Back 

State Laws Related to Internet Privacy

State Laws Related to Internet Privacy

1/23/2014

Overview

State lawmakers have dealt with an array of privacy issues related to online activities, such as requiring websites to post privacy policies, barring online book sellers and libraries from disclosing readers’ orders or browsing information, securing personal information held by Internet service providers, regulating online marketing of certain products directed to minors, and requiring employers to give notice before monitoring email.

Children's Online Privacy

Globe with keyboardCalifornia
Calif. Bus. & Prof. Code §§ 22580-22582 (2013 S.B. 568, Chapter 336) (Effective 1/1/2015.)
California's Privacy Rights for California Minors in the Digital World Act, also called the "eraser" bill, will permit minors to remove, or to request and obtain removal of, content or information posted on an Internet Web site, online service, online application, or mobile application. It also prohibits an operator of a Web site or online service directed to minors from marketing or advertising to minors specified products or services that minors are legally prohibited from buying. The law also will prohibit marketing or advertising certain  products based on personal information specific to a minor or knowingly using, disclosing, compiling, or allowing a third party to do so.

e-Reader Privacy

Arizona
Ariz. Rev. Stat. § 41-151.22
Provides that a library or library system supported by public monies shall not allow disclosure of any record or other information which, including e-books, that identifies a user of library services as requesting or obtaining specific materials or services or as otherwise using the library.

California
Cal. Govt. Code § 6267
Protects a library patron's use records, such as written records or electronic transaction that identifies a patron's borrowing information or use of library information resources, including, but not limited to, database search records, borrowing records, class records, and any other personally identifiable uses of library resources information requests, or inquiries.

Cal. Civil Code § 1798.90
The California Reader Privacy Act protects information about the books Californians browse, read or purchase from electronic services and online booksellers, who may have access to detailed information about readers, such as specific pages browsed. Requires a search warrant, court order, or the user's affirmative consent before such a business can disclose the personal information of its users related to their use of a book, with specified exceptions, including an imminent danger of death or serious injury.

 Privacy Policies for Websites or Online Services

California
Calif. Bus. & Prof. Code § 22575 (2013 A.B. 370)
Requires the operator of a commercial web site or online service to disclose in its privacy policy how it responds to a web browser 'Do Not Track' signal or similar mechanisms providing consumers with the ability to exercise choice about online tracking of their personal information across sites or services and over time. It also requires the operator to disclose whether third parties are or may be conducting such tracking on the operator’s site or service.

Calif. Bus. & Prof. Code §§ 22575-22578
California's Online Privacy Protection Act requires an operator, defined as a person or entity that collects personally identifiable information from California residents through an Internet Web site or online service for commercial purposes, to post a conspicuous privacy policy on its Web site or online service (which may include mobile apps) and to comply with that policy. The law, among other things, requires that the privacy policy identify the categories of personally identifiable information that the operator collects about individual consumers who use or visit its Web site or online service and third parties with whom the operator may share the information.

California Ed. Code § 99122
Requires private nonprofit or for-profit postsecondary educational institutions to post a social media privacy policy on the institution's Internet Web site.

Connecticut
Conn. Gen. Stat. § 42-471
Requires any person who collects Social Security numbers in the course of business to create a privacy protection policy.  The policy must be "publicly displayed" by posting on a web page and the policy must (1) protect the confidentiality of Social Security numbers, (2) prohibit unlawful disclosure of Social Security numbers, and (3) limit access to Social Security numbers.  

Privacy of Personal Information Held by Internet Service Providers

Two states, Nevada and Minnesota, require Internet Service Providers to keep private certain information concerning their customers, unless the customer gives permission to disclose the information. Both states prohibit disclosure of personally identifying information, but Minnesota also requires ISPs to get permission from subscribers before disclosing information about the subscribers' online surfing habits and Internet sites visited.

In addition, California and Utah laws, although not specifically targeted to on-line businesses, require all nonfinancial businesses to disclose to customers, in writing or by electronic mail, the types of personal information the business shares with or sells to a third party for direct marketing purposes or for compensation. Under the California law, businesses may post a privacy statement that gives customers the opportunity to choose not to share information at no cost.

False and Misleading Statements in Website Privacy Policies

Nebraska
Nebraska Stat. § 87-302(14)
Nebraska prohibits knowingly making a false or misleading statement in a privacy policy, published on the Internet or otherwise distributed or published, regarding the use of personal information submitted by members of the public.

Pennsylvania
18 Pa. C.S.A. § 4107(a)(10)
Pennsylvania includes false and misleading statements in privacy policies published on Web sites or otherwise distributed in its deceptive or fraudulent business practices statute.

Notice of Monitoring of Employee E-mail Communications and Internet Access

Connecticut and Delaware require employers to give notice to employees prior to monitoring e-mail communications or Internet access. 

Colorado and Tennessee require states and other public entities to adopt a policy related to monitoring of public employees' e-mail.

Connecticut Gen. Stat.§ 31-48d

  • Employers who engage in any type of electronic monitoring must give prior written notice to all employees, informing them of the types of monitoring which may occur.
  • If an employer has reasonable grounds to believe that employees are engaged in illegal conduct and electronic monitoring may produce evidence of this misconduct, the employer may conduct monitoring without giving prior written notice.
  • Provides for civil penalties of $500 for the first offense, $1,000 for the second offense and $3,000 for the third and each subsequent offense.
Delaware Del. Code § 19-7-705
  • Prohibits employers from monitoring or intercepting electronic mail or Internet access or usage of an employee unless the employer has first given a one-time written or electronic notice to the employee.
  • Provides exceptions for processes that are performed solely for the purpose of computer system maintenance and/or protection, and for court ordered actions.
  • Provides for a civil penalty of $100 for each violation.

Colorado Colo. Rev. Stat. § 24-72-204.5 

  • Requires the state or any agency, institution, or political subdivision thereof that operates or maintains an electronic mail communications system to adopt a written policy on any monitoring of electronic mail communications and the circumstances under which it will be conducted.
  • The policy shall include a statement that correspondence of the employee in the form of electronic mail may be a public record under the public records law and may be subject to public inspection under this part.  

Tennessee Tenn. Code § 10-7-512

  • Requires the state or any agency, institution, or political subdivision thereof that operates or maintains an electronic mail communications system to adopt a written policy on any monitoring of electronic mail communications and the circumstances under which it will be conducted.
  • The policy shall include a statement that correspondence of the employee in the form of electronic mail may be a public record under the public records law and may be subject to public inspection under this part.  

Privacy Policies: Government Websites

At least 17 states require government Web sites or state portals to establish privacy policies and procedures, or to incorporate machine-readable privacy policies into their Web sites.

State Statute
Arizona Ariz. Rev. Stat. Ann. § 41-4151, 41-4152
Arkansas Ark. Code § 25-1-114
California Cal. Govt. Code § 11019.9
Colorado Colo. Rev. Stat. § 24-72-501, 24-72-502
Delaware Del. Code tit. 29 § 9017C et seq.
Iowa Iowa Code § 22.11
Illinois Ill. Rev. Stat. ch. 5 § 177/15
Maine Me. Rev. Stat. tit. 1 § 14-A § 541- 542
Maryland Md. State Govt. Code § 10-624 (4)
Michigan 2003 Mich Pub. Acts, Act 161 (sec. 572 (7))
Minnesota Minn. Stat. § 13.15
Montana Mont. Code Ann. § 2-17-550 to - 553
New York N.Y. State Tech. Law § 201 to 207
South Carolina S.C. Code Ann. § 30-2-40
Texas Tex. Govt. Code Ann. § 10-2054.126
Utah Utah Code Ann. § 63D-2-101, -102, -103, -104
Virginia Va. Code § 2.2-3800, - 3801, -3802, -3803

Additional Resources

Share this: 
We are the nation's most respected bipartisan organization providing states support, ideas, connections and a strong voice on Capitol Hill.

NCSL Member Toolbox

Denver

7700 East First Place
Denver, CO 80230
Tel: 303-364-7700 | Fax: 303-364-7800

Washington

444 North Capitol Street, N.W., Suite 515
Washington, D.C. 20001
Tel: 202-624-5400 | Fax: 202-737-1069

Copyright 2014 by National Conference of State Legislatures