Resources: Official Guidance and Legal References
Curated reference library of federal and state guidance on privacy law, tracking technologies, wiretap statutes, and compliance frameworks. Full set of links and details for compliance work.
A working collection of government guidance, statutory text, and industry resources for companies building privacy compliance programs.
Federal Wiretap Act
18 U.S.C. § 2511 et seq. – Full Text: The federal baseline. Criminal and civil liability for intercepting wire, oral, or electronic communications without consent.
DOJ Wiretap Enforcement Statistics: Annual reports on authorized wiretap interceptions. Useful for understanding federal enforcement volume and patterns.
FTC Guidance on Tracking Technologies
FTC Guidance: Endorsements and Testimonials (Updated 2023): Covers disclosure requirements for tracking cookies and pixels deployed across third-party websites. This guidance is worth reviewing to understand what the FTC views as necessary disclosure.
FTC Staff Report: A Look Behind the Screens – Social Media and Video Streaming (2024): This report examined how major tech companies use tracking pixels, harvest cookies, and share data without proper disclosure. The most detailed public accounting of these practices. Cite it when talking to your board about what regulators see as problematic.
FTC Health Breach Notification Rule: Rules for tracking health data and notifying users when it's breached. Matters if you're in healthcare, connected to healthcare, or processing sensitive health information.
HHS / HIPAA Guidance
HHS Office for Civil Rights – HIPAA and Tracking Technologies: How HIPAA-covered entities and their vendors handle tracking pixels, analytics tools, and third-party monitoring. Worth reading carefully if you deal with healthcare.
HHS Breach Notification Rule (45 CFR §§ 164.400–414): When PHI is exposed through unauthorized surveillance or data access, here's what you legally owe patients.
State Wiretap Statutes
California
Cal. Penal Code § 632 (Invasion of Privacy Act) – All-party consent. Private right of action. Damages up to $5,000 per violation. Most aggressive enforcement in the country.
California CCPA (Cal. Civ. Code §§ 1798.100–1798.199) – Broad privacy law covering tracking pixels, cookies, and data brokers. Gives consumers opt-out rights.
Illinois
740 ILCS 14 (Biometric Information Privacy Act) – Statutory damages of $1,000–$5,000 per violation for unauthorized biometric collection. No proof of harm required. Illinois courts have been consistent on this interpretation, making the state a strong model for plaintiff-friendly privacy litigation.
740 ILCS 25 (Wiretap Statute) – All-party consent. Applies the same per-violation damages approach to non-biometric surveillance.
Florida, Massachusetts, New York, and the Rest
Fla. Stat. § 934.03 (All-Party Consent Wiretap Law) – All-party consent to recording; statutory damages available. Courts there treat these claims sympathetically.
Mass. Gen. Laws c. 272, § 99 (Wiretap and Eavesdropping Statute) – Most restrictive state statute in the U.S. Criminalizes surveillance device use to record anyone, anywhere, without consent. Up to 5 years in prison. The AG enforces it aggressively.
N.Y. General Business Law § 349 (Consumer Protection Act) – Prohibits deceptive business practices. New York's AG has reinterpreted this to cover privacy violations--tracking pixels, location harvesting, cookie collection. Opens a different enforcement path.
N.Y. Penal Law § 250.00 et seq. (Wiretapping and Eavesdropping) – One-party consent but with real criminal teeth. The AG has filed cases against tech companies for unauthorized tracking.
Tex. Penal Code § 16.02 (Unlawful Interception) – All-party consent. Texas AG enforcement is increasing, especially around location tracking.
MCL 750.539 (Michigan – Telecommunications Service) – All-party consent. Michigan courts are receptive to statutory damages arguments.
Conn. Gen. Stat. § 53a-187 (Illegal Wiretapping and Surveillance) – All-party consent with civil liability. Connecticut AG has filed recent cases.
Ohio Rev. Code § 2933.52 (Eavesdropping) – All-party consent, recently tightened.
18 Pa. Cons. Stat. § 5702 (Eavesdropping on Conversations) – All-party consent to recording. Both criminal and civil penalties.
Data Broker Registration and Privacy Notice Laws
Vermont Data Broker Registration Law (6 V.S.A. § 4726): Vermont enforces this more seriously than any other state. Defines who's a data broker and mandates registration and opt-out mechanisms.
California CCPA – Data Broker Provisions (Cal. Civ. Code § 1798.140(w)): Registration and consumer opt-out rights under California's regime. Enforced by the AG.
New York Privacy Notice Law (N.Y. Gen. Bus. Law § 599-i): Requires "reasonable security" for personal data. The AG has used this statute to bring cases against companies with weak security practices or deceptive data practices.
Web Accessibility (Unexpected Privacy Connection)
W3C Web Content Accessibility Guidelines (WCAG) 2.1: State AGs cite accessibility standards in privacy enforcement actions. A site with poor accessibility that also has hidden tracking pixels looks worse to regulators.
FTC Enforcement Cases
FTC v. Amazon (2023) – Location Data Tracking: Amazon collected location and device data without meaningful disclosure. The FTC treated unauthorized collection as a central violation.
FTC v. Meta Platforms (2023) – Tracking Pixels and Deceptive Practices: Meta deployed tracking pixels across third-party websites and misrepresented privacy controls to users. The case demonstrates how the FTC now treats tracking technology deployment as a core violation.
FTC Enforcement Actions – Directory: Searchable database of FTC privacy cases going back decades. Useful for finding settlements, consent orders, and amounts.
Department of Justice Enforcement
DOJ Criminal Division – Computer Fraud and Abuse Act Prosecutions: Federal prosecutions for unauthorized computer access and data theft. These overlap with privacy surveillance cases.
DOJ Press Releases – Cybercrime and Privacy: Real-time updates on federal prosecutions involving unauthorized surveillance or wiretapping.
State Attorneys General
NAAG Consumer Protection Resource Center: Clearinghouse of state AG enforcement initiatives. Track what the AGs are coordinating on nationally.
California Attorney General – Privacy Enforcement: California leads on privacy enforcement. Check this office's activity to see where enforcement trends are heading.
New York Attorney General – Internet Bureau: New York's Internet Bureau is unusually active in tracking technology cases. Follow their announcements.
Industry Resources
IAPP State Privacy Law Tracker: Real-time map of state privacy laws, updated continuously. The best single resource for figuring out which laws apply to your operations.
IAPP Privacy by Design Framework: Regulatory authorities reference privacy-by-design principles as best practice. Worth understanding for your program architecture.
IAPP Certification Programs: CIPM, CIPP, and other credentials. Having certified professionals on staff signals competence to regulators.
Full Statutory Text
18 U.S.C. §§ 2511–2522 (Federal Wiretap Act): House.gov maintains the authoritative version with all amendments.
DOJ Manual on Electronic Surveillance Law: Internal DOJ guide on federal wiretap law requirements. Gives you a sense of how prosecutors think about these statutes.
How to Use These Resources
For statutory language: The links point to accurate, current versions. State laws vary--don't assume one applies everywhere.
For enforcement trends: Check FTC and DOJ press releases and state AG announcements every quarter. Enforcement priorities shift.
For compliance design: Official guidance (FTC, DOJ, HHS) carries weight with regulators. IAPP and industry frameworks are helpful but secondary.
For multi-state operations: The IAPP tracker helps you identify which statutes apply to each data practice in each state.