Management, compliance & auditing

Which states have the toughest privacy laws?

Introduction

Despite its high-tech advances, the United States lags behind other developed countries in protecting consumer privacy. Unlike most other developed countries, the United States only has a patchwork of federal privacy laws, primarily aimed at specific sectors like healthcare and financial. Even China, with all its government surveillance, is making better headway in restricting how companies handle its citizens’ private data.

The U.S. Congress has made attempts as recently as 2012 to enact a baseline federal consumer privacy law (known as the Consumer Privacy Bill of Rights). Currently, on the heels of European Union’s General Data Protection Regulation (GDPR), new discussions indicate renewed interest from U.S. lawmakers in this topic.

Congress, however, is not known for acting fast, and it could still be years before anything close to GDPR is enacted. In the meantime, the U.S. states have been carrying the flag for their own residents: Every state has at least one law that protects some aspect of online or data privacy.

Different types of state privacy and security laws

The state legislation related to data breaches and consumer privacy is not homogenous, and even definitions such as personally identifiable information (PII) vary from state to state. But generally speaking, the laws fall into similar categories.

At a high level, there are three major categories of state laws:

Data disposal

These laws regulate how either government or private entities need to dispose of PII, whether by destroying it or making it unreadable in other ways. As of January 1st, 2019, at least 35 states had data disposal legislation, according to the National Conference of State Legislatures (NCSL).

Among those 35, some were more limited in scope. For example, Arizona’s applies to paper records only, Delaware’s is limited to employers and Wisconsin’s only covers specific industries like healthcare and financial institutions.

Data breach notification

All 50 states have laws requiring entities to notify individuals when their PII becomes compromised as a result of a data breach. In 2018, Alabama became the last one to add this protection, while Colorado became the state with the strictest breach notification after it shortened its existing requirement for the notification window to 30 days.

Each state has different exemptions. Some don’t include paper records; others specify a minimum number of records affected before the requirement kicks in. A few states also require breached organizations to notify the state attorney general’s office. And at least one — Washington — publishes its list of breach notifications online, not unlike the U.S. Department of Health and Human Services does with its Office of Civil Rights’ HIPAA violations database.

Data security

According to NCSL, at least 24 states had general data security laws for private entities as of January 1st, aimed largely at protecting personal data of individuals. In some cases, a covered entity could be an individual, not necessarily a business or agency.

Like the other privacy laws, these vary from state to state, but typically include implementation and maintenance of reasonable security practices and procedures to protect data. For some states, only certain industries are affected, and for others, the law is specific to digital records.

Other types of laws that only a few states have include protecting biometric data, barring ISPs from sharing information with third parties and requiring a warrant for law enforcement to access users’ service provider data.

NCSL reports that this year, there are four trends based on the proposals on some states’ agendas:

• Expanding the definition of personal information (this could be data like biometrics, passport data and email/password combinations)
• Implementing or shortening the timeframe for breach reporting
• Requiring the state attorney general to be notified
• Providing free credit freezes to affected individuals

California, the toughest of all

California has consistently been a pioneer of consumer protection legislation, and not only related to privacy. Among other things, the Golden State is the one that started the trend for data breach disclosure laws, first enacting one back in 2002.

In 2018, California once again enacted a groundbreaking law — the California Consumer Privacy Act of 2018 (CCPA) — that will come into effect in 2020. One of the toughest privacy laws in the nation, CCPA has some similarities with GDPR. For example:

• It applies not only to locally based entities, but to anyone who does business in the state and collects personal information of its residents
• It enables consumers to request, free of charge, information such as what data the business is collecting about them, from what sources and for what purpose
• It allows consumers to opt out from having their personal information sold, as well as to request that their data be deleted

CCPA does exempt smaller businesses, specifically those with annual gross revenues under $25 million and with data for fewer than 50,000 consumers. The biggest differentiator is that this law only applies to companies that derive at least 50 percent of their annual revenue from selling Californians’ personal data. In other words, a vast number of businesses will not currently be subject to this law — but the state lawmakers could still amend some of the provisions before CCPA comes into effect.

In a ranking of all states, pro-consumer website Comparitech.com gave California the highest privacy score, 75 percent, while some states scored as low as 20 percent. Of 20 categories that Comparitech included in its analysis, California had protections in 14. In addition to being the only state to have the protections mentioned above, it was also the only one with a law specific to IoT data.

Other states with tough privacy laws

Based on Comparitech’s analysis, three other states came at the top: Delaware and Utah, tied for second place and each scoring 60 percent; and Illinois, scoring 50 percent. Here’s how they compare.

Delaware

Delaware, which was in the #1 spot on the list the previous year, has laws in 11 of the 20 categories analyzed by Comparitech. According to NCSL, Delaware’s laws include protections for children’s online privacy, e-book and library users and employee email.

Additionally, the state requires commercial website, online or cloud computing services and mobile or online applications that collect PII of Delaware residents over the Internet to make their privacy policies conspicuously available.

Utah

Utah is one of only two states that bar ISPs from sharing their customers’ data without consent with third parties. Recently, the state passed landmark legislation of its own: to protect private data stored electronically with entities like social networks from being freely available to the government. An article in Wired reported that in all other states, as well as at the federal level, law enforcement agencies could access consumer information through third-party channels, although some court cases have ruled in favor of third-party data privacy.

Additionally, one of Utah’s laws requires nonfinancial businesses to disclose to consumers the type of personal information the entities are selling to or sharing with third parties for marketing or for compensation.

Illinois

The state stands out in the Comparitech ranking because it has the toughest biometric law. Enacted in 2008, it requires consent for collecting sensitive information such as fingerprints. There was recent speculation whether the law was in jeopardy because of a state Supreme Court case involving a Six Flags customer, but the court ruled in favor of the law in January.

What to expect next

Cameron F. Kerry, who led the task force that developed the 2012 Consumer Privacy Bill of Rights, wrote in a Brookings Institution report that consumer privacy is a losing game today, both for individuals and the legal system.

“If we don’t change the rules of the game soon, it will turn into a losing game for our economy and society,” he wrote.

As if to prove him right, momentum seems to be stalling for the current Congressional effort to legislate privacy. One of the disagreements is whether a federal bill should override state laws. It’s perhaps ironic that the states’ efforts to close the gap at the federal level may be seen as a hindrance.

But don’t expect the issue to die out. About half of Americans distrust the government and social networks with their personal information, according to Pew Research Center. Which means the U.S. consumer pressure for digital privacy is likely to grow, especially in light of GDPR.

 

Sources

1. China’s Privacy Conundrum, Slate
2. Why a Push for Online Privacy Is Bogged Down in Washington, New York Times
3. Consumer Privacy Before Congress This Week: What We Learned and What’s Next, Public Knowledge
4. Data Security Laws, Security Breach Notification Laws and Data Disposal Laws, National Conference of State Legislatures
5. Cybersecurity Legislation 2019, National Conference of State Legislatures
6. The Strictest Data Privacy Law in the United States, The Privacy Report
7. Which U.S. States Best Protect Privacy Online?, Comparitech.com
8. Utah Just Became a Leader in Digital Privacy, Wired
9. State Laws Related to Internet Privacy, National Conference of State Legislatures
10. Victory! Illinois Supreme Court Protects Biometric Privacy, Electronic Frontier Foundation
11. Why Protecting Privacy Is a Losing Game Today — and How to Change the Game, Brookings Institution
12. Momentum Stalls for Federal Privacy Bill, MLex Market Insight
13. State Rules Complicate Push for Federal Data Privacy Law, The Hill
14. Americans and Cybersecurity, Pew Research Center