Protecting Personal Privacy

The protection of personal privacy has become a more significant issue in recent years with the advent of new technologies and the proliferation of personal information. The federal government collects and uses personal information on individuals in increasingly sophisticated ways for things like law enforcement, border control, and enhanced online interactions with citizens. In the private sector, commercial entities collect, share, and sell vast amounts of personal information for marketing and other purposes. Most recently, some companies have started using the technology to monitor the spread of COVID-19—such as to identify individuals that came in contact with people displaying symptoms.

The collection or use of personal information by the federal government is governed primarily by two laws: the Privacy Act of 1974 and the privacy provisions of the E-Government Act of 2002. In contrast, there is no overarching federal privacy law that governs the collection and sale of personal information among private-sector companies (although a variety of laws are tailored to specific purposes, situations, or entities).

Policymakers face some key challenges to protecting personal privacy. For instance:

• Many federal IT systems need stronger privacy practices and safeguards to protect the personally identifiable information they hold.
• Appropriate regulation needs to be determined for the collection, use, and sale of online personal information by commercial entities, which is often done without the consumer’s knowledge or consent. We have recommended that Congress consider strengthening the consumer privacy framework to reflect the effects of changing technologies and markets.
• Threats to anonymity and other privacy risks of emerging technologies used for law enforcement or commercial purposes (such as facial recognition and geolocation applications) need to be addressed.