Third Party Privacy Rights Under Federal Law

Federal law creates a complex and often counterintuitive framework for privacy protections that depend significantly on whether the person asserting a right is a direct party to a transaction or relationship — or stands outside it as a third party. This page examines how statutes, constitutional doctrine, and agency rules define, limit, and occasionally extend privacy protections to third parties, with particular attention to the mechanisms through which those rights arise, fail, or are contested.


Definition and scope

Third party privacy rights under federal law refer to the legal protections — or the absence thereof — that apply to individuals whose personal information is held, shared, or accessed by an entity with whom they have no direct relationship. The scope of these rights is shaped by a patchwork of statutes rather than a single omnibus privacy law. The United States has no general federal data protection statute equivalent to the European Union's General Data Protection Regulation; instead, sectoral laws govern specific categories of information and specific types of actors.

The principal federal statutes governing third-party privacy are the ones catalogued in the reference table at the end of this page: the Privacy Act of 1974 (5 U.S.C. § 552a), the Health Insurance Portability and Accountability Act (HIPAA) and its Privacy Rule (45 C.F.R. Part 164), the Gramm-Leach-Bliley Act (GLBA) privacy provisions (15 U.S.C. §§ 6801–6809), the Family Educational Rights and Privacy Act (FERPA) (20 U.S.C. § 1232g), and the Electronic Communications Privacy Act (ECPA), which comprises the Wiretap Act (18 U.S.C. §§ 2510–2523), the Stored Communications Act (18 U.S.C. §§ 2701–2713), and the pen register and trap-and-trace provisions (18 U.S.C. §§ 3121–3127).

The third-party doctrine under the Fourth Amendment further shapes the constitutional floor of these protections, establishing that individuals who voluntarily convey information to third parties generally retain no reasonable expectation of privacy in that information — a rule with sweeping implications for digital-era data.


Core mechanics or structure

The mechanics of third-party privacy rights under federal law operate through three distinct channels: statutory data subject rights, agency access restrictions, and constitutional standing.

Statutory data subject rights vest in the individual whose information is at issue. Under the Privacy Act, federal agencies must maintain only records that are "relevant and necessary" to accomplish a lawful agency purpose (5 U.S.C. § 552a(e)(1)). Individuals may request access to their records, request corrections, and bring civil suits for violations. However, the statute applies only to agencies operating "systems of records" — not to private-sector entities, contractors operating outside a federal system of records, or foreign governments.

Agency access restrictions function by limiting when agencies may disclose records to other parties, including other federal agencies. The Privacy Act's "routine use" exception permits disclosure for purposes compatible with the original collection purpose, but this compatibility standard has been interpreted broadly by agencies and narrowly by courts in different contexts.

Constitutional standing for third parties asserting privacy rights in federal court is constrained by the requirement that the plaintiff demonstrate a cognizable injury traceable to the defendant's conduct. As examined in detail at Third Party Legal Standing in U.S. Law, a third party cannot typically assert the privacy rights of another person — with narrow exceptions recognized by the Supreme Court in cases involving associational rights or where the rights holder faces obstacles to self-assertion.


Causal relationships or drivers

The fragmented nature of third-party privacy rights under federal law stems from four identifiable drivers.

Sectoral legislative history. Congress addressed privacy concerns reactively, statute by statute, in response to specific harms: financial data exposure drove GLBA; medical record misuse drove HIPAA; government dossier abuse drove the Privacy Act. Each statute created a silo of protection with different definitions of covered entities, data types, and enforcement mechanisms.

The third-party doctrine's constitutional origin. The doctrine traces to United States v. Miller, 425 U.S. 435 (1976), in which the Supreme Court held that bank customers had no Fourth Amendment privacy interest in records held by their banks, because those records were the bank's business records, not the customer's private papers. Smith v. Maryland, 442 U.S. 735 (1979), extended this principle to the telephone numbers a subscriber dials, which the phone company records through a pen register. These decisions removed constitutional pressure to create statutory protections, leaving Congress to act, or not act, voluntarily.

Technology outpacing legal categories. The ECPA was enacted in 1986, when cloud computing, smartphones, and persistent location data did not exist. Courts have applied ECPA to fact patterns the drafters did not anticipate, producing inconsistent results across circuits. The Supreme Court's decision in Carpenter v. United States, 585 U.S. 296 (2018), declined to extend Miller and Smith to historical cell-site location information (CSLI): it held that the government's acquisition of seven or more days of such records is a Fourth Amendment search, expressly left open whether a shorter period would be, and explicitly declined to overrule Miller or Smith more broadly.

Agency rulemaking capacity. Agencies like the Department of Health and Human Services (HHS) and the Federal Trade Commission (FTC) hold rulemaking authority that shapes how statutes translate into operational obligations. The HHS Office for Civil Rights (OCR) issues guidance on HIPAA's applicability to new technology categories, creating de facto privacy rules for third-party service providers even absent new legislation.


Classification boundaries

Not all third parties occupy the same legal position relative to federal privacy statutes. The boundaries of protection depend on the classification of both the information holder and the person asserting rights.

Covered entities vs. business associates. Under HIPAA, a covered entity (a health plan, a health care clearinghouse, or a health care provider that transmits health information electronically in connection with a HIPAA standard transaction, 45 C.F.R. § 160.103) bears direct regulatory obligations. A business associate, a third-party contractor who creates, receives, maintains, or transmits protected health information on behalf of a covered entity, bears derivative obligations through contractual Business Associate Agreements (BAAs) and, since the HITECH Act of 2009, direct HIPAA liability (42 U.S.C. § 17934). A business associate's subcontractor who handles the same data is itself a business associate under the 2013 Omnibus Rule, adding a third tier of obligation.

Federal agency contractors. The Privacy Act applies to federal agencies and, under 5 U.S.C. § 552a(m), to contractors who operate a system of records on behalf of a federal agency to accomplish an agency function, but only with respect to that system. A contractor who holds employee data under a separate commercial arrangement is not necessarily bound by the Privacy Act for that data.

Nonpublic persons vs. public officials. Courts have recognized a reduced privacy expectation for public officials with respect to information related to their official duties. The Privacy Act's exceptions for law enforcement, statistical research, and congressional oversight further compress the practical scope of protections for individuals whose records intersect with government accountability interests.

More on how these distinctions map to federal program administration appears at Third Party Verification in Federal Programs and Third Party Administrators in Public Benefits.


Tradeoffs and tensions

Third-party privacy rights under federal law sit at the intersection of competing institutional interests, producing persistent tensions that no single statute has resolved.

Transparency vs. confidentiality. The Freedom of Information Act (5 U.S.C. § 552) creates a presumption of public access to federal records, while the Privacy Act creates a presumption of confidentiality for personal records. These statutes operate simultaneously, and agencies must balance them for every record request that touches personal information; the Privacy Act's own exception for disclosures "required under" FOIA (5 U.S.C. § 552a(b)(2)) is the hinge between them. Under FOIA Exemptions 6 and 7(C), courts apply a balancing test that weighs the public interest in disclosure against the individual's privacy interest, a test that produces unpredictable outcomes at the margins.

Law enforcement access vs. privacy protection. Federal statutes routinely include law enforcement exceptions that permit disclosure without consent. ECPA, for instance, permits real-time interception of electronic communications pursuant to a court order under the Wiretap Act (18 U.S.C. § 2518), and under the Stored Communications Act (18 U.S.C. § 2703) permits compelled access to stored communications under standards that vary with the age of the content, whether it is content or non-content, and whether it is held by an electronic communication service or a remote computing service. Privacy advocates and law enforcement agencies have contested the adequacy of these standards continuously since ECPA's enactment.

Data utility vs. consent requirements. Health research, actuarial analysis, and fraud detection all depend on access to individual-level data held by third parties. HIPAA's research exception (45 C.F.R. § 164.512(i)) permits use of protected health information without authorization under specified conditions, trading individual consent for population-level benefit. The adequacy of those conditions is contested by bioethicists, patient advocates, and institutional review boards.

The broader tensions in how third parties gain or lose rights across different legal contexts are mapped at Key Dimensions and Scopes of Third Party.


Common misconceptions

Misconception: All personal data held by the federal government is protected by the Privacy Act.
The Privacy Act applies only to records retrieved by an individual's name or personal identifier within a designated "system of records." Data held by federal agencies outside such systems — including analytical datasets, aggregated records, and contractor-held data not formally constituting a system of records — falls outside the statute's direct protections.

Misconception: HIPAA gives patients the right to prevent all third-party disclosure of their health information.
HIPAA permits use and disclosure without authorization in twelve categories listed under 45 C.F.R. § 164.512(a)–(l), including disclosures required by law, public health activities, health oversight, judicial and administrative proceedings, law enforcement, research, and threats to health or safety. The right to restrict disclosure is narrower than common understanding suggests.

Misconception: The Carpenter decision eliminated the third-party doctrine.
The Supreme Court in Carpenter v. United States (2018) held that the government's acquisition of 127 days of historical cell-site location information constituted a Fourth Amendment search requiring a warrant. However, the 5-4 majority opinion explicitly stated that it was not overruling Miller or Smith, and it held only that obtaining seven days of location records is a search, expressly leaving open whether a shorter period would trigger the warrant requirement.

Misconception: Private companies handling government data bear no federal privacy obligations.
Contractors operating federal systems of records bear direct Privacy Act obligations (5 U.S.C. § 552a(m)). Business associates under HIPAA bear direct HITECH Act liability. Government contractors subject to the Federal Acquisition Regulation (FAR) may also face clause-specific privacy requirements under 48 C.F.R. subpart 24.1, implemented through the Privacy Act clauses at FAR 52.224-1 and 52.224-2.


Checklist or steps (non-advisory)

The following sequence describes the analytical steps typically applied when determining whether a federal privacy protection applies to a third-party information disclosure scenario:

  1. Identify the information holder. Determine whether the entity holding the relevant data is a federal agency, a covered entity under HIPAA, a financial institution under GLBA, an educational institution receiving federal funding under FERPA, or a private actor outside any sectoral framework.

  2. Classify the data type. Establish whether the information qualifies as protected health information, nonpublic personal financial information, education records, personally identifiable information in a federal system of records, or electronic communications content.

  3. Identify the third party's legal relationship to the data. Determine whether the third party is the data subject, a business associate, a government contractor, an unauthorized recipient, or a requester under FOIA.

  4. Locate the applicable statute and exceptions. Map the disclosure to the governing statute and identify which exceptions — routine use, law enforcement, research, public health — may apply.

  5. Apply constitutional overlay. Assess whether the disclosure involves government action sufficient to trigger Fourth Amendment analysis and whether any Carpenter-type exception to the third-party doctrine applies.

  6. Evaluate enforcement mechanism. Determine whether the applicable statute provides a private right of action, administrative remedy through an agency such as HHS OCR or the FTC, or only government enforcement authority.

  7. Check for state law preemption issues. Federal sectoral statutes often set floors, not ceilings. State laws may provide additional third-party privacy protections where federal law is silent or provides only minimum standards — though federal preemption clauses vary by statute.


Reference table or matrix

| Statute | Governing body | Applies to | Third-party data subject rights | Key enforcement mechanism |
| --- | --- | --- | --- | --- |
| Privacy Act of 1974 (5 U.S.C. § 552a) | Federal agencies (no central regulator) | Federal agency systems of records, including contractor-operated systems under § 552a(m) | Access, correction, civil suit | Civil action in U.S. district court (§ 552a(g)); criminal penalties for willful unauthorized disclosure (§ 552a(i)); agency Inspector General oversight |
| HIPAA Privacy Rule (45 C.F.R. Part 164) | HHS Office for Civil Rights | Covered entities and business associates | Access, amendment, accounting of disclosures | HHS OCR complaint; civil monetary penalties, with an inflation-adjusted annual cap per identical provision of roughly $1.9 million (HHS OCR); state attorney general suits under HITECH; no private right of action |
| GLBA privacy provisions (15 U.S.C. §§ 6801–6809) | CFPB (Regulation P), FTC, and federal banking regulators | Financial institutions | Notice; opt-out of certain disclosures to nonaffiliated third parties | Federal agency enforcement; no private right of action |
| FERPA (20 U.S.C. § 1232g) | U.S. Dept. of Education | Educational agencies and institutions receiving Dept. of Education funds | Inspect and amend records; consent to disclosure | Complaint to Dept. of Education; potential loss of federal funding; no private right of action (Gonzaga Univ. v. Doe, 2002) |
| ECPA (Wiretap Act, 18 U.S.C. §§ 2510–2523; Stored Communications Act, §§ 2701–2713; pen register statute, §§ 3121–3127) | DOJ / courts | Anyone who intercepts communications; providers of electronic communication and remote computing services | Civil damages for unlawful interception (§ 2520) or unlawful access to stored communications (§ 2707) | Private right of action; criminal penalties; statutory suppression for unlawful wire and oral interceptions (§ 2515) |
| Fourth Amendment (via Carpenter) | Federal courts | Government actors | Warrant requirement for historical cell-site location data of seven days or more | Suppression of evidence; 42 U.S.C. § 1983 claims against state actors |
