U.S. State Privacy Laws
America faces a data privacy crisis. For more than two decades, without any meaningful restrictions on their business practices, powerful technology companies have built systems that invade our private lives, spy on our families, and gather the most intimate details about us for profit. Through a vast, opaque system of databases and algorithms, we are profiled and sorted into winners and losers based on data about our health, finances, location, gender, race, and other personal characteristics and habits.
Despite wide recognition of these harmful practices, Congress has failed to pass a comprehensive federal privacy law. To fill this void, an increasing number of states have passed laws that aim to protect people’s privacy and security. However, these laws largely fail to adequately protect consumers. A report by EPIC and U.S. PIRG Education found that of the 14 states that have passed comprehensive consumer privacy legislation, nearly half received failing grades, and none received an A.
Weak, industry-friendly laws allow companies to continue collecting consumers’ personal data without meaningful limits. Consumers are granted rights that are difficult to exercise, and they cannot hold companies that violate their rights accountable in court.
Big Tech has played a big role in the passage of weak state privacy bills. Of the 14 laws states have passed so far, the vast majority closely follow a model that was initially drafted by industry giants such as Amazon. In an analysis of lobbying records in 31 states that heard privacy bills in 2021 and 2022, The Markup identified 445 active lobbyists and firms representing Amazon, Meta, Microsoft, Google, Apple, and industry front groups. This number is likely an undercount.
Laws should not be written by the companies they regulate. Allowing Big Tech to shape our privacy rules enables them to consolidate their already outsized power in the economy and in our lives. Privacy rules should balance the scale in favor of the billions of people who rely on the internet in their day-to-day lives.
A strong comprehensive consumer privacy law would:
- impose meaningful data minimization obligations on companies that collect and use personal information – taking the burden off of individuals to manage their privacy online and instead requiring entities to limit their data collection to better match consumer expectations;
- strictly regulate all uses of sensitive data, including health data, biometrics, and location data;
- establish strong civil rights safeguards online and rein in harmful profiling of consumers;
- provide strong enforcement and regulatory powers to ensure the rules are followed; and
- enable consumers to hold companies accountable for violations in court.
A better future is possible, and the tide is beginning to turn. Lawmakers are not satisfied with weak bills that protect Big Tech’s harmful business practices more than their constituents’ privacy. And after watching another failed congressional attempt to pass a national privacy law, state legislators realize this urgent issue is up to them to solve.
In 2024, states including Illinois, Maine, Massachusetts, and Vermont considered strong legislation that would force changes to the abusive data practices driving commercial surveillance and online discrimination while allowing businesses to continue to innovate. Maryland passed a landmark state privacy law with strong data minimization provisions and a ban on the sale of sensitive data. We can have a strong technology sector while also protecting personal privacy. And EPIC is happy to work with state legislators who want to advance this vision.
A Model: The State Data Privacy Act
With many states now having enacted similar privacy laws, we have heard from many lawmakers that they would prefer to strengthen existing state laws rather than enact an entirely new legislative framework. With this feedback in mind, EPIC and Consumer Reports crafted a model privacy bill, the State Data Privacy Act, that builds upon several existing state laws. The model bill takes the base text of the Connecticut Data Privacy Act (CTDPA), often cited by industry as a model for other states to adopt, and incorporates additional privacy protections.
CTDPA is far too weak, but it is an established bill that many state lawmakers are already familiar with. Strengthening the CTDPA provides consistency for businesses while giving consumers meaningful privacy protections.
We were pleased to work with our colleagues at Consumer Reports on this model legislation. The goals of the State Data Privacy Act are to:
- Limit ubiquitous online tracking;
- Encourage more privacy-protective methods of online advertising;
- Protect the most sensitive data, including data about kids and teens;
- Use language from existing state laws; and
- Allow for meaningful enforcement of the law to ensure compliance.
The State Data Privacy Act borrows existing language from strong state laws and federal bills wherever possible. Borrowing existing language reduces the chances of conflicts of law and, in many cases, also represents years of deliberation and stakeholder discussions. Because our organizations have been involved in privacy advocacy at the state level for many years, we are familiar with recurring patterns of contention and compromise between businesses and consumer privacy advocates. While this draft does not represent the ideal privacy bill for any of the signatory organizations, it is a compromise that would meaningfully protect consumers.
The State Data Privacy Act has been endorsed by the Center for Democracy and Technology, the U.S. Public Interest Research Group, and Public Knowledge.
Learn more about the State Data Privacy Act here.
Sectoral State Privacy Laws
States also have a long history of passing privacy laws focused on narrow topics of concern to their citizens. All 50 states have enacted data breach notification laws. A number of states have regulated biometric data, genetic data, and health data privacy. Many states have enacted laws prohibiting the sharing of non-consensual intimate images. And states are increasingly regulating the development and use of artificial intelligence.
EPIC has expertise on these and many more privacy-related topics and is happy to be a resource to policymakers considering legislation on these topics.
Issue Areas
- State Artificial Intelligence Policy: States and municipalities are increasingly taking interest in Artificial Intelligence and filling the gaps left by federal inaction on algorithmic transparency. States and cities have taken different routes, from notification and task forces to minimum privacy standards.
- State Auto Black Boxes Policy: Automobile Event Data Recorders (a.k.a. “black boxes” or EDRs) are built into more than 90% of new cars. EPIC, joined by privacy and civil rights organizations, has urged the National Highway Traffic Safety Administration (NHTSA) to protect driver privacy.
- California Consumer Privacy Act (CCPA): Information for California residents on how to exercise your rights under the CCPA.
- State Consumer Data Security Policy: The lack of a federal Consumer Privacy Bill of Rights means states must pass their own policies to protect their residents from data breaches and mishandling of personal information.
- State Data Breach Notification Policy: Florida’s Information Protection Act is one of the most comprehensive data breach notification laws in the United States.
- State Drone and UAV Policy: Aerial surveillance by drones within the United States raises significant privacy issues. These vehicles can gather detailed information on individuals.
- State Expungement Policy: Some states permit individuals who are arrested, but not convicted, to expunge their arrest records. Others permit some convicts to apply for expungements after time has passed from the completion of their sentences.
- State Facial Recognition Policy: Many local municipalities have enacted restrictions on facial recognition technology and face surveillance.
- State Genetic Privacy Policy: Many states have passed laws governing the use of genetic data, but most of these laws do not provide meaningful safeguards or limit the use of genetic information.
- State Location Privacy Policy: Many laws still authorize law enforcement agents to gather sensitive location information without probable cause or adequate judicial oversight. Some states have already taken steps to remedy that issue.
- State Law Enforcement Body Camera Policies: EPIC has stressed that if body cameras are deployed, police departments must comply with all privacy and open government laws.
- State Revenge Porn Policy: Currently, federal law does not provide a remedy to victims of nonconsensual pornography (commonly referred to as “revenge porn”), but some states have enacted laws prohibiting it.
Preemption
About Preemption
In the context of legislation, preemption refers to whether a law restricts the authority of states, counties, or cities to enact or enforce their own policies. Preemption is an issue of legislative power–if the federal government preempts the states on a field of law, that action effectively expands the jurisdiction of Congress to the detriment of states and local governments. Congress’ power to preempt state and local laws stems from the Supremacy Clause of the U.S. Constitution.
Federal preemption can take two forms–federal floor and federal ceiling preemption. In most consumer and civil rights legislation, federal law serves as a floor of protections. This “federal floor preemption” only supersedes weaker state laws, and it allows states, counties, and local governments to pass stronger laws. Under federal floor preemption, federal law only supersedes state and local law that conflicts with or is contrary to federal law.
Historically, Privacy Law Allows States to Provide Greater Protections
In privacy and consumer protection law, federal ceiling preemption is an aberration. Historically, federal privacy laws have not preempted stronger state protections or enforcement efforts. Federal consumer protection and privacy laws, as a general matter, operate as regulatory baselines and do not prevent states from enacting and enforcing stronger state statutes. The Electronic Communications Privacy Act, the Right to Financial Privacy Act, the Cable Communications Privacy Act, the Video Privacy Protection Act, the Employee Polygraph Protection Act, the Telephone Consumer Protection Act, the Driver’s Privacy Protection Act, and the Gramm-Leach-Bliley Act all allow states to craft protections that exceed federal law.
Although the federal government has enacted privacy laws, most privacy legislation in the United States is enacted at the state level. Many states have privacy legislation on employment privacy (drug testing, background checks, employment records), Social Security Numbers, video rental data, credit reporting, cable television records, arrest and conviction records, student records, tax records, wiretapping, video surveillance, identity theft, library records, financial records, insurance records, privileges (relationships between individuals that entitle communications to privacy), and medical records.
The National Association of Attorneys General Privacy Subcommittee has also argued that the states have a traditional role in regulating privacy:
Consumer protection has traditionally been an area where the states’ power to ensure fair competition and informed consumer choice has been preserved, not eliminated. This structure has worked well for many years and no need to alter it in the area of privacy has been demonstrated. Preemption of state law will only undermine consumer confidence in their dealings with the financial institutions, e-tailers and other on and offline businesses. This conclusion is especially powerful with respect to financial information, where Congress has already recognized the utility of privacy protections enacted at the state level.
There is a presumption in American law that state and local governments are primarily responsible for matters of health and safety. Hillsborough County v. Automated Medical Laboratories, 471 U.S. 707 (1985) (there is a “presumption that state or local regulation of matters related to health and safety is not invalidated under the Supremacy Clause”). Privacy is included in the category of health and safety issues as an area of regulation historically left to the states. For instance, in Hill v. Colorado, the Supreme Court upheld a law protecting the privacy and autonomy of individuals seeking medical care, as the law was intended to serve the “traditional exercise of the States’ ‘police power to protect the health and safety of their citizens.'” 530 U.S. 703 (2000).
Recent Documents on U.S. State Privacy Laws
- Publications: The State Data Privacy Act. In our State Data Privacy Act, we set forth a compromise bill built on existing state laws that meaningfully protects privacy while encouraging innovation.
- Publications: AI Legislation Scorecard.
- Amicus Brief: Vita v. New England Baptist (Massachusetts Supreme Judicial Court). Whether patients reasonably expect that, when seeking information from the website about specific symptoms, conditions, and medical procedures, their inquiries about such medical issues would be automatically shared with tech companies and advertisers.
Top Updates
California Rolls Out New Privacy Resource
December 23, 2024