Research / Insights on current and emerging industry topics
A state-by-state evaluation of internet privacy lawsFebruary 6, 2023 | By Paul Bischoff – Editor, Comparitech @pabischoff
Laws governing online privacy in the U.S. vary widely from state to state. To find out how each U.S. state ranks from least to most private, Comparitech evaluated each and every one of them based on 25 key criteria. The results reveal a wide range of varying privacy protections, that are visualized in the map below. Scores are displayed as percentages, with a score of 25 out of 25 being 100%.
The criteria range from laws that govern how companies can use and disclose customer data to those that protect journalists, children, and employees. The results of our research are compiled into the table below, with a simple “yes” or “no” answer as to whether an applicable law exists in each state. In some cases, where laws partially cover an area (e.g. genetic data protection is only offered for insurance purposes), states may score half a point. This is depicted by an orange square in the chart below.
2023 key updates and trends
During our 2023 edition of this evaluation, several key updates provided insight into privacy law trends within the U.S.:
- Connecticut enacted a law to protect personal data and to regulate online monitoring (it’s effective from July 1, 2023)
- Utah enacted its Consumer Privacy Act (it’s effective from December 31, 2023)
- California strengthened its data privacy laws to protect employee data and children’s data
- New York added a section to its Civil Rights Code to create safeguards for electronic monitoring in the workplace
- Hawaii created social media privacy laws for employers and educational institutions
- Hawaii, Kentucky, Minnesota, Tennessee, Vermont, and Wisconsin added insurance data security laws, taking the number of states that have implemented the Data Security Model Law, which was created by the National Association of Insurance Commissioners (NAIC), to 22
- Colorado introduced a statute to govern artificial intelligence (AI) use, particularly surrounding the use of facial recognition technology. It becomes one of only a handful of states (6) that govern the use of AI within the state
- Only 23 states offer specific safeguards for genetic data–and ten of these only provide some protections (e.g. for insurance purposes)
- Only five states have laws to protect the collection and sale of geolocation data by organizations
- Only four states stipulate that consumers have the right to request inaccurate personal data be amended by companies
Since last year’s evaluation, we added sections to cover specific laws on:
- Employee data privacy
- Genetic data
- Geolocation data
- Companies allowing customers to correct inaccurate data
We also combined:
- Shield laws and court-recognized privileges for journalists into one category with the former scoring a full point and the latter scoring half a point (if no shield law is in place)
The states in the U.S. that most rigorously govern online privacy
Our top scorer for the fourth update running, California, has enacted many laws for specific privacy issues that other states ignore. Not only did the state create what the ACLU called the most comprehensive digital privacy law in the nation, but it continues to add to and strengthen this law. As mentioned above, California has strengthened its privacy protections by ensuring employees’ data is governed by the law, making it the only state to have this provision in place at the time of writing. It’s also one of just two states to enact a law that specifically protects data gathered from the internet-of-things (Oregon is the other) and to protect privacy rights and enforce marketing restrictions for minors (Delaware is the other). It’s also one of a handful of states to protect the collection and sale of geolocation data.
The Electronic Communications Privacy Act prevents any law enforcement or investigative entity from forcing a company to give up electronic data or communications without a warrant. This includes cloud data, metadata, emails, text messages, location data, and device searches. Although other states have similar laws protecting some of these forms of data, California has so far been the only state to protect it all.
On June 26, 2018, California passed one of the toughest privacy laws in the United States, the Consumer Privacy Act of 2018. Effective in 2020, this bill empowers consumers with the right to know what information any company has collected about them and with whom that information is shared. Furthermore, consumers can demand that a company delete their personal data and have any inaccurate data amended.
Utah’s recent enactment of the Consumer Privacy Act sees it rising through the rankings this year to take second place (alongside Virginia). This act, which comes into power on December 31, 2023, ensures consumers are aware of the data companies are collecting on them, can opt out of third-party data sharing, and can request that their data is deleted. The act also protects geolocation data, making Utah one of just five states to have this specific provision within its data protection laws.
Other key areas for Utah include data disposal laws for governments and companies, social media privacy laws for employers and educational institutions, and laws to govern the use of artificial intelligence and genetic data.
While there aren’t any new laws within Virginia for this update, its Consumer Data Protection Act ensures companies must delete personal data on demand, must enable customers to opt out of third-party data sharing, must disclose what data they’re collecting from customers, and must correct any inaccurate data. This law also provides protection for consumers’ geolocation data.
Virginia’s DMV doesn’t use facial recognition technologies and doesn’t share its photo database with federal agencies.
Delaware remains within the top five this year. Laws that require the government to dispose of customer data after a set period of time, protect genetic data, protect the privacy of e-reader and library data, and protect minors help the state stand out.
There were no updates for Delaware this year. However, it is one of the states that require consent from both parties before call recording can be carried out.
Illinois paved the way for legislation that specifically protects biometric data like fingerprints, face recognition scans, and retina scans, being the first state to enact this way back in 2008. It is only in recent years that several other states (California, Texas, and Washington) have followed suit. It is also one of 18 states to have a comprehensive genetic data protection law.
Both companies and the government must dispose of personal data after a set period of time. Employers and schools cannot force employees and students to hand over social media account login information. The state also enforces strict regulations regarding the use of artificial intelligence for video interviews and requires consent from both parties when recording calls.
States lagging in enacting privacy laws
None of the below states have comprehensive data privacy laws. None protect IoT data, biometric data, geolocation data, employee data, minors’ data, e-reader privacy, or the use of AI. Only South Dakota offers some protection to genetic data when it comes to the use for insurance purposes. ISPs are able to share customer data without explicit consent and law enforcement has unwarranted access to service provider data on users.
All of them have failed to introduce laws on data disposal, electronic monitoring by employers, social media monitoring by employers and educational institutions, and to govern data brokers.
Idaho scores one point for its law to protect K-12 student information and half a point for its court-recognized privilege for journalists.
Pennsylvania has a shield law to protect journalists and requires two parties to consent to their calls being recorded.
Mississippi also scores 8% or 2/25. Like Pennsylvania it also has a shield law to protect journalists but only one party is required to consent to call recording. Mississippi’s second point comes from its insurance data security law.
In addition to a law to protect K-12 student information and a shield law to protect journalists, SD scores an additional 0.5 points thanks to some of the safeguards offered when it comes to genetic data. South Dakotan law specifies that the use of genetic tests in offer, sale, or renewal of insurance is prohibited, as is the sharing of genetic information with health carriers or life/long-term care insurers.
Iowa has a law to protect K-12 student information and an insurance data security law. It also scores 0.5 points for its court-recognized privilege for journalists.
Federal privacy laws
Some aspects of online privacy are governed by the federal U.S. government rather than state governments. Partial regulations exist, but there is no all-encompassing law regulating the collection, storage, or use of personal data in the U.S.
The U,S. Constitution never mentions privacy specifically and only protects against state actors, not individuals. However, the First, Fourth, Ninth, and Fourteenth Amendments limit government intrusion on individuals’ right to privacy.
In 2018, the Supreme Court ruled in Carpenter vs. United States that the Fourth Amendment protects cell phone location information. This means police now have to seek a warrant to obtain this data. While a success for privacy, there are still numerous questions over the government’s and law enforcement’s geolocation tracking abilities. Recently, it was found that law enforcement is purchasing commercially-available geolocation data so as to circumnavigate the warrant requirements.
The Privacy Act of 1974 governs the collection, maintenance, use, and dissemination of personally identifiable info about individuals stored by federal agencies. Again, this restricts how the government can access and use records and does not apply to individuals or businesses.
HIPAA was enacted in 1996 to protect medical records.
The Fair Credit Reporting Act (FCRA) allows individuals to opt out of unwanted credit offers and obtain one free credit report from each of the major credit reporting agencies every year.
The Electronic Communications Privacy Act can be used to impose criminal sanctions on anyone who intercepts electronic communications without consent, but a number of loopholes have rendered the law mostly useless, experts say.
The 1998 Children’s Online Privacy Protection Act requires that websites directed at children under the age of 13 must get parental consent among other compliance standards. The law has widely been discredited as ineffective and even counterproductive when it comes to protecting kids online.
Other federal laws relating to computer security and privacy law include (source: Wikipedia):
- 1970 U.S. Fair Credit Reporting Act
- 1970 U.S. Racketeer Influenced and Corrupt Organization (RICO) Act
- 1974 U.S. Privacy Act
- 1980 Organization for Economic Cooperation and Development (OECD) Guidelines
- 1984 U.S. Medical Computer Crime Act
- 1984 U.S. Federal Computer Crime Act (strengthened in 1986 and 1994)
- 1986 U.S. Computer Fraud and Abuse Act (amended in 1986, 1994, 1996 and 2001)
- 1986 U.S. Electronic Communications Privacy Act (ECPA)
- 1987 U.S. Computer Security Act (Repealed by the Federal Information Security Management Act of 2002)
- 1988 U.S. Video Privacy Protection Act
- 1990 United Kingdom Computer Misuse Act
- 1991 U.S. Federal Sentencing Guidelines
- 1992 OECD Guidelines to Serve as a Total Security Framework
- 1994 Communications Assistance for Law Enforcement Act
- 1995 Council Directive on Data Protection for the European Union (EU)
- 1996 U.S. Economic and Protection of Proprietary Information Act
- 1996 Health Insurance Portability and Accountability Act (HIPAA) (requirement added in December 2000)
- 1998 U.S. Digital Millennium Copyright Act (DMCA)
- 1999 U.S. Uniform Computer Information Transactions Act (UCITA)
- 2000 U.S. Congress Electronic Signatures in Global National Commerce Act (“ESIGN”)
- 2001 U.S. Provide Appropriate Tools Required to Intercept and Obstruct Terrorism (PATRIOT) Act
- 2002 Homeland Security Act (HSA)
- 2002 Federal Information Security Management Act of 2002
Prospects for future privacy legislation
Federal privacy legislation has been proposed a few times since 2019 but until recently such proposals didn’t have much bipartisan support. 2022 saw the first bipartisan bill, the American Data Privacy and Protection Act. That could result in some federal privacy law being passed in 2023, but it’s no guarantee.
My concern is that a federal law would preempt state laws like California’s CCPA, and the federal law might do less to protect people’s privacy. Influence from anti-privacy lobbyists could neuter the federal law by the time the president signs it, leaving individual states with little recourse.
A global federal privacy law is still a long way off. As the home of the world’s biggest tech companies, I think the U.S. needs to set a precedent first.
About the author
Paul Bischoff is editor of Comparitech and a regular commentator on cyber security and privacy topics in national and international media including New York Times, BBC, Forbes, The Guardian and many others. He’s been writing about the tech industry since 2012 for publications like Tech in Asia, Mashable, and various startup blogs.