Privacy Law

Annual Subscription with Automatic Renewal

Charlene Brownlee, Blaze D. Waleski


“Privacy Law has been a valuable resource for the privacy and legal teams at AOL. Charlene Brownlee manages to keep it ‘real’ as she lays out both applicable law and strategies for compliance. [It] is often the first place I turn to quickly access the key privacy resources I need to address global privacy issues.” — Jules Polonetsky, Director and Co-chair of the Future of Privacy Forum

Privacy violations can occur at almost any level in an organization, with far-reaching consequences. Privacy Law thoroughly explains the legal obligations and potential liability of those who work with and share private information. It covers current law and emerging issues in depth, offering essential guidance on the privacy policies and practices organizations need to adopt to ensure compliance and the duty to notify employees and customers in the event of privacy breaches.

Beginning with the constitutional foundation of privacy rights, Privacy Law examines the impact of the laws, industry standards and consumer expectations regarding personal information and privacy in a variety of contexts, including: health care, financial institutions, the workplace, international business, e-commerce and corporate transactions.

Privacy officers, compliance officers, attorneys (both in private practice and in-house), record managers, IT staff, human resources and anyone else concerned with the steps that can and should be taken to protect privacy will find this book a constantly helpful resource.

Book #00686; looseleaf, one volume, 870 pages, published in 2006, updated as needed; no additional charge for updates during your subscription. Looseleaf print subscribers receive supplements. The online edition is updated automatically. ISBN: 978-1-58852-141-5

Satisfaction Guarantee: You will always have a full 30 days from receipt in which to review any book. If you don’t want the book, simply return it in resalable condition within 30 days of receipt and write “cancel” on the invoice. If you paid by credit or debit card you will receive a full refund of the purchase price (excluding return shipping & handling). eBook returns are only available if the eBook has not yet been downloaded and updates made available during any subscription term are not refundable.
For more information about online access and our downloadable EPUB format see our FAQ.

  • Availability: Available
  • Brand: Law Journal Press
  • Product Type: Books
  • Edition: 0
  • Page Count: 870
  • ISBN: 978-1-58852-141-5
  • Pub#/SKU#: 686
  • Volume(s): 1

Charlene Brownlee

Charlene Brownlee is an attorney and Certified Information Privacy Professional. She was formerly a partner in the law firm of Davis Wright Tremaine LLP in Seattle, Washington, where her practice focused on privacy, data security, e-discovery and information management. Ms. Brownlee assists clients in identifying, evaluating and managing risks associated with privacy and information security practices, and conducts privacy and data protection assessments and information security policy audits. She also advises clients on and drafts and negotiates contractual agreements concerning technology acquisition, data uses, security and confidentiality, and develops records management programs, including policies, procedures, and retention schedules and training modules.

She participates in the Sedona Conference, is a member of the e-Discovery Advisory Group of the Association of Records Managers and Administrators, Inc. (ARMA) and the International Association of Privacy Professionals. She has lectured and published widely in the areas of records and information management and e-discovery, technology, and Internet law.

Ms. Brownlee received her LLB in 1991 from the University of Manitoba, Canada, and is admitted to practice in Alberta, Canada and the state of Texas.

Blaze D. Waleski

Blaze D. Waleski is a technology and privacy legal consultant. He has extensive experience advising and structuring technology transfers in M&A, investment and credit transactions and corporate restructuring. He has negotiated the transfer of IP and IT in diverse business sectors, for financial institutions, retail companies, pharmaceuticals and biotechs, computer and information technology companies, manufacturers, fashion designers and hotels, casinos and real estate ventures, and others. Mr. Waleski regularly counsels companies on IP and IT issues, including the protection and the preservation of rights in patents, trademarks and copyrights.

Mr. Waleski's bar association involvement includes the Executive Committee of the New York State Bar Association, Intellectual Property Law Section; the Internet Law Committee of the New York State Bar Association; the Information Technology Law Committee of the Association of the Bar of the City of New York; and the Technology Transactions Subcommittee of the New York State Bar Association. He has published and lectured widely on IP, IT and data protection, security and privacy law issues. Mr. Waleski received his J.D. from Rutgers University, where he was a member of the Law Review and Moot Court Board, and his B.A. from Fordham University. He is admitted to practice law in the states of New York and New Jersey as well as in the federal courts of those states.

The Constitutional Right to Privacy, Privacy Legislation, and Government and Private Access to Personal Information

§ 1.01 Introduction
§ 1.02 Constitutional Considerations
[1] The Amendments to the United States Constitution
[2] The Constitutional Right of Privacy
[3] Key Federal Court Cases Addressing the Constitutional Right of Privacy
[4] State Constitutions
§ 1.03 Privacy Laws That Impact Access to and Use of Personal Information by the Government
[1] Federal Wiretap Statute
[2] Electronic Communications Privacy Act and Stored Communications Act
[3] Pen/Trap Statute
[4] Right to Financial Privacy Act
[5] Privacy Protection Act
[6] Foreign Intelligence Surveillance Act
§ 1.04 USA Patriot Act
[1] Sunset Provision
[2] Permanent Provisions
[3] Challenges to the USA Patriot Act
[4] The USA Freedom Act of 2015
§ 1.05 Other Federal Privacy Statutes
[1] Fair Credit Reporting Act
[2] Health Insurance Portability and Accountability Act
[3] Gramm-Leach-Bliley Act
[4] Computer Fraud and Abuse Act of 1986
[5] Cable Communications Policy Act
[6] Telecommunications Privacy Act
[7] Family Educational Rights and Privacy Act
[8] Video Privacy Protection Act of 1988
[9] Employee Polygraph Protection Act of 1988
[10] Telephone Consumer Protection Act of 1991
[11] Children’s Online Privacy Protection Act of 1998
§ 1.06 Statutes Restricting Government’s Disclosure of Personal Information
[1] Privacy Act of 1974
[2] Freedom of Information Act
[3] Driver’s Privacy Protection Act of 1994
§ 1.07 Social Security Numbers
[1] Background
[2] Federal Laws Restricting Use of SSNs
[3] State Laws Restricting Use of SSNs
§ 1.08 State Privacy Statutes
[1] Data Security Breach Notification
[2] Social Security Numbers
[3] Merchant Liability
[4] Information Security
[5] Financial Industry Regulation
[6] Statutes Affecting Employment and Social Media
[7] Statutes Concerning Website and Mobile App Privacy Policies
[8] Statutes Regarding Internet Tracking
[9] Statutes Addressing Monitoring of Employee E-mail Communications and Internet Access
[10] Statutes Addressing Library Records, Books and e-Readers
[11] Statutes Addressing Online and Social Media Information About Students
[12] Statutes Regulating Use of Automated License Plate Readers
[13] Statutes on Collection and Use of Biometric Information
[14] Statutes Regulating the Sale of Personal Information (Data Brokers)
[15] Statutes Addressing the Internet of Things (IoT)
[16] Statutes Addressing Consumer Privacy and Personal Data Generally

Privacy and Security of Health Information

§ 2.01 Federal Regulation of Health Information
[1] The Health Insurance Portability and Accountability Act of 1996 (HIPAA)
[2] The HIPAA Administrative Simplification Regulations
[3] The American Recovery and Reinvestment Act of 2009 (ARRA)
[4] The Health Information Technology for Economic and Clinical Health (HITECH) Act
[5] The Patient Protection and Affordable Care Act of 2010
[6] The Genetic Information Nondiscrimination Act of 2008 (GINA)
[7] The HIPAA Omnibus Final Rule of 2013
[8] Relationship to Other Federal Laws
§ 2.02 State Regulation of Health Information
[1] Health Information Laws
[2] Harmonizing State Privacy Laws
[3] Preemption of State Law
§ 2.03 Who Must Comply with HIPAA?
[1] Introduction
[2] Covered Entities
[3] Business Associates
[4] Who Are Not Business Associates
§ 2.04 The Business Associate Agreement
[1] Regulatory Background
[2] Required Terms of a Business Associate Agreement
[3] Compliance Dates
[4] Penalties
§ 2.04A Information Protected
[1] Protected Health Information
[2] Psychotherapy Notes
[3] De-identified Information
[4] Information Further Protected by Other Laws
[5] Wellness Programs
§ 2.05 Disclosures of Limited Data Sets
[1] General Rule
[2] Definition of Limited Data Set
[3] Data-Use Agreement
§ 2.06 Personal Representatives
[1] General Rule
[2] Exceptions
§ 2.07 Individual Rights
[1] Restriction of Otherwise Permitted Uses and Disclosures of PHI
[2] Notice of Privacy Provisions
[3] Access to the Designated Record Set
[4] Amendment of the Designated Record Set
[5] Accounting for Disclosures of PHI
[6] Complaints
§ 2.08 Minimum Necessary Standard
[1] Minimum Necessary Uses
[2] Minimum Necessary Disclosures
[3] Reasonable Reliance Permitted in Certain Circumstances
[4] Minimum Necessary Requests
[5] Exceptions
[6] HHS Guidance
§ 2.09 Required Disclosures of PHI
§ 2.10 Permitted Uses and Disclosures of PHI
[1] Disclosures of PHI to the Individual
[2] Uses and Disclosures of PHI for Treatment, Payment and Health Care Operations
[3] Incidental Uses and Disclosures
[4] Uses and Disclosures Required by Law
[5] Disclosures for Public Health Activities
[6] Use and Disclosures to Avert a Serious Threat to Health or Safety
[7] Uses and Disclosures for Certain Government Functions
[8] Uses and Disclosures for Health Oversight Activities
[9] Uses and Disclosures for Research Purposes
[10] Uses and Disclosures for Marketing
[11] Uses and Disclosures for Fundraising
[12] Disclosures by a Group Health Plan to a Plan Sponsor
[13] Disclosures for Workers’ Compensation
[14] Disclosures About Decedents and for Organ and Tissue Procurement
[15] Uses and Disclosures for Underwriting
[16] Uses and Disclosures for Facility Directories
[17] Uses and Disclosure Related to Persons Involved in the Individual’s Care
[18] Uses and Disclosures for Notification
§ 2.11 Authorization to Use or Disclose PHI
[1] Content Requirements
[2] Defective Authorization
[3] Conditioning Authorizations
[4] Compound Authorizations
[5] Revocation of an Authorization
[6] Administrative Requirements
§ 2.12 Breach Notification Requirements
[1] Requirements for Covered Entities and Business Associates
[2] Requirements for PHR Vendors and Other Non-HIPAA-Covered Entities
§ 2.13 Administrative and Managerial Requirements
[1] Privacy Official
[2] Policies and Procedures
[3] Duty to Mitigate
[4] Training
[5] Sanctions
[6] Safeguards
[7] Complaints
[8] Partial Exemption for Fully Insured Group Health Plans
§ 2.14 Security Rule Risk Analysis Requirements
[1] Introduction
[2] Office for Civil Rights (OCR) Guidance
[3] NIST Standards and Guidance
[4] Required Elements of a Risk Analysis
§ 2.15 [Reserved]
§ 2.16 Compliance and Enforcement
[1] Assistance with Compliance
[2] Compliance Reviews and Complaint Investigations
[3] Criminal Penalties 
[4] Civil Penalties
[5] Private Right of Action
[6] Distribution of Civil Penalties Collected
§ 2.17 Form: Key ARRA/HITECH Act Amendments
§ 2.18 Form: Sample Notice of Privacy Practices: Layered Notice for Healthcare Provider
§ 2.19 Form: Sample Acknowledgment of Receipt of Notice of Privacy Practices
§ 2.20 Form: Sample Authorization to Release Protected Health Information and Protected Financial Information (Health Insurance Plan)
§ 2.21 Form: Sample Agreement to Amend Existing Business Associate Agreement to Include Breach Notification Requirements
§ 2.22 Form: Sample Patient Consent for Electronic Communication
§ 2.23 Form: Sample Policy-Safeguarding Protected Health Information (PHI)

Financial Institutions and the Collection of Financial Data: The Gramm-Leach-Bliley Act and Related Laws and Rules

§ 3.01 The Gramm-Leach-Bliley Act: The Statutory Scheme
[1] Privacy Rules: Regulatory Agency Rulemaking
[2] Federal Trade Commission Regulatory Authority
[3] Security Guidelines and Rules: Regulatory Agency Rulemaking
[4] Overlapping Privacy Rules; Hybrid Entities
[5] No Private Cause of Action
§ 3.01A The Dodd-Frank Wall Street Reform And Consumer Financial Protection Act 
[1] Bureau of Consumer Financial Protection
[2] FCRA
§ 3.02 Relation to State Law
[1] Greater Protection
[2] State Law
§ 3.03 Who Must Comply with GLB?: “Financial Institutions”
[1] Definition of “Financial Institution”
[2] E-Commerce
[3] Exemptions
§ 3.04 What Information Is Covered?: “Nonpublic Personal Information”
[1] Publicly Available Information
[2] Personally Identifiable Financial Information
§ 3.05 Restrictions on Disclosures to a “Nonaffiliated Third Party”
[1] Affiliate
[2] Nonaffiliated Third Party
[3] Exceptions
§ 3.06 Disclosures to Affiliates
[1] FCRA Affiliate Sharing
§ 3.07 Consumer Versus Customer
[1] Consumer
[2] Customer
[3] Representatives of Individuals
[4] Trusts
§ 3.08 Privacy Notices: Initial Privacy Notice
[1] To Consumers
[2] To Customers
[3] Revised Privacy Notices
[4] Model Privacy Notice
§ 3.09 Opt-Out Notice
[1] When Required; Timing of
[2] Content of Opt-Out Notice
[3] Reasonable Means of Opting Out
[4] Reasonable Opportunity to Opt Out
[5] Partial Opt Out
[6] Duration of Opt Out
[7] New Opt-Out Notices
[8] Transfer of Accounts
[9] Joint Accounts
[10] When Information Is Disclosed Only Pursuant to the Opt-Out Exceptions (Section 6802(b)(2) or Section 6802(e))
§ 3.10 Annual Privacy Notice
[1] Continuation of Customer Relationship
[2] Termination of Customer Relationship
§ 3.11 Content of Privacy Notice
[1] Clear and Conspicuous/Format of Notice
[2] Websites
[3] Collection Versus Pass-Through of Information
[4] Level of Detail
[5] Affiliate-Sharing Disclosure in Initial and Annual Privacy Notices: FCRA Considerations
[6] FCRA Credit Header Information
[7] Simplified Notices
[8] Security and Confidentiality
§ 3.12 Delivery of Notices
[1] Notices Displayed on a Website
[2] Isolated Transactions; Oral Notice
[3] New Versions of Privacy Notice
[4] Joint Notices by More than One Financial Institution
[5] Joint Accounts
[6] Customer Requests Not to Send Information
[7] Recordkeeping
§ 3.12A Fair Credit Reporting Act
[1] Consumer Report Information
[2] Disclosure to Affiliates and to Nonaffiliates
[3] Consumer Opt-Out Rights
[4] Damages
§ 3.13 Reuse and Redisclosure of Nonpublic Personal Information
[1] Use of Agent by Financial Institution: to Which Entity Does the Customer Relationship Attach? 
[2] Nonaffiliated Third Parties (Including Service Providers) 
[3] Information Disclosed Pursuant to Section 6802(b)(2) and Section 6802(e) Exceptions
[4] Vendor Contract Requirements for Disclosures Made Pursuant to Section 6802(b)(2) Exception
[5] Account Number Information for Marketing Purposes
[6] FCRA Considerations: Redisclosure of GLB Information by Consumer Reporting Agencies
[7] USA Patriot Act Compliance
§ 3.14 Security
[1] SEC
[2] Joint Banking Security Guidelines
[3] FTC Security Rule
§ 3.15 State Financial Law
[1] California Financial Information Privacy Act
[2] California Insurance Law
[3] New York Department of Financial Services Cybersecurity Requirements
§ 3.16 Form: Model Privacy Notices 

Privacy and Surveillance in the Workplace

§ 4.01 Overview
§ 4.02 The Fair Credit Reporting Act (FCRA)
[1] Who Is Affected?
[2] The Privacy Implications of the FCRA
[3] Penalties for Noncompliance
[4] Additional Information About the FCRA
§ 4.03 The Americans with Disabilities Act (ADA) 
[1] Who Must Comply with the ADA? 
[2] Restrictions on Medical Inquiries and Medical Examinations
[3] Confidentiality of Medical Information
[4] Administrative Enforcement and Litigation
[5] Additional Resources
§ 4.04 The Family and Medical Leave Act (FMLA) 
[1] Covered Employees 
[2] Eligible Employees
[3] Health Information and Determining FMLA Eligibility
[4] Confidentiality and Storage of FMLA Records
[5] Enforcement and Penalties for Noncompliance
§ 4.05 Verification of Employment Eligibility
[1] Who Is Affected? 
[2] The Privacy Implications of the Employment Eligibility Verification Laws
[3] Penalties for Noncompliance
[4] Additional Resources
§ 4.06 The Employee Polygraph Protection Act of 1988 (EPPA) 
[1] Who Is Covered? 
[2] The Privacy Implications of the EPPA
[3] Penalties for Noncompliance
[4] Additional Resources
§ 4.07 Monitoring Employee Communications
[1] Telephone Conversations
[2] Online Communications (E-Mail and Internet Use) 
[3] Radio Frequency Identification Devices (RFID) 
[4] Penalties for Noncompliance
§ 4.08 The Health Insurance Portability and Accountability Act (HIPAA) 
[1] Who Is Covered? 
[2] The Privacy Implications of HIPAA
[3] Penalties for Noncompliance
[4] Employee Privacy and Personnel Information
[5] Additional Resources
§ 4.09 Searches at the Workplace
[1] Constitutional Limitations
[2] Employee Liability to Employers
[3] Employer Liability for Employee Actions
§ 4.10 Drug and Alcohol Testing
§ 4.11 Bring Your Own Device Programs
[1] What Is Bring Your Own Device (BYOD)?
[2] Employee Personal Data
[3] Regulatory Compliance
[4] Litigation and Discovery Procedures
[5] Information Security Risks
[6] Cloud Storage Applications
[7] Contractual Obligations
[8] Protection of Trade Secrets
[9] Employment Law Issues
[10] International Data Protection Laws
[11] Terms of BYOD Policies
§ 4.12 Post-Employment Inquiries
[1] EEOC Prohibited Practices
[2] State Qualified Privilege Statutes
[3] Recommended Practices
§ 4.13 Other Workplace Privacy Considerations
[1] Recording Obligations of Employers
[2] Questioning Employees About Voting
[3] Questioning Employees About Other Political Activity

Global Data Protection Laws

§ 5.01 International Models of Privacy Protection 
[1] Introduction
[2] Privacy Principles
[3] Approaches to Privacy
§ 5.02 Data Protection Law in Europe
[1] Introduction
[2] The Council of Europe
[3] The European Economic Area
§ 5.03 Member State Privacy Legislation
[1] Austria
[2] Belgium
[3] France
[4] Germany
[5] Italy
[6] The Netherlands
[7] Spain
[8] Sweden
[9] The United Kingdom
[10] Other EU Member States
§ 5.04 Data Transfers from Europe 
[1] Introduction
[2] Model Clauses 
[3] Data Transfers Between the U.S. and the EU
[4] The United States-Swiss Safe Harbor
[5] Binding Corporate Rules
[6] Exceptions
[7] Consent by the Data Subject
[8] Compliance Checklist for Data Transfers 
[9] Transfer of Passenger Name Records (PNR) to the United States
[10] The United States-European Union High Level Contact Group for Law Enforcement and Security
§ 5.05 Global Privacy Laws
[1] Canada
[2] Latin America
[3] Asia-Pacific
[4] India
[5] Israel
[6] United Arab Emirates: Dubai
§ 5.06 Multinational Data Protection Audit
[1] Purpose of the Audit
[2] Conducting the Audit
§ 5.07 Form: Sample Data Protection Audit Questionnaire for the European Union
§ 5.08 Form: Sample Multinational Privacy Audit Checklist
§ 5.09 Form: Sample Privacy Policy That Complies with Safe Harbor

Internet, Online and Mobile Privacy

§ 6.01 Introduction
§ 6.02 Federal Laws and Regulations
[1] Laws and Regulations
[2] Federal Policy and Initiatives
§ 6.03 The Federal Trade Commission and the Regulation of Internet, Online and Mobile Privacy 
[1] Overview of the FTC's Investigative and Law Enforcement Authority
[2] The FTC’s Authority to Regulate Data Security
[3] The FTC’s Self-Regulatory Principles
[4] The FTC’s Enforcement Actions
[5] Legal Resources
§ 6.04 State Laws and Enforcement of Internet and Online Privacy
[1] The Role of the State Attorneys General
[2] Privacy Enforcement Actions
[3] The National Association of Attorneys General (NAAG)
[4] State Laws
[5] Consumer Fraud and Deceptive Trade Practices Legislation
[6] Spyware Legislation
[7] Data Security Breach Legislation
[8] Tort of Invasion of Privacy
§ 6.05 Children’s Privacy
[1] The Children’s Online Privacy Protection Act
[2] State Legislation Protecting Children’s Privacy
§ 6.06 Industry Self-Regulation
[1] Introduction
[2] General Online Privacy Programs
[3] Online Behavioral Advertising
[4] Mobile Marketing Guidelines
[5] Self-Regulatory Programs for Children’s Information
[6] Privacy Seal Programs
§ 6.07 Consumer Privacy 
[1] Big Data Privacy Concerns
[2] Online Behavioral Advertising
[3] Do Not Track
[4] The Internet of Things
[5] Social Media Sites
[6] Mobile Privacy
[7] Mobile Location Analytics
§ 6.08 Cybersecurity and Government Surveillance
[1] Introduction
[1A] Data Breach Notification Laws
[2] The Federal Cybersecurity Framework
[3] Federal Laws Governing Surveillance

Privacy Concerns in Business Transactions: Mergers, Acquisitions, Corporate Restructuring, Bankruptcies, Liquidations

§ 7.01 Background: The Law Before the Year 2000
§ 7.02 The Case for Customer Lists as Business Assets
[1] General Intangibles
[2] Value
[3] Trade Secrets
[4] Intellectual Property
[5] Alienable Property
§ 7.03 The Intersection with Privacy
[1] The Influence of Technology
[2] Customer Lists Sold for Marketing Purposes
[3] Competing Legal Theories
§ 7.04 Consumer Protection Laws
[1] The Federal Trade Commission Act
[1A] The Federal Communications Act and FCC Authority to Regulate ISPs
[2] State Consumer Protection Laws
§ 7.04A Causes of Actions for Unauthorized Disclosures of Personal Information
[1] Theories of Liability
§ 7.04B Standing: U.S. Federal Court Subject Matter Jurisdiction
[1] Standing in Identity Theft Cases
[2] Standing in Cases Involving Internet Browsing History
[3] Standing in Cases Involving Inaccurate Data
§ 7.05 Breach of Contract
[1] Prerequisites for a Binding Contract
[2] Offline Contracts
[3] Online Contracts
[4] Damages
[5] Equitable Relief
[6] Privacy Seal Programs
[7] Commercial Contracts
[8] Breach of Contract Claims
§ 7.06 Privacy Rights
[1] Constitutional Right Versus Tort
[2] Origins of Right Against Invasion of Privacy
[3] Elements of Invasion of Privacy Claim
[4] Invasion of Privacy Claims Involving Personal Information
[5] The Law Is Evolving
[6] Negligence
§ 7.07 Special Concerns in Bankruptcy
[1] The Clash Between Privacy and Bankruptcy Law
[2] Goals of Bankruptcy
[3] The Toysmart Bankruptcy
[4] Transfer of Assets Under Bankruptcy Law
[5] Automatic Stay
[6] Bankruptcy Abuse Prevention and Consumer Protection Act of 2005
§ 7.08 Additional Concerns in Mergers, Acquisitions and Divestitures
[1] Ownership of Personal Information
[2] Fair Information Practice Principles
[3] Considerations for Business Transactions
[4] U.S. “Consumer Privacy Bill of Rights”

Appendix A: Summary of State Data Breach Notification Laws