Privacy Act of 1974

Updated May 12, 2026

The Privacy Act of 1974 (5 U.S.C. § 552a) is the primary federal law governing how executive branch agencies collect, store, use, and share records about individual Americans. Enacted in the wake of Watergate-era revelations about government surveillance and data abuse, the Act establishes a foundational rule: no agency may disclose a record about an individual without that person's written consent, subject to 12 specific statutory exceptions (including law enforcement requests, court orders, and agency need-to-know). The Act applies to records in a "system of records" — any group of records retrieved by name or personal identifier — and covers U.S. citizens and lawful permanent residents only. Individuals have the right to access their own records, request corrections to inaccurate data, and receive an accounting of disclosures. Agencies must publish System of Records Notices (SORNs) in the Federal Register whenever they create a new personal data system — a transparency mechanism that reveals what the government collects about you. Civil remedies include actual damages with a $1,000 minimum for intentional or willful violations; criminal penalties reach $5,000 for knowing violations by agency employees. The Privacy Act operates alongside FOIA (which governs public access to government records generally) — together they form the primary citizen access framework for federal government data.

Current Law (2026)

Parameter | Value
Core statute | Privacy Act of 1974, 5 U.S.C. § 552a
Coverage | Records maintained by federal executive branch agencies about individuals (U.S. citizens and lawful permanent residents)
Key concept | "System of records" — any group of records from which information is retrieved by name or personal identifier
Individual rights | Access, amendment, accounting of disclosures
Disclosure restrictions | No disclosure without written consent, subject to 12 enumerated exceptions
Civil remedies | Actual damages (minimum $1,000) for intentional or willful violations; attorney fees
Criminal penalties | Misdemeanor — up to $5,000 for knowing and willful violations by agency officers/employees
Relationship to FOIA | Works in tandem — FOIA governs public access; Privacy Act governs individual access to their own records
  • 5 U.S.C. § 552a(b) — Conditions of disclosure (no agency shall disclose any record contained in a system of records to any person or agency except with written consent of the individual, or under one of 12 enumerated exceptions including: agency need-to-know, routine use, Census Bureau, statistical research, law enforcement, Congressional, court order, and others)
  • 5 U.S.C. § 552a(d) — Access to records (individuals may request access to their own records; agencies must grant access or explain denial; individuals may request amendment of inaccurate records; agency must acknowledge request within 10 working days)
  • 5 U.S.C. § 552a(e) — Agency requirements (agencies must maintain only records relevant and necessary for their functions; collect information directly from the individual to the greatest extent practicable; publish System of Records Notices (SORNs) in the Federal Register; maintain records with accuracy, relevance, timeliness, and completeness)
  • 5 U.S.C. § 552a(g) — Civil remedies (individuals may bring civil actions in federal district court for agency refusal to amend records, refusal to grant access, failure to maintain accurate records resulting in an adverse determination, or other violations; courts may award actual damages of not less than $1,000 plus attorney fees)
  • 5 U.S.C. § 552a(i) — Criminal penalties (any officer or employee who knowingly and willfully discloses records in violation of the Act is guilty of a misdemeanor; any person who knowingly and willfully requests records under false pretenses is guilty of a misdemeanor)

How It Works

The Privacy Act of 1974 is the foundational federal law governing how the government handles your personal information. Enacted in the wake of Watergate — when revelations about government surveillance, secret files, and political misuse of personal data shocked the public — the Privacy Act establishes rules for how federal agencies collect, maintain, use, and disclose information about individuals.

The Act applies to "records" in a "system of records" maintained by federal executive branch agencies. A record is any item or grouping of information about an individual that includes their name or a personal identifier (Social Security number, fingerprint, photograph). A system of records is a group of records from which information is actually retrieved by name or personal identifier — a critical distinction, because if an agency has information about you but doesn't retrieve it by your identifier, the Privacy Act may not apply. The Act covers only U.S. citizens and lawful permanent residents. Individuals have three core rights: access (you can request to see any records about you in a system of records, with the agency required to respond or explain a denial); amendment (you can request correction of inaccurate, irrelevant, untimely, or incomplete records, and if the agency refuses you can file a statement of disagreement maintained with the record); and accounting of disclosures (agencies must log every disclosure of your records to third parties, and you can request that log). Before an agency can maintain a system of records, it must publish a System of Records Notice (SORN) in the Federal Register describing what records are collected, why, how they're used, who has access, and what exemptions apply. Agencies must also conduct Privacy Impact Assessments (PIAs) under the E-Government Act for new or significantly modified information systems.

The default disclosure rule is that agencies cannot disclose your records without your written consent — but 12 statutory exceptions substantially limit that protection. The most significant: the routine use exception allows disclosure for any purpose compatible with why the record was collected (agencies define "routine uses" in their SORNs, often very broadly); the law enforcement exception allows disclosure for civil or criminal enforcement; the Congressional exception allows disclosure to either house of Congress; and the court order exception allows disclosure pursuant to court order. Together these exceptions, particularly the elastic routine use provision, give agencies substantial room to share information. The Privacy Act and the Freedom of Information Act (FOIA) serve complementary purposes: FOIA governs public access to government records; the Privacy Act governs your individual access to records about yourself. When you request your own records, agencies process the request under both statutes and release the maximum information available under either.

How It Affects You

If you want to see what the government holds about you: File a Privacy Act access request directly with the agency. The process is different from a FOIA request — state specifically that you are requesting records under the Privacy Act, 5 U.S.C. § 552a, and provide enough identifying information (full name, date of birth, Social Security number) for the agency to locate your records. Key agencies and what they hold:

  • IRS: Tax records, audit history, correspondence — request through IRS.gov or Form 4506
  • SSA: Your complete earnings record, benefit payment history, medical determinations — request through ssa.gov/myaccount or mail to your local SSA office
  • VA: Service records, medical records, benefit determinations — request through va.gov or the National Personnel Records Center
  • DHS (CBP/TSA): Travel history, secondary inspection records, watchlist status — request through DHS Traveler Redress Inquiry Program (trip.dhs.gov) or cbp.gov/travel
  • OPM: Federal employment records, security clearance files — request through opm.gov or the National Personnel Records Center (NPRC)
  • FBI: Your CJIS identity file — request a personal Identity Summary through fbi.gov/services/cjis

The agency must acknowledge your request and respond within 10 business days. If they need more time to locate records, they must tell you. Many agencies now offer online portals. Denial of access triggers your right to appeal within the agency, and then to sue in federal district court.

If you believe your federal records are wrong: This matters most when inaccurate records drive real-world consequences — an SSA earnings record with missing years that undercalculates your future benefit, an incorrect flag in a government database that caused a benefits denial, an OPM personnel record with a wrongful disciplinary notation affecting security clearance review. The amendment process: write to the agency's Privacy Act Officer explaining exactly what is incorrect and why, and provide supporting documentation (pay stubs, medical records, court documents as appropriate). The agency must acknowledge within 10 business days and either amend the record or explain why it refuses. If the agency refuses, you may file a Statement of Disagreement — the agency must attach your statement to the disputed record and include it in any future disclosures. You can then pursue an administrative appeal and, if that fails, sue in federal district court. Courts have awarded damages for harm caused by inaccurate government records — denial of benefits, wrongful criminal referrals, security clearance revocations.

If a government decision seems wrong and you think it's based on a flawed record: Request an accounting of disclosures — the log of every third party that received information from your file. This reveals whether your data was shared with law enforcement agencies, benefits programs, or other parties in ways you weren't aware of. The accounting can expose data flows that contributed to an adverse decision. Agencies don't have to keep an accounting of disclosures made to agency employees doing their own jobs (intra-agency), but they do for most third-party disclosures. Compare what you find against the "routine uses" in that agency's SORN — if data was disclosed outside those stated purposes, that may be a Privacy Act violation.

If you've been materially harmed by a Privacy Act violation: The civil remedy is real but has limitations. To sue for damages under 5 U.S.C. § 552a(g), you must show: (1) the agency acted intentionally or willfully in violating the Act, and (2) that violation caused an adverse effect. Courts have allowed recovery where agencies disclosed records to unauthorized parties that led to job loss, wrongful prosecution, or benefit termination. The minimum statutory damages are $1,000 even if your actual harm was less — and if you prevail, the agency must pay your attorney fees. The most common litigation involves agencies that wrongly shared records with employers or law enforcement, and agencies whose failure to maintain accurate records led to erroneous adverse determinations. One significant limitation: federal agencies are generally immune from punitive damages under the Privacy Act, and the statute of limitations is 2 years from the date you discovered the violation. If you believe you have a Privacy Act claim, consult a privacy or civil rights attorney promptly.

If you work for a federal agency or have access to government records systems: Agency employees who knowingly and willfully disclose records in violation of the Privacy Act face a misdemeanor punishable by a $5,000 fine. The same penalty applies to anyone who requests records under false pretenses. These are personal criminal penalties — not just the agency's problem. The requirement to access only records you need for your official duties is a legal obligation, not just a policy preference. Unauthorized access to colleague personnel files, constituent benefit records, or investigative databases violates both the Privacy Act and agency IT security policy — both of which can end a federal career and trigger prosecution.

State Variations

  • The Privacy Act applies only to federal agencies — state and local governments are not covered
  • Many states have their own government records privacy laws, varying widely in scope and strength
  • State open records laws (state equivalents of FOIA) typically include personal privacy exemptions
  • California, New York, and other states have enacted comprehensive data privacy laws that apply to both government and private sector
  • State employee records, health records, and education records are governed by state law plus federal sector-specific statutes (HIPAA, FERPA)

Implementing Regulations

  • 5 CFR Part 10001 — Privacy Act implementation (requests for records, definitions, responses, administrative appeals)

  • 5 CFR Part 1001 — OPM rules of conduct (Privacy Act rules for OPM employees)

  • 5 CFR Part 1830 — OSC Privacy Act procedures (processing requests for records)

  • 36 CFR Part 1202 — NARA Privacy Act Regulations (38 sections — the National Archives and Records Administration's implementation of the Privacy Act for its own operational records and for records of defunct agencies stored in NARA record centers; covers two distinct categories: NARA's own employment, administrative, and mission records, and the pre-transfer holdings of agencies that no longer exist):

    • § 1202.1 — Scope: Part 1202 covers Privacy Act requests for NARA operational records (staff personnel files, NARA administrative records) and records of defunct agencies stored in NARA record centers before formal transfer to the National Archives; it does not cover records already transferred into the National Archives of the United States for permanent preservation — those are governed by 36 CFR Part 1256 (archival access rules), not the Privacy Act
    • § 1202.10 — Defunct agency records: NARA handles Privacy Act requests for records of agencies that have been abolished, merged, or reorganized out of existence if those records are in a NARA record center; NARA acts in the capacity of the defunct agency — it applies the Privacy Act as that agency would have, using the agency's published system of records notices and exemptions
    • § 1202.18 — Collection practices: NARA collects information about individuals only when relevant and necessary for its programs; it collects directly from the individual to the greatest extent practicable; before collecting SSNs, NARA must disclose the legal authority, whether disclosure is mandatory or voluntary, and the consequences of not providing the number (§ 1202.22)
    • § 1202.30 — Safeguards: NARA's system managers must establish administrative, technical, and physical safeguards against unauthorized access; safeguards include access controls, security clearances, encryption, and employee training on Privacy Act requirements
    • § 1202.40 — How to request access: Written request to the NARA Privacy Act Officer, Room 3110, 700 Pennsylvania Avenue NW, Washington DC 20408; must identify yourself with full name, date of birth, and any other identifier needed to locate the record; NARA acknowledges within 10 workdays and provides access as promptly as possible (§ 1202.44)
    • § 1202.46 — Access methods: NARA provides copies by mail or allows in-person inspection at NARA facilities during business hours; NARA will waive fees for the first 100 pages or when collection costs exceed the fee amount; requests exceeding an estimated $250 require prepayment (§ 1202.48–1202.50)
    • § 1202.42 — Medical records: If disclosure of medical or psychological records could be harmful, NARA may provide them only through a physician or other health professional designated by the requester — the same protective approach used by OPM (§ 297.205)
    • § 1202.54 — Grounds for denial: NARA may deny access if the system of records is exempt from access requirements (NARA has published exemptions for certain law enforcement and national security records); denial must be in writing with the reason and appeal rights explained
    • § 1202.56 — Appeals: An access denial may be appealed to NARA's Deputy Archivist; the Deputy Archivist issues a final agency decision; after exhausting administrative remedies, the requester may sue in federal district court in the district where they reside, where the records are located, or in the District of Columbia
  • 5 CFR Part 297 — Privacy Procedures for Personnel Records (28 sections — OPM's Privacy Act regulations specifically for the federal personnel records systems it manages; covers how current and former federal employees access, correct, and appeal decisions about records in OPM-managed systems, including the Official Personnel Folder and governmentwide systems like the Central Personnel Data File):

    • § 297.104 — Three types of systems: OPM manages three categories of personnel records: (1) Internal systems — records under OPM's physical control for its own operational purposes; (2) Central systems — governmentwide records physically maintained by OPM on behalf of federal agencies (including the Official Personnel Folder, which follows the employee across agencies); and (3) Governmentwide systems — records maintained by individual agencies under OPM's regulatory framework; the applicable access and amendment procedures differ by category
    • § 297.201–297.202 — Access requests: individuals submit written requests to the appropriate system manager, citing the Privacy Act as the basis; the system manager must grant access or deny it; access may be provided by inspection in person during business hours or by providing copies of the records; the individual may bring a representative; inspection sites and hours must be designated
    • § 297.205 — Medical and psychological records: when an access request involves sensitive medical or psychological records, OPM advises the requester that the records will be provided only through a healthcare provider designated by the individual — protecting the requester from receiving records that require professional context to interpret safely
    • § 297.206 — No fees for own-record access: OPM does not charge fees for searching for, reviewing, or copying records requested by the subject of those records under the Privacy Act — the zero-fee rule is an important difference from FOIA, which charges for search and duplication in many circumstances
    • § 297.207–297.208 — Denial and judicial review: if access is denied, OPM must provide written notification with the reasons and the procedure to appeal; denied access may be appealed to a designated OPM official; after administrative denial, the individual has 2 years from the date of notification to seek judicial review in U.S. district court
    • § 297.301–297.302 — Amendment requests: individuals may request in writing that OPM amend any record they believe is inaccurate, incomplete, or irrelevant; the system manager must acknowledge the request within 10 working days and issue a determination as soon as practicable; OPM verifies the requester's identity before granting amendments
    • § 297.303 — Amendment limitations: amendment procedures are not available to challenge the accuracy of an event that actually occurred — they address inaccurate recording of facts, not the facts themselves; they also cannot be used to collaterally attack decisions that were made in prior adjudications (e.g., a performance rating, a disciplinary action); the proper remedy for a disputed employment action is the applicable appeal process (MSPB, grievance arbitration), not Privacy Act amendment
    • § 297.305–297.306 — Denial of amendment and appeal: if OPM denies an amendment request, the denial must be in writing with reasons; the requester may appeal to the designated appeal official; the requester also has the right to submit a Statement of Disagreement to be included in the disputed record and provided to future recipients of the record

    The Part 297 procedures matter most to federal employees who believe their Official Personnel Folder contains errors — inaccurate performance ratings, wrong separation codes, missing service credit documentation — that could affect their pay, retirement calculation, or future employment. Because the OPF follows the employee permanently and forms the basis for federal retirement and benefit calculations, errors in the folder can have long-term financial consequences. The standard path: request access to the OPF through the agency HR office (which is the custodian), identify the specific inaccurate record, and submit an amendment request citing the correcting documentation.

  • 41 CFR Part 105-64 — GSA Privacy Act Rules (44 sections — the General Services Administration's agency-specific implementation of the Privacy Act, last updated by 88 FR 32140 (2023); establishes GSA's internal framework for managing systems of records containing information about individuals who interact with GSA in any capacity — employees, contractors, MAS schedule applicants, building tenants, and members of the public who contact GSA):

    • § 105-64.101 — Enforcement responsibility: GSA Heads of Services and Staff Offices and Regional Administrators are responsible for ensuring that all systems of records comply with these rules; the rules explicitly govern record systems maintained by GSA contractors on GSA's behalf, covering outsourced data management
    • § 105-64.102 — Disclosure policy: no information in a Privacy Act system of records may be disclosed to third parties without written consent, subject to the statutory exceptions at 5 U.S.C. § 552a(b); this no-disclosure default applies to GSA's internal HR, procurement, and property management records
    • § 105-64.103 — Collection and use: system managers must collect only information that is used to determine rights, benefits, or entitlements; they may not collect information about an individual's religious beliefs, political affiliations, or other activities unless expressly authorized; purpose limitations are binding — information collected for one purpose may not be repurposed without authority
    • § 105-64.105 — Social Security Numbers: SSNs may be collected only when statutory or regulatory authority exists; GSA must disclose to individuals whether SSN disclosure is mandatory or voluntary and the consequences of non-disclosure; legacy systems that collected SSNs without authority must be remediated
    • § 105-64.110 — Computer matching: GSA may conduct computer matching programs (comparing records across systems to identify inconsistencies or verify eligibility) only under a written matching agreement approved by GSA's Data Integrity Board; matching agreements define the matching criteria, purpose, use limitations, and retention schedules
    • § 105-64.201 — How to request your records: submit a written request to the system manager for the relevant GSA system, citing the Privacy Act; in-person requests require photographic ID; mail requests require your full name, address, and enough identifying information to locate the record; GSA must acknowledge the request within 10 workdays
    • § 105-64.401 — Amendment requests: if you believe a record GSA maintains about you is inaccurate, incomplete, or irrelevant, submit a written amendment request identifying the specific record and the correction; GSA must acknowledge within 10 workdays and provide a determination as promptly as possible; GSA must inform any prior recipient of the record of the correction
    • § 105-64.501 — Denial of access: if GSA denies access, the denial must be in writing with the reason and the right to appeal to GSA's Deputy Chief FOIA Officer; after administrative denial, the requester may sue in federal district court (district of residence, record location, or DC)
    • § 105-64.801 — Privacy complaints: individuals who believe GSA has violated the Privacy Act may file a complaint with the GSA Privacy Act Officer; GSA must investigate and respond; if the individual is not satisfied, they may escalate to the Privacy and Civil Liberties Oversight Board or bring a civil action under 5 U.S.C. § 552a(g)

    GSA operates dozens of Privacy Act systems of records — from the Federal Acquisition Service's vendor and contractor databases to the Public Buildings Service's building access and occupancy records. The GSA.gov portal provides a public index of all current GSA systems of records notices (SORNs) published in the Federal Register.

  • 44 CFR Part 6 — FEMA Implementation of the Privacy Act of 1974 (37 sections across 7 subparts — FEMA's agency-specific Privacy Act regulations governing the collection, use, and dissemination of records about individuals in FEMA's systems; authority: 5 U.S.C. § 552a; originally 44 FR 50293 (1979)):

    • Subpart A — General (§§ 6.1–6.19): establishes FEMA's framework for Privacy Act compliance; policies cover records in FEMA systems maintained about its employees, disaster assistance applicants, flood insurance policyholders, and others who interact with FEMA programs; FEMA must publish a system of records notice (SORN) in the Federal Register before establishing any new system of records; the Privacy Act Officer coordinates FEMA-wide compliance
    • Subpart B — Disclosure of Records (§§ 6.21–6.23): no information in a FEMA Privacy Act system may be disclosed to third parties without the individual's written consent except under the 12 statutory exceptions (law enforcement, routine use, Congress, court orders, etc.); FEMA must account for all disclosures made under exceptions and make those accounting records available to the subject individual; the routine use exception requires that each SORN specify what disclosures are "routine" for the purpose of the program
    • Subpart C — Individual Access to Records (§§ 6.31–6.40): individuals may submit written requests to the system manager of a specific FEMA system to determine whether it contains records about them and to obtain copies; FEMA must acknowledge within 10 workdays; medical records require special handling — FEMA may route them through a physician if direct disclosure could be harmful; in-person review requires photographic ID
    • Subpart D — Requests to Amend Records (§§ 6.41–6.60): individuals who believe a FEMA record is inaccurate, incomplete, untimely, or irrelevant may request an amendment; FEMA has 10 workdays to acknowledge and must make a determination as promptly as possible; if FEMA agrees to amend, it must notify prior recipients of the corrected information; if FEMA refuses, the individual may appeal to the Commissioner/Director; after exhausting administrative appeals, the individual may file suit in federal district court or file a statement of disagreement for inclusion in the record
    • Subpart E — Report on New Systems and Alterations of Existing Systems (§§ 6.61–6.63): FEMA must submit a report to OMB and Congress before establishing or significantly altering a Privacy Act system of records; reports must include the categories of individuals covered, the categories of records, the routine uses, and the safeguards; OMB review allows identification of compatibility issues with the Privacy Act framework before new systems are deployed
    • Subpart F — Fees (§§ 6.71–6.76): FEMA does not charge fees for the first copy of records provided to the subject individual; fees apply only to duplicate copies; waiver is available for low-income individuals
    • Subpart G — Exempt Systems of Records (§§ 6.91–6.96): FEMA has exempted certain systems of records from specific Privacy Act requirements under 5 U.S.C. § 552a(j) and (k); law enforcement records and certain investigative files may be exempted from the access and amendment provisions to protect ongoing investigations; the exemption does not eliminate the underlying privacy protections — it only limits the specific access and correction rights

    FEMA maintains Privacy Act systems covering disaster assistance applicants (individuals who received Individual Assistance after presidentially declared disasters), flood insurance policyholders under the National Flood Insurance Program, emergency management employees and contractors, and law enforcement and security investigation records. The disaster assistance systems are among the largest: after major disasters, FEMA may receive millions of registrations, and the Privacy Act governs how FEMA handles that data, who may access it, and how errors in disaster eligibility determinations can be corrected through amendment requests. FEMA's disclosure rules are particularly important in disaster contexts where state agencies, nonprofits, and contractors need access to applicant data to deliver assistance.

  • 41 CFR Part 51-9 — AbilityOne Program (CPPBSD) Privacy Act Rules (33 sections across 7 subparts — the Committee for Purchase From People Who Are Blind or Severely Disabled's Privacy Act implementation; authority: 5 U.S.C. § 552a; the Committee administers the AbilityOne Program, which directs federal procurement to nonprofit agencies employing blind and severely disabled workers):

    • Subpart 51-9.1 — General Policy (8 sections): the Executive Director is responsible for ensuring that all CPPBSD systems of records comply with the Privacy Act; § 51-9.101-1 — Collection and use: information about individuals may only be collected and used to the extent necessary to fulfill the agency's authorized functions; § 51-9.101-3 — Content of systems of records: only information that is relevant and necessary to accomplish a required purpose may be maintained; records must be collected directly from the subject individual to the greatest extent practicable; § 51-9.101-5 — Safeguarding: physical and electronic safeguards (limited access, encryption, locked facilities) must protect all Privacy Act records
    • Subpart 51-9.2 — Disclosure of Records (2 sections): Committee records about individuals may only be disclosed with the individual's written consent or under a statutory exception; each disclosure under an exception must be accounted for and the accounting made available to the subject individual
    • Subpart 51-9.3 — Individual Access to Records (13 sections): individuals may submit written requests to the CPPBSD System Manager to determine whether records exist about them and to review and copy those records; the Committee must respond within 10 workdays; access requests require sufficient identifying information to locate the records; medical information may require routing through a physician if direct disclosure could cause harm
    • Subpart 51-9.4 — Requests to Amend Records (5 sections): if an individual believes Committee records about them are inaccurate, incomplete, untimely, or irrelevant, they may file an amendment request; the Committee must acknowledge within 10 workdays; if amendment is denied, the individual may appeal to the Executive Director and, if unsuccessful, file a statement of disagreement for inclusion in the record
    • Subpart 51-9.6 — Exemptions (1 section): certain CPPBSD records may be exempt from the access and amendment provisions under 5 U.S.C. § 552a(k)(2) — records compiled for law enforcement purposes that, if disclosed, could reasonably be expected to compromise ongoing investigations

    The AbilityOne Program's Privacy Act records primarily concern nonprofit agency employees with disabilities (performance data supporting the agency's eligibility to hold a procurement set-aside) and procurement-related contractor information. Because the program links employment outcomes for blind and severely disabled workers to federal procurement decisions, the records system intersects both employment privacy and procurement integrity interests. The Committee's small size means its Privacy Act procedures are simple relative to major civilian agencies, but the program's impact on a vulnerable workforce makes careful records management essential.

Pending Legislation

  • HR 5028 (Rep. Min, D-CA) — Let people sue federal employees for intentional Privacy Act violations. Status: Introduced.
  • S 1819 (Sen. Warner, D-VA) — Sharply raise fines for unauthorized access/disclosure of federal data. Status: Introduced.
  • S 1208 (Sen. Wyden, D-OR) — Expand Privacy Act coverage, tighten rules for government PII handling. Status: Introduced.

Recent Developments

  • The Privacy Act has not been significantly amended since 1974, and critics argue it has not kept pace with the digital age — the "system of records" concept maps poorly to modern databases and data analytics
  • Government use of artificial intelligence, facial recognition, and predictive analytics raises questions about whether the Privacy Act adequately protects against algorithmic decision-making using personal data
  • The E-Government Act (2002) added Privacy Impact Assessment requirements but the underlying Privacy Act framework remains largely unchanged
  • Cross-agency data sharing has expanded dramatically (DHS, IRS, SSA, HHS data matching programs), testing the limits of the "routine use" exception
  • Debates continue about extending Privacy Act protections to non-citizens, particularly in the immigration context
  • In March 2026, DoD modified and reissued its System of Records Notice for the Defense Manpower Data Center, retitling it "Uniformed Services Human Resources Information System" to reflect updated data management practices.
  • In February 2026, the State Department proposed modifications to its System of Records Notice under the Privacy Act, updating data management practices for departmental records.
