National Conference of State Legislatures - The Forum for America's Ideas
Issues & Research » Telecommunications & Information Technology » State Laws Related to Internet Privacy
 Go 13463

Selected State Laws Related to Internet Privacy

Last update: October 19, 2009

Americans express great concerns about privacy on the Internet, and state legislatures have responded in several ways to this complex issue. Some of the state actions directly relating to Internet privacy include the following types of laws:

 

 

Privacy of Personal Information
Employee E-mail Communications and Internet Access
Privacy Policies: Commercial Web Sites
Privacy Policies: Government Web Sites

 

Privacy of Personal Information

 

Two states, Nevada and Minnesota require Internet Service Providers to keep private certain information concerning their customers, unless the customer gives permission to disclose the information. Both states prohibit disclosure of personally identifying information, but Minnesota also requires ISPs to get permission from subscribers before disclosing information about the subscribers' online surfing habits and Internet sites visited.

Minnesota Statutes §§ 325M.01 to .09

  • Prohibits Internet service providers from disclosing personally identifiable information, including a consumer's physical or electronic address or telephone number; Internet or online sites visited; or any of the contents of a consumer's data storage devices.
  • Provides for certain circumstances under which information must be disclosed, such as to a grand jury; to a state or federal law enforcement officer acting as authorized by law; pursuant to a court order or court action.
  • Provides for civil damages of $500 or actual damages and attorney fees for violation of the law.

 

Nevada Revised Statutes § 205.498

In addition, California and Utah laws, although not specifically targeted to on-line businesses, require all nonfinancial businesses to disclose to customers, in writing or by electronic mail, the types of personal information the business shares with or sells to a third party for direct marketing purposes or for compensation. Under the California law, businesses may post a privacy statement that gives customers the opportunity to choose not to share information at no cost.

 

California Civil Code §§ 1798.83 to .84 (Effective January 1, 2005)

 

Utah Code §§ 13-37-101, -102, -201, -202, -203

Employee E-mail Communications and Internet Access

Two states, Connecticut and Delaware, require employers to give notice to employees prior to monitoring e-mail communications or Internet access.  Colorado and Tennessee require states and other public entities to adopt a policy related to monitoring of public employees' e-mail.

Delaware Code § 19-7-705

  • Prohibits employers from monitoring or intercepting electronic mail or Internet access or usage of an employee unless the employer has first given a one-time written or electronic notice to the employee.
  • Provides exceptions for processes that are performed solely for the purpose of computer system maintenance and/or protection, and for court ordered actions.
  • Provides for a civil penalty of $100 for each violation.

General Statutes of Connecticut §

  • Employers who engage in any type of electronic monitoring must give prior written notice to all employees, informing them of the types of monitoring which may occur.
  • If an employer has reasonable grounds to believe that employees are engaged in illegal conduct and electronic monitoring may produce evidence of this misconduct, the employer may conduct monitoring without giving prior written notice.
  • Provides for civil penalties of $500 for the first offense, $1,000 for the second offense and $3,000 for the third and each subsequent offense.
Public Employers

Colorado Rev. Stat. § 24-72-204.5 and Tennesee Code § 10-7-512

  • Requires the state or any agency, institution, or political subdivision thereof that operates or maintains an electronic mail communications system to adopt a written policy on any monitoring of electronic mail communications and the circumstances under which it will be conducted.
  • The policy shall include a statement that correspondence of the employee in the form of electronic mail may be a public record under the public records law and may be subject to public inspection under this part.

 

 

 

California (Calif. Bus. & Prof. Code §§ 22575-22578)
California's Online Privacy Protection Act requires an operator, defined as a person or entity that collects personally identifiable information from California residents through an Internet Web site or online service for commercial purposes, to post conspicuously its privacy policy on its Web site or online service and to comply with that policy. The bill, among other things, would require that the privacy policy identify the categories of personally identifiable information that the operator collects about individual consumers who use or visit its Web site or online service and third parties with whom the operator may share the information.

Connecticut (Conn. Gen Stat. § 42-471)
Requires any person who collects Social Security numbers in the course of business to create a privacy protection policy.  The policy must be "publicly displayed" by posting on a web page and the policy must (1) protect the confidentiality of Social Security numbers, (2) prohibit unlawful disclosure of Social Security numbers, and (3) limit access to Social Security numbers.

Nebraska (Nebraska Stat. § 87-302(14))
Nebraska prohibits knowingly making a false or misleading statement in a privacy policy, published on the Internet or otherwise distributed or published, regarding the use of personal information submitted by members of the public.

Pennsylvania (18 Pa. C.S.A. § 4107(a)(10))
Pennsylvania includes false and misleading statements in privacy policies published on Web sites or otherwise distributed in its deceptive or fraudulent business practices statute.

Privacy Policies: Government Web Sites

 

At least sixteen states require, by statute, government Web sites or state portals to establish privacy policies and procedures, or to incorporate machine-readable privacy policies into their Web sites.

State Statute
Arizona Ariz. Rev. Stat. Ann. § 41-4151, 41-4152
Arkansas Ark. Code § 25-1-114
California Cal. Govt. Code § 11019.9
Colorado Colo. Rev. Stat. § 24-72-501, 24-72-502
Delaware Del. Code tit. 29 § 9017C et seq.
Iowa Iowa Code § 22.11
Illinois Ill. Rev. Stat. ch. 5 § 177/15
Maine Me. Rev. Stat. Ann. tit. 1 § 14-A § 541- 542
Maryland Md. State Govt. Code Ann. § 10-624 (4)
Michigan 2003 Mich Pub. Acts, Act 161 (sec. 572 (7))
Minnesota Minn. Stat. § 13.15
Montana Mont. Code Ann. § 2-17-550 to - 553
New York N.Y. State Tech. Law § 201 to 207
South Carolina S.C. Code Ann. § 30-2-10 to 30-2-50
Texas Tex. Govt. Code Ann. § 10-2054.126
Utah Utah Code Ann. § 63D-2-101, -102, -103, -104
Virginia Va. Code § 2.2-3800, - 3801, -3802, -3803

 

 

31-48d

 

 

  • Internet service providers must keep confidential all information about subscribers, other than e-mail address, unless the subscriber gives permission to disclose the information.
  • If requested by subscribers, in writing or by e-mail, Internet service providers must also keep subscriber e-mail addresses confidential.
  • Internet service providers must provide notice of the above requirements to each of its subscribers, including a "conspicuous statement" that subscribers may request to have their e-mail addresses kept confidential.
  • Violations of the law are punishable by a fine of $50 to $500 per violation.

 
 NCSLFeedback Maximize
  

Denver Office
Tel: 303-364-7700 | Fax: 303-364-7800 | 7700 East First Place | Denver, CO 80230

 

Washington Office
Tel: 202-624-5400 | Fax: 202-737-1069 | 444 North Capitol Street, N.W., Suite 515 | Washington, D.C. 20001

©2009 National Conference of State Legislatures.  All Rights Reserved.