Table of Contents
- Consumer Data Privacy Laws
- Comprehensive Privacy Laws
- Consumer Data Privacy Legislation
- Private Use of Location Tracking Devices
- Privacy of Personal Information Held by ISPs
- Children's Online Privacy
- e-Reader Privacy
- Privacy Policies for Websites or Online Services that Collect Personal Information
- False and Misleading Statements in Website Privacy Policie
- Notice of Monitoring of Employee Email Communications and Internet Access
- Privacy Policies: Government Web Sites
- Privacy Protections in State Constitutions
- Additional Resources
Contact
- Pam Greenberg
Overview
The Internet and new technologies continually raise new policy questions about privacy, and state lawmakers are continuing to address the array of privacy issues arising from online activities.
This web page documents state privacy laws in alimited number of areas: comprehensive consumer data privacy, website privacy policies, privacy of online book downloads and reader browsing information, personal information held by Internet service providers, online marketing of certain products directed to minors, and employee email monitoring. Other types of state laws address privacy and can also apply to online activities.
PLEASE NOTE: NCSL serves state legislators and their staff. This site provides general comparative information only and should not be relied upon or construed as legal advice. In addition, NCSL does not take advocate for or take a position on state legislation, laws or policies. Any external resources provided below are for information purposes only.
Consumer Data Privacy Legislation
- 2022 Consumer Data Privacy Legislation
- 2021 Consumer Data Privacy Legislation
- 2020 Consumer Data Privacy Legislation
- 2019 Consumer Data Privacy Legislation
Comprehensive Consumer Data Privacy Laws
Five states—California, Colorado, Connecticut, Utah and Virginia—have enacted comprehensive consumer data privacy laws. The laws have several provisions in common, such as the right to access and delete personal information and to opt-out of the sale of personal information, among others. Other provisions require commercial websites or online services to post a privacy policy that describes the types of personal information collected, what information is shared with third parties, and how consumers can request changes to certain information.
California
Cal. Civ. Code §§ 1798.100 et seq. (California Consumer Privacy Act of 2018 (CCPA))
Allows consumers the right to request a business to disclose the categories and specific pieces of personal information that the business has collected about the consumers as well as the source of that information and business purpose for
collecting the information. Provides that consumers may request that a business delete personal information that the business collected from the consumers. Provides that consumers have the right to opt-out of a business’s sale of their personal information, and a business may not discriminate against consumers who opt-out. Applies to California residents. (A.B. 375, Effective Jan. 1,
2020. Amended by 2018 S.B. 1121.)
Related CCPA Information:
- CCPA Regulations, California Office of the Attorney General
- California Attorney General, Background on the CCPA and the Rulemaking Process
- Standardized Regulatory Impact Assessment: California Consumer Privacy Act of 2018 Regulations, prepared for California Attorney General's Office, Aug. 2019
California Consumer Privacy Rights Act (CPRA)
Proposition 24, approved Nov. 2020, effective January 1, 2023
Expands the consumer data privacy laws. Permits consumers to: (1) prevent businesses from sharing personal information; (2) correct inaccurate personal information; and (3) limit businesses’ use of “sensitive personal information”—including precise
geolocation; race; ethnicity; religion; genetic data; private communications; sexual orientation; and specified health information. Establishes the California Privacy Protection Agency to additionally enforce and implement consumer privacy laws and impose fines. Changes criteria for which businesses must comply with laws. Prohibits businesses’ retention of personal information for longer than reasonably necessary.
Triples maximum penalties for violations concerning consumers under age 16. Authorizes civil penalties for theft of consumer login information, as specified. (Amended by 2021 A.B. 1490)
Colorado
Colo. Rev. Stat. § 6-1-1301 et seq. (2021 S.B.
190)
Creates the Colorado Privacy Act within the Colorado Consumer Protection Act. Addresses consumers’ rights to privacy, companies’ responsibility to protect personal data, and authorizes the Attorney General and district attorneys to take enforcement action for violations. Defines various terms related to covered businesses, consumers, and data, including defining the term “controller” as the person or group of people who determine how data is used and processed. The
effective date is July 1, 2023.
Connecticut
2022 S.B. 6 (Personal Data Privacy and Online Monitoring)
The Connecticut act establishes a framework for controlling and processing personal data; provides responsibilities and privacy protection standards for data controllers and processors; and grants consumers the right to access, correct,
delete and obtain a copy of personal data, and opt out of the processing of personal data. The effective date is July 1 2023.
Utah
2022 S.B. 227 (Utah Consumer Privacy Act)
Utah’s Consumer Privacy Act provides consumers the right to know what personal data a business collects, how the business uses the personal data, and whether the business sells the personal data. It also
provides that consumers may access and delete personal data maintained by businesses and opt out of the collection and use of personal data. It also requires specified businesses to safeguard personal data, provide clear information about how consumers’ personal data are used, and accept and comply with consumer requests to access, delete or stop selling personal data. The law authorizes the attorney general to take enforcement action and impose penalties. The effective date is Dec. 31, 2023.
Virginia
2021 H.B. 2307/2021 S.B. 1392 (Consumer Data Protection Act)
Establishes a framework for controlling and processing personal data in the Commonwealth. The law applies to all persons that conduct business in the Commonwealth and either (i) control or process
personal data of at least 100,000 consumers or (ii) derive over 50 percent of gross revenue from the sale of personal data and control or process personal data of at least 25,000 consumers. The law outlines responsibilities and privacy protection standards for data controllers and processors. The bill does not apply to state or local governmental entities and contains exceptions for certain types of data and information governed by federal law. The law grants consumer rights to access,
correct, delete, obtain a copy of personal data, and to opt-out of the processing of personal data for the purposes of targeted advertising. The law provides that the Attorney General has exclusive authority to enforce violations of the law, and the Consumer Privacy Fund is created to support this effort. The law directs the Joint Commission on Technology and Science to establish a workgroup to review the provisions of this act and issues related to its implementation and to report on
its findings by November 1, 2021. The effective date is January 1, 2023.
Other Key Consumer Data Privacy Laws
California
Cal. Civ. Code §§ 1798.99.80 et seq. (Data Broker Registration)
Requires data brokers to register with, and provide certain information to, the Attorney General. Defines a data broker as a business
that knowingly collects and sells to third parties the personal information of a consumer with whom the business does not have a direct relationship, subject to specified exceptions. Requires the Attorney General to make the information provided by data brokers accessible on its internet website. Data brokers that fail to register are subject to injunction and liability for civil penalties, fees, and costs in an action brought by the Attorney General, with any recovery to be deposited in
the Consumer Privacy Fund, as specified. The bill would make statements of legislative findings and declarations and legislative intent.
Nevada
NRS § 603A.300 (Requires websites in Nevada to allow users to opt-out of having their personal data sold to third parties.)
Requires an operator (e.g., a person who owns or operates an Internet website or online
service for commercial purposes or collects and maintains specified information from Nevada residents) to establish a designated request address through which a consumer may submit a verified request directing the operator not to make any sale of covered information collected about the consumer. The term “sale” is defined to mean the exchange of covered information for monetary consideration by the operator to a person for the person to license or sell the covered information to additional
persons. The law also prohibits an operator who has received such a request from making any sale of any covered information collected about the consumer. The Attorney General may seek an injunction or a civil penalty for violations.
Nevada 2021 S.B. 260, Chap. 292
Relates to Internet privacy; exempts certain persons and information collected about a consumer in this state from
requirements imposed on operators, data brokers and covered information; prohibits a data broker from making any sale of certain information collected about a consumer in the state if so directed by the consumer; revises provisions relating to the sale of certain information collected about a consumer in the state.
Vermont
9 V.S.A § 2446-2447 (Protection of
Personal Information: Data Brokers)
Requires data brokers--businesses that knowingly collect and license the personal information of consumers with whom such businesses do not have a direct relationship—to register annually with the Secretary of State. Data brokers also must provide consumers with specified information, including the name, e-mail, and Internet addresses of the data broker; whether the data broker permits a consumer to opt-out of personal information collection or data
sales; the method for requesting an opt-out; activities or sales the opt-out applies to; and whether the data broker permits a consumer to authorize a third party to perform the opt-out on the consumer's behalf. A statement specifying the data collection, databases, or sales activities from which a consumer may not opt-out and a statement as to whether the data broker implements a purchaser credentialing process must also be disclosed, among other disclosures. Data brokers also must implement
and maintain a written information security program containing administrative, technical, and physical safeguards to protect personally identifiable information.
Privacy of Personal Information Held by Internet Service Providers (ISPs)
See also 2017-2020 Privacy Legislation Related to Internet Service Providers
Nevada and Minnesota require internet service providers specifically to keep private certain information concerning their customers unless the customer gives permission to disclose the information. Minnesota also requires ISPs to get permission from subscribers before disclosing information about the subscribers' online surfing habits and Internet sites visited. Maine prohibits using, disclosing, selling, or permitting access to customer personal information unless the customer expressly consents to such. Maine also prohibits a provider from refusing to serve a customer, charging a customer a penalty, or offering a customer a discount.
- Maine - 35-A MRSA § 9301 (effective 7-1-20)
- Minnesota - Minn. Stat. §§ 325M.01 to .09
- Nevada - NRS § 205.498
Children's Online Privacy
Calif. Bus. & Prof. Code §§ 22580-22582
California's Privacy Rights for California Minors in the Digital World Act, also called the "eraser" bill, permits minors to remove, or to request and obtain removal of, content or information posted on an Internet Web site, online service, online application, or mobile application. It also prohibits an operator of a Web site or online service directed to minors from marketing or advertising to minors specified products or services that minors are legally prohibited from buying. The law also prohibits marketing or advertising certain products based on personal information specific to a minor or knowingly using, disclosing, compiling, or allowing a third party to do so.
Delaware
Del. Code § 1204C
Prohibits operators of websites, online or cloud computing services, online applications, or mobile applications directed at
children from marketing or advertising on its Internet service specified products or services inappropriate for children’s viewing, such as alcohol, tobacco, firearms, or pornography. When the marketing or advertising on an Internet service directed to children is provided by an advertising service, the operator of the Internet service is required to provide notice to the advertising service, after which time the prohibition on marketing and advertising the specified products or services applies
to the advertising service directly. The law also prohibits an operator of an Internet service who has actual knowledge that a child is using the Internet service from using the child’s personally identifiable information to market or advertise the products or services to the child, and also prohibits disclosing a child’s personally identifiable information if it is known that the child’s personally identifiable information will be used for the purpose of marketing or advertising those products
or services to the child.
e-Reader Privacy
Arizona
Ariz. Rev. Stat. § 41-151.22
Provides that a library or library system supported by public monies shall not allow disclosure of any record or other information, including e-books, that identifies a user of library services as requesting or
obtaining specific materials or services or as otherwise using the library.
California
Cal. Govt. Code §§ 6254, 6267 and 6276.28
Protects a library patron's use records, such as written records or electronic transaction that identifies a patron's borrowing information or use of library information resources, including, but not limited to, database search records, borrowing records, class records, and any other personally identifiable uses of library resources information
requests, or inquiries.
Cal. Civil Code § 1798.90
The California Reader Privacy Act protects information about the books Californians browse, read or purchase from electronic services and online booksellers, who may have access to detailed information about readers, such as specific pages browsed. Requires a search warrant, court order, or the user's
affirmative consent before such a business can disclose the personal information of its users related to their use of a book, with specified exceptions, including an imminent danger of death or serious injury.
Delaware
Del. Code tit. 6, § 1206C
Protects the personal information of users of digital book services and technologies by prohibiting a commercial
entity that provides a book service to the public from disclosing personal information regarding users of the book service to law enforcement entities, governmental entities, or other persons, except under specified circumstances. Allows immediate disclosure of a user’s book service information to law enforcement entities when there is an imminent danger of death or serious physical injury requiring disclosure of the book service information, and requires a book service provider to preserve a
user’s book service information for a specified period of time when requested to do so by a law enforcement entity. Requires a book service provider to prepare and post online an annual report on its disclosures of personal information unless exempted from doing so. The Consumer Protection Unit of the Department of Justice has the authority to investigate and prosecute violations of the acts.
Missouri
Mo. Rev. Stat. §§ 182.815, 182.817
Defines "E-book" and "digital resource or material" and adds them to the items specified in the definition of "library material" that a library patron may use, borrow, or request. Provides that any third party contracted by a library that receives, transmits, maintains, or
stores a library record may not release or disclose all or a portion of a library record to anyone except the person identified in the record or by a court order.
Privacy Policies and Practices for Websites or Online Services
California
Calif. Bus. & Prof. Code §
22575
Requires the operator of a commercial web site or online service to disclose in its privacy policy how it responds to a web browser 'Do Not Track' signal or similar mechanisms providing consumers with the ability to exercise choice about online tracking of their personal information across sites or services and over time. It also requires the operator to disclose whether third parties are or may be conducting such tracking on the operator’s site or service.
Calif. Bus. & Prof. Code § 22575-22578 (CalOPPA)
California's Online Privacy Protection Act requires an operator, defined as a person or entity that collects personally identifiable information from California residents through an Internet Web site or online service for commercial purposes, to post a conspicuous privacy policy on its
Web site or online service (which may include mobile apps) and to comply with that policy. The law, among other things, requires that the privacy policy identify the categories of personally identifiable information that the operator collects about individual consumers who use or visit its Web site or online service and third parties with whom the
operator may share the information.
Cal. Civ. Code §§ 1798.130(5), 1798.135(a)(2)(A)
Requires certain companies to disclose specified information in an online privacy policy or policies if the business has an online privacy policy or policies and in any California-specific description of consumers’ privacy rights,
or if the business does not maintain those policies, on its internet website and update that information at least once every 12 months. Requires certain companies to include a description of a consumer’s rights pursuant to Section 1798.120, along with a separate link to the “Do Not Sell My Personal Information” Internet Web page in online privacy policies.
Cal. Ed. Code § 99122
Requires private nonprofit or for-profit postsecondary educational institutions to post a social media privacy policy on the institution's Internet Web site.
Connecticut
Conn. Gen. Stat. § 42-471
Requires any person who
collects Social Security numbers in the course of business to create a privacy protection policy. The policy must be "publicly displayed" by posting on a web page and the policy must (1) protect the confidentiality of Social Security numbers, (2) prohibit unlawful disclosure of Social Security numbers, and (3) limit access to Social Security numbers.
Delaware
Del. Code Tit. 6 § 205C
Requires an operator of a commercial internet website, online or cloud computing service, online application, or mobile application that collects personally identifiable information through the Internet about individual users residing in Delaware who use or visit the operator's commercial internet website, online or cloud computing service, online application, or mobile
application to make its privacy policy conspicuously available on its internet website, online or cloud computing service, online application, or mobile application. An operator shall be in violation of this subsection only if the operator fails to make its privacy policy conspicuously available within 30 days after being notified of noncompliance. Specifies requirements for the policy.
Nevada
NRS § 603A.340
Requires operators of Internet websites or online services that collect personally identifiable information to identify the categories of information collected through its Internet website or online service about consumers who use or visit the site or service and the categories of third parties with whom the operator may share such information. Provides a description of
the process, if any such process exists, for an individual consumer who uses or visits the Internet website or online service to review and request changes to any of his or her information that is collected through the Internet website or online service.
Oregon
ORS § 646.607
Makes it an unlawful trade practice if a person publishes on a website related to
the person’s business, or in a consumer agreement related to a consumer transaction, a statement or representation of fact in which the person asserts that the person, in a particular manner or for particular purposes, will use, disclose, collect, maintain, delete or dispose of information that the person requests, requires or receives from a consumer and the person uses, discloses, collects, maintains, deletes or disposes of the information in a manner that is materially inconsistent with the
person’s statement or representation.
Other Laws Related to Disclosure or Sharing of Personal Information
In addition, California and Utah laws, although not specifically targeted to on-line businesses, require all nonfinancial businesses to disclose to customers, in writing or by electronic mail, the types of personal information the business shares with or sells to a third party for direct marketing purposes or for compensation. Under California law, businesses may post a privacy statement that gives customers the opportunity to choose not to share information at no cost.
- California Civil Code §§ 1798.83 to .84 ("Shine the Light Law")
- Utah Code §§ 13-37-201 to -203
False and Misleading Statements in Privacy Policies
Covers laws that expressly refer to false or misleading statements in online privacy policies. All 50 states also have Unfair and Deceptive Acts and Practices (UDAP) laws that can also apply to information posted online.
Nebraska
Neb. Stat. §
87-302(15)
Nebraska prohibits knowingly making a false or misleading statement in a privacy policy, published on the Internet or otherwise distributed or published, regarding the use of personal information submitted by members of the public.
Oregon
ORS § 646.607
Oregon's
law classifies the following as an unlawful trade practice if, a person, in the course of their business, vocation or occupation:
"…(12) Publishes on a website related to the person’s business, or in a consumer agreement related to a consumer transaction, a statement or representation of fact in which the person asserts that the person, in a particular manner or for particular purposes, will use, disclose, collect, maintain, delete or dispose of information that the person requests, requires
or receives from a consumer and the person uses, discloses, collects, maintains, deletes or disposes of the information in a manner that is materially inconsistent with the person’s statement or representation."
Pennsylvania
18 Pa. C.S.A. § 4107(a)(10)
Pennsylvania includes false and misleading statements in privacy policies published on Web sites or otherwise distributed in its deceptive or fraudulent business practices statute.
Notice of Monitoring of Employee E-mail Communications, Internet Access or Location Information
Connecticut, Delaware and New York require employers to give notice to employees prior to monitoring e-mail communications or Internet access. Colorado and Tennessee require states and other public entities to adopt a policy related to the monitoring of public employees' e-mail. Hawaii prohibits employers from requiring employees to download a mobile application to the employee's personal communication device that enables the employee's location to be tracked or the employee's personal information to be revealed.
Connecticut Gen. Stat. § 31-48d
- Employers who engage in any type of electronic monitoring must give prior written notice to all employees, informing them of the types of monitoring which may occur.
- If an employer has reasonable grounds to believe that employees are engaged in illegal conduct and electronic monitoring may produce evidence of this misconduct, the employer may conduct monitoring without giving prior written notice.
- Provides for civil penalties of $500 for the first offense, $1,000 for the second offense and $3,000 for the third and each subsequent offense.
Delaware Del. Code § 19-7-705
- Prohibits employers from monitoring or intercepting electronic mail or Internet access or usage of an employee unless the employer has first given a one-time written or electronic notice to the employee.
- Provides exceptions for processes that are performed solely for the purpose of computer system maintenance and/or protection, and for court-ordered actions.
- Provides for a civil penalty of $100 for each violation.
Hawaii 2021 H.B. 1253
Prohibits an employer, with certain exemptions, from:
- (1) Requiring an employee or prospective employee to download a mobile application to the employee's personal communication device that enables the employee's location to be tracked or the employee's personal information to be revealed as a condition of employment or continued employment; or
- (2) Terminating, discharging, or otherwise discriminating against an employee for: (A) Refusing to download or refusing to consent to download to the employee's personal communication device, a mobile application that enables the employee's location to be tracked or the employee's personal information to be revealed; or (B) Opposing any practice forbidden by this Act or filing a complaint, testifying, or assisting in any proceeding concerning an unlawful practice prohibited under this Act.
New York Civ. Rts Code § 52-C*2 (effective May 7, 2022)
Requires private sector employers who monitor or intercept telephone conversations or transmissions, electronic mail or transmissions, or internet access or usage of or by an employee by any electronic device or system, to give prior written notice upon hiring to all employees who are subject to electronic monitoring.
Provides for enforcement by the attorney general. Employers found to be in violation is subject to a maximum civil penalty of $500 for the first offense, $1,000 for the second offense and $3,000 for the third and each subsequent offense.
Colorado Colo. Rev. Stat. § 24-72-204.5
- Requires the state or any agency, institution, or political subdivision thereof that operates or maintains an electronic mail communications system to adopt a written policy on any monitoring of electronic mail communications and the circumstances under which it will be conducted.
- The policy shall include a statement that correspondence of the employee in the form of electronic mail may be a public record under the public records law and may be subject to public inspection under this part.
Tennessee Tenn. Code § 10-7-512
- Requires the state or any agency, institution, or political subdivision thereof that operates or maintains an electronic mail communications system to adopt a written policy on any monitoring of electronic mail communications and the circumstances under which it will be conducted.
- The policy shall include a statement that correspondence of the employee in the form of electronic mail may be a public record under the public records law and may be subject to public inspection under this part.
Privacy Policies: Government Websites
At least 16 states require government Web sites or state portals to establish privacy policies and procedures, or to incorporate machine-readable privacy policies into their Web sites.
| Arizona | Ariz. Rev. Stat. Ann. § 41-4151, 41-4152 |
| Arkansas | Ark. Code § 25-1-114 |
| California | Cal. Govt. Code § 11019.9 |
| Colorado | Colo. Rev. Stat. § 24-72-501, 24-72-502 |
| Delaware | Del. Code tit. 29 § 9017C et seq. |
| Iowa | Iowa Code § 22.11 |
| Illinois | Ill. Rev. Stat. ch. 5 § 177/15 |
| Maine | Me. Rev. Stat. tit. 1 § 14-A § 541- 542 |
| Maryland | Md. Gen. Prov. Code § 4-501 |
| Minnesota | Minn. Stat. § 13.15 |
| Montana | Mont. Code Ann. § 2-17-550 to - 553 |
| New York | N.Y. State Tech. Law § 201 to 207 |
| South Carolina | S.C. Code Ann. § 30-2-40 |
| Texas | Tex. Govt. Code Ann. § 10-2054.126 |
| Utah | Utah Code Ann. § 63D-2-101, -102, -103, -104 |
| Virginia | Va. Code § 2.2-3800, - 3801, -3802, -3803 |
Additional Resources
- NCSL Privacy, Cybersecurity and Data Security Overview
- NCSL Privacy Work Group
US State Comprehensive Privacy Law Comparison, IAPP