By drawing from a number of studies in the field as well as the Snowden revelations and the case of MegaUpload/MEGA, the article makes an analysis of relevant legislation on privacy in the digital context. The purpose of the analysis is to understand to what extent and how the current paradigm of privacy protection is, or is not, sufficient for contemporary needs. In particular, we ask how privacy is protected by policy in an American context and to what extent this is or is not insufficient in relation to an approach of “privacy by design”. In short, we conclude that privacy by policy is necessary but not sufficient and that efforts should be made to further implement policy by design.