A huge chunk of the free Internet is free because the data collected during its use is of monetary value, and enables more targeted (and effective) advertising. This is a highly dynamic field of law - it’s important that people who understand data be involved in the conversation.
The following is an extremely (irresponsibly?) short summary of information privacy law in the US. You can find a much more comprehensive version here.
There is no explicit right to privacy as we think of it in the US Constitution. Without the technological ability to surveil, the framers were primarily worried about keeping the government physically out of their homes (in contrast to the British authorities, who were able to use general warrants and writs of assistance to conduct sweeping searches and seizures without evidence). So, most Constitutional privacy law lies in three amendments in the Bill of Rights:
Note these do not protect privacy from other citizens or from companies.
The next most influential document as it relates to US privacy was a law review article, Warren and Brandeis’ “Right to Privacy.” Motivated by sensationalist journalism and the increasing ease of photography, Warren and Brandeis suggested that privacy be protected via “tort” - i.e., lawsuits, rather than arrests. Most of their suggestions have been adopted at the state level in most states, protecting against private eavesdropping or surveillance, offensive disclosure of private facts that are not of legitimate concern to the public, and appropriation of private images or documents (like using an unauthorized picture of a person in an advertisement).
From there, most privacy law has developed through “common law,” or lawsuits in which judges interpret older laws through a newer lens. This makes privacy law very complex, with oft-unclear boundaries. An important artifact of this comes from Katz v US (1967), where 4th Amendment protections were expanded to include any area where a person has a “reasonable expectation of privacy.” Generally, this legal test falls short of what most people expect. It would likely not cover, for instance, the use of facial recognition and widespread cameras to track a citizen’s movements, because the citizen is in public and therefore has no expectation of privacy. Nor does it cover the fact that someone called someone else, as the caller willingly gave that information to a third party (the phone company), who might do with it as they wish.
Beyond this, the US’s strongest privacy law is in California. This law gives California residents the right to:
Because it can be difficult to figure out who is a California resident, companies sometimes extend these rights to other US citizens for their own convenience. You can try exercising your rights yourself.
By and large, however, US companies remain free to collect data, store data indefinitely, use data in money-making products, and sell data. This allows companies to make money and provide free services (that collect data). However, it makes it difficult for consumers to protect their own privacy.
We can compare this to the General Data Protection Regulation (GDPR), which is in place in the EU. The GDPR is big, but we can list some of the most significant protections. First, organizations may only collect the data they need for their purpose; no collecting for future products, or collecting just to sell. Appropriate information security protections must be in place. Data collection must be disclosed (all the popups saying which cookies are in use, for instance).
Generally, we remain in the wild west of data privacy. It is easy for anybody to purchase a comprehensive online portfolio of almost anybody. In return, we get free online tools. Is it worth it to you?