Data Privacy Laws by State

Taylor Leamey
Feature Writer

Your Data Travels Even If You Don’t

The more connected we become, the more data we will continue to share. Think about how often you access the internet and input or view sensitive information. From accessing health care information to paying bills online to even tagging your location on social media, you’re sharing information that can be collected.

According to a recent study, 47% of Americans were not sure they understood what was done with their personal information and 59% were confused by the privacy policy presented by companies. In a time when our lives are so heavily entwined with the internet, knowing what’s done with the data you share is critical.

Why it matters

Landmark security breaches remind us how vulnerable our data really is. Equifax, one of the top three credit reporting agencies, disclosed a data breach in September of 2017. Information like social security numbers, names, addresses, and driver’s license numbers were compromised for 147 million people, along with 209,000 customer credit card numbers. Given the severity and importance of the information leaked, the Equifax breach is regarded as unprecedented in impact. The settlement reached with the Federal Trade Commission amounted to $425 million to be paid out to help people who were affected.

Facebook has experienced a series of security breaches, which have resulted in a federal investigation. In 2019, the user data of 540 million Facebook users was exposed on Amazon’s cloud computing services. It was revealed that Facebook partnered with more than 150 companies to share personal information of the hundreds of millions of people who use the social media platform. Users were not aware of this exchange. In a focus group conducted by the Pew Research Center, people spoke negatively about the consequences of sharing data and said that companies could have an ulterior motive for collecting their data.

Federal Laws

  • U.S. Privacy Act of 1974: This act established regulations on the collection, maintenance, use, and sharing of information. It requires that agencies obtain written consent from the individual before disclosing any of their information, unless the disclosure falls under one of the 12 statutory exceptions. Under this act, individuals are also able to request amendments to their records.
  • Federal Trade Commission Act: This act gives the Federal Trade Commission the power to protect consumers from unfair or deceptive practices taken by companies and seek monetary compensation. The FTC also has the right to enforce federal data and privacy protections.
  • Children’s Online Privacy Protection Act (COPPA): COPPA prohibits the collection of data from anyone under the age of 13 without obtaining verifiable parental consent.
  • Video Privacy Protection Act (VPPA): VPPA bans the disclosure of personal information or data unless the customer is aware and consents. This act includes streaming services.

There is no single catch-all data privacy law. Instead, there is a mixture of federal and state laws that try to address the different aspects of data protection. The lack of federal laws pertaining to consumer privacy led individual states to pass their own laws protecting citizens. Even so, all-encompassing laws are not widespread. There is still a lot of ground that needs to be covered to ensure that American consumers are completely protected.

Types of Data Privacy Laws

Consumer privacy

Do you ever wonder why things like Facebook or Instagram are free? You pay in privacy. These types of online services are free of monetary charge because they collect your data in exchange for their hosted services. However, 38% of surveyed Americans said that they were confused by the information presented in a privacy policy.

As of January 2020, the California Consumer Privacy Act addresses that exact issue. This law puts pressure on companies to be transparent with their practices and gives residents the right to know what personal information has been collected, shared, or sold. Additionally, consumers have the right to delete personal information that’s already been collected and the right to opt-out of the sale of personal information. The idea of trading your personal information for a free service is better accepted when the consumer has control.

Children’s online privacy

One of the only inclusive data privacy laws is concerned with children’s online privacy. Children’s Online Privacy Protection Act (COPPA) is a federal law that prohibits the collection of data from children who are under 13 years old. This means that parents have control over the information the companies can have and can request that any collected data be deleted.

In February 2019, TikTok paid $5.7 million to the FTC over concerns that the video app was in violation of COPPA. In what was the largest children’s privacy civil penalty to date, TikTok was accused of illegally collecting personal information from children without parental consent. In addition to the substantial settlement, TikTok was required to update its practices and remove all videos that are made by children under the age of 13. TikTok is only one example; Google and YouTube have also been investigated by the FTC.

E-reader

There are only a handful of states that have laws governing consumer privacy when it comes to e-readers. These laws prohibit entities from collecting or sharing information regarding the type of material being rented or bought using the e-reader. Within the states that have laws pertaining to e-readers, most have focused on information that can be gathered by public entities like libraries. However, efforts are being made to protect the privacy of the content people choose to read on their electronic devices. The Electronic Frontier Foundation took the time to comb through the popular e-book platforms’ privacy policies to give you the answers you’ve been searching for.

Online services

Consumers are seeing changes when it comes to online services and privacy data. Companies are now more transparent when it comes to their efforts in collecting information about your browsing habits, whether in a good-faith effort to keep their consumers’ trust or because of the laws that require it. Additionally, approximately 86% of internet users have taken steps to maintain their online privacy. Clearing cookies, using a virtual network and encrypting their email are some of the actions taken. Still, 61% say that they would like to do more to protect themselves.

Information sharing by business

While businesses collecting and sharing your information is nothing new, recent changes require that companies clearly inform you of what their intentions are when collecting that information. The reason why the company collects your data will vary, though generally companies use it to improve customer experience, assess their marketing strategy, or make money. The relationship around data privacy is a give and take between both consumers and data collectors. Businesses must be held accountable for the data privacy methods they have in place and be transparent about how they use the data they harvest. It’s also imperative that consumers know their rights and ability to impact how companies collect and use their information.

Notice when recording phone calls

Generally, the biggest concern when recording phone calls is consent. Many states are one-party consent states, meaning that phone calls can be recorded as long as one person consents. But what is considered consent? Think about when you call a customer service line and hear the ever-identifiable “this call may be monitored or recorded…” message. When a caller continues with the call, many states take that as implied consent.

There are 11 states that require both parties to consent to the recording: California, Delaware, Florida, Illinois, Maryland, Montana, Nevada, New Hampshire, Pennsylvania and Washington. Regardless of which law the state follows, there are sometimes exceptions to the rules, which include police recordings, court orders, and emergency services.

Breach notification laws

Every single state has a data breach notification law in place, although some states were slower than others to adopt one. Still, many states are actively amending their laws and expanding the definitions they hold. States like New Jersey, New York, and Oregon have broadened the scope of what is protected and established what regulations they impose on companies. Breach notification laws require that companies notify consumers of any data breaches involving personal or otherwise identifying information. Each law has a specified time frame in which action needs to be taken.

Data disposal

Data disposal laws are concerned with what happens to your information when the company no longer wants to store it. To prevent unauthorized access, both government and private agencies are required to destroy or make indecipherable information in consumer reports. The Federal Trade Commission has imposed a disposal rule that outlines what the rule applies to and what constitutes proper disposal. Proper disposal of consumer records should be a part of every company’s security program.

Understandably, the mashup of federal and state laws can be hard to navigate. This table can help you break it down.

| State | Title | Type of Law |
| --- | --- | --- |
| Alabama | SB318 | Data breach notification |
| Alaska | Alaska Stat. § 45.48.010 | Data breach notification |
| Alaska | Alaska Stat. § 45.48.500 | Data disposal |
| Arizona | Ariz. Rev. Stat. § 41-151.22 | e-reader |
| Arizona | A.R.S. §§ 18-55 | Data breach notification |
| Arizona | Ariz. Rev. Stat. § 44-7601 | Data disposal |
| Arkansas | Ark. Code §§ 4-110-105 | Data breach notification |
| Arkansas | Ark. Code §§ 4-110-104(b) | Consumer data |
| Arkansas | Ark. Code §§ 4-110-104(a) | Data disposal |
| California | Cal. Civ. Code §§ 1798.100 et seq. | Consumer data |
| California | Cal. Bus. & Prof. Code § 22948.20 | Consumer data |
| California | Cal. Civ. Code §§ 1798.81 | Data disposal |
| California | Calif. Bus. & Prof. Code §§ 22580-22582 | Children’s online privacy |
| California | Cal. Ed. Code § 99122 | Online services and websites |
| California | Cal. Civ. Code §§ 1798.130(5), 1798.135(a)(2)(A) | Online services and websites |
| California | Calif. Bus. & Prof. Code § 22575-22578 (CalOPPA) | Online services and websites |
| California | Calif. Bus. & Prof. Code § 22575 | Online services and websites |
| California | Cal. Civ. Code §§ 1798.83 to .84 | Information sharing |
| Colorado | Colo. Rev. Stat. § 6-1-716 | Data breach notification |
| Colorado | Colo. Rev. Stat. § 6-1-713 | Data disposal |
| Connecticut | Conn. Gen. Stat. § 42-471 | Data disposal |
| Connecticut | Conn. Gen Stat. § 36a-701b | Data breach notification |
| Delaware | Del. Code § 1204C | Children’s online privacy |
| Delaware | Del. Code tit. 6, § 1206C | e-reader |
| Delaware | Del. Code Tit. 6 § 205C | Information sharing |
| Delaware | Del. Code tit. 6 § 5002C | Data disposal |
| Florida | Fla. Stat. §§ 501.171(3)-(6) | Data breach notification |
| Florida | Fla. Stat. §§ 501.171(2) | Consumer data |
| Florida | Fla. Stat. §§ 501.171(8) | Data disposal |
| Georgia | Ga. Code §§ 10-1-910 et. seq. | Data breach notification |
| Georgia | Ga. Code §§ 10-15-2(b) | Data disposal |
| Hawaii | Haw. Rev. Stat. § 487N-2 | Data breach notification |
| Hawaii | Haw. Rev. Stat. §§ 487R-2 | Consumer data and data disposal |
| Idaho | Idaho Code § 67-831 through § 67-833 | Data breach notification |
| Illinois | 20 ILCS § 450 | Consumer data |
| Illinois | 815 ILCS § 530/45 | Consumer data |
| Illinois | 815 ILCS §§ 530/1 to 530/25 | Data breach notification |
| Illinois | 815 ILCS § 530/30 | Data disposal |
| Indiana | Ind. Code §§ 4-1-11 et. seq | Data breach notification |
| Indiana | Ind. Code §§ 24-4-14-8 | Data disposal |
| Iowa | Iowa Code §§ 71.C.1 – 715C.2 | Data breach notification |
| Kansas | Kan. Stat. § 50-7a01 et seq. | Data breach notification |
| Kentucky | KRS § 365.732 and KRS § 61.931 to 61.934 | Data breach notification |
| Kentucky | KRS § 365.725 | Data disposal |
| Louisiana | La. Rev. Stat. §§ 51:3071 et seq. | Data breach notification |
| Maine | 35-A MRSA § 9301 (active 7/1/20) | Online services and websites |
| Maine | Me. Rev. Stat. tit. 10 § 1346 et seq | Data breach notification |
| Maryland | Md. State Govt. Code § 10-624 (4) | Information sharing |
| Maryland | Md. State Govt. Code §§ 10-1303 | Data disposal |
| Maryland | Md. Code Com. Law §§ 14-3504 | Data breach notification |
| Massachusetts | Mass. Gen. Laws § 93H-3 | Data breach notification |
| Massachusetts | Mass. Gen. Laws § 93H-2 | Consumer data |
| Massachusetts | Mass. Gen. Laws § 93I-2 | Data disposal |
| Michigan | Mich. Comp. Laws §§ 445.72 | Data breach notification |
| Michigan | Mich. Comp. Laws §§ 445.72a | Data disposal |
| Minnesota | Minn. Stat. §§ 325M.01 to .09 | Online services and websites |
| Minnesota | Minn. Stat. §§ 325E.64 | Data breach notification |
| Mississippi | Miss. Code § 75-24-29 | Data breach notification |
| Missouri | Mo. Rev. Stat. §§ 182.815, 182.817 | e-reader |
| Missouri | Mo. Rev. Stat. § 407.1500 | Data breach notification |
| Montana | Mont. Code §§ 30-14-1701 et seq | Data breach notification |
| Montana | Mont. Code §§ 30-14-1703 | Data disposal |
| Nebraska | Neb. Rev. Stat. §§ 87-801 et seq. | Data breach notification |
| Nebraska | Neb. Stat. § 87-302(15) | Inaccuracies in privacy policies |
| Nevada | NRS § 603A.300 | Consumer data |
| Nevada | NRS § 603A.340 | Information sharing |
| Nevada | SB 220 | Online services and websites |
| Nevada | NRS § 205.498 | Online services and websites |
| New Hampshire | N.H. Rev. Stat. §§ 359-C | Consumer data, information sharing, data breach notification, data disposal |
| New Jersey | N.J. Rev. Stat. §§ 56:8-163 | Data breach notification |
| New Jersey | N.J. Rev. Stat. §§ 56:8-162 | Data disposal |
| New Mexico | 2017 H.B. 15, Chap. 36, Section 6 | Data breach notification |
| New Mexico | 2017 H.B. 15, Chap. 36, Section 3 | Data disposal |
| New Mexico | 2017 H.B. 15, Chap. 36, Section 4 | Consumer data |
| New York | S5575B | Consumer data |
| New York | N.Y. Gen. Bus. Law § 399-H | Data disposal |
| New York | 23 NYCRR 500 | Data breach notification |
| Oregon | ORS § 646.607 | Information sharing |
| Oregon | SB684 | Data breach notifications |
| North Carolina | N.C. Gen. Stat. § 75-65 | Data breach notifications |
| North Carolina | N.C. Gen. Stat. § 75-65 | Data disposal |
| North Dakota | N.D. Cent. Code §§ 51-30-01 et seq | Data breach notifications |
| Ohio | Ohio Rev. Code §§ 1347.12 and Ohio Rev. Code §§ 1349.19 et seq | Data breach notifications |
| Oklahoma | 24 OK Stat § 24-163 (2016) | Data breach notifications |
| Oregon | Oregon Rev. Stat. § 646A.604 | Data breach notifications |
| Oregon | Oregon Rev. Stat. § 646A.622 | Data disposal |
| Pennsylvania | 18 Pa. C.S.A. § 4107(a)(10) | Inaccuracies in privacy policies |
| Pennsylvania | 73 P.S. §§201-1 – 201-9.2 | Consumer data |
| Rhode Island | R. I. Gen. Laws §§ 11-49.3-1 to .3-6 | Data breach notification |
| Rhode Island | R. I. Gen. Laws § 6-52-2 | Data disposal |
| South Carolina | S.C. Code Ann. § 30-2-40 and S.C. Code Section 30-2-20 | Consumer data |
| South Carolina | S.C. Code SECTION 39-1-90 | Data breach notification |
| South Carolina | S.C. Code Section 37-2-190 | Data disposal |
| South Dakota | SD SB62 | Data breach notification |
| Tennessee | Tenn. Code §§ 47-18-2107 | Consumer data |
| Tennessee | Tenn Code §§ 8-4-119 | Data breach notification |
| Tennessee | Tenn Code § 39-14-150(g) | Data disposal |
| Texas | Tex. Bus. & Com. Code § 521.053 | Data breach notifications |
| Texas | Tex. Bus. & Com. Code § 521.052(a) | Consumer data |
| Texas | Tex. Bus. & Com. Code § 521.052(b) | Data disposal |
| Utah | Utah Code §§ 13-37-201 to -203 | Information sharing |
| Utah | Utah Code § 13-44-201(1)(a) | Consumer data |
| Utah | Utah Code § 13-44-202 | Data breach notifications |
| Utah | Utah Code § 13-44-201(1)(b) | Data disposal |
| Vermont | NRS § 603A.300 | Consumer data |
| Virginia | Va. Code §§ 18.2-186.6. | Data breach notifications |
| Virginia | Va. Code § 59.1-442 | Information sharing |
| Washington | Wash. Rev. Code §§ 19.255.010 | Data breach notifications |
| Washington | Wash. Rev. Code §§ 19.215.030 | Data disposal |
| West Virginia | W.V. Code §§ 46A-2A-101 | Data breach notifications |
| Wisconsin | Wis. Stat. § 134.98 | Data breach notifications |
| Wisconsin | Wis. Stat. § 134.97 | Data disposal |
| Wyoming | Wyo. Stat. §§ 40-12-501 et seq. | Data breach notification |
| District of Columbia | D.C. Code §§ 28-3851 et seq. | Data breach notification |
| Puerto Rico | 10 L.P.R.A. § 4051 | Consumer data and data breach notification |

Quick Tips to Protect Data at Home

Possible security breaches and companies collecting your information are only one facet of data safety. Your data is also susceptible to being stolen or compromised by hackers. Thankfully, there are a number of things you can do at home to combat them. You don’t need advanced tech skills or world-class equipment; these are things you can do on your home computer.

Security software

Installing security software on your computer is one of the first steps you should take. Security software keeps your computer healthy and your information safe from attacks or computer viruses. Make sure you stay up to date with any and all updates of your software. It’s easy to close out the persistent pop-up box that reminds you to update, but don’t ignore it! Security software is especially important if you are regularly connected to public WiFi networks. While most in-home routers are encrypted, there is no way to know if the internet you are connecting to is safe.

Use a password manager

Using the same password for everything leaves you vulnerable to potentially giving someone access to all of your information. But remembering a gaggle of passwords is no easy feat. Using a password manager is an easy way to ease the burden. Password managers are designed to generate long and complicated passwords that are less likely to be compromised. Your passwords are encrypted and can only be accessed through the master password you create. Depending on the password manager, it may offer an automatic fill feature that kicks in when you go to a page you have a saved password for.

Back up your data

In the event that your information is lost, compromised or stolen, backing up your data is a way to make sure all of your hard work and cherished memories are not lost. When you back up your data, you’re making a copy that is not stored on your computer. Whether you use a local storage option or the cloud, the point is to make your files unavailable to anyone else except you.

Data encryption

Data encryption is an essential way to keep your personal information safe. It works by taking readable text from an email or document and scrambling it into an unreadable cipher text. Encrypting your data will secure it not only on your computer, but also when it is transmitted over the internet. For the information to revert back to its original form, both the sender and recipient have to have the encryption key.

What to do After a Data Breach

So you’ve heard on the news or received an email that there has been a breach and your data may have been affected. A security breach does not automatically mean someone is going to steal your identity. Before you panic, use these steps to help you through the process.

1. Confirm if you were affected by the security breach

Beware of scammers attempting to coax more information out of you with fake emails. If you receive an email that a breach has occurred, contact the company directly to confirm. Do not reply to the email.

2. Find out what information was compromised

What you do after a security breach may vary slightly depending on the type of company that was breached. You should tailor your response to the circumstances and to what information was stolen. If you find that you are the victim of the security breach, don’t pass up the company’s offer to help.

3. Change your passwords

The next important step to take is to address your personal security. Update your login information and security questions for all of your sensitive accounts – not just the ones affected by the breach. Take this time to add two-factor authentication to your login process to give your accounts another layer of security.

4. Contact a credit reporting bureau to report

To make sure you aren’t the victim of identity theft, call any of the major credit reporting bureaus and have them file a fraud alert on your name. This alert makes it harder for someone to open new accounts under your name and lasts for one year. Additionally, you may also consider putting a credit freeze on your report, which will restrict access to your credit report. Bear in mind this will require you to manually lock and unlock your credit report when filing for new lines of credit, like a rewards card or a house.

5. Monitor all accounts closely

Finally, after you’ve changed your passwords and placed a fraud alert in your name, the last thing to do is closely monitor your account for any suspicious activity. A fraud alert and credit freeze will make it harder for thieves to open new accounts, though it does not guarantee safety to the accounts they may already have access to.

Helpful resources

Knowing your data is being collected is one thing; knowing your rights and what power you have is another thing entirely. Check out these resources to make sure you’re as prepared as possible.

About the Authors

Taylor Leamey


Taylor Leamey is a feature writer for Reviews.com. After graduating with a BS in Psychology and Sociology, she worked as a retail copywriter before joining the Reviews team in October 2019. In her spare time, Taylor enjoys painting and spending time with her cats.