Branches of Government and Sources of U.S. Law

Branches of Government and Sources of U.S. Law – A Comprehensive Guide for CIPP/US Exam Preparation

Why Is This Topic Important?

Understanding the branches of government and the sources of U.S. law is foundational to every area of U.S. privacy law. Privacy professionals must know where laws come from, who creates them, and how they interact with one another. The CIPP/US exam tests your ability to identify which branch of government is responsible for a particular legal action and how various sources of law — statutes, regulations, case law, and executive orders — fit into the broader privacy landscape. Without this foundational knowledge, it becomes extremely difficult to analyze more advanced privacy topics such as sectoral regulation, enforcement actions, and judicial interpretations of privacy rights.

What Are the Branches of Government?

The U.S. Constitution establishes three co-equal branches of government, each with distinct roles that directly affect the creation, implementation, and interpretation of privacy law:

1. The Legislative Branch (Congress)
Congress is composed of two chambers: the Senate and the House of Representatives. The legislative branch is responsible for creating statutes — the written laws that govern the country. In the privacy context, Congress has enacted landmark statutes such as the Privacy Act of 1974, the Health Insurance Portability and Accountability Act (HIPAA), the Gramm-Leach-Bliley Act (GLBA), the Children's Online Privacy Protection Act (COPPA), and many others.

Key points to remember:
- Congress creates federal statutes through the legislative process (a bill must pass both chambers and be signed by the President).
- Congressional committees conduct hearings and investigations that can shape privacy policy.
- Congress can delegate rulemaking authority to federal agencies (e.g., directing the FTC or HHS to issue implementing regulations).

2. The Executive Branch (The President and Federal Agencies)
The executive branch enforces the law. It is headed by the President, who can also issue executive orders that direct federal agencies on matters of policy, including privacy. Federal agencies within the executive branch — such as the Federal Trade Commission (FTC), the Department of Health and Human Services (HHS), and the Department of Commerce — play critical roles in privacy regulation.

Key points to remember:
- Federal agencies issue regulations (also called rules) that have the force of law. These regulations implement and provide detail to the statutes passed by Congress.
- The rulemaking process is governed by the Administrative Procedure Act (APA), which typically requires notice-and-comment rulemaking.
- Executive orders can have significant privacy implications (e.g., Executive Order 12333 on intelligence activities, or executive orders addressing government surveillance).
- Federal agencies also enforce privacy laws through investigations, consent decrees, and civil penalties.

3. The Judicial Branch (The Courts)
The judicial branch interprets the law. Federal courts, headed by the U.S. Supreme Court, resolve disputes about the meaning and constitutionality of statutes, regulations, and executive actions. Court decisions create case law (also known as common law or judicial precedent), which is binding on lower courts within the same jurisdiction.

Key points to remember:
- The Supreme Court has issued landmark privacy rulings, including Griswold v. Connecticut (right to privacy in marital relations), Katz v. United States (reasonable expectation of privacy / Fourth Amendment), and Carpenter v. United States (cell-site location information and the Fourth Amendment).
- Federal courts review agency actions to ensure they are consistent with statutory authority and constitutional requirements.
- The concept of judicial review (established in Marbury v. Madison) allows courts to strike down laws or agency actions that violate the Constitution.
- Court opinions establish precedent that shapes how privacy laws are applied in future cases.

What Are the Sources of U.S. Law?

Understanding the hierarchy and interaction of legal sources is essential for the CIPP/US exam. The primary sources of U.S. law include:

1. The U.S. Constitution
The Constitution is the supreme law of the land. Any statute, regulation, or government action that conflicts with the Constitution can be struck down. The Constitution does not explicitly mention privacy, but the Supreme Court has recognized privacy rights through several amendments:
- First Amendment: Protects freedom of speech, association, and religion, which have privacy implications.
- Third Amendment: Prohibits quartering of soldiers, reflecting a privacy interest in the home.
- Fourth Amendment: Protects against unreasonable searches and seizures — a cornerstone of privacy law.
- Fifth Amendment: Protects against self-incrimination, reflecting a form of informational privacy.
- Ninth Amendment: States that rights not enumerated in the Constitution are retained by the people.
- Fourteenth Amendment: Due process and equal protection clauses have been used to establish substantive privacy rights.

2. Federal Statutes
These are laws enacted by Congress. U.S. privacy law is largely sectoral, meaning that different statutes address privacy in specific sectors (health, finance, education, telecommunications, etc.) rather than through a single comprehensive federal privacy law. Examples include HIPAA, GLBA, FERPA, COPPA, ECPA, and the Fair Credit Reporting Act (FCRA).

3. Federal Regulations
Regulations are issued by federal agencies pursuant to authority delegated by Congress. They fill in the details of statutes. For example, the HIPAA Privacy Rule and Security Rule were issued by HHS to implement the privacy and security provisions of HIPAA. Regulations are published in the Federal Register and codified in the Code of Federal Regulations (CFR).

4. Case Law (Common Law)
Judicial decisions interpreting statutes, regulations, and the Constitution become binding precedent. In privacy, common law torts are also significant. The Restatement (Second) of Torts recognizes four privacy torts originally articulated by William Prosser:
- Intrusion upon seclusion
- Public disclosure of private facts
- False light
- Appropriation of name or likeness

5. Executive Orders
These are directives issued by the President to manage operations of the federal government. While they do not require congressional approval, they must be consistent with the Constitution and federal statutes.

6. State Laws
States have their own constitutions, statutes, regulations, and common law. Many states have enacted privacy laws that go beyond federal protections. Examples include the California Consumer Privacy Act (CCPA) and its amendment, the California Privacy Rights Act (CPRA), as well as comprehensive privacy laws in Virginia, Colorado, Connecticut, and other states. State attorneys general often play a significant enforcement role.

7. Administrative Guidance and Self-Regulation
Federal agencies also issue guidance documents, advisory opinions, and best-practice frameworks. While not always legally binding, they signal how agencies interpret and enforce the law. Industry self-regulatory programs (e.g., the Digital Advertising Alliance's self-regulatory principles) also play a role in the U.S. privacy landscape.

How Do the Branches and Sources of Law Interact?

The U.S. system of checks and balances means that no single branch operates in isolation:
- Congress passes a statute (e.g., HIPAA).
- An executive agency (e.g., HHS) issues regulations to implement the statute (e.g., the HIPAA Privacy Rule).
- Courts interpret the statute and regulations when disputes arise, and can invalidate provisions that are unconstitutional or exceed the agency's statutory authority.
- The President may issue executive orders that direct agencies to prioritize certain privacy protections or enforcement activities.

Additionally, the concept of preemption is critical: when federal law conflicts with state law, federal law generally prevails under the Supremacy Clause of the Constitution. However, many federal privacy statutes set a floor rather than a ceiling, allowing states to enact stronger protections.

How to Answer Exam Questions on This Topic

When facing CIPP/US exam questions about the branches of government and sources of law, use the following analytical framework:

1. Identify the actor: Is the question about Congress (legislative), an agency like the FTC or HHS (executive), or a court (judicial)? This immediately tells you the source of the legal authority.

2. Identify the legal instrument: Is the question about a statute, a regulation, case law, an executive order, or a constitutional provision? Each has different legal weight and different processes for creation and modification.

3. Apply the hierarchy: Remember that the Constitution trumps statutes, statutes trump regulations, and federal law generally preempts conflicting state law (unless the federal statute allows for stronger state protections).

4. Consider the process: If the question asks about how a rule was made, think about the APA's notice-and-comment rulemaking process for regulations, the legislative process for statutes, or the adjudicative process for case law.

5. Look for keywords: Words like "enacted," "passed," or "signed into law" point to legislation. Words like "promulgated," "issued a rule," or "final rule" point to agency regulations. Words like "held," "decided," or "opinion" point to judicial decisions.

Exam Tips: Answering Questions on Branches of Government and Sources of U.S. Law

Tip 1: Know the roles clearly. The most common trap is confusing which branch does what. Remember: Congress makes the law, the executive branch enforces and implements the law, and the judiciary interprets the law. If a question asks who has the authority to issue binding regulations implementing a statute, the answer is the relevant federal agency (executive branch), not Congress.

Tip 2: Understand delegation. Congress frequently delegates rulemaking authority to agencies. Know that when an agency issues a regulation, it is exercising authority delegated by Congress through a statute. If the agency exceeds its statutory authority, courts can invalidate the regulation.

Tip 3: Remember the APA. The Administrative Procedure Act governs how agencies make rules. Notice-and-comment rulemaking is a frequently tested concept. Agencies must publish a proposed rule, allow public comment, and then issue a final rule that responds to significant comments.

Tip 4: Distinguish between binding and non-binding authority. Statutes, regulations, and court decisions are binding. Agency guidance documents, policy statements, and industry self-regulatory codes are generally not binding but can be highly influential. The exam may test whether you understand this distinction.

Tip 5: Pay attention to preemption. Know whether a particular federal privacy statute preempts state law entirely, partially, or not at all. For example, HIPAA preempts state laws that are less protective but allows state laws that are more protective to stand. The FCRA has more complex preemption provisions. Preemption questions frequently appear on the exam.

Tip 6: Know key constitutional amendments. Be able to identify which amendments relate to privacy. The Fourth Amendment (searches and seizures) and the Fourteenth Amendment (due process / substantive privacy rights) are the most commonly tested. Also remember that constitutional protections generally apply to government action, not private-sector conduct.

Tip 7: Understand the concept of standing and judicial review. Courts can only hear actual cases or controversies. A person must have standing — meaning they have suffered an injury in fact — to bring a lawsuit. This is particularly relevant in privacy cases where the harm may be difficult to demonstrate (e.g., data breaches where no misuse of data has yet occurred).

Tip 8: Use process of elimination. If a question asks about the source of a particular legal requirement, eliminate answers that attribute it to the wrong branch. For instance, if the question mentions a "rule" issued by the FTC, eliminate any answer choice that says it was enacted by Congress or decided by a court.

Tip 9: Connect the branches to real privacy examples. Strengthen your recall by associating each branch with specific privacy examples: Congress → COPPA statute; FTC → COPPA Rule (regulation); Courts → FTC v. Wyndham Worldwide (case law affirming FTC's authority under Section 5).

Tip 10: Read carefully for context clues. Many exam questions provide scenario-based facts. Look for clues about whether the scenario involves lawmaking (legislative), enforcement or rulemaking (executive), or dispute resolution and interpretation (judicial). The context will guide you to the correct answer.

Summary

The branches of government and sources of U.S. law form the structural foundation of the entire U.S. privacy framework. For the CIPP/US exam, you must be able to:
- Identify the three branches and their respective roles in creating, implementing, and interpreting privacy law.
- Distinguish among constitutions, statutes, regulations, case law, and executive orders.
- Understand the hierarchy of legal authority and the concept of preemption.
- Apply this knowledge to scenario-based questions that test your understanding of how U.S. privacy law is made, enforced, and adjudicated.

Mastering this topic will not only help you answer direct questions about government structure but will also provide the analytical framework you need to tackle more complex privacy questions throughout the exam.