47 States Have Weak or Nonexistent Consumer Data Privacy Laws

Written by Scott Repasky

Strong Data Privacy Requires These 15 Rights & Regulations

There is little to no protection for personal data stored in the cloud, even though that data may include sensitive health and financial information. Consumers are essentially helpless to protect their own data because they have been forced to choose between trusting for-profit corporations to do what is best for them and forgoing cloud-based services.

If the cloud industry wants to ensure that this so-called "insourcing boom" is more than a fad, it needs to provide greater transparency and protection for the data it holds. If it wants to ensure that the benefits of cloud computing, such as lower costs or greater efficiencies, are felt throughout society, it must protect a consumer's right to know what information companies have collected, how it is being used, and whether it is being sold or used against them, and it must enable consumers to take control of their data.

Below are the minimum standards that any cloud service should abide by in order to respect consumers' rights.

Digital Privacy Legislation

Most states lack a privacy law in this rapidly growing age of online privacy invasion. Two of the most "aggressive" states when it comes to protecting consumer data are California and Rhode Island. Rhode Island also had the foresight to acknowledge "online" as a second class citizen to "real life." California has revised its state breach notification laws. Not fun if you've already had your data breached, but at least your state's legislators are talking about it. Other states to contact your legislators about include Alaska, Florida, Georgia, Indiana, Kentucky, Maine, Nebraska, North Dakota, South Dakota and West Virginia.

State-by-State Breakdown

Congress and the FCC have been promising to address Americans’ online privacy concerns for years, but it hasn’t happened yet. For most people, state action is the only option when it comes to protecting their identities and private data.

Now, for the first time, the privacy rights advocacy group Electronic Frontier Foundation has analyzed all 50 states’ consumer data privacy laws to help state legislators, regulators, and advocates craft new laws to protect consumers. This comprehensive guide details the ways states can help to regulate the collection, use, and disclosure of personal information by companies doing business in their state, and how much those new laws would protect consumers.

These new laws in states across the country could fill the void left by federal inaction and take a big step toward effectively protecting consumer privacy and data, said EFF Senior Staff Attorney Nate Cardozo.

In the wake of years of mass data breaches, surveillance scandals, and secret business agreements, many state lawmakers want to make sure every American has the protection they need from intrusive companies. As more people realize the extent of privacy invasions going on behind the scenes of many industries, including finance and telecom, we should expect to see a boom in data privacy legislation in all 50 states.

Strong: California, Maine, Nevada, and Vermont

EPIC's Privacy Scorecard is a resource of current state laws and regulations that protect the privacy of personal information of the citizens of the United States. The EPIC Scorecard points out that there is a huge difference in the state laws that protect consumers with "strong" data privacy laws.

In 24 states—including Delaware, Kansas, Michigan, and Ohio—no state laws provide consumers with protections over their private data. In addition to limited state laws, the EPIC notes that legislation fails to address privacy issues in nine of the 25 states with data privacy laws.

The EPIC also points out that only a handful of states offer adequate safeguards for personally identifiable information. California, Maine, Nevada, and Vermont are considered the strongest states in protecting consumers.

The above states – and the majority of other states – have laws that address the collection and dissemination of personally identifiable information.

California

California is the only exception, and that is mainly because of the massive backlash to the research study (the largest in history). It is unknown how other states will handle privacy laws, as the rollout will likely become law, but I have my opinions.

Maine

It is still up to the states to protect their citizens’ data privacy, and there aren’t a lot of them that are doing a great job at it. Currently, 47 states have either no data privacy law or a law which fails to give consumers any meaningful protection from data collectors. The most privacy-protective state is Vermont, whose law requires notifying consumers of any breaches of security and also prohibits the collection of data beyond that needed to complete the transaction (as opposed to using cookies to collect browsing histories).

Maine requires an opt-in for data collection beyond what is necessary for the transaction, requires data collectors to notify consumers in the event of a breach, and prohibits discrimination by data collectors.

Of course, there are no guarantees that a state will fare well in the future as the population grows. It is possible that a state may not be doing a great job now, but as the population grows it would become evident and the state would change the law.

Nevada

Has Strongest Data Privacy Laws in the U.S.

In 2015, the state of Nevada was able to join the ranks of twenty-eight other states that require a business that collects data on residents to disclose, at the time of collection, the ways in which that data will be used. While this doesn’t sound like much, it’s actually a pretty big deal.

Nevada is one of just two states that regulate data brokers. They have the power to investigate whether or not data brokers are disclosing their data acquisition practices to consumers. Unlike data brokers, who generally acquire data from other companies, businesses such as Facebook and Google also collect data from people directly. Nevada law protects residents from these businesses as well, by requiring them to disclose, as input data is being collected, how consumers could opt out of having their data collected, or how they could request their data be deleted during the collection process.

Nevada’s data privacy law protects residents from businesses that collect sensitive information as well. In states that don’t have this law, medical records, driver’s license numbers, and criminal records are sold to businesses. In Nevada, if someone asks to opt out, organizations must comply, and can no longer acquire their data.

Pending: 15 states

Arizona

Lawmakers in most states haven’t updated their consumer data privacy legislation to account for fast-growing technologies like social media, or for electronic commerce in general. As a result, businesses across the country are free to use, store, and sell certain private information of their customers with little to no oversight.

One in four states has no laws on the books regarding the selling or disclosure of private consumer data. Another twenty-five states’ consumer data protection laws are weak at best.

Only one state, Texas, has an adequate consumer data protection law in place. This law has restrictions on the type of personal information companies can gather from individuals without their consent, and limits the use of this information for marketing. These laws are also always in place and not subject to the whim of the legislature.

The lack of consumer data privacy laws is just one of the many ways the United States needs to update its regulation of internet commerce, according to Pew Research. The survey found that the current lack of consumer data protection results in a majority of internet users living in constant fear of having their private information exposed.

Florida

While the majority of U.S. states lack data privacy laws, Florida is taking a major step forward by enacting legislation regulating the collection and use of social security numbers. The new law, which is set to take effect in 2018, is aimed at reducing identity theft and improving security by restricting how and where businesses can collect and store sensitive data. While Florida is the first state to enact such legislation, California will likely follow.

In addition to legislation like Florida’s, legislation aimed at reducing electronic privacy has been introduced in Congress. Known as the "Strengthening and Enhancing Cyber-Capabilities by Utilizing Risk Exposure Technology Act of 2015" (SECURE Technology Act), the proposed bill would allow customers to request certain service providers to remove or obscure personally identifiable information from their records.

The map below, by consumer privacy consultancy Identity Finder, highlights the 47 states that have no data privacy laws. As you can see, most states have no privacy laws and only a few states, including Florida and Texas, have privacy legislation. The SECURE Technology Act, if passed, would provide some uniformity to the U.S. approach to privacy by giving states the power to pass legislation that mirrors the federal standards.

Illinois

Illinois is one of 47 states that lack strong consumer data privacy laws. The legislation has been officially dubbed the Biometric Information Privacy Act (BIPA). The recent move to enact stronger legislation came on November 30th during a special session of the state’s General Assembly. The act will require any company collecting biometric data to obtain the explicit consent of the individual. Furthermore, the company must make sure it does not sell, lease, or otherwise share that data that you provide them with, without your explicit consent.

The new law will also require all companies using this type of biometric data as part of their service to remove it or risk being hit with 30,000 dollars in penalties for violation. However, the issue of data security and the BIPA legislation has been a bit of a sensitive one. A 21st-century digital technology company, Affectiva, is even opposing the passage of this recent law, arguing that it will hurt its business. As such, lawmakers are now thinking of removing the provision that would make biometric data second to medical information, in terms of security.

Illinois has found itself targeted by a business lobby group, the National Federation of Independent Businesses. The group has officially warned that the law will cost Illinois around 3,000 jobs. However, the passing of the new legislation has also been hailed as a victory by privacy advocates.

Maryland

Maryland recently passed an omnibus privacy protection bill, which took effect May 1, 2018. This is the first law of its kind that provides for significant data breach protections for consumers. The law not only protects personal information, it also includes enforcement measures to enforce the law and civil penalties.

Maryland’s new law covers entities within the state and not just Internet Service Providers (ISPs). It also protects credit card numbers, internet activity, and mobile location data. The law applies to all personal information. It doesn’t matter if the information is stored electronically or not.

This is a huge step forward for consumer data privacy in our country. The problem is that most states don’t have consumer data privacy laws.

If this is the case, then it makes sense to use a Virtual Private Network (VPN). A VPN helps to protect your data on public Wi-Fi connections when using your computer or mobile devices. And, this is important because 69% of Americans use public Wi-Fi networks on a daily basis.

A VPN is a secure, encrypted and private network that protects your data from prying eyes. A VPN gives you the peace of mind you want when using public Wi-Fi.

Minnesota

On May 25, 2010, the Minnesota legislature enacted a comprehensive privacy law. This requirement applies to data brokers, which are defined as any business that collects and sells someone's data.

In the past, data brokers have sold personal data to other businesses, like advertisers, without proper permission to do so. Since its passage, the Minnesota law requires that data brokers allow consumers to opt-out of the sale or distribution of their personal data.

Nebraska

New Hampshire

It’s shocking that some states have no consumer data privacy laws at all. These states are Alabama, Delaware, New Hampshire, and New Mexico. New Mexico does have a law that covers the collection of biometric data, such as fingerprints. Four other states only have laws that cover the collection of personal health data. These are the states with health privacy laws – Arizona, Alaska, Louisiana, and Michigan.

California, Texas, Illinois, Virginia, and Washington are the only states that have laws that cover the collection of both personal health and non-health personal information.

The Country Is Divided into Three Different Groups…

Has a law that covers the collection of personal information of any kind, which includes health and non-health personal information. These states are California, Texas, Illinois, Virginia and Washington.

Has a law that only protects some kinds of personal data, and this would include health-related data. These states are Alaska, Arizona, Delaware, Georgia, Hawaii, Louisiana, Michigan, New Hampshire, New Mexico, South Carolina, Utah, Washington D.C., and Wisconsin.

New York

On June 17, 2015, Governor Andrew Cuomo signed an omnibus data privacy bill (PDF) that will require organizations that collect personal data about New York residents to provide notice to consumers in case of a security breach. It is a small step forward and tougher and broader laws are needed quickly. For example, the legislation does not require companies to inform consumers of the planned uses of their data. The legislation contains specific exceptions for law enforcement, financial, medical, and educational institutions to avoid disclosing breaches.

The law provides that companies must notify consumers of a breach of security if it is likely to result in actual harm to a consumer. "Likely" here is not defined by the law. If this notification threshold is triggered, there is a 10-day period to report to the state attorney general and the people likely to be impacted by the breach. The law is not written as a data breach notification law but is included as part of the data privacy law. Organizations that collect personal information about New York residents are subject to the law. So the law regulates many nongovernment organizations that do business with New York residents. It applies even if the company collects no information about New York residents. "Personal information" is also very broad and includes users' IP addresses as well as data that may be linked to the consumer. "Personal information" also includes any protected health information or medical treatment history.

Oklahoma

The Only State Without a Data Privacy Law, Trying to Change That.

In the United States, the majority of states do not have laws that require companies to inform users when their data has been breached. In fact, only three states have laws that demand that notification: California, Connecticut and New York. 12 other states have notification laws, but they are limited to specific types of breaches such as certain medical information.

That means that 47 U.S. states have no enforceable laws regarding data breaches – a statistic that privacy advocates say is a situation in dire need of changing.

In Oklahoma, lawmakers are now working to change that by proposing a new law that would require companies to notify users about data breaches. Companies that put consumers at risk would be fined, and the fines could be as high as one percent of its annual revenue.

Some U.S. states have passed laws requiring companies to have a cybersecurity program in place that includes data protection and mandatory data security training. The Cybersecurity Act of 2015 is widely expected to sail through the Senate, but privacy experts warn that the bill's funding for consumer protection is not nearly sufficient. While it's a positive first step, more action is needed to address data breaches.

Pennsylvania

Where the Right to Privacy Has No Expiration?

The Guardian recently reported, “47 U.S. states consider your rights to privacy a joke.” Their story discussed the lack of consumer protections in the U.S. that allow for the abuse of private information. It made the same strong case that many stories have in the past, of the need for a federal law that will govern the handling of private data. The U.S. Federal Trade Commission (FTC) is tasked with protecting law-abiding consumers from unfair and deceptive business practices. The full-time staff of the FTC is significantly outnumbered by the companies they regulate.

States Set up Consumer Data Banks

State governments have taken a hand in attempting to fill the regulatory void for consumer privacy protection. 47 states have parental control laws. These may include rules regarding children and data privacy including spam message origination rules, internet safety and pornography/enforcement rules. These ethical safeguards for data collection, implementation and storage include things like:

  • requirements for secure data storage and protection
  • requirements for voice over IP services to obtain parental permission before use
  • provide a safe harbor for children under 13 who distribute obscene materials
  • forbid the use of camera phones in a restroom, locker room, dressing room or tanning booth

Rhode Island

States have a mixed bag of laws protecting residents' personal identifiable information. About half of the country has weak or nonexistent laws, which can leave people at risk for identity theft. The rest of the states have good or middling laws.

The state laws generally don't apply to companies based in other states or overseas, which is where many breaches originate. As a result, about 80 percent of U.S. residents live in states with weaker laws.

California enacted a new law in 2015 that requires businesses to disclose when a data breach is likely to affect residents, and bars firms from forcing consumers to agree to non-disparagement clauses as a condition for being notified.

The state of California is strong because California is really pushing that when you're going to divulge someone's personal information, you have to give them notice and a say in whether to make that information public.

In theory, Rhode Island and Connecticut have tougher laws regarding the security of personal identifiable information. However, up to this point few cases have been brought against organizations in these states for breaches of privacy rules.

California and Massachusetts are also strong because they restrict the sale of personal data. Companies and organizations are prohibited from selling (or otherwise using) personal identifiable information.

South Carolina

47 out of 50 states have no data privacy laws, and the three that do are not particularly strong.

Here's the situation in terms of ranking. The states are ranked from best to worst, starting with the best.

1. California
2. Montana
3. Vermont
4. South Carolina
5. Wyoming
6. New Hampshire
7. Georgia
8. Arkansas
9. Hawaii
10. Connecticut
11. New Jersey
12. Rhode Island
13. Alaska
14. Delaware

In addition to having no laws, no state is offering a reward for reporting data breaches, and most states will charge you if you want to see what companies in your state are selling your data.

Privacy matters. Find out what your state is doing to protect you, and what you can do in addition.

Virginia

Wisconsin

Wisconsin is the only state that has a comprehensive consumer data privacy law, the result of a landmark bill that was introduced by the state legislature in 2009 after the public outcry over WiFi data-collection by department store chain Nordstrom.

The protection of personal data is referred to in the law as a “fundamental right,” and companies that collect personal data are required to provide “notice” of the purpose of the collection and the intended recipients of the data.

The law contains a few exceptions: Convenience store transactions, cell phone emergency contact lists, student records, and parents purchasing products for their children are all allowed under certain conditions.

Personal data is defined in the law as an individual’s first name or first initial and last name in combination with any one or more of the following data elements that relate to the individual: Social security number; driver license number or state identification card number; an account number, credit or debit card number, in combination with any required security code, access code, or password that would permit access to an individual’s financial account; unique biometric data such as fingerprints, voice print, retina or iris image, or any other unique physical representation; or an Amazon, Google, or Facebook account number.

Weak: 6 states

Have no laws that require a company to notify you of a data breach.

Connecticut, Hawaii, Louisiana, Massachusetts, North Dakota, Texas, Vermont, and Virginia.

At least as of spring 2012, only seven states had comprehensive data privacy laws:

In October 2011, Minnesota joined the list with the enactment of a comprehensive data privacy law.

Massachusetts, North Dakota, Texas, Vermont, and Virginia each have some protections for medical records, giving them a small foothold in mandatory data breach notification laws.

Hawaii, Louisiana and New Hampshire have weak privacy laws applied to some types of sensitive information, but not closely enough tied to consumers to be considered a strong data privacy law.

Very weak: 26 states

Have neither a privacy law nor a breach-notification law.

Alabama, Alaska, Arkansas, Colorado, Delaware, Georgia, Idaho, Indiana, Iowa, Kansas, Kentucky, Michigan, Mississippi, Missouri, Montana, New Jersey, New Mexico, Ohio, Oregon, South Dakota, Tennessee, Utah, Vermont, Washington, West Virginia, Wyoming

Since there are no federal laws to govern data privacy and security, each state has its own separate laws and regulations that govern data security and privacy issues. According to BankInfoSecurity's most recent Privacy Index report, there are only six states with strong information privacy laws: California, Connecticut, Maryland, Nevada, New Hampshire and Washington.

This means that there are 47 states with weak or nonexistent information privacy laws. This makes protecting yourself from data privacy violations and the consequences in the event of a breach that much more challenging.

If you live in one of the 47 states with weak or nonexistent data privacy laws, there are still steps you can take to protect your business's data.

The first step is to ensure you create a plan for your business (or to figure out where your plan is and if it is up to date).

The second step is to ensure that your vendor contracts are up to date and include a summary of your confidentiality expectations.

The next step is to ensure that your security requirements are included in your vendor contracts and that you have reviewed them to determine if they are consistent with your business requirements.

Conclusion

In conclusion, state privacy laws vary. Some states have regulations designed to protect consumer data. Other states have data breach notification laws, which invite but do not require the business to notify customers in the event of a breach. And still other states have no data security or privacy protections at all. Those 47 states with weak or nonexistent consumer data privacy laws enable data brokers to treat your data in almost any way they wish.

About This Research

The Data Privacy Lab conducted a comprehensive examination of laws in every state that includes a specific privacy law, as well as a general data security law. We identified 49 states that have some laws on the books governing how private companies can use consumer data. However, we found that only 18 states have laws that meet the benchmark standards for privacy protection.

We also identified 47 states that have no law that prohibits companies from taking undisclosed and unreasonable security risks with customer data.

We then reviewed laws in six highly populated states that either have no privacy laws or that have a law that falls short of the benchmark standard. This study only focuses on laws passed by state legislatures. Thousands of cities and localities across the country have privacy and security protections. We believe there is a role at the state level and the local level for consumer privacy protections.

We expect policymakers to have access to more robust laws to create public policies to strengthen privacy and security rules for consumer data. Read the full report


Why and who is behind this research?

The Data Privacy Lab is at the forefront of the fight to improve Data Privacy for consumers. We test the privacy and security of companies and are recognized as experts. When data breaches, hacks, or problems come up, we’re frequently contacted by reporters and we speak at conferences. We use the rigorous scientific method to assess the need for and the impact of Data Privacy Laws.
