Federal Privacy Laws


The two main federal privacy laws are the Privacy Act of 1974 and the Freedom of Information Act. They apply only to federal government agencies. At first glance, the two laws seem diametrically opposed. The Privacy Act deals with keeping government records about individuals confidential, and the Freedom of Information Act is commonly used to pry open government files. However, these laws are attempts to balance the public's right to know about the actions of government with the rights of an individual to retain his or her privacy. (Legal cites are located at the end of this guide.)



The Privacy Act gives an individual the right to:

  • See and copy files that the federal government maintains on him or her
  • Find out who else has had access to the information
  • Request a change in any information that is not accurate or relevant

A government agency is required to:

  • Respond to a request for information within 10 days
  • Notify the public about the types of files they maintain via the Federal Register
  • Inform the public how they use the information
  • Make sure the information in files is relevant
  • Not use the information for any purpose other than the one for which it was initially collected

Government files on an individual may be opened to others in a few cases including:

  • A purpose similar to the original reason for collecting the information
  • For statistical research
  • For law enforcement purposes
  • When ordered by a court
  • If it is medically necessary for the requester to have access to the information

There is no central index of federal government records about individuals. If you want to look at your records, you must first identify which agency has them. Then use the Privacy Act to ask to see your files. The agency must respond to your request within 10 days. You may be charged a "reasonable" fee for copying the file.

You may be denied access to government records about you if they involve:

  • Law enforcement activities
  • The Central Intelligence Agency (CIA)
  • Litigation
  • Civil service exams (to the extent access would affect the fairness of the tests)
  • Confidential government sources

If you are denied access to your records, you can appeal in court. You may also take a government agency to court if you believe it has improperly disclosed information about you or if you want to block impending disclosures.

The Freedom of Information Act was designed to help individuals obtain information about the actions of government. It requires that citizens be given access to government records unless disclosure involves:

  • Litigation
  • The Central Intelligence Agency (CIA)
  • Internal agency memos
  • Personnel matters
  • Trade secrets
  • Classified documents
  • Law enforcement activities
  • Confidential government sources
  • Violating an individual's privacy interests
  • Civil service exams (to the extent it would affect the fairness of the tests)

The agency has 20 days to make a determination on a request for access. If you are denied, you may appeal the denial either within the agency itself or in court.

Financial Privacy

The Gramm-Leach-Bliley Act

The Financial Modernization Act of 1999, also known as the "Gramm-Leach-Bliley Act" or GLB Act, includes provisions to protect consumers’ personal financial information held by financial institutions. There are three principal parts to the privacy requirements: the Financial Privacy Rule, Safeguards Rule and pretexting provisions.

The GLB Act gives authority to eight federal agencies and the states to administer and enforce the Financial Privacy Rule and the Safeguards Rule. These two regulations apply to "financial institutions," which include not only banks, securities firms, and insurance companies, but also companies providing many other types of financial products and services to consumers. Among these services are lending, brokering or servicing any type of consumer loan, transferring or safeguarding money, preparing individual tax returns, providing financial advice or credit counseling, providing residential real estate settlement services, collecting consumer debts and an array of other activities. Such non-traditional "financial institutions" are regulated by the FTC.

The Financial Privacy Rule governs the collection and disclosure of customers' personal financial information by financial institutions. It also applies to companies, whether or not they are financial institutions, who receive such information. For a summary overview of the Financial Privacy Rule, see In Brief: The Financial Privacy Requirements of the Gramm-Leach-Bliley Act.

The Safeguards Rule requires all financial institutions to design, implement and maintain safeguards to protect customer information. The Safeguards Rule applies not only to financial institutions that collect information from their own customers, but also to financial institutions, such as credit reporting agencies, that receive customer information from other financial institutions.

The Pretexting provisions of the GLB Act protect consumers from individuals and companies that obtain their personal financial information under false pretenses, a practice known as "pretexting."