Despite its high-tech advances, the United States lags behind other developed countries in protecting consumer privacy. Unlike most other developed countries, the United States has only a patchwork of federal privacy laws, primarily aimed at specific sectors like healthcare and finance. Even China, with all its government surveillance, is making better headway in restricting how companies handle its citizens’ private data.
The U.S. Congress has made attempts as recently as 2012 to enact a baseline federal consumer privacy law (known as the Consumer Privacy Bill of Rights). Currently, on the heels of the European Union’s General Data Protection Regulation (GDPR), new discussions indicate renewed interest from U.S. lawmakers in this topic.
Congress, however, is not known for acting fast, and it could still be years before anything close to GDPR is enacted. In the meantime, the U.S. states have been carrying the flag for their own residents: Every state has at least one law that protects some aspect of online or data privacy.
Different types of state privacy and security laws
The state legislation related to data breaches and consumer privacy is not homogenous, and even definitions such as personally identifiable information (PII) vary from state to state. But generally speaking, the laws fall into similar categories.
At a high level, there are three major categories of state laws:
These laws regulate how either government or private entities need to dispose of PII, whether by destroying it or making it unreadable in other ways. As of January 1st, 2019, at least 35 states had data disposal legislation, according to the National Conference of State Legislatures (NCSL).
Among those 35, some were more limited in scope. For example, Arizona’s applies to paper records only, Delaware’s is limited to employers and Wisconsin’s only covers specific industries.
*** This is a Security Bloggers Network syndicated blog from Infosec Resources authored by Rodika Tollefson. Read the original post at: http://feedproxy.google.com/~r/infosecResources/~3/dJ-2tAE7oSA/