Europe’s General Data Protection Regulation (GDPR) has already begun to change the data collection practices of ecommerce businesses across the western world. But what about the United States?
While there is federal data management legislation for specific economic sectors in the US (healthcare and finance, for instance), the US does not have any federal laws governing data privacy that can compare to the strict and comprehensive GDPR compliance requirements.
As a result, companies have been pressured to comply with a plethora of new United States privacy laws. Running a legally compliant business in the US has never been more challenging.
1. The 4 Main Areas of Data Oversight
There are four major categories of data oversight that US state governments have been addressing in recent legislation:
- breach notifications
- data security
- data disposal
- non-PII (non-personally identifiable information) privacy
Each of these categories pertains to the ways user information is maintained, used, and shared.
1. Breach Notifications
Breach notifications are the only privacy issue addressed in all 50 states. This is largely due to a widely publicized data mishap in 2005.
In February of that year, ChoicePoint (a financial data collector) disclosed it had erroneously sold the data of 145,000 people to a criminal organization. Californian consumers were the only ones notified of this breach, however, because California was the only state at the time with a mandatory breach notification law.
Since then, all 50 states plus the District of Columbia, Puerto Rico, Guam, and the Virgin Islands have implemented rules requiring notification to individuals when their personal information (PI) has been compromised.
Differences Between State Legislation
Some states specify which entities — individuals, businesses, and/or governments — must notify citizens that a breach has occurred.
A few states have also amended previously existing bills to further clarify or expand upon the type of potentially compromised data that necessitates a breach notification.
For instance, Massachusetts defines ‘personal information’ as the person’s name in combination with any of their driver’s license number, social security number, state identification card or financial account information.
New York, however, defines it as any information concerning a data subject that can identify that subject, including names, numbers, symbols, marks or other identifiers.
Other states have also defined what constitutes a ‘breach,’ how and when the notification must be issued, and whether there are exemptions from the rule.
The remaining three concerns are managed as each state sees fit within its jurisdiction:
2. Data Security
In general, these laws govern how a business collects, stores and keeps its confidential consumer data safe. In addition to safeguards that prevent or deter hacks or intrusions, most of these regulations also impose standards regarding access to, usage of, and disclosure of data. Some states are more rigorous than others when it comes to keeping their citizens’ data safe.
3. Data Disposal
Data disposal laws apply to information in both paper and digital form that is no longer relevant to the enterprise. After it achieves its purpose or the customer relationship ends and the PII isn’t needed, the entity must dispose of it using a method that renders the sensitive information unreadable or indecipherable.
Some businesses and government agencies handle this duty in-house, while others contract it out to a third-party. In most states, the collector of the information retains liability if the third-party contractor fails to properly dispose of the data.
4. Non-PII privacy
States with such regulations aim to closely monitor and restrict how businesses / organizations use non-PII data collected from their customers — data such as how many times a user visits a page, how long they stay, and what they look at while they’re there.
Many companies also share or sell this data to third parties who use the information for their own proprietary needs. Several states have passed bills that identify specific types of non-PII data that they believe are worth additional levels of protection.
2. Data Privacy Laws by State
For e-commerce sites, America’s data management matrix can be confusing since not every state addresses the four key areas of data oversight. Not to mention, no two rulesets are exactly alike.
If you are doing business online (and therefore likely in all 50 states), your company should become adept at managing its data according to the laws of states where the regulations are most stringent, regardless of your physical location.
Alabama was the final state to enact a breach notification law on March 28th, 2018 (going into effect June 1st of the same year). Titled “The Alabama Breach Notification Act”, this piece of legislation applies to both businesses and the third party services they employ.
There is also a provision in this bill that demands the “sensitive personal information” of users be destroyed after it is no longer being used, which runs consistent with other states that mandate data disposal.
Alaska’s “Personal Information Protection Act” became the law of the land on July 1st, 2009. Besides mandating the disposal of user data after it has been used for its intended purpose, it also requires businesses to notify users “expeditiously” of a breach, or face up to a $500 per-person fine.
While Arizona’s first breach notification law was passed in 2006, it was amended on April 11th, 2018 to clear up some vague language about notification timing. At this point, all people, government agencies, and companies who process the PII of others must inform those affected by a breach within 45 days of determining a breach has occurred or face severe fines.
Arizona law also includes provisions related to the disposal of data, which applies to both government and business entities.
The “Arkansas Personal Information Protection Act” requires businesses to notify consumers “in a timely manner” that their data has been compromised. While a consumer could argue a business didn’t do so and seek compensation through the courts, such vague legal language leans in favor of businesses rather than those whose information was affected.
In California, data security regulations apply to businesses that collect or maintain PII, as well as their third-party contractors. The rules governing notifications include informing the victim what happened, what information was involved, and what the entity is doing about it. Disposal methods include shredding and erasure.
California’s privacy laws are considered by many to be the most stringent in the US, covering consumer data, children’s online privacy, e-reader privacy, do not track, and websites and online services. California also requires non-financial businesses to disclose to customers the types of entities with which they share their information.
California also has individual laws that govern specific types of data and usages. Consumer privacy rules require companies to inform consumers what they’ve collected about them, who they’ve shared it with and how it is used. Consumers can opt out if they choose.
Child online privacy rules limit the content and scope of advertising placed on sites that attract children and permit children to have information about them removed. E-Reader privacy protects the content of library records, including digital records, search records, and any other information that can identify the consumer.
The “Colorado Consumer Protection Act” went into effect in 2016, and it requires businesses to have a policy for the destruction of consumer personal information. It doesn’t have a specific deadline for breach notifications (using unclear, “as soon as reasonably possible” language).
However, in June 2018, the “Protections for Consumer Data Privacy” was passed into law. This bill demands breach notifications be made within 30 days, or a business (or government entity) could face penalties from the attorney general. In terms of timing, this makes it the strictest breach notification legislation active in the US today.
Connecticut aims its data security measures at two specific economic sectors:
- Health centers and insurers — such businesses and agencies must safeguard the PII of insureds and enrollees from whom they collect.
- Contractors — The data security law also specifies the structure needed for an adequate data security system of any contractor that receives PII from a state agency or contracted agents of the state.
Notifications are governed by General Statute 36a-701b, and the rules governing data disposal apply to businesses but not to the government. Connecticut does not have specific statutes regarding consumer or children’s data privacy, but its requirement for online businesses to create a ‘publicly displayed’ privacy protection policy for social security numbers is included in its data disposal statute.
Connecticut also requires employers within the state to notify their workers if they monitor their email accounts or internet access.
Delaware’s state government restricts the scope and content of information directed at children by websites, cloud-based technology, online service providers, and mobile or online apps.
Delaware also limits the sharing of PII related to any library user (actual or online), but does allow the release of that information to law enforcement agencies if necessary. Further, eBook providers (e.g. Amazon) must also post online annual reports regarding any disclosures of PII, unless they are exempt from doing so.
Chapter 501 of Florida’s “Regulation of Trade, Commerce, Investments, and Solicitations” statute requires businesses to dispose of customer records when they are “no longer to be retained.”
It also includes a 30-day breach notification clause. However, there are two scenarios in which this 30-day window can be extended or potentially waived:
- A breach notification is deemed by a federal, state, or local government entity to negatively impact a criminal investigation.
- The breach is deemed by government authorities to not cause financial harm or identity theft to those affected.
All breaches that occur, whether they fall into the previously stated categories or not, must be reported to the attorney general and kept on record for five years.
Georgia passed a breach notification law in 2005 following the ChoicePoint data scandal, and now in 2018 the state government is trying to strengthen this legislation further by enacting the “Personal Data Security Act.”
Although its status is currently pending, this bill would be a big step toward greater data breach transparency if it passed into law — requiring businesses to follow stricter data protection measures, and mandating breach notifications by both companies and third party service providers whenever a breach occurs.
Hawaii’s existing legislation pertaining to data breaches uses vague language — stating how entities that collect consumer information must notify affected parties of a data breach “without unreasonable delay”.
The Hawaiian state government also requires businesses to have a data disposal policy in place (which came into effect in 2011).
Similar to Hawaii, Idaho also uses less severe (or more pro-business) language in its statute regarding data breaches. Businesses must only “give notice as soon as possible to the affected Idaho resident,” and this process can be delayed if law enforcement agencies deem it necessary.
Idaho currently has no legislation mandating data disposal, data security, or non-PII privacy.
The Illinois Personal Information Protection Act was just updated in 2017, and is considered to be one of the more stringent privacy laws enacted by any US state. It mandates breach notifications, as well as data disposal policies for businesses.
Also worth noting is their newly passed Biometric Information Privacy Act, which demands written consent for the collection of biometric data. Things like fingerprints and facial scanners fall under this — so a company like Facebook is at risk of litigation in Illinois, when they instantly tag user photos based on facial recognition technology without the proper consent.
Since 2006, Indiana has had laws in place to:
- Ensure businesses notify customers in the event of a breach, and
- Make sure companies and other entities have a strategy in place for destroying personal information after it’s been used
The state government also advises businesses on what to do in the event of a breach, and encourages tighter security measures to mitigate breaches in the future.
Iowa officially made breach notifications the law of the land on July 1st, 2014. Any entity (government, business, or otherwise) who encounters a security breach that affects at least 500 Iowa residents must not only notify those residents, but also submit a written notification to the Attorney General’s Consumer Protection Division within five business days after informing them.
In 2012 Kansas passed a statute regarding breach notifications, and how any entity collecting consumer information must issue them in the event of a breach.
Furthermore, if the aforementioned breach affects 1,000 consumers or more, it is necessary to inform all consumer reporting agencies across the US of “the timing, distribution, and content” of the notifications.
Data breach notifications are mandatory for public agencies… and non-affiliated third parties according to Kentucky data privacy law. Destruction/disposal of data is also acknowledged in their privacy statutes.
Also worth mentioning is that KRS 365.734 (which went into effect in July 2014) restricts the use of student PII by cloud computing service providers — barring them from collecting email addresses, phone numbers, photos, and other such data that helps identify students. Similar statutes will likely pop up more across the US as we head into a more privacy-conscious future.
Louisiana passed its own Database Security Breach Notification Law in 2015, likely due to the fact that breaches are becoming a more common (and serious) problem across the world (43% of American companies were found to have been affected by a breach the previous year).
This law was further modified in July 2018 to include a data disposal statute, a breach notification timeline (60 days from discovery to notify), as well as data security measures companies must take to ensure the protection of their users.
Maine has a thoroughly worked-out breach notification statute that requires both businesses and third party vendors to notify affected parties of a breach (unless law enforcement postpones the process to aid in a criminal investigation).
Consumer reporting agencies and state regulators must also be notified in event of a breach. The state website also provides tips for preventing breaches from happening in the first place that are worth investigating.
Maryland’s Personal Information Protection Act was just amended in 2017 to include a 45-day window for breach notification, making it one of the more severe data breach laws enacted by any US state.
This amendment widens the range of data that must be disposed of by companies. Originally, only customer records needed to be purged following their use. Now, records of employee and former employee PII must be destroyed as well.
Massachusetts’s newest data protection law (boisterously titled the “Standards for the Protection of Personal Information of Residents of the Commonwealth”) demands businesses take measures to protect the security of their customers’ data, as well as mitigate breaches.
This law was signed with proactive rather than reactive data security in mind, making it more in line with the GDPR than legislation found in other states. It mandates data encryption, pushes for monitoring and reinforcement of security systems, and encourages the education of employees to reduce human error as much as possible.
Michigan has had legislation addressing data breaches since 2004, but does not give a specific timeframe for breach notifications. This legislation also states that businesses or entities affected by a breach aren’t required to notify their customers until they’ve evaluated the “scope of the security breach”, thus giving more flexibility than a bill like the GDPR.
Data disposal is also required (and has been since 2004 as well). Not adhering to this statute could result in fines (levied by the state government), and/or civil action.
Minnesota’s government regulates how Internet Service Providers (ISPs) manage the PII and other information they receive from users. It also requires ISPs to get permission from their subscribers before disclosing non-PII data to third-parties, including online ‘surfing’ habits and the identities of the sites their subscribers visit.
Minnesota also has a breach notification statute in place that requires companies to notify users “without unreasonable delay” if their data is compromised. If the breach affected over 1,000 users, consumer reporting agencies must be contacted immediately (48 hours maximum to comply).
“House Bill No. 583” was enacted in 2010, and requires businesses that collect user data to have a means for notifying affected individuals in the event of a data breach. This bill also lists out the various methods of acceptable notification, which include:
a.) written notices
b.) telephone notices
c.) electronic notices
Substitute notification methods are also acceptable if the previously listed ones would cost a business in excess of $5,000 to perform — an example being to notify the statewide media (newspapers, TV, etc.).
Missouri’s state government revised a statute in 2011 to ensure “any person that owns or licenses [PII] of residents of Missouri” must be ready to notify such residents if their data ever falls into the wrong hands.
Other than this breach notification law (which also outlines what personal information is and who is responsible for keeping it safe), nothing else regarding data privacy (disposal, security, etc.) is mentioned in their legislation.
In 2015, Montana expanded their breach notification law to ensure medical entities / businesses that collect medical information inform their consumers in the event of their information being compromised. The attorney general must be told of every breach scenario as well.
Montana also requires businesses to have a data disposal strategy in place. However, this same piece of legislation does not require government entities to do so.
On July 19th, 2018 Nebraska’s state legislature amended their primary data privacy bill — the “Nebraska Financial Data Protection and Notification of Data Security Breach Act”. Beyond simply mandating breach notifications, this legislation requires businesses to improve their data security practices and make sure third-party service providers have sufficient security in place as well.
It also encourages businesses to carry out a data privacy and security assessment, to ensure they’re complying with this newly amended law to the full extent. Such an assessment is commonplace in Europe as a result of the GDPR, and should become more prevalent throughout the US over the next few years.
Nevada legislation covers all four aspects of data management. Its comprehensive “Security and Privacy of Personal Information” statute requires ‘data collectors’ and those with whom they share data to establish ‘reasonable security practices’ which are extensively described in the law.
The rule also includes notification procedures, as well as acceptable methods for destruction or deletion of information. Regarding the privacy of Nevada citizens, websites and online services providers must provide their visitors with some form of notice detailing:
- what information they collect
- who they share that data with
- how the data is used
- how they will notify visitors of changes to their privacy notices
- whether third-parties also access consumer data through that site
New Hampshire has data breach laws in place to protect its residents — requiring any entity or person that collects the personal information of consumers to not only notify the affected, but also contact:
- Consumer reporting agencies
- “Appropriate regulators” (the insurance commissioner, for instance)
- The Attorney General (if there’s no regulator that fits the bill)
Regulatory fines could reach $10,000 per violation, so failure to notify consumers (intentionally or not) can quickly become a costly mistake.
In July of 2017, New Jersey enacted the Personal Information Privacy and Protection Act, a bill that restricts the use of customer information by businesses and limits what third party services can do with such information. This legislation pairs with their already existing statute mandating breach notifications to help make New Jersey one of the tougher pro-privacy states in the US.
New Mexico addresses breaches, data disposal, and data security in their recently passed “Data Breach Notification Act”. This legislation made them the 48th state to tackle the issue of data breaches, and while they may seem a bit late to the party, their bill hits upon all the major areas of online privacy today.
Furthermore, this legislation gives businesses 45 days to notify affected consumers of breaches, whereas many state governments use less clear terminology. Note that this is still much more generous than the 72-hour window granted by Europe’s GDPR.
New York’s Stop Hacks and Improve Electronic Data Security Act (or the “SHIELD Act” for those in the know) is a big piece of privacy legislation still being ironed out by the state legislature that aims to protect NY residents’ sensitive personal information. It will replace existing legislation that mandates breach notifications.
Specifically, the SHIELD Act is intended to function as a preventive measure (kind of like a shield) — created for the main purpose of blocking data breaches before they occur (there was a 60% increase in data breaches between 2015 and 2016, so politicians are understandably on edge).
Unless you’re running a financial company or are the CEO of a bank (which are covered by a different set of data security laws established by the Department of Financial Services), SHIELD will be applicable to your business — even if you simply have NY-resident customers and you’re based in California (similar to the GDPR).
In 2005, North Carolina took a stance to protect its residents and their PII by enacting the Identity Theft Protection Act (ITPA). However, they are currently in the process of ironing out an act that would strengthen the ITPA, and make North Carolina one of the forerunners of data-privacy rights in the US.
Aptly named the Act to Strengthen Identity Theft Protections, this bill would allow consumers to request access to their information, reduce breach notification timing to 15 days, and place greater impetus on businesses to gain consent before gathering user data.
North Dakota has been requiring breach notifications since June of 2005, and their particular law demands companies notify affected persons without unreasonable delay once a breach has been discovered. Third party providers, on the other hand, must do so “immediately”.
Notices must be written or communicated electronically, unless the cost exceeds $250,000 or there are more than 500,000 residents affected.
Ohio’s data breach and encryption legislation went into effect in 2007, and gives businesses 45 days from the moment of discovery to inform affected parties of the breach. Failure to do so can result in increasingly severe monetary penalties ($1,000 per day after the 45-day period, $5,000 after the 60th day, and $10,000 per day after the 90th day).
As it stands, Oklahoma’s government only has legislation regarding breach notifications in place (titled the “Security Breach Notification Act”), and even this legislation is less severe than that of other states.
For example, the law only requires businesses to notify the affected after the company has determined “the scope of the breach” and had time to restore the reasonable integrity of the system.
Oregon has legislation that addresses both data breaches and the disposal of data. The most recent amendment to their data breach notification law demands notifications occur within 45 days of the breach being discovered, but exempts “HIPAA covered entities” since they follow their own rule for notifying consumers.
Oregon’s Information Security Law was also updated in 2018, and emphasizes the importance of website security for businesses that collect customer data.
Pennsylvania has two major laws focused on online privacy:
The BPINA (2005) defines personal information, and requires businesses and third party providers to notify users when this personal information gets accessed or acquired by a hacker or other unwelcome party.
Pennsylvania residents are also encouraged to take legal action against businesses that neglect to notify them of a breach — deeming such negligence to be a form of deceptive trade.
The SSN Privacy Act, which came out the following year (2006), was enacted in an attempt to mitigate the damage caused by data breaches. Specifically, it was enacted to make sure consumers in Pennsylvania have the option to provide alternatives to their social security number in a variety of scenarios, so that their SSN can be better kept secret.
Although the state may be geographically small, Rhode Island’s “Identity Theft Protection Act” (passed in 2015) is a big piece of data security legislation.
Not only does it demand businesses have a means of disposing of consumer data after its use has expired, but it also requires companies to implement security measures that match the size and scope of the organization — making it one of a growing number of state bills that demand more from businesses when it comes to protecting user data.
Also, breach notifications, when necessary, must be sent out no later than forty-five (45) calendar days unless deemed necessary by a law enforcement agency to complete a criminal investigation.
In addition to South Carolina’s 2012 breach notification law (which outlines acceptable types of notices and how they should be made in the “most expedient time possible”), the state government made a splash recently by passing another big bill titled the Insurance Data Security Act at the beginning of 2018.
Going into effect on January 1st of 2019, this act is the first state-level legislation passed anywhere in the US that demands insurance companies adopt stronger cybersecurity measures, and gives suggestions how to do so. Similar legislation that applies to businesses from all industries is likely to follow across the US in the near future.
South Dakota became the 49th state to enact a breach notification law, passing it just one week before the Alabama legislature enacted their own iteration.
South Dakota’s law grants businesses a 60-day window following the discovery of a breach to inform affected individuals, unless the attorney general finds the breach to “not likely result in harm of affected persons”. Failure to do so will result in a $10,000 per-day penalty until the situation is ameliorated.
In 2016, Tennessee amended their 2005 breach notification law — making it so that if any user data falls into the wrong hands, whether it’s unencrypted or encrypted, affected individuals must be informed.
Previously, only unencrypted information that had been stolen would demand a mandatory notification. Also worthy of mentioning is that Tennessee is the first state to make such an amendment.
There’s also a 45-day maximum period following the discovery of a breach that a company has to notify anyone affected by it.
Texans have seen a variety of cybersecurity and privacy laws implemented recently, making their government one of the more proactive ones (in terms of data protection) in the US at this point. They also take identity theft very seriously.
Bills like the Student Data Privacy Act and Cybersecurity Education Act operate as not only data protection laws, but also encourage the younger generation to engage in smart privacy practices from a young age — even mandating public schools to offer coding courses for language credits.
Breach notifications are also necessary, and penalties can get costly for non-compliance ($100 per user per day, although the penalty can’t exceed $250,000).
Utah’s Protection of Personal Information Act mandates breach notifications, and also lays the foundation for how businesses should protect the data they store.
They’ve also implemented multiple bills and amendments that target students and their privacy, such as the Utah Student Privacy Act and Public School Data Confidentiality Disclosure Rule. Such legislation makes them one of the state governments seemingly most concerned with protecting the data of underage residents.
Vermont’s legislation regarding data breaches requires businesses to notify consumers within 45 days from the point of discovery; however, the state attorney general must be contacted and informed within 14 days.
The Vermont state government also recently passed a bill that heavily scrutinizes data brokers (any entity in the business of collecting the data of others). This was enacted in large part due to the recent Equifax scandal, and aims to protect Vermont residents from being taken advantage of by a similarly negligent company in the future.
Although Virginia first enacted a breach notification law during the 2008 legislative session, it was amended in 2017 to expand the types of scenarios that necessitate widespread notifications.
If the court finds a company to be unreasonably delaying the process of notifying affected residents, civil penalties can reach up to $150,000. This doesn’t include individuals, however, who have the chance to sue on a case by case basis.
Washington’s breach notification law went into effect in 2015. Although there’s no specific timeline in which businesses must inform their users a breach occurred, the process seems more transparent than in other states — with the state attorney general listing recent breach notifications online and publishing annual reports of the breaches that transpired during that year.
Washington is also preparing a privacy checklist tool in response to recent political movement around the world regarding data privacy. The state’s Chief Privacy Officer believes that “our privacy is under attack”, and that “we [the government] need to do something about it”.
At this juncture, West Virginia acknowledges data breaches with legislation, but not other areas of consumer data privacy. Their bill also doesn’t allow civil action for breach negligence unless the offending company has “engaged in a course of repeated and willful violations” of the law.
However, West Virginia does take the privacy of student data seriously, and has enacted bills like the Family Educational Rights & Privacy Act plus the Student DATA Act to further protect the information of young people, and make sure their data doesn’t get abused by commercial entities.
Wisconsin’s data breach legislation, signed into law in 2006, falls in line with many of the other iterations around the United States. Companies have 45 days maximum to notify affected individuals once the breach has been discovered.
However, certain companies/entities that fall under the purview of federal legislation, like health care providers and financial institutions, must adhere to their own set of rules regarding such situations (like HIPAA, for instance).
In 2015, Wyoming’s state legislature amended their data breach notification law to incorporate more types of information. For instance, compromised data covering the biometrics or medical details of residents and even stolen security tokens are significant enough to trigger a mandatory notification.
Also, according to section (g) of their 2013 statute — if a third party provider storing data for another business is breached at any point, it is up to the prior arrangement made between the provider and the business to determine who is responsible for notifying Wyoming residents.
3. Final Thoughts About Online Privacy in the US
As we head further into the 21st century, more laws will be enacted to protect the privacy rights of US citizens. Major companies have flaunted their ability to mishandle and straight up sell our information for too long, and people (plus the politicians that represent them) are finally starting to notice. Many are also starting to wonder how net neutrality affects small businesses as large ISPs work to undermine net neutrality protections at both the federal and state levels.
Whether the federal government decides to step up to the plate in a similar manner to the European Union is yet to be seen. For the time being, though, expect to keep seeing states taking matters into their own hands, and crafting bills tailored to their own constituents and needs.