Laws governing online privacy in the US vary widely from state to state. To find out how each US state ranks from least to most private, we evaluated every one of them against 22 key criteria. The results reveal a wide range of privacy protections, which we’ve visualized in the map below. Scores are displayed as percentages, with 22 out of 22 being 100 percent.
Our criteria range from laws that govern how companies can use and disclose customer data to those that protect journalists, children, and employees. The results of our research are compiled into the table below, with a simple “yes” or “no” answer as to whether an applicable law exists in each state.
2021 key updates and trends
Our 2021 update surfaced several developments that point to privacy law trends within the US:
- Oregon introduced a law to protect internet-of-things (IoT) data
- New York joined four other states with laws to protect biometric data
- Virginia introduced its Consumer Data Protection Act and Colorado introduced its Privacy Act
- Minnesota and Texas introduced data disposal laws for government entities (Texas already imposes the same requirement on companies; Minnesota does not yet)
- New Jersey and Vermont added laws to protect K-12 student information
- Indiana, Iowa (effective January 1, 2022), Louisiana, Maine (effective January 1, 2022), North Dakota (effective August 1, 2022), and Virginia added insurance data security laws, almost doubling the number of states that have implemented the Data Security Model Law created by the National Association of Insurance Commissioners (NAIC)
- Nevada extended its legislation to data brokers, giving consumers the right to request that their data not be sold
- Only six states have laws governing the use of artificial intelligence
- Only 25 percent of states require consent from both parties when recording calls
- Over 70 percent of states share DMV photos with federal agencies, such as the FBI
The best US states for online privacy
Our top-scorer for the third update running, California has enacted many laws for specific privacy issues that other states ignore. What’s more, the state has also created what the ACLU called the most comprehensive digital privacy law in the nation. California is the only state to mention an inalienable right to privacy in its state constitution. It’s also one of just two states to enact a law that specifically protects data gathered from the internet-of-things (Oregon is the other) and to protect privacy rights and enforce marketing restrictions for minors (Delaware is the other).
California’s Electronic Communications Privacy Act (CalECPA, 2015) prevents any law enforcement or investigative entity from compelling a company to hand over electronic data or communications without a warrant. This covers cloud data, metadata, emails, text messages, location data, and device searches. Although other states have similar laws protecting some of these forms of data, California has so far been the only state to protect all of them.
On June 28, 2018, California passed one of the toughest privacy laws in the United States, the California Consumer Privacy Act of 2018 (CCPA). Effective January 1, 2020, the law gives consumers the right to know what personal information a company has collected about them and with whom it is shared. Consumers can also demand that a company delete their personal data, and companies may not discriminate against consumers who exercise these rights, for example by charging them more or degrading the service they receive.
Delaware scored highest in our evaluation in 2017 but slipped below California in 2018, and it has held second place in the two updates since. Laws that require the government to dispose of personal data after a set period of time, protect the privacy of e-reader and library data, and protect employee privacy helped the state stand out.
There were no updates for Delaware this year but it is one of the states that requires consent from both parties before call recording can be carried out.
Illinois paved the way for legislation that specifically protects biometric data such as fingerprints, face recognition scans, and retina scans, becoming the first state to do so when it passed the Biometric Information Privacy Act (BIPA) in 2008. Only in recent years have several other states followed suit, with New York’s equivalent coming into effect at the time of writing (July 9, 2021).
In Illinois, both companies and the government must dispose of personal data after a set period of time. Employers and schools cannot force employees and students to hand over social media account login information. The state also strictly regulates the use of artificial intelligence to analyze video job interviews and requires consent from both parties when recording calls.
Virginia climbs up into our honorable mentions this year (tying in third place overall with Utah and Illinois) thanks to its introduction of an insurance data security law in July 2020 and its passing of the Consumer Data Protection Act. The latter ensures companies must delete personal data on demand, must enable customers to opt-out of third-party data sharing, and must disclose what data they’re collecting from customers.
Virginia’s DMV doesn’t use facial recognition technologies and doesn’t share its photo database with federal agencies.
Utah requires all non-financial businesses to tell customers the types of personal information the business shares with or sells to a third party for the purpose of direct marketing or compensation. The state also requires companies to dispose of customer data after a set period of time.
A 2013 Utah law prohibits employers from requiring employees and applicants to divulge the usernames or passwords for their personal social media accounts.
Arkansas requires both the government and companies to dispose of customer data after a set period of time. The 2005 Personal Information Protection Act states that all businesses in the state, no matter their size, must safeguard customers’ personal information.
Arkansas passed two new data privacy laws in 2015. One governs how online service providers can collect and use student data for commercial or other purposes, while the other requires parental consent for students’ personal information to be shared with other government agencies.
New Hampshire joined the ranks of privacy pioneering states like California when it passed a law modeled after California’s Student Online Personal Information Protection Act. The law imposes strict obligations on companies collecting and storing data on students from kindergarten to high school age.
The Kilton Library, located in the town of Lebanon, New Hampshire, became the first public library in the US to host a relay for Tor, the anonymity network that routes traffic through volunteer-run relays so that no single relay sees both who a user is and what they are visiting (strong anonymity, though not absolute). When the Department of Homeland Security alerted local authorities to the Kilton Library’s Tor relay, the library board and the community stood in support of it and kept the relay running.
The state also requires consent from both parties before a call can be recorded, and its DMV is prohibited from using facial recognition technology when taking or retaining any photographic images.
Unfortunately, New Hampshire lacks laws that protect journalists and employees, and the state does little to regulate how companies and the government use data.
Vermont threw the financial services industry for a loop with its stringent “opt-in” privacy law. This law, imposed on financial institutions, requires explicit consent from consumers before their data can be shared. That means these companies must treat data from Vermont residents more carefully than data from residents of any other state.
A Vermont law that prohibited the sale of data identifying doctors who prescribed certain medications was struck down by the Supreme Court in 2011. The ruling shows that states are not always in control of their own privacy laws, even if they want to be.
Worst US states for online privacy
While not all states have shield laws protecting journalists from being forced to expose their sources, Wyoming is the only state that lacks even a court precedent for doing so. Companies are not required to dispose of users’ personal data after a set period of time, and employers are not barred from forcing employees to hand over passwords to social media accounts.
Wyoming does not, however, give the FBI access to its Department of Transportation (DOT) facial recognition database.
Mississippi lacks laws that protect employee personal accounts and communications from employers. Companies are not required to dispose of users’ personal data. K-12 student information has no explicit protection under law.
Idaho requires neither companies nor the government to dispose of any data they’ve collected. It lacks a shield law to protect journalists and their sources, and social media privacy is not protected from employers or educational institutions.
District of Columbia, Iowa, Kentucky, Nebraska, Pennsylvania, and South Dakota
All six of these jurisdictions are tied as the third-worst for data privacy. Aside from Iowa, which recently introduced an insurance data security law, none of them has added any further privacy protections since our last update.
None of them has legislation governing companies’ data-sharing or collection policies, only Kentucky has a data disposal law for companies, and only Pennsylvania requires the consent of both parties for call recording.
2019 key updates and trends
While researching the 2019 update, a few key points stood out that exemplify new privacy law trends in the US:
- Maine introduced a new data protection act in 2019 that stipulates internet service providers cannot “use, disclose, sell, or permit access to customer personal information” without customer consent, save for certain exemptions such as complying with a court order
- Nevada passed an act on October 1, 2019, that allows customers to opt-out of online data sharing
- South Dakota passed a shield law to protect journalists in March
- Utah passed a bill in 2019 that prevents a wide range of providers from handing over user data to law enforcement without a warrant
- State scores moderately correlate (r = 0.4) with how they voted in the 2016 presidential election. Those that voted for Clinton tended to have higher privacy scores.
In our 2019 update, we added three new criteria and removed three others. The additions were:
- Laws to protect privacy rights and enforce marketing restrictions for minors
- Data security laws that are specific to insurance companies and follow the Data Security Model Law created by the National Association of Insurance Commissioners (NAIC). The goal is for all states to have adopted this within the next few years
- Data security laws that are specific to data brokers
The removals were:
- The District of Columbia, because the district is not governed at state level. DC has been praised for its student data privacy law and also has a broad shield law for journalists. It was rumored to be considering adoption of the NAIC data security model, but this has not happened as yet
- ISPs require explicit consent to share customer data (federal law): since Congress repealed the FCC’s broadband privacy rules in 2017, there is no federal protection available here
- Laws to protect children’s privacy: all states have specific laws relating to this, so we introduced the new category regarding minors to see which states are being more proactive and forward-thinking in their approach to children’s online safety
We also tightened our employee communications category so that it counts only states with clear laws prohibiting employers from monitoring employee communications without notifying them first.
2018 key updates and trends
When conducting research on the 2018 update, we noted a few key trends in how privacy law is shaping up around the nation:
- Every state in the Union now has a law requiring companies to notify affected residents when a data breach occurs.
- Many states have expanded the definition of “personally identifiable information” to include more types of data and combinations of data.
- California passed the toughest privacy and data protection law in the nation, pushing it to the top of the rankings.
- In our 2018 assessment, Maine was the only state with a law prohibiting law enforcement from tracking a person’s location without a warrant using GPS or other geolocation capabilities built into smartphones and computers. Illinois and California have both put forth such bills in the past, but they were vetoed.
- Illinois is the only state to specifically protect biometric data, but that law (BIPA) is currently in jeopardy.
In our 2018 update, we added six new criteria to our state-by-state privacy assessment for a total of 20. These include:
- Companies must allow consumers to opt-out of third-party data sharing
- Companies must delete personal data on request of the person
- Companies must disclose what personal data they’ve collected about a person
- A warrant is required for law enforcement to access personal data on users held by service providers
- A warrant is necessary to track someone’s location via GPS or other geo-location technologies
- Laws to protect biometric data
Federal privacy laws
Some aspects of online privacy are governed by the federal US government rather than state governments. Partial regulations exist, but there is no all-encompassing law regulating the collection, storage, or use of personal data in the U.S.
The US Constitution never mentions privacy specifically, and its protections apply only against government actors, not private parties. However, the First, Fourth, Ninth, and Fourteenth Amendments limit government intrusion on individuals’ privacy.
In 2018, the Supreme Court ruled in Carpenter v. United States that the Fourth Amendment protects historical cell-site location information held by wireless carriers, so police must generally obtain a warrant for this data. While a success for privacy, numerous questions remain over the government’s and law enforcement’s geolocation tracking abilities. More recently, law enforcement agencies have been found buying commercially available geolocation data from data brokers to circumvent the warrant requirement.
The Privacy Act of 1974 governs the collection, maintenance, use, and dissemination of personally identifiable info about individuals stored by federal agencies. Again, this restricts how the government can access and use records and does not apply to individuals or businesses.
HIPAA was enacted in 1996; its Privacy Rule, finalized in 2000, restricts how covered entities such as health care providers and insurers may use and disclose protected health information.
The Fair Credit Reporting Act (FCRA) allows individuals to opt out of prescreened credit offers and, as amended in 2003, to obtain one free credit report from each of the major credit reporting agencies every year.
The federal Electronic Communications Privacy Act (1986) can be used to impose criminal sanctions on anyone who intercepts electronic communications without consent, but experts say a number of loopholes have rendered the law largely ineffective.
The 1998 Children’s Online Privacy Protection Act (COPPA) requires, among other compliance obligations, that websites directed at children under the age of 13 obtain parental consent before collecting their personal information. The law has been widely criticized as ineffective and even counterproductive when it comes to protecting kids online.
Other federal laws relating to computer security and privacy law include (source: Wikipedia):
- 1970 U.S. Fair Credit Reporting Act
- 1970 U.S. Racketeer Influenced and Corrupt Organization (RICO) Act
- 1974 U.S. Privacy Act
- 1980 Organization for Economic Cooperation and Development (OECD) Guidelines
- 1984 U.S. Medical Computer Crime Act
- 1984 U.S. Federal Computer Crime Act (strengthened in 1986 and 1994)
- 1986 U.S. Computer Fraud and Abuse Act (amended in 1986, 1994, 1996 and 2001)
- 1986 U.S. Electronic Communications Privacy Act (ECPA)
- 1987 U.S. Computer Security Act (Repealed by the Federal Information Security Management Act of 2002)
- 1988 U.S. Video Privacy Protection Act
- 1990 United Kingdom Computer Misuse Act
- 1991 U.S. Federal Sentencing Guidelines
- 1992 OECD Guidelines to Serve as a Total Security Framework
- 1994 Communications Assistance for Law Enforcement Act
- 1995 Council Directive on Data Protection for the European Union (EU)
- 1996 U.S. Economic and Protection of Proprietary Information Act
- 1996 Health Insurance Portability and Accountability Act (HIPAA) (requirement added in December 2000)
- 1998 U.S. Digital Millennium Copyright Act (DMCA)
- 1999 U.S. Uniform Computer Information Transactions Act (UCITA)
- 2000 U.S. Electronic Signatures in Global and National Commerce Act (“ESIGN”)
- 2001 U.S. Uniting and Strengthening America by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism (USA PATRIOT) Act
- 2002 Homeland Security Act (HSA)
- 2002 Federal Information Security Management Act (FISMA)
Take your privacy into your own hands
Neither US citizens nor citizens of any other country should expect their government to protect their privacy from all threats. It’s up to each of us as individuals to be proactive in guarding our own privacy.
No state is perfect, but at least all levels of the US government allow citizens to fortify their online security at will. A few key steps include encrypting your files and communications, accessing the internet through a trustworthy VPN, and managing the permissions on your and your family’s online accounts.
Did we get something wrong? A law we missed? Let us know in the comments!
Data researchers: George Moody, Rebecca Moody