cables outside the United States, thereby bypassing both companies’ encryption and legal oversight under FISA.[74]
By tapping Google’s “GFE” (Google Front End) connections between data centers, the NSA collected hundreds of millions of user account records. Internal NSA documents showed engineers celebrating their ability to collect data “wholesale” from the “cloud.” The revelation prompted Google, Yahoo, Microsoft, and other cloud providers to implement encryption on their internal networks, infrastructure previously assumed to be secure simply by being private.
RAMPART-A: 37 Partner Countries Providing Cable and IXP Access
The NSA operates a program designated RAMPART-A encompassing partnerships with 37 foreign countries that provide access to telecommunications infrastructure, including submarine cables, internet exchange points, and gateway switches. These “third-party” partnerships (distinct from the Five Eyes alliance) allow the NSA to intercept traffic passing through strategic locations worldwide.[75]
While the full list remains classified, disclosed partners include Oman (monitoring cables through the Strait of Hormuz), Denmark (DE-CIX Frankfurt access), and other strategic locations. These partnerships typically involve the NSA providing funding, intercept equipment, and technical support in exchange for access to collected traffic.
Constitutional and Jurisdictional Implications
Upstream collection creates a fundamental jurisdictional problem: The NSA collects communications in bulk directly from infrastructure, then applies “selectors” (search terms) to filter results, meaning the initial collection is indiscriminate and precedes any determination of whether communications involve foreigners or Americans. The Foreign Intelligence Surveillance Court has acknowledged that upstream collection “acquires tens of thousands of wholly domestic communications each year,” communications that should require a warrant under the Fourth Amendment.[76]
In 2017, the NSA announced it would end “about” collection under Section 702 due to its inability to separate domestic from foreign communications. However, the underlying infrastructure remains operational, and collection continues under Executive Order 12333 for communications deemed “foreign,” a determination made after collection, based on technical indicators that are acknowledged to be imperfect.
The existence of this infrastructure means that jurisdictional privacy, the idea that being in a particular country or using services based in that country provides legal protection, is, as privacy scholars have argued, largely illusory. Traffic passing through US infrastructure is subject to upstream collection regardless of the nationality or location of the communicating parties. Foreign users communicating with each other through services that route through US cables or switches are swept up in NSA collection, and Americans communicating with foreigners or merely mentioning foreign targets are collected as well.
International Data Sharing Agreements: MLATs, CLOUD Act, and the Privacy Backdoor
Beyond cable surveillance and commercial procurement, the United States maintains an extensive network of data sharing agreements, treaties and executive agreements that allow foreign law enforcement to request data on US persons, and US law enforcement to access data held in foreign countries. These frameworks raise significant questions about the scope of Fourth Amendment protections: data that would require a probable cause warrant if sought by domestic law enforcement can be obtained through international agreements with lower evidentiary standards and minimal judicial oversight.
Mutual Legal Assistance Treaties (MLATs): 65+ Countries
The United States maintains Mutual Legal Assistance Treaties with over 65 individual countries, plus a comprehensive EU framework that extends MLAT coverage to all EU member states. These treaties allow law enforcement agencies to request evidence, freeze assets, locate individuals, issue warrants, and compel witness testimony across borders.[77]
In 2014, the Department of Justice’s Office of International Affairs (OIA) processed 3,250 incoming MLAT requests from foreign countries seeking data on US persons, and sent over 1,000 outgoing requests to foreign law enforcement. The backlog stood at 4,800 pending requests, with an average processing time of 10 months. For computer records specifically, the backlog increased over 1,000% between 2000 and 2017 as digital evidence requests exploded.[78]
US MLAT Partners Include: United Kingdom, France, Germany, Denmark, Switzerland (1973 – the first modern US MLAT), Australia, Canada, New Zealand, Netherlands, Belgium, Spain, Norway, Sweden, Ireland, Italy, and 50+ others.
The MLAT Backdoor Problem
MLATs create a constitutional paradox: When US law enforcement seeks the content of a US person’s communications, the Fourth Amendment requires a warrant based on probable cause, issued by an independent judge. But when foreign law enforcement requests the same data via MLAT, the DOJ must show only “reasonable belief” of criminal activity, a lower standard than probable cause. The target is typically not notified until after the data has been shared, and there is no mechanism for individuals to challenge their inclusion in MLAT requests before data is transferred.
Privacy International and the Electronic Frontier Foundation have documented that MLATs allow foreign governments to obtain data that would require domestic warrants in the requesting country, creating a reciprocal privacy backdoor: Both the US and the foreign country can access each other’s citizens’ data through channels that bypass their own domestic privacy protections.[79]
The CLOUD Act: Direct Access to Tech Companies
The CLOUD Act, described above in the Surveillance & Intelligence Laws section, provides the legal framework that directly addresses the MLAT bottleneck. By allowing the DOJ to negotiate executive agreements with foreign countries, it enables those countries to request data directly from US tech companies without going through the slow MLAT process.[80]
UK-US CLOUD Act Agreement: The first executive agreement entered into force on October 3, 2022, and expires in 2026-2027 (5-year term). Under this agreement, UK law enforcement can directly serve legal process on US tech companies (Google, Microsoft, Meta, Apple) to obtain communications data of UK persons, reducing access time from months to potentially days. The agreement is reciprocal: US law enforcement can directly request data from UK companies.[81]
Australia-US CLOUD Act Agreement: The second agreement entered into force on January 31, 2024, and expires in 2029. It applies only to “serious crimes” (punishable by 3+ years imprisonment) and includes restrictions on death penalty cases. Australian Federal Police and ASIO can now directly request data from US tech companies without MLAT procedures.
In Negotiation: Agreements are being negotiated with Canada, New Zealand, and the European Union. If the EU agreement is finalized, all 27 EU member states would gain direct access to US tech company data.
Civil Rights Concerns: The EFF, ACLU, Amnesty International, and Human Rights Watch argued that the CLOUD Act strips Fourth Amendment protections against unreasonable searches, allows the government to bypass US courts through data sharing agreements, and provides no notification to users when warrants are issued. The Act creates a market-based jurisdiction problem: Because US tech companies dominate global markets, the CLOUD Act effectively allows dozens of foreign governments to access communications of anyone using US services, regardless of where they live.
Five Eyes Intelligence Sharing: Default Data Exchange
The United States is a founding member of the Five Eyes intelligence alliance (UKUSA Agreement, signed 1946), along with the United Kingdom, Canada, Australia, and New Zealand. Under this agreement, all signals intelligence (SIGINT), human intelligence (HUMINT), military intelligence (MILINT), and geospatial intelligence (GEOINT) is shared by default between member countries.[82]
The Five Eyes agreement creates a reciprocal surveillance bypass: The NSA can collect data on UK, Canadian, Australian, or New Zealand persons and share it with those countries’ intelligence agencies, circumventing restrictions on domestic surveillance in those countries. Conversely, GCHQ, CSE, ASD, and GCSB can collect on US persons and share with the NSA, bypassing limitations on NSA domestic collection.
Nine Eyes Expansion: The original Five Eyes alliance expanded to include Denmark, France, Netherlands, and Norway (Nine Eyes). These countries can use Five Eyes resources but do not have access to all collected data, placing them in a less privileged tier of access.
Fourteen Eyes (SIGINT Seniors Europe): The alliance further expanded to include Germany, Belgium, Italy, Spain, and Sweden. The Fourteen Eyes coordinate exchange of military signals intelligence, with information flowing hierarchically: Five Eyes members have access to all Nine Eyes and Fourteen Eyes intelligence, but not vice versa.
According to Privacy International, data collected via Five Eyes programs can be shared with law enforcement, bypassing warrant requirements. The legal underpinning of intelligence-sharing remains classified and immune from public scrutiny, creating a framework where domestic legal protections can be circumvented through intelligence channels.
EU-US Data Sharing Frameworks
EU-US Umbrella Agreement (Law Enforcement Data Protection): Entered into force February 1, 2017, this agreement provides a comprehensive data protection framework for criminal law enforcement cooperation. It covers all personal data exchanged between the EU and US for prevention, detection, investigation, and prosecution of criminal offenses including terrorism. The agreement grants EU citizens equal treatment with US citizens for judicial redress rights before US courts, addressing long-standing European concerns about lack of legal recourse.[83]
EU-US MLAT Enhancement (2010): On February 1, 2010, 27 bilateral instruments/agreements/protocols entered into force, either supplementing existing MLATs or creating new mutual legal assistance relationships with every EU member state. This framework streamlined evidence sharing between US and EU law enforcement.
SWIFT/TFTP Agreement (Financial Data Sharing): The Terrorist Finance Tracking Program (TFTP) agreement, which entered into force August 1, 2010, allows the US Treasury to issue subpoenas to SWIFT (Society for Worldwide Interbank Financial Telecommunication), a Belgium-based company operating the worldwide financial messaging system. Europol verifies each US request before SWIFT provides financial transaction data from its EU operations center. The Snowden disclosures alleged that the NSA was systematically undermining this agreement, collecting SWIFT data through other channels.[84]
PNR Agreements (Passenger Name Record Data): The EU-US PNR agreement enables transfer of passenger data from EU air carriers to US Customs and Border Protection. Every passenger on EU-US flights has their name, travel dates, itinerary, seat assignment, baggage information, contact details, and payment method transferred to CBP. The data is ostensibly for counterterrorism but is also used for “serious crime” investigations. Retention periods extend for years, and all passengers are subject to data sharing regardless of suspicion.
EU-US Data Privacy Framework (Commercial Data Transfers): Agreed in October 2022 and upheld by the EU General Court in September 2025, this framework governs commercial data transfers from the EU to the US. It replaced Privacy Shield (invalidated 2020) and Safe Harbor (invalidated 2015), both of which were struck down over concerns about NSA surveillance. The new framework remains under legal challenge.
Other Multilateral Frameworks
Interpol I-24/7 System: The US participates in Interpol’s secure global communications network, which processes over 100,000 messages daily across 195 member countries. The system enables real-time sharing of Red/Blue notices, biometric data, lost documents, and stolen vehicle/weapons information. Queries to national and Interpol databases return results within seconds.[85]
Egmont Group (Financial Intelligence Units): The US Financial Crimes Enforcement Network (FinCEN) participates in the Egmont Group, a network of 164+ Financial Intelligence Units that share financial intelligence on money laundering, terrorist financing, and financial crimes. Suspicious transaction reports and financial intelligence flow between FIUs under bilateral/multilateral agreements.
Customs Mutual Assistance Agreements: The US maintains customs data sharing agreements with the EU (since 1997, expanded in 2004), UK (post-Brexit), and numerous other countries. These agreements enable exchange of information to enforce against customs offenses, including duty evasion, IP violations, trafficking, and fraud. Border crossing data and shipping manifests are shared routinely.
The Cumulative Privacy Impact
The combination of MLAT treaties (65+ countries), CLOUD Act agreements (UK, Australia, soon Canada/New Zealand/EU), Five Eyes default intelligence sharing, EU-US frameworks, and multilateral systems like Interpol and SWIFT creates a global data sharing infrastructure that operates with limited public transparency, minimal judicial oversight, and no individual notification.
For US persons, this means that data nominally protected by the Fourth Amendment can be accessed through:
- Foreign MLAT requests (3,250 annually) with lower evidentiary standards than domestic warrants
- CLOUD Act agreements allowing foreign police to directly request data from US tech companies
- Five Eyes intelligence sharing, where allied agencies collect on US persons and share with NSA
- Financial surveillance via SWIFT/TFTP subpoenas affecting millions of international transactions
- Border surveillance via PNR agreements collecting data on all international travelers
For foreign nationals, the disparity is even greater: The US can request their data via MLAT, compel US tech companies to produce it via CLOUD Act, collect it through NSA upstream surveillance, access it via SWIFT/TFTP for financial data, or obtain it through Interpol/Europol cooperation, all without the protections afforded to US persons under the Fourth Amendment, and often without the protections of their home country’s privacy laws.
The result, critics contend, is that jurisdictional privacy (the expectation that strong privacy laws in one’s home country will protect against surveillance) is undermined by international data sharing frameworks that create reciprocal backdoors, allowing governments to access each other’s citizens’ data through channels that bypass domestic privacy protections.
Data Breach & Security
FTC Act Section 5
Citation: 15 U.S.C. § 45 | Enacted: 1914 (FTC Act); privacy enforcement evolved primarily since the late 1990s
Section 5 of the Federal Trade Commission Act prohibits “unfair or deceptive acts or practices in or affecting commerce.” Through over 100 enforcement actions, the FTC has used this broad authority to build a comprehensive, case-by-case common law of privacy and data security.[44]
Deception standard: A representation or omission is deceptive if it is likely to mislead consumers acting reasonably and is material.
Unfairness standard: An act or practice is unfair if it causes or is likely to cause substantial injury to consumers that is not reasonably avoidable and not outweighed by countervailing benefits.
FTC consent orders typically require companies to implement comprehensive security programs, undergo third-party assessments for 20 years, delete improperly collected data, and provide consumer notice and choice.[44]
Scope: Most commercial entities in the United States. Notable exceptions include banks, savings institutions, federal credit unions, common carriers (FCC-regulated entities), and certain other regulated industries.
Penalties: First-time Section 5 violations carry no direct monetary penalty (the FTC can seek only equitable relief, such as consent orders and injunctions). Violations of consent orders carry penalties up to $53,088 per violation per day (2025 amount). Since 2021, the FTC has used “Penalty Offense Authority” (Section 5(m)(1)(B)) to seek civil penalties by sending “Notices of Penalty Offenses” to companies.[44]
Major enforcement actions:
- Meta/Facebook – $5 billion (2019): Largest FTC privacy penalty ever. Facebook violated its 2012 consent order by deceiving users about privacy controls. Required an independent privacy committee on Facebook’s board and mandatory CEO privacy compliance certifications.[45]
- Epic Games – $520 million (December 2022): $275 million COPPA penalty plus $245 million for dark patterns[19]
- Amazon (Alexa) – $25 million (May 2023): Retained children’s voice data after parent deletion requests[17]
- Amazon (Ring) – $5.8 million (2023): Employees and contractors had unrestricted access to private customer videos[44]
- BetterHelp – $7.8 million (2023): Banned from sharing mental health data with advertisers[44]
- GoodRx (2023): First enforcement under the Health Breach Notification Rule; banned from sharing health data with advertisers[44]
- Rite Aid (December 2023): First FTC enforcement against biased AI facial recognition technology[44]
- Data broker settlements (2024): Four settlements with X-Mode/Outlogic, InMarket Media, Mobilewalla, and Gravy Analytics for unlawful sale of precise location data, the first-ever FTC data broker settlements of this kind[44]
- GoDaddy (May 2025): Consent order for data security failures; misrepresented security while failing to implement MFA, threat monitoring, and secure connections[46]
2025–2026 enforcement trends: Under the current administration, the FTC has moved toward more established statutory theories (COPPA, GLBA) rather than novel Section 5 theories. Focus continues on youth privacy, online safety, AI, and data security. The FTC gained new enforcement authority in 2024 under the Protecting Americans’ Data from Foreign Adversaries Act (PADFAA) and in February 2026 sent warning letters to 13 data brokers regarding PADFAA compliance obligations.[47]
Pending Federal Legislation
American Data Privacy and Protection Act (ADPPA)
Status as of February 2026: Effectively dead. The ADPPA was the first American consumer privacy bill to pass committee markup (53–2 vote in the House Energy and Commerce Committee in July 2022) but never received a full House vote. The bill expired with the end of the 117th Congress in January 2023 and has not been reintroduced in subsequent sessions.[48]
The ADPPA would have created a comprehensive federal consumer privacy framework with individual rights to access, correct, delete, and port data; a private right of action (delayed 2 years); general preemption of state privacy laws (with 16 categories of exceptions); data minimization requirements; prohibition of discriminatory data uses; and an FTC Bureau of Privacy. It stalled over disagreements about state law preemption (California opposed preemption of its stronger CCPA/CPRA) and the scope of the private right of action.[48]
Kids Online Safety Act (KOSA)
Passed the Senate 91–3 in July 2024 but died in the House at the end of the 118th Congress. Reintroduced in the 119th Congress (S.1748) by Senator Blumenthal in May 2025 with revised language clarifying it would not censor content. Would establish a “duty of care” for covered platforms to prevent harm to minors and require disabling “addictive” design features (notifications, infinite scrolling, autoplay) for minors. Described by observers as the most likely federal children’s online safety legislation to advance.[49]
COPPA 2.0
Would broaden COPPA coverage from children under 13 to minors under 17, prohibit targeted advertising to all minors, and require an “eraser button” for deleting minors’ data. Approved by Senate Commerce Committee in July 2023 alongside KOSA but has not passed either chamber.[49]
Protecting Americans’ Data from Foreign Adversaries Act (PADFAA)
Status: Enacted April 2024 (Pub. L. No. 118-50); effective June 23, 2024. Prohibits data brokers from selling, licensing, or disclosing personally identifiable sensitive data to foreign adversary countries (China, Russia, North Korea, Iran) or entities with 20% or more ownership by those countries. Covers health, financial, genetic, biometric, geolocation, sexual behavior data, login credentials, and government-issued identifiers. Enforced by the FTC with violations up to $53,088 per violation. In February 2026, the FTC sent warning letters to 13 data brokers about PADFAA compliance obligations.[47]
Comprehensive Federal Privacy Law Prospects
House Energy and Commerce Committee Chair Brett Guthrie (119th Congress) indicated preference for a comprehensive privacy bill but stated the committee would at minimum focus on children’s online safety. A committee working group and request for information were launched, representing the third attempt in three consecutive congressional terms. Most observers expect no comprehensive federal privacy law will pass in 2026 given congressional dynamics. Meanwhile, 20 states now have comprehensive data privacy laws, with 8 new state laws enacted in 2025 alone.[2]
Enforcement Bodies
Federal Trade Commission (FTC)
The FTC serves as America’s de facto federal privacy regulator, wielding primary enforcement authority under Section 5 of the FTC Act, COPPA, CAN-SPAM, the GLBA Safeguards Rule, FCRA (shared with CFPB), the Health Breach Notification Rule (for non-HIPAA entities), and PADFAA. The FTC has no general privacy rulemaking authority and must proceed case by case under Section 5 or through specific statutes.[44]
Recent major privacy actions (2022–2025): Meta/Facebook – $5 billion (2019, ongoing oversight); Epic Games – $520 million (2022); Amazon (Alexa + Ring) – $30.8 million combined (2023); BetterHelp – $7.8 million (2023); location data broker settlements (2024); GoDaddy consent order (2025); Verkada CAN-SPAM – $2.95 million (2024).
2026 outlook: Focus on youth privacy, AI/companion chatbots, informational injury evaluation, data broker restrictions under PADFAA, and potential first PADFAA enforcement action.[50]
Federal Communications Commission (FCC)
The FCC enforces the TCPA and the telecommunications customer privacy rules (Customer Proprietary Network Information, or CPNI, rules), and in 2024 adopted revised data breach notification rules (upheld by the Sixth Circuit in August 2025). In 2024, the FCC also declared AI-generated voices subject to TCPA restrictions.[51]
Recent major actions: The FCC fined AT&T, Verizon, Sprint, and T-Mobile a combined $196 million (2024) for selling customer location data to third-party aggregators. The carriers challenged these fines on Seventh Amendment grounds, creating a circuit split with the potential for Supreme Court review. The FCC also proposed a $6 million fine for the AI-generated Biden impersonation robocalls and removed 1,200 or more voice service providers from the Robocall Mitigation Database in August 2025 for deficient filings.[51]
HHS Office for Civil Rights (OCR)
OCR enforces the HIPAA Privacy Rule, Security Rule, and Breach Notification Rule through complaint investigations, compliance reviews, and civil monetary penalties. The office conducted 22 enforcement actions in 2024 (totaling approximately $9.4 million) and 21 in 2025 (the second-highest annual total ever). Its Risk Analysis Initiative, launched in late 2024, has resulted in eight enforcement actions with combined settlements of nearly $900,000 through early 2025. The largest settlement in OCR history remains the $16 million Anthem settlement (2018).[14]
Consumer Financial Protection Bureau (CFPB)
The CFPB holds primary federal enforcement of the FCRA (since Dodd-Frank, 2010), enforces GLBA Regulation P for entities under its jurisdiction, and oversees financial data privacy including proposed rules on personal financial data rights (Section 1033 of Dodd-Frank). In 2024, the CFPB took approximately 173 public enforcement actions against financial services providers, with over 35% resulting in monetary penalties.[52]
In 2025, the CFPB was significantly restructured, reducing examinations by 50%, prioritizing large banks, focusing on clear consumer harm (particularly fraud affecting servicemembers and veterans), and emphasizing consumer remediation over penalties. The agency withdrew its proposed rule on data broker regulation and several FCRA guidance documents in May 2025.[52]
Securities and Exchange Commission (SEC)
The SEC enforces cybersecurity disclosure requirements for public companies under rules effective December 2023: material cybersecurity incidents must be disclosed within 4 business days of materiality determination (Item 1.05 of Form 8-K), and annual disclosures about cybersecurity risk management, strategy, governance, and board oversight are required (Regulation S-K Item 106).[53]
Recent actions: R.R. Donnelley & Sons – $2.1 million (July 2024) for disclosure deficiencies related to a 2021 cyberattack. Four additional companies settled in October 2024 for cybersecurity disclosure violations. In February 2025, the SEC created the Cyber and Emerging Technologies Unit (CETU) to target cyber-related misconduct. The high-profile SolarWinds/CISO enforcement action was jointly dismissed in November 2025.[53]
State Attorneys General
State attorneys general play an increasingly important role in federal privacy enforcement. The HITECH Act (2009) authorized state AGs to bring civil actions to enforce HIPAA. COPPA, CAN-SPAM, GLBA, FCRA, and TCPA all provide state AG enforcement authority. Many federal privacy settlements involve coordinated action between federal agencies and state attorneys general. The Equifax settlement, for example, included $175 million to the states. Texas’s $1.4 billion settlement with Meta over biometric privacy violations in 2024 demonstrated the outsized enforcement power state AGs can wield, particularly where federal authority is limited.[54]
