Last Updated April 16, 2020

By Gabe Turner and the Security.org Team

“It’s like the wild wild west,” Emily Mancini, communications director for New York State Sen. Kevin Thomas (D), says, “for businesses and consumers alike.”

A bold comparison, perhaps, but one that’s not altogether incorrect. No, we don’t travel by horseback anymore, but as more and more of our lives migrate online, competing regulations, laws and legislative proposals make it clear that data privacy is, indeed, the new frontier.

But as new laws around the country give form to basic personal data privacy, it’s impossible not to notice just how many states and the federal government itself seem to be sitting out the game entirely.

Some lawmakers, like New York State’s Thomas, as well as lawmakers in California, Nevada and Maine, have had success in crafting effective proposals and getting them through the legislative process, while just over half of all states do not currently have any meaningful proposals active in their lawmaking bodies.

Nearly nine in 10 Americans are internet users, but in only three states have lawmakers managed to approve legislation that guarantees residents some degree of control over their personal data online and/or requires the private companies collecting that data to abide by a particular set of rules regarding the sanctity of that information.

And despite bipartisan calls for federal action, the U.S. is one of only a handful of countries that still lacks a blanket data protection law, though Sen. Kirsten Gillibrand (D-New York), a former 2020 presidential candidate, has proposed a bill that would establish a federal data protection agency.

But many states aren’t waiting for the federal government to act. The California Consumer Privacy Act, or CCPA, which went into effect January 1st this year, is by far the most sweeping law on the books in any state, but that’s not saying much. Only two other states (Nevada and Maine) have passed anything at all, and both of those measures are very narrow in scope.

So where does your state stand? Chances are you live in a state with no formal data protections outside of the laws that exist in each state requiring certain businesses to notify users in the event of a data breach. We’ve studied the bills that have been proposed and passed, if any, in each state, and where possible, have determined what the prospects are for pending legislation to become law in states where no protections currently exist.

What our research revealed is that no state has what we would deem truly comprehensive privacy legislation.

Strong Data Privacy Requires These 15 Rights & Regulations

There is no single consensus as to the definition of comprehensive digital privacy, but there are several areas where privacy advocates generally agree. Here’s a look at the 15 most common provisions, some of which provide rights to consumers and some of which apply only to business practices:

  • Right of access & information: Consumers should be informed what information businesses or data collectors are gathering about them, and they should be able to access the information or categories of information as well as accessing names or categories of third parties who received the shared information.
  • Right of rectification: Consumers should be able to request corrections to outdated or incorrect personal information.
  • Right of deletion: Consumers should be able to request that personal information be deleted in certain conditions.
  • Right to restriction of processing: Consumers should be able to restrict a company’s ability to access their personal information.
  • Right to data portability: Consumers should be able to request their information be disclosed in a common file format.
  • Right to opt-out of sale of personal data: Consumers should be able to choose not to have their personal information sold by the collector to a third party.
  • Right against automated decision-making: Businesses should not make decisions about consumers based on an entirely automated process that has no human input.
  • Right of action: Consumers should be able to seek civil damages from a business that violates privacy statutes.
  • Age-based opt-in: Businesses must default to strict opt-in for sale of personal information for consumers under a certain age.
  • Transparency requirements: Businesses must provide notice to consumers about their data practices and privacy programs.
  • Data breach notification: Businesses must notify consumers or enforcement authorities in the event of a privacy or security breach.
  • Risk assessment: Businesses must conduct formal risk assessments of their established security and privacy practices.
  • Non-discrimination: Businesses are prohibited from treating a consumer differently if they exercise data privacy rights.
  • Purpose & processing limitation: Businesses must collect and process consumer data only for a specific purpose.
  • Fiduciary duty: Businesses must act in the best interest of the consumer.

It’s important to note that all states now have some form of data breach notifications in place, but the specific provisions of the laws vary, including exempting some businesses from the requirements as well as variations in enforcement.

Digital Privacy Legislation

Not only do no states have laws on the books that cover all 15 of the critical areas, but to date, no state has even seen a law proposed that would include everything. A bill pending in the New York State Legislature comes closest, but even it lacks three of the 15.

Bills are pending in 16 states, and the majority were authored by Democratic lawmakers, though Republicans have introduced measures in two states (Florida and South Carolina), and in states where bills have passed, there generally is wide bipartisan support.

More than half of the states (27 if you include the District of Columbia) do not have any active legislation, though a few of those have seen bills proposed in previous legislative sessions. Six states have launched study committees or task forces, and only three states have formally adopted any modern data privacy regulations.

State-by-State Breakdown

To compare each of the states’ efforts to ensure consumer digital privacy, we analyzed the measures that have become law so far, those that are still pending (and the ones that failed) to classify states by how strong their data privacy rules are. It’s worth noting that the legislative process in each state is on a different timetable, and these rankings may change as events warrant.

Our analysis slotted the states into five buckets:

  • Very strong: Including all 15 data privacy protections and requirements — zero states
  • Strong: At least 1 of the 15 protections and requirements has been signed into law — three states
  • Pending: Active legislation includes at least one of the 15 protections and requirements but nothing formally adopted yet — 15 states
  • Weak: No active legislation but recent measures have included at least one protection or requirement and task force launched or study order issued — seven states
  • Very weak: No active or recent legislation including at least one protection or requirement — 26 states

Strong: California, Maine, Nevada

California

Protections: CCPA went into effect Jan. 1, 2020, including eight of 15 protections and requirements.

Because it’s the most robust of the three laws that have gone into effect, California’s CCPA is, by default, the most far-reaching digital privacy law in the U.S., but even it falls short in several areas, and it covers just more than half of the crucial protections the modern world requires.

While the law does provide important protections, not every aspect of it is positive, and many in the business community are reasonably concerned about the added burden the requirements will place on some commercial entities; the state estimates initial compliance costs could near $60 billion.

Aside from the impact on businesses, the bill also omits several provisions and leaves enforcement up to the attorney general’s office, meaning that private individuals cannot sue businesses over breaches unless poor security measures within a business exposed their information.

What the law includes:

Right of access & information

Right of rectification

Right of deletion

Right to restriction of processing

Right to data portability

Right to opt-out of sale of personal data

Right against automated decision-making

Right of action (security only)

Age-based opt-in (age 16)

Transparency requirements

Data breach notification

Risk assessment

Non-discrimination

Purpose & processing limitation

Fiduciary duty

Maine

Protections: An Act to Protect the Privacy of Online Consumer Information, scheduled to take effect July 1, 2020, pending lawsuit from internet service providers, including four of 15 protections and requirements, applies only to ISPs.

Maine’s law had broad bipartisan support during the legislative process, and it was approved by the state senate unanimously. But it applies only to internet service providers and not other types of companies that collect consumer data.

As of March 2020, the new regulations are in limbo, as four ISP lobbying organizations (ACA Connects, America’s Communication Association; CTIA, the Wireless Association; NCTA, the Internet & Television Association; and USTELECOM, the Broadband Association) have sued to stop the law from going into effect.

What the law includes:

Right of access & information

Right of rectification

Right of deletion

Right to restriction of processing

Right to data portability

Right to opt-out of sale of personal data (law requires strict opt-in)

Right against automated decision-making

Right of action

Age-based opt-in

Transparency requirements

Data breach notification

Risk assessment

Non-discrimination

Purpose & processing limitation

Fiduciary duty

Nevada

Protections: SB220 went into effect in October 2019, including three of 15 protections and requirements, applies only to website operators

Nevada’s relatively modest slate of consumer protections is quite narrow in scope and is more or less limited to a right to opt-out of having data sold. The law also applies only to website operators, so businesses that collect data offline are not impacted.

California’s law is broad in terms of what comprises “sale,” while Nevada’s rule is more focused and excludes things that aren’t literally the exchange of money for information, but critics contend that while the attorney general’s office will formally handle enforcement, the agency will rely on consumers to report noncompliance.

What the law includes:

Right of access & information

Right of rectification

Right of deletion

Right to restriction of processing

Right to data portability

Right to opt-out of sale of personal data

Right against automated decision-making

Right of action

Age-based opt-in

Transparency requirements

Data breach notification

Risk assessment

Non-discrimination

Purpose & processing limitation

Fiduciary duty

Pending: 15 states

Arizona

Protections: None adopted, but active bill includes four of 15 protections and requirements

A bill currently winding its way through the Arizona State Legislature would be a modest first step toward comprehensive protections in that state, and the chief author of the legislation had a career in computer and aerospace science before becoming a lawmaker, perhaps giving this bill some added credibility both in the privacy advocacy space as well as business.

Rep. Domingo DeGrazia (D) worked on various aspects of HB2729 for about a year, according to the Arizona Mirror, before introducing it in February of this year.

“I wanted to write the best bill I could that would be the most protective for citizens without burdening businesses,” DeGrazia said. Action on the bill is ongoing, and it’s currently assigned to the House Technology committee.

What the bill includes:

Right of access & information

Right of rectification

Right of deletion (excluding employment data)

Right to restriction of processing

Right to data portability

Right to opt-out of sale of personal data

Right against automated decision-making

Right of action (security only)

Age-based opt-in

Transparency requirements

Data breach notification

Risk assessment

Non-discrimination

Purpose & processing limitation

Fiduciary duty

Florida

Protections: None adopted, but active bill includes two of 15 protections and requirements

A bill in the Florida House of Representatives would provide limited but crucial protections, including the right to know what information is being gathered and to opt out of having your information sold.

However, the measure as it currently stands carves out a very big exception — it applies only to data collectors not based in Florida. The bill was proposed by Rep. David Santiago (R) and is currently in the House Oversight, Transparency & Public Management Subcommittee.

What the bill includes:

Right of access & information

Right of rectification

Right of deletion

Right to restriction of processing

Right to data portability

Right to opt-out of sale of personal data

Right against automated decision-making

Right of action

Age-based opt-in

Transparency requirements

Data breach notification

Risk assessment

Non-discrimination

Purpose & processing limitation

Fiduciary duty

Illinois

Protections: None adopted, multiple bills active, including one that covers 10 of 15 protections and requirements

A sweeping Senate bill in Illinois would include more protections than the CCPA, though it also is missing important provisions. The measure, SB 2330, was sponsored by Sen. Thomas Cullerton (D), and is currently in the senate’s judiciary committee.

What the bill includes:

Right of access & information

Right of rectification

Right of deletion

Right to restriction of processing

Right to data portability

Right to opt-out of sale of personal data

Right against automated decision-making

Right of action (security only)

Age-based opt-in

Transparency requirements

Data breach notification

Risk assessment

Non-discrimination

Purpose & processing limitation

Fiduciary duty

Maryland

Protections: None adopted, but active bill includes six of 15 protections and requirements

A proposed law in Maryland, the Online Consumer Protection Act, would include many of the same protections as the new California law, though the details of the bill may change through the legislative process.

Sponsored by Sen. Susan C. Lee, a Democrat from Montgomery County, the measure was most recently before the senate finance committee.

What the bill includes:

Right of access & information

Right of rectification

Right of deletion

Right to restriction of processing

Right to data portability

Right to opt-out of sale of personal data

Right against automated decision-making

Right of action

Age-based opt-in

Transparency requirements

Data breach notification

Risk assessment

Non-discrimination

Purpose & processing limitation

Fiduciary duty

Minnesota

Protections: None adopted, but active bill includes nine of 15 protections and requirements

A pair of identical bills have been introduced in the Minnesota legislature, though neither has gotten past the committee stage. Still, if enacted, they would provide more robust protections than the CCPA, though they do fall short in several areas.

It was not immediately clear what the prospects were for passage of either measure, but the legislative session is ongoing.

What the bill includes:

Right of access & information

Right of rectification

Right of deletion

Right to restriction of processing

Right to data portability

Right to opt-out of sale of personal data

Right against automated decision-making

Right of action

Age-based opt-in

Transparency requirements

Data breach notification

Risk assessment

Non-discrimination

Purpose & processing limitation

Fiduciary duty

Nebraska

Protections: None adopted, active bill includes six of 15 protections and restrictions

Nebraska’s bill, LB746, is not expected to be debated on the floor of the state’s unicameral assembly during this session, and because bills that don’t pass by the time the session expires are basically dead, the prospects of the protections outlined in the bill becoming law for Nebraskans this year are slim.

However, Oliver VanDervoort, a spokesman from the office of Sen. Carol Blood, the sponsor of the legislation, said that Blood partially based her bill on the model of other states, though she was careful to loosen some of the restrictions in hopes that the measure would pass. Still, VanDervoort said Blood is committed to the measure and would likely reintroduce it or something similar if the bill fails to advance during this term.

What the bill includes:

Right of access & information

Right of rectification

Right of deletion

Right to restriction of processing

Right to data portability

Right to opt-out of sale of personal data

Right against automated decision-making

Right of action

Age-based opt-in (age 16)

Transparency requirements

Data breach notification

Risk assessment

Non-discrimination

Purpose & processing limitation

Fiduciary duty

New Hampshire

Protections: None adopted, but active bill includes seven of 15 protections and requirements

A house bill in New Hampshire would provide a large number of crucial privacy protections, but it doesn’t go as far as some other measures in the region. It was not immediately clear what the prospects were for passage of the bill introduced by Democrat Garrett Muscatel (Hanover).

What the bill includes:

Right of access & information

Right of rectification

Right of deletion

Right to restriction of processing

Right to data portability

Right to opt-out of sale of personal data

Right against automated decision-making

Right of action (security only)

Age-based opt-in

Transparency requirements

Data breach notification

Risk assessment

Non-discrimination

Purpose & processing limitation

Fiduciary duty

New York

Protections: None adopted, but one bill currently includes 12 of 15 protections and requirements

A bill currently in the New York State Assembly would offer even more privacy provisions than California’s law, though discussions and negotiations about what specifics it will include are ongoing, and amendments are likely to be added to the bill before it’s reintroduced in the next couple of months.

That bill, the New York Privacy Act (NYPA), overlaps with a second bill that’s also been introduced, the Right to Know Act, and it was not immediately clear which measure had the best chances of proceeding through the legislative process, but given that the NYPA would be the most aggressive raft of protections in the U.S., New York seems to be in the best position of states that have yet to sign anything into law.

What the bills include:

Right of access & information

Right of rectification

Right of deletion

Right to restriction of processing

Right to data portability (both)

Right to opt-out of sale of personal data

Right against automated decision-making

Right of action

Age-based opt-in

Transparency requirements (both)

Data breach notification

Risk assessment

Non-discrimination

Purpose & processing limitation (NYPA does not currently include purpose limitation)

Fiduciary duty

Sen. Thomas is the primary sponsor of the NYPA, the more robust of the two proposals, and his spokesperson Mancini indicated that Thomas is determined to build on the strong protections introduced in California and Europe and that enacting new privacy laws will only become more challenging as time goes on.

“Right now is the time because it’s only going to get more difficult as we scale up the technology, so this legislation is coming at a crucial time,” Mancini said.

Thomas and other lawmakers are currently discussing the wording of amendments to the bill that will help ensure that it’s easy for consumers to take advantage of the protections and that businesses are able to comply, Mancini said: “It’s like the wild wild west, a new frontier for consumers and industry alike.”

Oklahoma

Protections: None adopted, but active bill includes one of 15 protections and restrictions but applies only to email providers

A limited-scope measure is currently alive in the Oklahoma legislature that would limit the ability of email providers like Microsoft or Google to obtain users’ information via their emails. The bill was authored by Democrat Collin Walke (Oklahoma City) and is among the most focused active bills in the country.

What the bill includes:

Right of access & information

Right of rectification

Right of deletion

Right to restriction of processing

Right to data portability

Right to opt-out of sale of personal data

Right against automated decision-making

Right of action

Age-based opt-in

Transparency requirements

Data breach notification

Risk assessment

Non-discrimination

Purpose & processing limitation

Fiduciary duty

Pennsylvania

Protections: None adopted, but active bill includes seven of 15 protections and restrictions

Pennsylvania bill HB1049 is still working its way through the legislative process, and the measure’s sponsor, Rep. Ed Neilson (D-Philadelphia), is optimistic about the prospects of his legislation, though he acknowledges that the bill is most likely not in its final form.

“We have been working with multiple stakeholders attempting to get them on board so that we can move the issue forward. As a legislator, you realize that a good bill is negotiated not dictated, for it should never be my way or the highway.”

Still, Neilson said that even if the clock runs out on this session before the measure is passed and signed into law, he intends to reintroduce it during the next legislative session.

What the bill includes:

Right of access & information

Right of rectification

Right of deletion

Right to restriction of processing

Right to data portability

Right to opt-out of sale of personal data

Right against automated decision-making

Right of action (security only)

Age-based opt-in (age 16)

Transparency requirements

Data breach notification

Risk assessment

Non-discrimination

Purpose & processing limitation

Fiduciary duty

Rhode Island

Protections: None adopted, but active bill includes eight of 15 protections and requirements

A Rhode Island Senate bill would extend several key privacy provisions, though the bill likely will be held for further study. Sen. William J. Conley Jr. introduced the bill, and it’s currently with the judiciary committee.

What the bill includes:

Right of access & information

Right of rectification

Right of deletion

Right to restriction of processing

Right to data portability

Right to opt-out of sale of personal data

Right against automated decision-making

Right of action

Age-based opt-in (age 16)

Transparency requirements

Data breach notification

Risk assessment

Non-discrimination

Purpose & processing limitation

Fiduciary duty

South Carolina

Protections: None adopted, but active bill includes nine of 15 protections and requirements but applies only to biometric information

A measure in the South Carolina House of Representatives provides broad protections but is narrow in its scope, including nine protections or requirements — but applying only to biometric information, such as fingerprints, iris scans and DNA. Though it is limited in scope, the bill, proposed by Republican Bruce Bryant (Lake Wylie), goes quite far among biometric privacy laws.

The bill is pending in the house judiciary committee.

What the bill includes:

Right of access & information

Right of rectification

Right of deletion

Right to restriction of processing

Right to data portability

Right to opt-out of sale of personal data

Right against automated decision-making

Right of action

Age-based opt-in (age 16)

Transparency requirements

Data breach notification

Risk assessment

Non-discrimination

Purpose & processing limitation

Fiduciary duty

Virginia

Protections: None adopted, but bill continued to 2021 session includes nine of 15 protections and requirements

A bill that originated in the current session of the Virginia legislature will be held until the next session, according to a representative from the office of Democrat Mark D. Sickles (Fairfax), who introduced the measure.

While it isn’t exactly comprehensive, the Virginia Privacy Act, as it’s currently written, would be among the most expansive in the South.

What the bill includes:

Right of access & information

Right of rectification

Right of deletion

Right to restriction of processing

Right to data portability

Right to opt-out of sale of personal data

Right against automated decision-making

Right of action

Age-based opt-in

Transparency requirements

Data breach notification

Risk assessment

Non-discrimination

Purpose & processing limitation

Fiduciary duty

Wisconsin

Protections: None adopted, trio of bills include four of 15 protections and requirements

A trio of bills comprises the Wisconsin Data Privacy Act, each covering a different area of privacy protections. Taken as a whole, the measures would provide some basic protections for consumers, though the measures still fall short in many ways.

It’s unclear what the prospects are for passage of any of the three separate measures.

What the bills include:

Right of access & information

Right of rectification

Right of deletion (excluding employment data)

Right to restriction of processing

Right to data portability

Right to opt-out of sale of personal data

Right against automated decision-making

Right of action (security only)

Age-based opt-in

Transparency requirements

Data breach notification

Risk assessment

Non-discrimination

Purpose & processing limitation

Fiduciary duty

Weak: 6 states

Connecticut, Hawaii, Louisiana, Massachusetts, North Dakota, Texas

Protections: None adopted and no active bills; task force substituted or study order issued in place of comprehensive bill

A total of six states have launched data privacy task forces or issued orders for lawmakers and state officials to study the matter in detail. In all six cases, the study/task force orders were implemented in place of legislation.

Very weak: 26 states

Alabama, Alaska, Arkansas, Colorado, Delaware, Georgia, Idaho, Indiana, Iowa, Kansas, Kentucky, Michigan, Mississippi, Missouri, Montana, New Jersey, New Mexico, Ohio, Oregon, South Dakota, Tennessee, Utah, Vermont, Washington, West Virginia, Wyoming

Protections: Nothing adopted, no active bills, no formal task force or study

In more than half of the states, there is no active legislation and no task force or study order proclamations. Some of these states, like Mississippi and Washington, have seen bills introduced in recent sessions that did not survive the legislative process, while others, like Indiana, haven’t seen any relevant bills proposed.

Conclusion

The need for consumer data protection should be more than evident — almost every American uses the internet in some capacity, and some of us live our lives almost entirely online, from entertainment to work to shopping to social media and more. While states (and the federal government) may be a little late to the game when it comes to codifying various protections, their actions should be welcomed.

About This Research

Legislative research for this article covered the most recent session of each state’s legislature, which in some cases stretches back one or more years. As referenced, several states have had previous pending legislation that for one reason or another did not survive the legislative process. Every state allows the public to search for proposed legislation, read the text of it and track where it is in the process, and people who are concerned about their data privacy, even in states like California, would be well-advised to conduct their own research about the situation in their state.

We consulted several other sources to help formulate the basics of what should be considered comprehensive data privacy protections, the political and economic ramifications of these discussions and other areas related to digital privacy. This includes the International Association of Privacy Professionals’ Westin Research Center, the National Council of State Legislatures, Recode, Varonis, Wired and TechCrunch.