How Online Privacy Laws Stack Up Across the United States
Cybercrime is projected to cost the world economy around $10 trillion a year by 2025. In response to this and other pressures, such as the rise of remote work and escalating cyber conflict with Russia, the US has passed a growing body of cybersecurity legislation.
Let’s take a look at what the US is currently doing on federal and state levels to protect your online privacy. I’ll also show you which states are best for online privacy and how you can protect your privacy if you live in one that falls short.
The State of Online Privacy in The US
Your online privacy – the extent to which your personal, financial, and browsing data remains private when you’re online – depends on where you are in the US. Online privacy laws differ from state to state. For example, in some states, it’s not illegal for sites and services to share your information with third parties or track your online activity.
Without adequate online privacy laws in place, companies can collect, store, share or sell your personal information for questionable ends. You could find you’re being charged more than others based on your online spending habits, income level, or location.
More troubling, a lack of online privacy and protection on websites leaves security holes that cybercriminals can use to steal your data or identity. Alaska alone saw an average loss of $500 per person due to cybercrime in 2021.
Online privacy laws give you more control over how sites and services collect, store, and use your data. This includes being able to access, view, or delete any of your personal data or opt out of certain data collection practices on websites. Online privacy laws may also reduce the amount of personal information cybercriminals can retrieve in a data breach.
The US does not have a unified privacy law that brings all the states under a single regulatory body. While there are some individual laws that protect user privacy, almost all of these exclusively focus on individual privacy rights and glaze over other aspects of privacy like consent, purpose definition, and legal basis of processing. We could therefore expect more laws (definitely more amendments) coming in this respect.
Rajesh Parthasarathy, CEO of Mage Data
The lack of cohesive online privacy laws in the US means it’s up to you to protect your privacy until such laws exist. PIA’s 50 Servers in 50 States Campaign is our attempt to give US citizens more control over their online data right now. You can use PIA to get an IP address from any US state, so your ISP cannot see which sites you visit and the sites you visit see only the VPN server’s address rather than your own.
Federal Digital Privacy and Security Laws
Currently, federal (nationwide) laws on digital privacy and security are well-meaning but narrow. Each tends to cover a single sector, issue, age group, or industry instead of providing a comprehensive solution for all consumers and companies. I’ll show you what I mean – here are a few of the major federal laws pertaining to online privacy today.
HIPAA’s Security Rule
The Health Insurance Portability and Accountability Act (HIPAA) is implemented through several regulations. The Privacy Rule sets national standards for the use and disclosure of protected health information (PHI) in any form; the Security Rule sets administrative, physical, and technical safeguards for PHI that is created, received, stored, or transmitted electronically (e-PHI).
Both rules apply to covered entities (health plans, healthcare clearinghouses, and healthcare providers that transmit health information electronically in connection with standard transactions) and, since the 2009 HITECH Act, to their business associates as well.
The Security Rule covers only e-PHI; paper and oral PHI fall under the Privacy Rule alone.
Federal Trade Commission Act (FTC Act)
Section 5 of the FTC Act prohibits unfair or deceptive acts or practices, and the FTC uses it to hold sites to the promises made in their privacy policies. The FTC’s Fair Information Practice Principles (notice, choice, access, security, and enforcement) describe what a site’s privacy notice should cover, including:
- How consumers can access and correct or delete their personal information.
- Whether the consumer has a say in how the site uses the information it collects.
- Parental control over the collection and use of information gathered from children.
- How the site safeguards the information it collects.
Sites should also have an enforcement mechanism, such as a self-regulatory program or legal remedies, to show they are following these practices.
The catch is that these principles govern disclosure, not behaviour. A site may still share or sell your data to third parties as long as it tells you that it does, whether you have any control over it, and what security it has in place. The FTC’s leverage comes when a site’s actual practices contradict its own privacy policy.
Electronic Communications Privacy Act (ECPA)
Enacted in 1986, the ECPA extended the federal Wiretap Act of 1968, which covered only telephone (wire) and oral communications, to electronic communications. It now protects communications such as email and other electronically transmitted data while in transit and, through its Title II, while in storage.
Title II of the ECPA, the Stored Communications Act (SCA), restricts when service providers may disclose stored content and subscriber records, including your name, billing records, and assigned IP addresses, to the government or other parties.
While email and electronically stored data are clearly covered, the wording of the ECPA leaves it unclear whether VoIP calls are protected.
Children’s Online Privacy Protection Act (COPPA)
Under COPPA, operators of sites and online services directed at children under 13, or that know they are collecting data from such children, must obtain verifiable parental consent before collecting or using a child’s personal information. Other notable protections in COPPA include:
- When and how verifiable consent must be obtained from a parent or legal guardian.
- The responsibilities the site’s operator has for the online safety and privacy of the child.
- Limits on the forms and amount of data that may be collected from children under 13.
The COPPA Rule does not mandate a single method of obtaining verifiable parental consent. Instead, the FTC lists several approved methods (for example, a signed consent form or a small credit-card transaction with notification) and allows operators to propose new ones.
Do Federal Laws Supersede State Laws?
As a general rule, federal law takes precedence over state law in the US. The Supremacy Clause of the Constitution provides that when a valid federal law conflicts with a state law, the federal law prevails. Even this is not absolute, however, and both levels of government have room to manoeuvre.
A state may challenge a federal law in court on the grounds that it exceeds Congress’s powers under the US Constitution. The reverse does not hold: a state cannot escape a valid federal law by arguing it conflicts with the state constitution. States may also add to or tighten requirements where the federal law does not preempt them.
On the other hand, the federal government can sue a state to block a law it considers preempted. A good example of this tug-of-war is California’s fight to keep its Internet Consumer Protection and Net Neutrality Act in place.
In September 2018, the Justice Department sued the State of California over its new net neutrality law, even though Governor Jerry Brown had already signed it. Then-Attorney General Jeff Sessions argued that regulating interstate commerce is the federal government’s job, not the states’.
The Attorney General took the position that the law was invalid because the FCC had repealed its nationwide net neutrality rules in 2017. The Justice Department dropped its suit in February 2021; the broadband industry’s parallel challenge continued, but a federal district court refused to block the law and the Ninth Circuit upheld that ruling in January 2022.
Enter the American Data Privacy and Protection Act
On June 3, 2022, a bipartisan group of House and Senate lawmakers released a discussion draft of the American Data Privacy and Protection Act (“ADPPA”), which was formally introduced in the House later that month. According to Omer Tene, attorney and speaker on data, privacy, and cybersecurity, it could supersede California’s law:
The biggest development these days is the three corner US federal privacy bill introduced in the House. If it passes, it will be a watershed event with implications greater than those of GDPR and CCPA. The bill introduces new concepts such as algorithm impact assessments, dark patterns and senior officer responsibility. It would greatly tighten regulation over data brokers and ad tech companies in the US. It would wipe out state privacy laws such as California’s, Virginia’s and Colorado’s, and provide individuals with a robust private right of action.
The bill has yet to pass. If it did, it would limit data collection, processing, and transfer to what is reasonably necessary and proportionate to provide or maintain the product or service the consumer requested.
The ADPPA would also prohibit, with narrow exceptions, the collection, processing, and transfer of Social Security numbers, biometric and genetic information, and non-consensual intimate imagery. Transfers of precise geolocation data, passwords, browsing history, and even physical-activity data from smartphones and wearables would be restricted as well.
The ADPPA is murkier on the policies and procedures around data collection, processing, and transfer. It asks companies to ‘consider’ reducing privacy risks to minors, and its obligations scale with a company’s size, the volume of data it handles, and other criteria.
Unfortunately, the words ‘reasonable’, ‘necessary’, and ‘consider’ appear often in the bill’s procedural requirements, and all of them leave room for interpretation. What is reasonable to one party is excessive to another, consideration is not compliance, and ‘necessary’ is in the eye of the data broker. It is less a cohesive solution than a starting point, but it would still be far more federal privacy protection than exists today.
Online Privacy Laws in Specific States
While individual states have become more diligent about online privacy, no single set of regulations covers the US as a whole, and a one-size-fits-all solution may not work anyway. Businesses, consumers, children, and federal and state entities each need clear, cohesive rules so everyone knows where they stand. Mark Bartholomew, Professor of Law at the University at Buffalo School of Law, shares similar concerns:
Digital privacy laws, at this point in time, are a frustrating hodgepodge, differing from jurisdiction to jurisdiction and business sector to business sector. Some of this is by necessity, but I wish there was greater legislative will for broader, consistent protections to help outmatched consumers and to provide businesses with more of a predictable playing field.
Online Privacy Laws Across the US

| Protection Level | Applies To | Adopted In |
|---|---|---|
| Ability to access, delete, or change personal data already collected by businesses | Consumer | UT, CA, VA, NV |
| Possibility to opt out of the collection/use of personal data | Consumer | CO, UT, VA, CA |
| Right to request that a business disclose what personal information it collects, the source, and how it’s used | Consumer | CA, UT, NV |
| Option to opt out of having personal data sold to third parties | Consumer | CO, NV, UT, VA |
| Requires ISPs to keep certain information about subscribers private, unless the subscriber requests otherwise | Consumer | NV, MN |
| ISPs must get permission from subscribers before disclosing a subscriber’s surfing habits or sites visited | Consumer | NV, MN |
| Prohibits ISPs from using, disclosing, selling, or permitting access to subscriber personal information except on request of the subscriber | Consumer | ME |
| Prohibits site or online service operators from advertising certain products to minors based on information specific to the minor, or knowingly using, disclosing, or compiling a minor’s information or allowing third parties to do so | Children | DE, CA |
| Permits minors to remove, or request removal of, personal content or information on online sites, services, and mobile apps | Children | CA |
| Requires the operator to disclose whether third parties are or may be conducting tracking on the operator’s site/service | Consumer | DE, CA |
| Requires operators to disclose how a site/service responds to ‘Do Not Track’ signals or similar transmissions | Consumer | CA |
| Prohibits knowingly making false or misleading statements in privacy policies | Consumer | NE, PA |
| Requires government sites or state portals to establish privacy policies or procedures, or to incorporate machine-readable privacy policies | Consumer | AZ, AR, CA, CO, DE, IA, IL, ME, MD, MN, MT, NY, SC, TX, UT, VA |
| Employers must give notice to employees prior to monitoring electronic communications or internet access | Employees | CT, DE, NY |
| Requires states and public entities to adopt policies regarding monitoring of public employee email | Employees | CO, TN |
| (A) Prohibits employers from requiring employees to download a mobile app to their personal devices that allows their location to be tracked or personal information to be revealed. (B) Prohibits any form of retribution for refusing or opposing any practice forbidden under (A). | Employees | HI |
| Private-sector employers must provide written notice on hiring that makes the employee aware if they are subject to electronic, internet, or phone monitoring | Employees | NY |
| Requires the state, and any subdivision thereof, that operates or maintains an electronic mail system to adopt a written policy on monitoring and when/why it conducts monitoring | Employees | CO, TN |
| Requires employers to make a statement available that electronic mail may be a public record under the Public Records Law and therefore subject to public inspection | Employees | CO, TN |
| Protects K-12 students’ personal information | Children | NJ |
Other Notable Online Privacy Laws

| Law | States |
|---|---|
| Has biometric data protection legislation in place | NY, IL, CA, TX, WA |
| Data disposal laws apply to both government and business entities | AL, AK, HI, IL, MA, AZ, AR, KS, MD, MI, NJ, OR, SC, WA |
| Data disposal laws apply to government entities only | VA, MN, TX |
| Data disposal laws apply to business entities only | CA, CO, CT, DE, FL, GA, IN, KY, LA, MT, NE, TN, VT, NV, NM, NY, NC, RI, UT, WI |
| Requires consent from all parties when recording calls of any kind | CA, CT, FL, IL, MD, MA, MT, NH, PA, WA |
| Has laws or legislation governing the use of artificial intelligence (AI) | AL, CO, IL, MS, NYC |
States With A Cybersecurity Task Force
In response to the rise in cybercrime, some states have created special task forces to deal with cyber threats. Currently, about 30 states have a task force or similar group in place. In only eight of them was the task force created by legislation; in the rest it was established by executive order.
(Table: US States with Specialized Cybercrime Task Forces – not reproduced here.)
Let’s now look at how the states compare when it comes to online privacy laws.
Our Ranking Criteria
We used five major criteria to determine which states had the best and worst online privacy protections in place. For each criterion, a specific set of questions was answered and the results were tallied for each state. Our criteria are as follows:
General Strength of Privacy Laws
✅ Does the consumer have a right to access, delete, or modify personal data?
✅ Can consumers opt-out of data collection and use?
✅ Are companies required to disclose data collection, source, and use information?
✅ Are ISPs required to protect online privacy under current legislation?
General Strength of Data Security Laws
✅ How do companies in each state safeguard consumer data?
✅ What methods are used to create and enforce privacy policies?
✅ How many forms of personal data are protected under law?
Presence of Data Broker Laws
✅ Do laws exist to monitor/regulate what type of information is collected?
✅ Do laws exist that prevent them from selling certain forms of information?
✅ What, if any, rights do consumers have in regard to data brokers?
Laws in Place to Protect Children’s Privacy
✅ Are laws in place to protect children aged K-9 while using the internet?
✅ Do parents/minors have the ability to remove data on request?
✅ Can third parties knowingly use, disclose, or collect a minor’s information?
Strength of Companies’ Data Collection Policies
✅ Are companies required to disclose what employee data they collect/store?
✅ Do employees have the right to delete personal data on request?
✅ Do employees have the right to opt out of third party sharing?
✅ Are companies required to inform employees of internet traffic and email monitoring?
Best & Worst US States for Online Privacy
The only state that met all five criteria was California, making it #1 in the US for online privacy. That is not surprising given that it is home to Silicon Valley and some of the largest tech companies in the world (including Apple, Meta, and Google). California’s data collection rules, which protect employees as well as consumers, are stronger than anywhere else in the US.
While companies can monitor internet use and email communications, they are required to notify employees of their monitoring and data collection policies when they are hired.
Consumers and children are equally protected under California law. Consumers can access, delete, and modify any personal information businesses collect about them. Minors also have the right to remove personal information from online sites, services, and mobile apps. All consumers can opt out of the collection and use of their personal data and can request that a business disclose what types of data it collects and how it’s used. Now let’s take a look at where the rest of the states ranked.
The California Age-Appropriate Design Code Act
In late August 2022, the California Legislature took a big step for minors’ online privacy when it passed the California Age-Appropriate Design Code Act (CA-ADCA).
Governor Gavin Newsom signed the bill into law on September 15, 2022. The law restricts data collection from users under 18 and requires online services likely to be accessed by children to default to high privacy settings. It also holds tech companies accountable by requiring them to estimate the age of their users with a reasonable level of certainty, or else apply the child-level protections to all users.
While technology firms and consumer rights advocates acknowledge that the law means well, they fear it infringes constitutional rights. The main concerns are that adults would be pushed through age checks to use ordinary services, and that it could cut teenagers off from critical sexual-health information and LGBTQ+ support resources.
Privacy advocates are also concerned that, because companies must implement age-estimation technology for California users anyway, they will roll it out nationwide to simplify compliance.
The CA-ADCA takes effect on July 1, 2024.
Runners-up met at least four of our criteria. Colorado, Connecticut, Utah, Nevada, New York, and Illinois each fell short on one. Here’s where each of them lost points:
- Colorado’s Privacy Act doesn’t extend to employee data.
- New York doesn’t have specific online privacy regulations for children’s data.
- Connecticut needs stronger protections for consumers’ online data.
- Utah’s privacy law places lighter obligations on businesses.
- Nevada doesn’t prevent the collection and use of biometric data in gambling establishments.
- In Illinois, employers can legally monitor email, phone, or computer use if they ‘believe’ there is a legitimate reason to.
States that Need Work
Most US states (around 30) fell in the mid-range category, meeting at least three of our criteria. Generally speaking, they had child protection, data security, and company data collection policy laws in place.
- Minnesota and Tennessee fell short on child protection and data security laws.
- Missouri, Idaho, Arizona, North Dakota, South Dakota, Massachusetts, Rhode Island, Kentucky, Maine, North Carolina, South Carolina, West Virginia, Arkansas, Georgia, Alabama, Louisiana, Montana, Delaware, New Hampshire, Vermont, Oklahoma, Iowa, Wisconsin, Michigan, Pennsylvania, Ohio, Wyoming, Indiana, Maryland, and New Mexico fell short on data broker laws and the general strength of their privacy laws.
Worst US States for Online Privacy
The states in this category met at most two of our privacy ranking criteria. Oregon, Kansas, New Jersey, Texas, Hawaii, Washington, Florida, and Mississippi have inadequate laws to protect consumers, children, and businesses. Where these states need work:
- Florida, Mississippi, and Hawaii don’t require websites to post privacy notices or policies.
- Texas doesn’t have online privacy laws for privately owned companies.
- Washington doesn’t have any special online privacy laws to protect children.
- In Kansas, a business doesn’t have to notify you of a breach if its investigation concludes your data has not been misused and is not reasonably likely to be misused.
- New Jersey has no comprehensive online privacy laws.
- Washington doesn’t cover video and audio recordings or physical/digital photos under its biometric data protection.
While federal laws offer some protection to consumers in these states, they aren’t all-encompassing. Most of these states don’t even require online companies to make clear how user information is obtained or used.
The absolute worst state in the US for online privacy is Alaska. It currently applies data disposal laws to businesses and government entities and has essentially none of the other online privacy protections in our criteria. A Consumer Data Privacy Act was introduced in the Alaska legislature in 2021, but even if it passes, it would not take effect until 2023.
For a more detailed view by state, you can find a bit more information on specific state laws in the table above.
Use PIA to Protect Your Digital Privacy in the US
Online privacy laws in the US are evolving, but not nearly fast enough to keep up with the ever-increasing threat of cybercrime. US citizens need to stay vigilant and take steps to protect their own online privacy until the laws catch up.
Private Internet Access is a great way to protect your online data and devices. We use strong, industry-standard encryption (256-bit AES) and modern VPN protocols to protect your data as it travels between your device and our servers. You also get MACE, an all-in-one ad, malware, and tracker blocker that stops threats at the DNS level — before they reach your device.
A VPN creates an encrypted data path between your computer/device and the VPN provider. This means that your ISP cannot see what is being communicated between those two points. It cannot determine what websites you are visiting. What you view and download is also hidden from your ISP. In addition, the websites you visit cannot determine your IP address and thus your geographic location. VPNs can also offer the ability to mask other data like the OS you are using.
Ani Chaudhuri, Co-Founder & CEO of Dasera
Check out the latest on our 50 Servers in 50 States campaign to see how you can get a secure IP address no matter where you are in the US. That way, you can maintain your digital privacy and security while the US develops adequate policies at the state and federal levels.
What does data privacy mean?
Data privacy is the amount of online privacy you have regarding your personal information, browsing habits, and online activities. While many of the US states have online privacy laws in place to protect data privacy on some level, no national standard exists. It’s important for citizens to not only advocate for but take control of their online privacy.
Is data privacy important?
Absolutely. Imagine people were allowed to follow you around tracking your day-to-day activities without you being able to do anything about it. No one would tolerate that in real life, so why accept it in the virtual world?
Unfortunately, restraining orders don’t exist for online trackers, other malicious software, or shady data brokers. Not yet anyway. That’s why defending your right to online privacy and security is crucial. PIA provides the strong security tools you need to keep your online activity and data private.
What’s the difference between data privacy and security?
Data security focuses more on how your data is protected from malicious threats, e.g., ensuring only authorized parties have access to it. Data privacy focuses on the responsible collection, storage, and use of your information, e.g., your right to delete or modify collected data.
Basically, data security aims to protect you from external threats while data privacy is focused on protecting your personal information.
PIA offers both data security (256-bit AES encryption of your traffic) and data privacy (masking your real IP address), so you can protect both no matter where you connect in the US.
Are there data privacy laws?
Data privacy laws are in place at the federal and state levels in the US, though individual state laws vary significantly from one state to the next. Currently, no federal or state law provides a singular set of regulations for data privacy.
A federal bill, the ADPPA, was introduced in June 2022 and would provide stronger nationwide privacy protections if passed.
Until then and even afterward, your best bet is to safeguard your personal information using a VPN. That way, you’ll take back control of your personal information regardless of where you are in the US.
How does PIA ensure my data is private?
PIA uses strong, industry-standard encryption (256-bit AES) to scramble your data in transit between your device and our VPN servers, so your ISP and anyone else on the path cannot read it.
With Private Internet Access, you can get an IP address from 84+ countries worldwide, including any state in the US. That means you won’t need to worry about activity-based throttling from your ISP or anyone tracking your online activity. If the VPN connection drops unexpectedly, our Kill Switch blocks traffic until it reconnects, so your real IP address isn’t exposed.
For even more protection, check out our dedicated IP VPN, with IP addresses in the US.