Where you live has a huge impact on several important aspects of your life, including your access to healthcare, quality of education, and your exposure to toxic pollutants. Many Americans are aware of how their state, city, and neighborhood of residence impact these facets of society, but few are equally aware of the extent to which one’s address affects less visible dimensions - like whether or not you have the right to know who is tracking you online and profiting off of your browsing data.
Within the United States, we often forget how many of the laws that govern our reality are at the state and local level and not the national level. Laws that govern to what extent companies are required to inform consumers about how their information is used, as well as laws that govern whether or not consumers have the right to deny companies the ability to log and sell their data, differ drastically by location. A state line, in many cases, is the difference between being able to withhold, delete, or even access personal data collected by websites and having no rights over your private information whatsoever.
While there are multiple categories of privacy laws that exist at the state level, we will take a look at the two largest categories to compare how privacy rights differ across states: policies about businesses and consumer privacy laws.
California, Connecticut, Delaware, Nevada, Oregon, and Utah have some sort of legislation requiring businesses to accurately inform their customers of the business’s practices of collecting personal information over the Internet and for what purposes that information is used, including whether it may be shared with or sold to third parties. Even though only six states have such legislation, this is the most prevalent type of privacy law at the state level. However, these laws range from extremely limited in scope (such as Oregon’s) to fairly broad and extensive (such as California’s four laws addressing the subject.)
Delaware’s law (Delaware Code Title 6 § 205C) holds businesses to a significantly higher standard than Oregon or Connecticut, requiring all commercial websites and apps to prominently display their privacy policies on the site and setting requirements for what those policies must include. Nevada’s policy (NRS § 603A.340) is similar to Delaware’s but goes slightly further, instructing businesses to also provide consumers with the information needed to review and edit their information if they desire.
Only three states -- California, Nevada, and Vermont -- have laws that reserve individual consumers' rights over their data, meaning that residents of all other 47 states have no control over who can track, log, and sell their personally-identifying information. While the aforementioned business privacy laws create requirements for website operators to meet a privacy standard and inform consumers of their policy, consumer privacy laws go further by establishing explicit rights for the consumer, including the right to deny websites and data brokers the right to collect their information.
Vermont’s consumer privacy law (9 V.S.A § 2446-2447) is the most narrow in scope of the three states, as it specifically applies to data brokers. Data brokers are defined by the National Conference of State Legislatures as “businesses that knowingly collect and license the personal information of consumers with whom such businesses do not have a direct relationship.” Vermont’s law employs several mechanisms to protect consumers from data brokers. Data brokers must register annually with the Vermont Secretary of State and disclose publicly what types of information collection consumers may opt-out of as well as the method by which they can do so. Data brokers must also meet a standard for comprehensive data security and inform consumers of that policy. Consumers must be informed if their data is being collected and data brokers must provide their name, email, and address to consumers. The law likewise expressly forbids data brokers from acquiring personal information through fraudulent means or for the purpose of harassment, as well as prohibiting businesses from charging fees for credit freezes. Because this law exists to create privacy requirements for data brokers, it kind of straddles the line between a business and consumer privacy law - but what sets apart this policy from the previously mentioned business privacy laws is that it reserves rights over personal information to the consumer in addition to requiring transparency on the behalf of businesses.
California also has a privacy law that applies to data brokers (California Civil Code §§ 1798.99.80 et seq), and it is similar to Vermont’s in that it requires data brokers to register with the California Attorney General and publicly provide information about their practices. While California’s data broker policy is less extensive than Vermont’s, the state has several additional privacy laws that add up to far more comprehensive protections for consumers overall. The first of these policies is California Business & Professional Code § 22948.20, which protects consumers from the collection of recordings of their voice using voice recognition features without consent as well as forbidding businesses from selling voice recordings, using them for advertising purposes, and from creating voice recognition features specifically for law enforcement to monitor communications. As epitomized by the discourse surrounding Amazon Ring, consumer rights are being violated nationwide as voice and video footage is collected by businesses, used for marketing, and shared with police departments without a warrant (which is legal through the PATRIOT Act). This California law seeks to restore some degree of control to the consumer over recordings made of their voice.
California’s Consumer Privacy Act of 2018 (CCPA) provides the most privacy rights to consumers of any law in the country. The CCPA is the first broad consumer privacy legislation that provides consumers the ability to deny any website the right to sell their personal information at the click of a button, as well as the right to know what information is being collected and request that information be changed or deleted.
Nevada’s consumer privacy law (NRS § 603A.300) is built upon the state’s previous business privacy laws to provide consumers with many of the same rights as in California. Like in California, Nevada consumers can request that their data not be sold to third parties. However, the law also excludes several protections included in the CCPA, making it weaker protection for consumers overall. Most notably, the Nevada consumer privacy act:
There have been several “CCPA copycat bills” introduced in state legislatures across the United States, but all have failed before reaching the floor except for one - North Dakota’s 2019 H.B. 1485. While ND H.B. 1485 was originally a less extensive version of the CCPA - allowing consumers the right to opt-out of having their data sold but not the ability to delete their information after consent was given - it was whittled down even more on the legislative floor to the point where it doesn’t even qualify as a consumer rights law. The law signed by Governor Burgum in April 2019 provided for a study of “protections, enforcement, and remedies regarding the disclosure of consumers' personal data” and that “the legislative management shall report its findings and recommendations, together with any legislation required to implement the recommendations, to the sixty-seventh legislative assembly” (North Dakota House Journal, 2019). Hopefully, the results of the ongoing study will lead to significant consumer privacy legislation in North Dakota in the future, and other states will also follow in California’s footsteps to protect their residents’ privacy.
The Electronic Frontier Foundation correctly points out that Congress must not pass legislation negating or softening state consumer privacy laws like those in California, Nevada, and Vermont. Currently, legislation in Congress such as the EARN IT Act of 2020 threatens to harm individual privacy rather than help it. Passing a national law that ensures consumer privacy rights is necessary and needs to be on Congress’s legislative agenda, but any such legislation must not foreclose state privacy laws and should provide real - not illusory - protections for consumers.