Damages for Breaches of Privacy, Legal Authorizations and Mergers and Takeovers in U.S. Law

This responds to the request by the European Commission for clarification of U.S. law with respect to (a) claims for damages for breaches of privacy, (b) "explicit authorizations" in U.S. law for the use of personal information in a manner inconsistent with the safe harbor principles, and (c) the effect of mergers and takeovers on obligations undertaken pursuant to the safe harbor principles.
 

A. Damages for Breaches of Privacy
 

Failure to comply with the safe harbor principles could give rise to a number of private claims depending on the relevant circumstances. In particular, safe harbor organizations could be held liable for misrepresentation for failing to adhere to their stated privacy policies. Private causes of action for damages for breaches of privacy are also available under common law. Many federal and state statutes on privacy also provide for the recovery of damages by private individuals for violations.
 

The right to recover damages for invasion of personal privacy is well established under U.S. common law.
 

Use of personal information in a manner inconsistent with the safe harbor principles can give rise to legal liability under a number of different legal theories. For example, both the transferring data controller and the individuals affected could sue the safe harbor organization which fails to honor its safe harbor commitments for misrepresentation. According to the Restatement of the Law, Second, Torts(1):
 

One who fraudulently makes a misrepresentation of fact, opinion, intention or law for the purpose of inducing another to act or to refrain from action in reliance upon it, is subject to liability to the other in deceit for pecuniary loss caused to him by his justifiable reliance upon the misrepresentation.
 

Restatement, § 525. A misrepresentation is "fraudulent" if it is made with the knowledge or in the belief that it is false. Id., § 526. As a general rule, the maker of a fraudulent misrepresentation is potentially liable to everyone who he intends or expects to rely on that misrepresentation for any pecuniary loss they might suffer as a result. Id., § 531. Furthermore, a party who makes a fraudulent misrepresentation to another could be liable to a third-party if the tortfeasor intends or expects that his misrepresentation would be repeated to and acted upon by the third-party. Id., § 533.
 

In the context of the safe harbor, the relevant representation is the organization's public declaration that it will adhere to the safe harbor principles. Having made such a commitment, a conscious failure to abide by the principles could be grounds for a cause of action for misrepresentation by those who relied on the misrepresentation. Because the commitment to adhere to the principles is made to the public at large, the individuals who are the subjects of that information as well as the data controller in Europe that transfers personal information to the U.S. organization could all have causes of action against the U.S. organization for misrepresentation.(2) Moreover, the U.S. organization remains liable to them for the "continuing misrepresentation" for as long as they rely on the misrepresentation to their detriment. Restatement, § 535.
 

Those who rely on a fraudulent misrepresentation have a right to recover damages. According to the Restatement:
 

The recipient of a fraudulent misrepresentation is entitled to recover as damages in an action of deceit against the maker the pecuniary loss to him of which the misrepresentation is a legal cause.
 

Restatement, § 549. Allowable damages include actual out-of-pocket loss as well as the lost "benefit of the bargain" in a commercial transaction. Id.; see, e.g., Boling v. Tennessee State Bank, 890 S.W.2d 32 (1994) (bank liable to borrowers for $14,825 in compensatory damages for disclosing borrowers' personal information and business plans to bank president who had a conflicting interest).
 

Whereas fraudulent misrepresentation requires either actual knowledge or at least the belief that the representation is false, liability can also attach for negligent misrepresentation. According to the Restatement, whoever makes a false statement in the course of his business, profession, or employment, or in any pecuniary transaction can be held liable "if he fails to exercise reasonable care or competence in obtaining or communicating the information." Restatement, § 552(1). In contrast with fraudulent misrepresentations, damages for negligent misrepresentation are limited to out-of-pocket loss. Id., § 552B(1).
 

In a recent case, for example, the Superior Court of Connecticut held that a failure by an electric utility to disclose its reporting of customer payment information to national credit agencies sustained a cause of action for misrepresentation. See Brouillard v. United Illuminating Co., 1999 Conn. Super. LEXIS 1754. In that case, the plaintiff was denied credit because the defendant reported payments not received within thirty days of the billing date as "late". The plaintiff alleged that he had not been informed of this policy when he opened a residential electric service account with the defendant. The court specifically held that "a claim for negligent misrepresentation may be based on the defendant's failure to speak when he has a duty to do so." This case also shows that "scienter" or fraudulent intent is not a necessary element in a cause of action for negligent misrepresentation. Thus, a U.S. organization which negligently fails to fully disclose how it will use personal information received under the safe harbor could be held liable for misrepresentation.
 

Insofar as a violation of the safe harbor principles entailed a misuse of personal information, it could also support a claim by the data subject for the common law tort of invasion of privacy. American law has long recognized causes of action relating to invasions of privacy. In a 1905 case,(3) the Georgia Supreme Court found a right to privacy rooted in natural law and common law precepts in holding for a private citizen whose photograph had been used by a life insurance company, without his consent or knowledge, to illustrate a commercial advertisement. Articulating now-familiar themes in American privacy jurisprudence, the court found that the usage of the photograph was "malicious," "false," and tended to "bring plaintiff into ridicule before the world."(4) The foundations of the Pavesich decision have prevailed with minor variations to become the bedrock of American law on this topic. State courts have consistently upheld causes of action in the realm of invasion of privacy, and at least 48 states now judicially recognize some such cause of action.(5) Moreover, at least twelve states have constitutional provisions safeguarding their citizens' right to be free from intrusive actions,(6) which in some cases could extend to protect against intrusion by non-governmental entities. See, e.g., Hill v. NCAA, 865 P.2d 633 (Ca. 1994); see also S. Ginder, Lost and Found in Cyberspace: Informational Privacy in the Age of the Internet, 34 S.D. L. Rev. 1153 (1997) ("Some state constitutions include privacy protections which surpass privacy protections in the U.S. Constitution. Alaska, Arizona, California, Florida, Hawaii, Illinois, Louisiana, Montana, South Carolina, and Washington have broader privacy protection.")
 

The Second Restatement of Torts provides an authoritative overview of the law in this area. Reflecting common judicial practice, the Restatement explains that the "right to privacy" encompasses four distinct causes of action in tort under that umbrella. See Restatement, § 652A. First, a cause of action for "intrusion upon seclusion" may lie against a defendant who intentionally intrudes, physically or otherwise, upon the solitude or seclusion of another or his private affairs or concerns.(7) Second, an "appropriation" case may exist when one takes the name or likeness of another for his own use or benefit.(8) Third, the "publication of private facts" is actionable when the matter publicized is of a kind that would be highly offensive to a reasonable person and is not of legitimate concern to the public.(9) Lastly, an action for "false light publicity" is appropriate when the defendant knowingly or recklessly places another before the public in a false light that would be highly offensive to a reasonable person.(10)
 

In the context of the safe harbor framework, "intrusion upon seclusion" could encompass the unauthorized collection of personal information whereas the unauthorized use of personal information for commercial purposes could give rise to a claim of appropriation. Similarly, the disclosure of personal information that is inaccurate would give rise to a tort of "false light publicity" if the information meets the standard of being highly offensive to a reasonable person. Finally, the invasion of privacy that results from the publication or disclosure of sensitive personal information could give rise to a cause of action for "publication of private facts." (See examples of illustrative cases below.)
 

On the issue of damages, invasions of privacy give the injured party the right to recover damages for:
 

(a) the harm to his interest in privacy resulting from the invasion;
 

(b) his mental distress proved to have been suffered if it is of a kind that normally results from such an invasion; and
 

(c) special damage of which the invasion is a legal cause.
 

Restatement, § 652H. Given the general applicability of tort law and the multiplicity of causes of action covering different aspects of privacy interests, monetary damages are likely to be available to those who suffer invasion of their privacy interests as a result of a failure to adhere to the safe harbor principles.
 

Indeed, state courts are replete with cases alleging invasion of privacy in analogous situations. Ex Parte AmSouth Bancorporation et al., 717 So. 2d 357, for example, involved a class action that alleged the defendant "exploited the trust depositors placed in the Bank, by sharing confidential information regarding Bank depositors and their accounts" to enable a bank affiliate to sell mutual funds and other investments. Damages are often awarded in such cases. In Vassiliades v. Garfinckel's, Brooks Bros., 492 A.2d 580 (D.C.App. 1985), an appellate court reversed a lower court judgement to hold that the use of photographs of the plaintiff "before" and "after" plastic surgery in a presentation in a department store constituted an invasion of privacy through the publication of private facts. In Candebat v. Flanagan, 487 So.2d 207 (Miss. 1986), the defendant insurance company used an accident in which plaintiff's wife was seriously injured in an advertising campaign. Plaintiff sued for invasion of privacy. The court held that plaintiff could recover damages for emotional distress and appropriation of identity. Actions for misappropriation can be maintained even if the plaintiff is not personally famous. See, e.g., Staruski v. Continental Telephone Co., 154 Vt. 568 (1990) (defendant derived commercial benefit in using employee's name and photograph in newspaper advertisement). In Pulla v. Amoco Oil Co., 882 F.Supp. 836 (S.D. Iowa 1995), an employer intruded on plaintiff employee's seclusion by having another employee investigate his credit card records in order to verify his sick day absences. The court upheld a jury award of $2 in actual damages and $500,000 in punitive damages. Another employer was held liable for publishing a story in the company newspaper about an employee who was terminated for allegedly falsifying his employment records. See Zinda v. Louisiana-Pacific Corp., 140 Wis.2d 277 (Wis.App. 1987).
The story invaded the plaintiff's privacy by publication of a private matter because the newspaper circulated in the community. Finally, a college which tested students for HIV after telling them the blood test was for rubella only was held liable for intrusion upon seclusion. See Doe v. High-Tech Institute, Inc., 972 P.2d 1060 (Colo.App. 1998). (For other reported cases, see Restatement, § 652H, Appendix.)
 

The United States is often criticized for being overly litigious, but this also means that individuals actually can, and do, pursue legal recourse when they believe they have been wronged. Many aspects of the U.S. judicial system make it easy for plaintiffs to bring suit, either individually or as a class. The legal bar, comparatively larger than in most other countries, makes professional representation readily available. Plaintiffs' counsel representing individuals in private claims will typically work on a contingency fee basis, allowing even poor or indigent plaintiffs to seek redress. This brings up an important factor: in the United States, each side typically bears its own lawyers' fees and other costs. This contrasts with the prevailing rule in Europe wherein the losing party has to reimburse the other side for costs. Without debating the relative merits of the two systems, the U.S. rule is less likely to deter legitimate claims by individuals who would not be able to pay the costs on both sides if they should lose.
 

Individuals can sue for redress even if their claims are relatively small. Most, if not all, U.S. jurisdictions have small claims courts which provide simplified and less costly procedures for disputes below the statutory limits.(11) The potential for punitive damages also offers a financial reward for individuals who might have suffered little direct injury to bring suit against reprehensible misconduct. Finally, individuals who have been injured in the same way can marshal their resources as well as their claims to bring a class-action lawsuit.
 

A good example of the ability of individuals to bring suit to obtain redress is the pending litigation against Amazon.com for invasion of privacy. Amazon.com, the large online retailer, is the target of a class action, in which the plaintiffs allege that they were not told about, and did not consent to, the collection of personal information about them when they used a software program owned by Amazon called "Alexa." In that case, plaintiffs have alleged violations of the Computer Fraud and Abuse Act in unlawful access to their stored communications and of the Electronic Communications Privacy Act for unlawful interception of their electronic and wire communications. They also claim an invasion of privacy under common law. This stems from a complaint filed by an Internet security expert in December. The suit seeks damages of $1,000 per class member, plus attorneys' fees and profits earned as a result of violations of laws. Given that the number of class members could be in the millions, damages could total billions of dollars. The FTC is also investigating the charges.
 

Federal and state privacy legislation often provides private causes of action for money damages.
 

In addition to giving rise to civil liability under tort law, noncompliance with the safe harbor principles could also violate one or another of the hundreds of federal and state privacy laws. Many of these laws, which address both government and private-sector handling of personal information, allow individuals to sue for damages when violations occur. For example:
 

Electronic Communications Privacy Act of 1986. The ECPA prohibits the unauthorized interception of cellular telephone calls and computer-to-computer transmissions. Violations can result in civil liability of not less than $100 for each day of violation. The protection of the ECPA also extends to unauthorized access or disclosure of stored electronic communications. Violators are liable for damages suffered or forfeiture of profits generated by a violation.
 

Telecommunications Act of 1996. Under section 702, customer proprietary network information (CPNI) may not be used for any purpose other than to provide telecommunications services. Service subscribers can either submit a complaint to the Federal Communications Commission or file suit in federal district court to recover damages and attorneys' fees.
 

Consumer Credit Reporting Reform Act of 1996. The 1996 Act amended the Fair Credit Reporting Act of 1970 (FCRA) to require improved notice and right of access for credit reporting subjects. The Reform Act also imposed new restrictions on resellers of consumer credit reports. Consumers can recover damages and attorneys' fees for violations.
 

State laws also protect personal privacy in a broad range of situations. Areas where the states have taken action include bank records, cable television subscriptions, credit reports, employment records, government records, genetic information and medical records, insurance records, school records, electronic communications, and video rentals.(12)
 

B. Explicit Legal Authorizations
 

The safe harbor principles contain an exception where statute, regulation or case law create "conflicting obligations or explicit authorizations, provided that, in exercising any such authorization, an organization can demonstrate that its non-compliance with the principles is limited to the extent necessary to meet the overriding legitimate interests furthered by such authorization." Clearly, where U.S. law imposes a conflicting obligation, U.S. organizations, whether in the safe harbor or not, must comply with the law. As for explicit authorizations, while the safe harbor principles are intended to bridge the differences between the U.S. and European regimes for privacy protection, we owe deference to the legislative prerogatives of our elected lawmakers. The limited exception from strict adherence to the safe harbor principles seeks to strike a balance to accommodate the legitimate interests on each side.
 

The exception is limited to cases where there is an explicit authorization. Therefore, as a threshold matter, the relevant statute, regulation or court decision must affirmatively authorize the particular conduct by safe harbor organizations.(13) In other words, the exception would not apply where the law is silent. In addition, the exception would apply only if the explicit authorization conflicts with adherence to the safe harbor principles. Even then, the exception "is limited to the extent necessary to meet the overriding legitimate interests furthered by such authorization." By way of illustration, where the law simply authorizes a company to provide personal information to government authorities, the exception would not apply. Conversely, where the law specifically authorizes the company to provide personal information to government agencies without the individual's consent, this would constitute an "explicit authorization" to act in a manner that conflicts with the safe harbor principles. Alternatively, specific exceptions from affirmative requirements to provide notice and consent would fall within the exception (since it would be the equivalent of a specific authorization to disclose the information without notice and consent). For example, a statute which authorizes doctors to provide their patients' medical records to health officials without the patients' prior consent might permit an exception from the notice and choice principles. 
This authorization would not permit a doctor to provide the same medical records to health maintenance organizations or commercial pharmaceutical research laboratories, which would be beyond the scope of the purposes authorized by the law and therefore beyond the scope of the exception.(14) The legal authority in question can be a "stand alone" authorization to do specific things with personal information, but, as the examples below illustrate, it is likely to be an exception to a broader law which proscribes the collection, use, or disclosure of personal information.
 

Telecommunications Act of 1996
 

In most cases, the authorized uses are either consistent with the requirements of the Directive and the principles, or would be permitted by one of the other allowed exceptions. For example, section 702 of the Telecommunications Act (codified at 47 U.S.C. § 222) imposes a duty on telecommunications carriers to maintain the confidentiality of personal information that they obtain in the course of providing their services to their customers. This provision specifically allows telecommunications carriers to:
 

use customer information to provide telecommunications service, including the publication of subscriber directories;
 

provide customer information to others at the written request of the customer; and
 

provide customer information in aggregate form.
 

See 47 U.S.C. § 222(c)(1)-(3). The Act also allows telecommunications carriers an exception to use customer information:
 

to initiate, render, bill, and collect for their services;
 

to protect against fraudulent, abusive or illegal conduct; and
 

to provide telemarketing, referral or administrative services during a call initiated by the customer.(15)
 

Id., § 222(d)(1)-(3). Finally, telecommunications carriers are required to provide subscriber list information, which can only include the names, addresses, telephone numbers and line of business for commercial customers to publishers of telephone directories. Id., § 222(e).
 

The exception for "explicit authorizations" might come into play when telecommunications carriers use CPNI to prevent fraud or other unlawful conduct. Even here, such actions could qualify as being in the "public interest" and allowed by the principles for that reason.
 

Department of Health and Human Services Proposed Rules
 

The Department of Health and Human Services (HHS) has proposed rules regarding standards for the privacy of individually identifiable health information. See 64 Fed. Reg. 59,918 (Nov. 3, 1999) (to be codified at 45 C.F.R. pts. 160-164). The rules would implement the privacy requirements of the Health Insurance Portability and Accountability Act of 1996, Pub. L. 104-191. The proposed rules generally would prohibit covered entities (i.e. health plans, health care clearinghouses, and health providers that transmit health information in electronic format) from using or disclosing protected health information without individual authorization. See proposed 45 C.F.R. § 164.506. The proposed rules would require disclosure of protected health information for only two purposes: 1) to permit individuals to inspect and copy health information about themselves, see id. at § 164.514; and 2) to enforce the rules, see id. at § 164.522.
 

The proposed rules would permit use or disclosure of protected health information, without specific authorization by the individual, in limited circumstances. These include, for example, oversight of the health care system, law enforcement, and emergencies. See id. at § 164.510. The proposed rules set out in detail the limits on these uses and disclosures. Moreover, permitted uses and disclosures of protected health information would be limited to the minimum amount of information necessary. See id. at § 164.506.
 

The permissive uses explicitly authorized by the proposed regulations are generally consistent with the safe harbor principles or are otherwise allowed by another exception. For example, law enforcement and judicial administration are permitted, as is medical research. Other uses, such as oversight of the health care system, public health function, and government health data systems, serve the public interest. Disclosures to process health care payments and premiums are necessary to the provision of health care. Uses in emergencies, to consult with next-of-kin regarding treatment where the patient's consent "cannot practicably or reasonably be obtained," or to determine the identity or cause of death of the deceased protect the vital interests of the data subject and others. Uses for the management of active duty military and other special classes of individuals aid the proper execution of the military mission or similar exigent situations; and in any event, such uses will have little if any application to consumers in general.
 

This leaves only the use of personal information by health care facilities to produce patient directories. While such use might not rise to the level of a "vital" interest, the directories do benefit patients and their friends and relations. Also, the scope of this authorized use is inherently limited. Therefore, reliance on the exception in the principles for uses "explicitly authorized" by law for this purpose presents minimal risk to the privacy of patients.
 

Fair Credit Reporting Act
 

The European Commission has expressed the concern that the "explicit authorizations" exception would "effectively create an adequacy finding" for the Fair Credit Reporting Act (FCRA). This would not be the case. In the absence of a specific adequacy finding for the FCRA, those U.S. organizations that would otherwise rely on such a finding, would have to promise to adhere to the safe harbor principles in all respects. This means that where FCRA requirements exceed the level of protection embodied in the principles, the U.S. organizations need only to obey the FCRA. Conversely, where the FCRA might fall short, then those organizations would need to bring their information practices into conformity with the principles. The exception would not alter this basic assessment. By its terms, the exception applies only where the relevant law explicitly authorizes conduct that would be inconsistent with the safe harbor principles. The exception would not extend to where FCRA requirements merely do not meet the safe harbor principles.(16)
 

In other words, we do not intend the exception to mean that whatever is not required is therefore "explicitly authorized." Furthermore, the exception applies only when what is explicitly authorized by U.S. law conflicts with the requirements of the safe harbor principles. The relevant law must meet both of these elements before non-adherence with the principles would be permitted.
 

Section 604 of the FCRA, for example, explicitly authorizes consumer reporting agencies to issue consumer reports in various enumerated situations. See FCRA, § 604. If in so doing, section 604 authorizes credit reporting agencies to act in conflict with the safe harbor principles, then the credit reporting agencies would need to rely on the exception (unless, of course, some other exception applied). Credit reporting agencies must obey court orders and grand jury subpoenas, and use of credit reports by government licensing, social and child support enforcement agencies serves a public purpose. Id., § 604(a)(1), (3)(D), and (4). Consequently, the credit reporting agency would not need to rely on the "explicit authorization" exception for these purposes. Where it acts in accordance with written instructions by the consumer, the consumer reporting agency would be fully in compliance with the safe harbor principles. Id., § 604(a)(2). Likewise, consumer reports can be procured for employment purposes only with the consumer's written authorization (id., §§ 604(a)(3)(B) and (b)(2)(A)(ii)) and for credit or insurance transactions that are not initiated by the consumer only if the consumer had not opted out from such solicitations (id., § 604(c)(1)(B)). Also, FCRA prohibits credit reporting agencies from providing medical information for employment purposes without the consent of the consumer. Id., § 604(g). Such uses comport with the notice and choice principles. Other purposes authorized by section 604 entail transactions involving the consumer and would be permitted by the principles for that reason. See id., § 604(a)(3)(A) and (F).
 

The remaining use "authorized" by section 604 relates to secondary credit markets. Id., § 604(a)(3)(E). There is no conflict between use of consumer reports for this purpose and the safe harbor principles per se. It is true that the FCRA does not require credit reporting agencies, for example, to give notice and consent to consumers when they issue reports for this purpose. However, we reiterate the point that the absence of a requirement does not connote an "explicit authorization" to act in a manner other than as required. Similarly, section 608 allows credit reporting agencies to provide some personal information to government agencies. This "authorization" would not justify a credit reporting agency ignoring its commitments to adhere to the safe harbor principles. This contrasts with our other examples where exceptions from affirmative notice and choice requirements operate to explicitly authorize uses of personal information without notice and choice.
 

Conclusion
 

A distinct pattern emerges even from our limited review of these statutes:
 

The "explicit authorization" in the law generally permits the use or disclosure of personal information without the individual's prior consent; thus, the exception would be limited to the notice and choice principles.
 

In most cases, the exceptions authorized by the law are narrowly drawn to apply in specific situations for specific purposes. In all cases, the law otherwise prohibits the unauthorized use or disclosure of personal information that does not fall within these limits.
 

In most cases, reflecting their legislative character, the authorized use or disclosure serves a public interest.
 

In almost all cases, the authorized uses are either fully consistent with the safe harbor principles or fall into one of the other allowed exceptions.
 

In conclusion, the exception for "explicit authorizations" in the law will, by its nature, likely be rather limited in scope.
 

C. Mergers and Takeovers
 

The Article 29 Working Party expressed concern over situations where an organization within the safe harbor is taken over by, or merged with, a firm which has not made a commitment to follow the safe harbor principles. The Working Party, however, appears to have assumed that the surviving firm would not be bound to apply the safe harbor principles to personal information held by the firm that is taken over, but that is not necessarily the case under U.S. law. The general rule in the United States as to mergers and takeovers is that a company which acquires the outstanding stock of another corporation generally assumes the obligations and liabilities of the acquired firm. See 15 Fletcher Cyclopedia of the Law of Private Corporations § 7117 (1990); see also Model Bus. Corp. Act § 11.06(3) (1979) ("the surviving corporation has all liabilities of each corporation party to the merger"). In other words, the surviving firm in a merger or takeover of a safe harbor organization by this method would be bound by the latter's safe harbor commitments.
 

Moreover, even if the merger or takeover were effectuated through the acquisition of assets, the liabilities of the acquired enterprise could nevertheless bind the acquiring firm in certain circumstances. 15 Fletcher, § 7122. Even where liabilities did not survive the merger, however, it is worth noting that they also would not survive a merger where the data were transferred from Europe pursuant to a contract -- the only viable alternative to the safe harbor for data transfers to the United States. In addition, the safe harbor documents as revised now require any safe harbor organization to notify the Department of Commerce of any takeover and permit data to continue to be transferred to the successor organization only if the successor organization joins the safe harbor. See FAQ Self-Certification. Indeed, the United States has now revised the safe harbor framework to require U.S. organizations in this situation to delete information they have received under the safe harbor framework if their safe harbor commitments will not continue or other suitable safeguards are not put in place.

1. Second Restatement of the Law - Torts; American Law Institute (1997).

2. This might be the case, for example, where the individuals relied on the U.S. organization's safe harbor commitments in giving their consent to the data controller to transfer their personal information to the United States.

3. Pavesich v. New England Life Ins. Co., 50 S.E. 68 (Ga. 1905).

4. Id., at 69.

5. An electronic search of the Westlaw database found 2703 reported cases of civil actions in state courts that pertained to "privacy" since 1995. We have previously provided the results of this search to the Commission.

6. See, e.g., Alaska Constitution, Art. 1, Sec. 22; Arizona, Art. 2, Sec. 8; California, Art. 1, Sec. 1; Florida, Art. 1, Sec. 23; Hawaii, Art. 1, Sec. 5; Illinois, Art. 1, Sec. 6; Louisiana, Art. 1, Sec. 5; Montana, Art. 2, Sec. 10; New York, Art. 1, Sec. 12; Pennsylvania, Art. 1, Sec. 1; South Carolina, Art. 1, Sec. 10; and Washington, Art. 1, Sec. 7.

7. Id., at Chapter 28, Section 652B.

8. Id., at Chapter 28, Section 652C.

9. Id., at Chapter 28, Section 652D.

10. Id., at Chapter 28, Section 652E.

11. We had previously provided the Commission with information on small-claims actions.

12. A recent electronic search of the Westlaw database yielded 994 reported state cases that related to damages and invasion of privacy.

13. As a point of clarification, the relevant legal authority will not have to specifically reference the safe harbor principles.

14. Similarly, the doctor in this example could not rely on the statutory authority to override the individual's exercise of the opt-out from direct marketing provided by FAQ Choice – Timing of Opt-Out. The scope of any exception for "explicit authorizations" is necessarily limited to the scope of the authorization under relevant law.

15. The scope of this exception is very limited. By its terms, the telecommunications carrier can use CPNI only during a call initiated by the customer. Furthermore, we have been advised by the FCC that the telecommunications carrier may not use CPNI to market services beyond the scope of the customer's inquiry. Finally, since the customer must approve the use of CPNI for this purpose, this provision is not really an "exception" at all.

16. Our discussion here should not be taken as an admission that the FCRA does not provide "adequate" protection. Any assessment of the FCRA must consider the protection provided by the statute in its entirety and not focus only on the exceptions as we do here.