State Laws Related to Internet Privacy

8/13/2019

Overview

The Internet and new technologies continually raise new policy questions about privacy, and state lawmakers are continuing to address the array of privacy issues arising from online activities.

This web page documents state laws in a limited number of areas: website privacy policies, privacy of online book downloads and reader browsing information, personal information held by Internet service providers, online marketing of certain products directed to minors, and employee email monitoring. Additional digital privacy resources also are available from NCSL. In addition, other types of state laws address privacy and can also apply to online activities. 

PLEASE NOTE: NCSL serves state legislators and their staff. This site provides general comparative information only and should not be relied upon or construed as legal advice. 

Consumer Data Privacy

California


Cal. Civ. Code § 1798.100-§ 1798.198, The California Consumer Privacy Act of 2018 (CCPA)
Gives consumers the right to request that a business disclose the categories and specific pieces of personal information that the business has collected about them, as well as the source of that information and the business purpose for collecting it. Provides that consumers may request that a business delete personal information that the business collected from the consumers. Provides that consumers have the right to opt out of a business’s sale of their personal information, and a business may not discriminate against consumers who opt out. Applies to California residents. Effective Jan. 1, 2020. Sept. 23, 2018: Amended by S.B. 1121.

2019 A.B. 1202, Chap. 2019-753 (Data Brokers)
Requires data brokers to register with, and provide certain information to, the Attorney General. Defines a data broker as a business that knowingly collects and sells to third parties the personal information of a consumer with whom the business does not have a direct relationship, subject to specified exceptions. Requires the Attorney General to make the information provided by data brokers accessible on its internet website. Data brokers that fail to register are subject to injunction and liability for civil penalties, fees, and costs in an action brought by the Attorney General, with any recovery to be deposited in the Consumer Privacy Fund, as specified. The bill would make statements of legislative findings and declarations and legislative intent.

Cal. Bus. & Prof. Code § 22948.20 (Connected Televisions)
Prohibits a person or entity from providing the operation of a voice recognition feature in California without prominently informing, during the initial setup or installation of a connected television, either the user or the person designated by the user to perform the initial setup or installation of the connected television. Prohibits any actual recordings of spoken word collected through the operation of a voice recognition feature by the manufacturer of a connected television, or a 3rd party contracting with a manufacturer of a connected television, for the purpose of improving the voice recognition feature from being sold or used for any advertising purpose. Prohibits a person or entity from compelling a manufacturer or other entity providing the operation of a voice recognition feature to build specific features for the purpose of allowing an investigative or law enforcement officer to monitor communications through that feature.

Nevada

2019 S.B. 220
Current law requires an operator of an Internet website or online service which collects certain items of personally identifiable information about consumers in Nevada to make available a notice containing certain information relating to the privacy of covered information collected by the operator. (NRS 603A.340) This new law revises the definition of the term “operator” to exclude certain financial institutions and entities that are subject to certain federal laws concerning privacy and certain persons who manufacture, service or repair motor vehicles. The law also requires an operator to establish a designated request address through which a consumer may submit a verified request directing the operator not to make any sale of covered information collected about the consumer. The term “sale” is defined to mean the exchange of covered information for monetary consideration by the operator to a person for the person to license or sell the covered information to additional persons. The law also prohibits an operator who has received such a request from making any sale of any covered information collected about the consumer. The Attorney General may seek an injunction or a civil penalty for violations.

Vermont

9 V.S.A § 2446-2447 (2018 H.B. 764) (Protection of Personal Information: Data Brokers)
Requires data brokers (businesses that knowingly collect and license the personal information of consumers with whom such businesses do not have a direct relationship) to register annually with the Secretary of State. Data brokers also must provide consumers with specified information, including the name, e-mail, and Internet addresses of the data broker; whether the data broker permits a consumer to opt out of personal information collection or data sales; the method for requesting an opt-out; activities or sales the opt-out applies to; and whether the data broker permits a consumer to authorize a third party to perform the opt-out on the consumer's behalf. A statement specifying the data collection, databases, or sales activities from which a consumer may not opt out and a statement as to whether the data broker implements a purchaser credentialing process must also be disclosed, among other disclosures. Data brokers also must implement and maintain a written information security program containing administrative, technical, and physical safeguards to protect personally identifiable information.

Children's Online Privacy

California
Calif. Bus. & Prof. Code §§ 22580-22582
California's Privacy Rights for California Minors in the Digital World Act, also called the "eraser" bill, permits minors to remove, or to request and obtain removal of, content or information posted on an Internet Web site, online service, online application, or mobile application. It also prohibits an operator of a Web site or online service directed to minors from marketing or advertising to minors specified products or services that minors are legally prohibited from buying. The law also prohibits marketing or advertising certain products based on personal information specific to a minor or knowingly using, disclosing, compiling, or allowing a third party to do so.

Delaware
Del. Code § 1204C 
Prohibits operators of websites, online or cloud computing services, online applications, or mobile applications directed at children from marketing or advertising on its Internet service specified products or services inappropriate for children’s viewing, such as alcohol, tobacco, firearms, or pornography. When the marketing or advertising on an Internet service directed to children is provided by an advertising service, the operator of the Internet service is required to provide notice to the advertising service, after which time the prohibition on marketing and advertising the specified products or services applies to the advertising service directly. The law also prohibits an operator of an Internet service who has actual knowledge that a child is using the Internet service from using the child’s personally identifiable information to market or advertise the products or services to the child, and also prohibits disclosing a child’s personally identifiable information if it is known that the child’s personally identifiable information will be used for the purpose of marketing or advertising those products or services to the child.

e-Reader Privacy


Arizona
Ariz. Rev. Stat. § 41-151.22
Provides that a library or library system supported by public monies shall not allow disclosure of any record or other information, including e-books, that identifies a user of library services as requesting or obtaining specific materials or services or as otherwise using the library.

California
Cal. Govt. Code § 6267
Protects a library patron's use records, such as a written record or electronic transaction that identifies a patron's borrowing information or use of library information resources, including, but not limited to, database search records, borrowing records, class records, and any other personally identifiable uses of library resources, information requests, or inquiries.

Cal. Civil Code § 1798.90
The California Reader Privacy Act protects information about the books Californians browse, read or purchase from electronic services and online booksellers, who may have access to detailed information about readers, such as specific pages browsed. Requires a search warrant, court order, or the user's affirmative consent before such a business can disclose the personal information of its users related to their use of a book, with specified exceptions, including an imminent danger of death or serious injury.

Delaware
2015 SS 1 FOR SB 68
Del. Code tit. 6, § 1206C
Protects the personal information of users of digital book services and technologies by prohibiting a commercial entity which provides a book service to the public from disclosing personal information regarding users of the book service to law enforcement entities, governmental entities, or other persons, except under specified circumstances. Allows immediate disclosure of a user’s book service information to law enforcement entities when there is an imminent danger of death or serious physical injury requiring disclosure of the book service information, and requires a book service provider to preserve a user’s book service information for a specified period of time when requested to do so by a law enforcement entity. Requires a book service provider to prepare and post online an annual report on its disclosures of personal information, unless exempted from doing so. The Consumer Protection Unit of the Department of Justice has the authority to investigate and prosecute violations of the acts.

Missouri
Mo. Rev. Stat. § 182.815, 182.817
Defines "E-book" and "digital resource or material" and adds them to the items specified in the definition of "library material" that a library patron may use, borrow, or request. Provides that any third party contracted by a library that receives, transmits, maintains, or stores a library record may not release or disclose all or a portion of a library record to anyone except the person identified in the record or by a court order. 

Privacy Policies and Practices for Websites or Online Services

California
Calif. Bus. & Prof. Code § 22575 
Requires the operator of a commercial web site or online service to disclose in its privacy policy how it responds to a web browser 'Do Not Track' signal or similar mechanisms providing consumers with the ability to exercise choice about online tracking of their personal information across sites or services and over time. It also requires the operator to disclose whether third parties are or may be conducting such tracking on the operator’s site or service.

Calif. Bus. & Prof. Code § 22575-22578 (CalOPPA)
California's Online Privacy Protection Act requires an operator, defined as a person or entity that collects personally identifiable information from California residents through an Internet Web site or online service for commercial purposes, to post a conspicuous privacy policy on its Web site or online service (which may include mobile apps) and to comply with that policy. The law, among other things, requires that the privacy policy identify the categories of personally identifiable information that the operator collects about individual consumers who use or visit its Web site or online service and third parties with whom the operator may share the information.

California Ed. Code § 99122
Requires private nonprofit or for-profit postsecondary educational institutions to post a social media privacy policy on the institution's Internet Web site.

Connecticut
Conn. Gen. Stat. § 42-471
Requires any person who collects Social Security numbers in the course of business to create a privacy protection policy. The policy must be "publicly displayed" by posting on a web page and the policy must (1) protect the confidentiality of Social Security numbers, (2) prohibit unlawful disclosure of Social Security numbers, and (3) limit access to Social Security numbers.

Delaware
Del. Code Tit. 6 § 205C
Requires an operator of a commercial internet website, online or cloud computing service, online application, or mobile application that collects personally identifiable information through the Internet about individual users residing in Delaware who use or visit the operator's commercial internet website, online or cloud computing service, online application, or mobile application to make its privacy policy conspicuously available on its internet website, online or cloud computing service, online application, or mobile application. An operator shall be in violation of this subsection only if the operator fails to make its privacy policy conspicuously available within 30 days after being notified of noncompliance. Specifies requirements for the policy.

Nevada
NRS § 603A.340
Requires operators of Internet websites or online services that collect personally identifiable information to identify the categories of information collected through its Internet website or online service about consumers who use or visit the site or service and the categories of third parties with whom the operator may share such information. Provides a description of the process, if any such process exists, for an individual consumer who uses or visits the Internet website or online service to review and request changes to any of his or her information that is collected through the Internet website or online service.

Oregon
ORS § 646.607
Makes it an unlawful trade practice if a person publishes on a website related to the person’s business, or in a consumer agreement related to a consumer transaction, a statement or representation of fact in which the person asserts that the person, in a particular manner or for particular purposes, will use, disclose, collect, maintain, delete or dispose of information that the person requests, requires or receives from a consumer and the person uses, discloses, collects, maintains, deletes or disposes of the information in a manner that is materially inconsistent with the person’s statement or representation.

 

Other Laws Related to Disclosure or Sharing of Personal Information

In addition, California and Utah laws, although not specifically targeted to on-line businesses, require all nonfinancial businesses to disclose to customers, in writing or by electronic mail, the types of personal information the business shares with or sells to a third party for direct marketing purposes or for compensation. Under the California law, businesses may post a privacy statement that gives customers the opportunity to choose not to share information at no cost.

 

Privacy of Personal Information Held by Internet Service Providers (ISPs)

See also 2017-2019 Privacy Legislation Related to Internet Service Providers

Nevada and Minnesota require internet service providers specifically to keep private certain information concerning their customers, unless the customer gives permission to disclose the information. Minnesota also requires ISPs to get permission from subscribers before disclosing information about the subscribers' online surfing habits and Internet sites visited. Maine prohibits using, disclosing, selling, or permitting access to customer personal information unless the customer expressly consents to such. Maine also prohibits a provider from refusing to serve a customer, charging a customer a penalty, or offering a customer a discount.

False and Misleading Statements in Privacy Policies

Covers laws that expressly refer to false or misleading statements in online privacy policies. All 50 states also have Unfair and Deceptive Acts and Practices (UDAP) laws that can also apply to information posted online. 

Nebraska
Nebraska Stat. § 87-302(14)
Nebraska prohibits knowingly making a false or misleading statement in a privacy policy, published on the Internet or otherwise distributed or published, regarding the use of personal information submitted by members of the public.

Oregon
ORS § 646.607
Oregon's law classifies the following as an unlawful trade practice if a person, in the course of their business, vocation or occupation:
"…(12) Publishes on a website related to the person’s business, or in a consumer agreement related to a consumer transaction, a statement or representation of fact in which the person asserts that the person, in a particular manner or for particular purposes, will use, disclose, collect, maintain, delete or dispose of information that the person requests, requires or receives from a consumer and the person uses, discloses, collects, maintains, deletes or disposes of the information in a manner that is materially inconsistent with the person’s statement or representation."

Pennsylvania
18 Pa. C.S.A. § 4107(a)(10)
Pennsylvania includes false and misleading statements in privacy policies published on Web sites or otherwise distributed in its deceptive or fraudulent business practices statute.

Notice of Monitoring of Employee E-mail Communications and Internet Access

Connecticut and Delaware require employers to give notice to employees prior to monitoring e-mail communications or Internet access. 

Colorado and Tennessee require states and other public entities to adopt a policy related to monitoring of public employees' e-mail.

Connecticut Gen. Stat. § 31-48d

  • Employers who engage in any type of electronic monitoring must give prior written notice to all employees, informing them of the types of monitoring which may occur.
  • If an employer has reasonable grounds to believe that employees are engaged in illegal conduct and electronic monitoring may produce evidence of this misconduct, the employer may conduct monitoring without giving prior written notice.
  • Provides for civil penalties of $500 for the first offense, $1,000 for the second offense and $3,000 for the third and each subsequent offense.

Delaware Del. Code § 19-7-705

  • Prohibits employers from monitoring or intercepting electronic mail or Internet access or usage of an employee unless the employer has first given a one-time written or electronic notice to the employee.
  • Provides exceptions for processes that are performed solely for the purpose of computer system maintenance and/or protection, and for court ordered actions.
  • Provides for a civil penalty of $100 for each violation.

Colorado Colo. Rev. Stat. § 24-72-204.5 

  • Requires the state or any agency, institution, or political subdivision thereof that operates or maintains an electronic mail communications system to adopt a written policy on any monitoring of electronic mail communications and the circumstances under which it will be conducted.
  • The policy shall include a statement that correspondence of the employee in the form of electronic mail may be a public record under the public records law and may be subject to public inspection under this part.  

Tennessee Tenn. Code § 10-7-512

  • Requires the state or any agency, institution, or political subdivision thereof that operates or maintains an electronic mail communications system to adopt a written policy on any monitoring of electronic mail communications and the circumstances under which it will be conducted.
  • The policy shall include a statement that correspondence of the employee in the form of electronic mail may be a public record under the public records law and may be subject to public inspection under this part.  

Privacy Policies: Government Websites

At least 17 states require government Web sites or state portals to establish privacy policies and procedures, or to incorporate machine-readable privacy policies into their Web sites.

State Statute
Arizona Ariz. Rev. Stat. Ann. § 41-4151, 41-4152
Arkansas Ark. Code § 25-1-114
California Cal. Govt. Code § 11019.9
Colorado Colo. Rev. Stat. § 24-72-501, 24-72-502
Delaware Del. Code tit. 29 § 9017C et seq.
Iowa Iowa Code § 22.11
Illinois Ill. Rev. Stat. ch. 5 § 177/15
Maine Me. Rev. Stat. tit. 1 § 14-A § 541-542
Maryland Md. State Govt. Code § 10-624 (4)
Michigan 2003 Mich Pub. Acts, Act 161 (sec. 572 (7))
Minnesota Minn. Stat. § 13.15
Montana Mont. Code Ann. § 2-17-550 to -553
New York N.Y. State Tech. Law § 201 to 207
South Carolina S.C. Code Ann. § 30-2-40
Texas Tex. Govt. Code Ann. § 10-2054.126
Utah Utah Code Ann. § 63D-2-101, -102, -103, -104
Virginia Va. Code § 2.2-3800, -3801, -3802, -3803

Additional Resources