The information below explains general legal concepts for educational purposes. It is not legal, financial, or tax advice, and it does not create an attorney-client relationship. Laws and procedures vary by jurisdiction and may change. The author and publisher disclaim liability for actions taken based on this content.
Key Facts
- Federal level: FTC Act Section 5 declares unfair methods of competition and unfair or deceptive acts or practices in or affecting commerce unlawful and authorizes the FTC to prevent them.
- Federal level: FTC privacy and security materials explain that when companies make privacy promises, the FTC Act requires companies to live up to those claims and maintain security appropriate to the nature of the data they have.
- Federal level: HHS explains that HIPAA Rules apply to covered entities and business associates, and entities outside those definitions do not have to comply with HIPAA Rules under the HIPAA framework.
- Federal level: The GLBA Safeguards Rule in 16 CFR Part 314 requires reasonable safeguards for customer information and includes an FTC notification timing trigger for qualifying events affecting at least 500 consumers, with notice generally due no later than 30 days after discovery.
- State level: California’s CCPA gives consumers a right to request deletion of personal information and a right to opt out of sale or sharing, and generally requires responses within 45 days of receiving a verifiable request with a possible additional 45-day extension.
- State level: California’s data breach notification statute generally requires disclosure to affected California residents within 30 calendar days of discovery or notification and specifies notice content such as “Notice of Data Breach” with required headings like “What Happened?” and “What You Can Do”.
Last reviewed: May 2026. Legal rules, forms, deadlines, and procedures can change by jurisdiction, agency, and court system.
Technology privacy concerns often sound like a single issue, but U.S. law usually treats them as separate questions: what kind of information is involved, what type of organization is being regulated, what harm the law is trying to prevent (privacy misuse versus security failures), and which regulator has authority.
A common federal starting point is consumer-protection enforcement. FTC Act Section 5 (15 USC 45) declares that unfair methods of competition and unfair or deceptive acts or practices in or affecting commerce are unlawful.
The FTC’s privacy-and-security guidance connects privacy promises to enforceable expectations. It explains that when companies make privacy promises to consumers, those statements can create duties under the FTC Act, and it also describes an obligation to maintain security that is appropriate to the nature of the data a company holds.
Some technology privacy issues involve health information, where HIPAA can matter—but only within HIPAA’s coverage limits. HHS explains that HIPAA Rules apply to covered entities and business associates, and that an entity that does not meet those HIPAA definitions generally does not have to comply with HIPAA Rules under the HIPAA framework.
For certain financial institutions, technology privacy and security obligations often fall into the Gramm-Leach-Bliley Act safeguards lane. The GLBA Safeguards Rule in 16 CFR Part 314 requires reasonable administrative, technical, and physical safeguards for customer information, and includes a notification timing trigger for qualifying events affecting at least 500 consumers.
California illustrates how state law can address technology privacy as a set of consumer rights while also treating security-breach notice as a separate obligation. California’s CCPA statute includes a right to request deletion of personal information and a right to opt out of sale or sharing, and generally requires a business to respond within 45 days of receiving a verifiable consumer request (with a possible additional 45-day extension when reasonably necessary).
California also separates breach-notice duties from consumer privacy rights. Under Cal. Civ. Code § 1798.82, the state generally requires disclosure to affected California residents within 30 calendar days of discovery or notification, and the statute specifies notice content and required headings such as “What Happened?” and “What You Can Do.”
Privacy rights, safeguards, and breach notices are related but not identical legal concepts
A frequent confusion in technology privacy concerns is treating “privacy” and “security” as the same category. Federal and state rules often split into different objectives: consumer privacy rights, security safeguards standards, and breach-notice disclosure requirements.
| Legal focus | What the rule aims to control | Example authority in this article |
|---|---|---|
| Privacy rights (consumer choices or access/deletion rights) | How consumers can direct a business regarding certain uses or retention of personal information | California CCPA deletion right and opt-out of sale or sharing (Cal. Civ. Code §§ 1798.105 and 1798.120) |
| Security safeguards (ongoing protections) | Whether an entity maintains reasonable safeguards for covered customer information | GLBA Safeguards Rule (16 CFR Part 314) |
| Breach notifications (what to disclose after certain events) | When and how notice is delivered after discovery/notification of a qualifying event | California data breach notification statute (Cal. Civ. Code § 1798.82): notice timing and required headings |
This distinction matters because a breach-notice duty does not automatically mean the underlying privacy rights come from the same legal source, and consumer privacy rights do not automatically replace sector safeguards obligations. Finally, coverage questions often matter more than the technology label itself: HIPAA’s obligations hinge on whether an entity is a covered entity or business associate, and FTC Act enforcement hinges on consumer-facing privacy representations and resulting “unfair” or “deceptive” conduct.