In the U.S., the law on privacy derives from three sources: common law, the Constitution, and federal and state legislation.
The Constitution does not explicitly mention a right to privacy. Nevertheless, the Fourth Amendment provides an important zone of privacy in "the right of the people to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures." This prohibits the police (without a warrant or probable cause) from searching computer files in our homes. Other privacy protections have been found in the Fifth Amendment (self-incrimination), the Ninth Amendment (rights reserved to the people), and the Fourteenth Amendment (due process of law). However, it's not this kind of privacy invasion that raises most concern in connection with computers.
Common law, in most states, has recognized four kinds of torts (grounds for civil lawsuits) involving privacy:
Beginning in 1970, Congress has passed specific laws relating to privacy.
The Fair Credit Reporting Act (1970) aims to avoid reporting obsolete or incorrect credit information. The law provides that people must be informed why they have been denied credit. They have the right to challenge information kept by a credit rating company and to add information to the file. The credit company does not have to change data in its file just because it is challenged, but it must at least put in a statement of the person's point of view about it.
The Freedom of Information Act (1970) gives people the right to see any information about them collected by any federal agency.
The Federal Privacy Act (1974) says that the government must have a reason for collecting or disclosing personal information. The information cannot be used for another purpose without the consent of the individual whom it concerns. The agency which collects the information is responsible for its accuracy; individuals have the right to inspect their records, and may ask a judge to order an error to be corrected, if the agency does not do so. The act also prohibits any secret personal information systems run by the government.
The Privacy Protection Act (1980) protects materials (such as computer files) from search and seizure by the government if there is reason to believe the owner of the materials intends to publish them. (There are exceptions if a criminal offense is involved and for emergency situations.)
The Electronic Communications Privacy Act (1986) prohibits the "unauthorized interception and disclosure of electronic communications, while in transit or in storage" (Rosenoer 1997). The prohibition applies both to the government and to non-government organizations and persons. In effect, the law makes it illegal to "listen in" on someone else's email or other electronic communications. People whose messages are intercepted may sue for damages. There are certain exceptions for system operators. Also, note that internal email networks maintained by corporations may be exempt, i.e., employers may be allowed to monitor employee email, unless the company gave its employees a reasonable expectation that their email messages were private. Many government email messages are also excepted, as they are considered public records.
While not directly aimed to protect privacy, the Computer Fraud and Abuse Act makes it a crime to obtain unauthorized access to a computer system. This, of course, legally protects personal data (among other things) from "hackers" who break into a computer system.
Other federal laws include the Right to Financial Privacy Act (1988), the Family Educational Right to Privacy Act (1988), the Video Privacy Protection Act (1988), and the Cable Communications Policy Act (1984).
American federal legislation on privacy has been piecemeal. Only the federal government and a few specific industries (education, videotape rental, and cable TV) are affected. Medical, insurance, and employment records are completely unregulated. States have often taken a more aggressive legislative approach to privacy than the federal government, but all a privacy invader need do to circumvent state laws is move to another state.
Legal protection for privacy as affected by computer databases appears to be stronger in Europe than in the U.S. In the United Kingdom, for example, the Data Protection Act of 1984 requires individuals or organizations which routinely process personal data to register with the government, describing the kinds of data they collect and the uses they make of it. In most cases, individuals may obtain copies of personal information about them in computerized databases and can insist on corrections for incorrect or obsolete data. Victims of data misuse or error may complain to the Data Protection Registrar, as well as go to court (important, because lawsuits are an expensive way to obtain privacy). To resolve the problem, the Registrar may require the database owner to take corrective action or face criminal penalties (Forester and Morrison 1994). However, some observers question whether the stricter privacy laws in European countries have actually resulted in any greater privacy for their citizens, and propose, instead, a market-based approach to personal information (Laudon 1996).