Does Your Address Impact Your Online Privacy?

Where you live has a huge impact on several important aspects of your life, including your access to healthcare, quality of education, and your exposure to toxic pollutants. Many Americans are aware of how their state, city, and neighborhood of residence impact these facets of society, but few are equally aware of the extent to which one’s address affects less visible dimensions - like whether or not you have the right to know who is tracking you online and profiting off of your browsing data.

Within the United States, we often forget how many of the laws that govern our reality are at the state and local level and not the national level. Laws that govern to what extent companies are required to inform consumers about how their information is used, as well as laws that govern whether or not consumers have the right to deny companies the ability to log and sell their data, differ drastically by location. A state line, in many cases, is the difference between being able to withhold, delete, or even access personal data collected by websites and having no rights over your private information whatsoever.

While there are multiple categories of privacy laws that exist at the state level, we will take a look at the two largest categories to compare how privacy rights differ across states: policies about businesses and consumer privacy laws.

Privacy Laws for Businesses

California, Connecticut, Delaware, Nevada, Oregon, and Utah have some sort of legislation requiring businesses to accurately inform their customers of the business’s practices of collecting personal information over the Internet and for what purposes that information is used, including whether it may be shared with or sold to third parties. Even though only six states have such legislation, this is the most prevalent type of privacy law at the state level. However, these laws range from extremely limited in scope (such as Oregon’s) to fairly broad and extensive (such as California’s four laws addressing the subject.)

Oregon and Connecticut

Oregon’s business privacy law, (ORS § 646.607) is the most basic of these laws because it does not set a minimum standard requiring businesses to inform customers of how their information is used; it only outlaws inaccurate or misleading privacy statements. While this hardly even constitutes a business privacy policy, misleading privacy statements are not explicitly illegal in most states, and therefore Oregon deserves at least a mention for this piece of legislation. Connecticut General Statute § 42-471 does set a minimum standard, but only for businesses that collect Social Security Numbers; it requires these businesses to create a policy that protects the confidentiality of SSNs and to prominently display notice of the practice and policy on their website.

Delaware and Nevada

Delaware’s law (Delaware Code Title 6 § 205C) holds businesses to a significantly higher standard than Oregon or Connecticut, requiring all commercial websites and apps to prominently display their privacy policies on the site and setting requirements for what those policies must include. Nevada’s policy (NRS § 603A.340) is similar to Delaware’s but goes slightly further, instructing businesses to also provide consumers with the information needed to review and edit their information if they desire.

California and Utah

California establishes the highest standard for online platforms of any state by far. Instead of a single law addressing standards for businesses or requiring public notice of privacy policies, California has passed three laws (Business and Professional Code § 22575-22578; Civil Code §§ 1798.130(5) and 1798.135(a)(2)(A); Education Code § 99122) detailing online privacy requirements for businesses, as well as one law that addresses business privacy policy on- and offline. The most notable feature of these policies is the requirement for businesses to prominently display and conform to a privacy policy that includes the following:

  • The types of personally identifiable information collected by the business,
  • Third parties with which the business may be sharing that information,
  • A description of California’s Consumer Rights and a “Do Not Sell My Information” button. (We will explore consumer rights laws, including California’s, in the following section.)

Two states, California and Utah, not only establish privacy policy requirements for online data collection by businesses, but also for any personal information collected from consumers. California’s "Shine the Light Law" (California Civil Code §§ 1798.83 to .84) requires all nonfinancial businesses, regardless of whether they are collecting that information through their website(s), to inform customers of what information is being shared with or sold to any third parties and provides customers with the right to opt-out of sharing that information. Utah has a similar but less extensive version of the same law (Utah Code §§ 13-37-201 to -203) which likewise requires all businesses to inform customers of what information is being shared or sold in any capacity, but does not allow consumers to choose not to share their information.

Consumer Privacy Laws

Only three states -- California, Nevada, and Vermont -- have laws that reserve individual consumers' rights over their data, meaning that residents of all other 47 states have no control over who can track, log, and sell their personally-identifying information. While the aforementioned business privacy laws create requirements for website operators to meet a privacy standard and inform consumers of their policy, consumer privacy laws go further by establishing explicit rights for the consumer, including the right to deny websites and data brokers the right to collect their information.

Vermont

Vermont’s consumer privacy law (9 V.S.A § 2446-2447) is the most narrow in scope of the three states, as it specifically applies to data brokers. Data brokers are defined by the National Conference of State Legislatures as “businesses that knowingly collect and license the personal information of consumers with whom such businesses do not have a direct relationship.” Vermont’s law employs several mechanisms to protect consumers from data brokers. Data brokers must register annually with the Vermont Secretary of State and disclose publicly what types of information collection consumers may opt-out of as well as the method by which they can do so. Data brokers must also meet a standard for comprehensive data security and inform consumers of that policy. Consumers must be informed if their data is being collected and data brokers must provide their name, email, and address to consumers. The law likewise expressly forbids data brokers from acquiring personal information through fraudulent means or for the purpose of harassment, as well as prohibiting businesses from charging fees for credit freezes. Because this law exists to create privacy requirements for data brokers, it kind of straddles the line between a business and consumer privacy law - but what sets apart this policy from the previously mentioned business privacy laws is that it reserves rights over personal information to the consumer in addition to requiring transparency on the behalf of businesses.

California

California also has a privacy law that applies to data brokers (California Civil Code §§ 1798.99.80 et seq), and it is similar to Vermont’s in that it requires data brokers to register with the California Attorney General and publicly provide information about their practices. While California’s data broker policy is less extensive than Vermont’s, the state has several additional privacy laws that add up to far more comprehensive protections for consumers overall. The first of these policies is California Business & Professional Code § 22948.20, which protects consumers from the collection of recordings of their voice using voice recognition features without consent as well as forbidding businesses from selling voice recordings, using them for advertising purposes, and from creating voice recognition features specifically for law enforcement to monitor communications. As epitomized by the discourse surrounding Amazon Ring, consumer rights are being violated nationwide as voice and video footage is collected by businesses, used for marketing, and shared with police departments without a warrant (which is legal through the PATRIOT Act). This California law seeks to restore some degree of control to the consumer over recordings made of their voice.

California’s Consumer Privacy Act of 2018 (CCPA) provides the most privacy rights to consumers of any law in the country. The CCPA is the first broad consumer privacy legislation that provides consumers the ability to deny any website the right to sell their personal information at the click of a button, as well as the right to know what information is being collected and request that information be changed or deleted.

Nevada

Nevada’s consumer privacy law (NRS § 603A.300) is built upon the state’s previous business privacy laws to provide consumers with many of the same rights as in California. Like in California, Nevada consumers can request that their data not be sold to third parties. However, the law also excludes several protections included in the CCPA, making it weaker protection for consumers overall. Most notably, the Nevada consumer privacy act:

  • More narrowly defines who a “consumer” is to be someone who seeks to acquire a good or service, rather than any state resident,
  • More narrowly defines “selling data” to mean exchanging information for monetary gain, while California’s definition includes any sharing of personally identifiable information,
  • Allows anyone of any age to opt-out of the sale of their data, as opposed to California’s law which requires those under 17 to opt-in,
  • Requires websites to provide a “designated request address” to which consumers may submit a request to opt-out from the sale of their data, which is much more effort on the consumer’s behalf than California’s mandated one-click “Do Not Sell My Information” button.

There have been several “CCPA copycat bills” introduced in state legislatures across the United States, but all have failed before reaching the floor except for one - North Dakota’s 2019 H.B. 1485. While ND H.B. 1485 was originally a less extensive version of the CCPA - allowing consumers the right to opt-out of having their data sold but not the ability to delete their information after consent was given - it was whittled down even more on the legislative floor to the point where it doesn’t even qualify as a consumer rights law. The law signed by Governor Burgum in April 2019 provided for a study of “protections, enforcement, and remedies regarding the disclosure of consumers' personal data” and that “the legislative management shall report its findings and recommendations, together with any legislation required to implement the recommendations, to the sixty-seventh legislative assembly” (North Dakota House Journal, 2019). Hopefully, the results of the ongoing study will lead to significant consumer privacy legislation in North Dakota in the future, and other states will also follow in California’s footsteps to protect their residents’ privacy.

Looking Ahead

Business standards can and do exist without actual consumer rights. Only two states - California and Nevada - have passed privacy legislation that establishes standards for businesses and separate legislation that reserves rights for consumers. Without the ability to opt-out of practices that one perceives as a privacy violation, such as selling personal information to third parties, being informed of a platform’s privacy policy has no actual impact on what is done with your information. For that reason, consumer rights are crucial for actual online privacy - and 285 million Americans have none.

The Electronic Frontier Foundation correctly points out that Congress must not pass legislation negating or softening state consumer privacy laws like those in California, Nevada, and Vermont. Currently, legislation in Congress such as the EARN IT Act of 2020 threatens to harm individual privacy rather than help it. Passing a national law that ensures consumer privacy rights is necessary and needs to be on Congress’s legislative agenda, but any such legislation must not foreclose state privacy laws and should provide real - not illusory - protections for consumers.


Support a free and open Internet. Get FreePN, a completely free, unlimited-bandwidth VPN.
success
We'll notify you when you get access to FreePN. Welcome to a free and open Internet!
Invite your friends to join the network!