identity theft. Section 151 directed these agencies to jointly develop a summary of the rights of identity theft victims that would be made available to all such victims. Regulations issued under Section 211 established a single source through which a consumer could obtain a free credit report. Section 216 directed these agencies and the Securities and Exchange Commission to promulgate regulations for the disposal of consumer report information and records, whether they are stored in electronic or paper form. Examples of consumer reports include credit reports, credit scores, reports businesses or individuals receive with information relating to employment background, check writing history, insurance claims, residential or tenant history, and medical history.
Under the Children’s Online Privacy Protection Act (15 U.S.C. 6501-6506), the FTC is responsible for promulgating regulations (16 C.F.R. Part 312) implementing the protections of the act. These protections require that operators of commercial Web sites and online services directed to collect or knowingly collecting personal information from children under 13 must (1) notify parents of their information practices; (2) obtain verifiable parental consent before collecting a child’s personal information; (3) give parents a choice as to whether their child’s information will be disclosed to third parties; (4) provide parents access to their child’s information; (5) let parents prevent further use of collected information; (6) not require a child to provide more information than is reasonably necessary to participate in an activity; and (7) maintain the confidentiality, security, and integrity of the information.
The rule-making authority of the FTC described above illustrates a common relationship between statutory authority and regulation. The U.S. Congress passes legislation that lays out the general issues and principles in question, but leaves it to a regulating agency to work out the details of how that legislation should be implemented. But this relationship is not the only possible one, and in some instances, Congress has delegated extremely broad regulatory authority to an agency, thus making it the primary source of guidance on a major privacy-related topic.
A good example of this phenomenon is apparent in the privacy-protecting regulations of the Health Insurance Portability and Accountability Act of 1996. Legislators understood very well that the privacy of personal health information was a central issue for health insurance portability, but they were unable to reach agreement on the nature and scope of the appropriate privacy protections. Thus, Section 264 of HIPAA directed the secretary of the Department of Health and Human Services (DHHS) to promulgate regulations on appropriate privacy standards (covering at least the rights that an individual who is a subject of individually identifiable health information should have, the procedures that should be