Which US states best protect privacy online?
Published by on March 7, 2017 in VPN & Privacy

Laws governing online privacy in the US vary widely from state to state. To find out how each US state ranks from least to most private, we evaluated each and every one of them based on 14 key criteria. The results reveal a wide range of varying privacy protections, which we’ve visualized in the map below. Scores are displayed as percentages, with a score of 14 out of 14 being 100 percent.

privacy by state map

Our criteria range from laws that govern how companies can use and disclose customer data to those that protect journalists, children, and employees. The results of our research are compiled into the table below, with a simple “yes” or “no” answer as to whether an applicable law exists in each state.

The best US states for online privacy

Delaware

Score: 85.7%

Delaware scored highest in our evaluation. Laws that require the government to dispose of customer data after a set period of time, protect the privacy of e-reader and library data, and protect employee privacy helped the state to stand out.

The state’s most recently passed privacy law addresses advertising to children, inconspicuous privacy policies, and enhancing privacy protections for ebook readers. If those sound familiar to you, it’s because they are similar in many ways to privacy laws passed in California, which is next on our list.

California

Score: 85.7%

California has enacted many laws for specific privacy issues that other states ignore. What’s more, the state has also created what the ACLU called the most comprehensive digital privacy law in the nation. California is the only state to mention an inalienable right to privacy in its state constitution. It’s also the only state to enact a law that specifically protects data gathered from the internet-of-things.

The Electronic Communications Privacy Act prevents any law enforcement or investigative entity from forcing a company to give up electronic data or communications without a warrant. This includes cloud data, metadata, emails, text messages, location data and device searches. Although other states have similar laws protecting some of these forms of data, California has so far been the only state to protect it all.

Utah

Score: 71.4%

Utah is just one of two states in the entire country that bars internet service providers from sharing customer data with third parties without consent. Utah requires all non-financial businesses to tell customers the types of personal information the business shares with or sells to a third party for the purpose of direct marketing or compensation. The state also requires companies to dispose of customer data after a set period of time.

A 2013 law prohibits employers from asking employees and applicants to divulge their passwords or usernames for social media accounts.

Arkansas

Score: 71.4%

Arkansas requires both the government and companies to dispose of customer data after a set period of time. The 2005 Personal Information Protection Act states that all businesses in the state, no matter their size, must safeguard customers’ personal information.

Arkansas passed two new data privacy laws in 2015. One governs how online service providers can collect and use student data for commercial or other purposes, while the other requires parental consent for students’ personal information to be shared with other government agencies.

Honorable mentions

New Hampshire

Score: 50%

New Hampshire joined the ranks of privacy pioneering states like California when it passed a law modeled after California’s Student Online Personal Information Protection Act. The law imposes strict obligations on companies collecting and storing data on students from kindergarten to high school age.

The Kilton Library, located in the town of Lebanon, New Hampshire, offers users unprecedented access to Tor, a web browser that enables them to browse the web completely anonymously. When the Department of Homeland Security alerted New Hampshire authorities about the Kilton Library’s Tor access, state officials and the community stood in support of this act of privacy.

Unfortunately, New Hampshire lacks laws that protect journalists and employees, and the state does little to regulate how companies and the government use data.

Vermont

Score: 35.7%

Vermont threw the financial services industry for a loop with its stringent “opt-in” privacy law. This law, imposed on financial institutions, requires explicit consent from consumers before their data can be shared. That means these companies must treat data from Vermont residents more carefully than data from residents of any other state.

A Vermont law that prohibited the sale of data identifying doctors who prescribed certain medications was struck down by the Supreme Court in 2011. The ruling shows that states are not always in control of their own privacy laws, even if they want to be.

Worst US states for online privacy

Wyoming

Score: 28.6%

While not all states have shield laws that protect journalists from being forced to expose their sources, Wyoming is the only state that doesn’t even have a court precedent for doing so. It also doesn’t require companies to disclose when a breach of customer data occurs, among many other omissions.

South Dakota

Score: 28.6%

South Dakota doesn’t require companies to disclose when their customer data has been breached. It also doesn’t protect employees from overreaching employers who request access to private communications and social media accounts.

Alabama

Score: 28.6%

Alabama doesn’t have any laws on the books that protect the privacy of K-12 students, and doesn’t require companies to inform customers when their private data has been breached by hackers.

Federal privacy laws

Some aspects of online privacy are governed by the federal US government rather than state governments. Partial regulations exist, but there is no all-encompassing law regulating the collection, storage, or use of personal data in the U.S.

The US Constitution never mentions privacy specifically and only protects against state actors, not individuals. However, the First, Fourth, Ninth, and Fourteenth Amendments limit government intrusion on individuals’ right to privacy.

The Privacy Act of 1974 governs the collection, maintenance, use, and dissemination of personally identifiable info about individuals stored by federal agencies. Again, this restricts how the government can access and use records and does not apply to individuals or businesses.

HIPAA was enacted in 1996 to protect medical records.

The Fair Credit Reporting Act (FCRA) allows individuals to opt out of unwanted credit offers and obtain one free credit report from each of the major credit reporting agencies every year.

The Electronic Communications Privacy Act can be used to impose criminal sanctions on anyone who intercepts electronic communications without consent, but a number of loopholes have rendered the law mostly useless, experts say.

The 1998 Children’s Online Privacy Protection Act requires that websites directed at children under the age of 13 must get parental consent among other compliance standards. The law has widely been discredited as ineffective and even counterproductive when it comes to protecting kids online.

Other federal laws relating to computer security and privacy law include (source: Wikipedia):

  • 1970 U.S. Fair Credit Reporting Act
  • 1970 U.S. Racketeer Influenced and Corrupt Organization (RICO) Act
  • 1974 U.S. Privacy Act
  • 1980 Organization for Economic Cooperation and Development (OECD) Guidelines
  • 1984 U.S. Medical Computer Crime Act
  • 1984 U.S. Federal Computer Crime Act (strengthened in 1986 and 1994)
  • 1986 U.S. Computer Fraud and Abuse Act (amended in 1986, 1994, 1996 and 2001)
  • 1986 U.S. Electronic Communications Privacy Act (ECPA)
  • 1987 U.S. Computer Security Act (Repealed by the Federal Information Security Management Act of 2002)
  • 1988 U.S. Video Privacy Protection Act
  • 1990 United Kingdom Computer Misuse Act
  • 1991 U.S. Federal Sentencing Guidelines
  • 1992 OECD Guidelines to Serve as a Total Security Framework
  • 1994 Communications Assistance for Law Enforcement Act
  • 1995 Council Directive on Data Protection for the European Union (EU)
  • 1996 U.S. Economic and Protection of Proprietary Information Act
  • 1996 Health Insurance Portability and Accountability Act (HIPAA) (requirement added in December 2000)
  • 1998 U.S. Digital Millennium Copyright Act (DMCA)
  • 1999 U.S. Uniform Computer Information Transactions Act (UCITA)
  • 2000 U.S. Congress Electronic Signatures in Global National Commerce Act (“ESIGN”)
  • 2001 U.S. Provide Appropriate Tools Required to Intercept and Obstruct Terrorism (PATRIOT) Act
  • 2002 Homeland Security Act (HSA)
  • 2002 Federal Information Security Management Act of 2002

Take your privacy into your own hands

Neither US citizens nor citizens of any other country should expect their government to protect their privacy from all threats. It’s up to all of us as individuals to be proactive in guarding our privacy.

No state is perfect, but at least all levels of the US government allow citizens to fortify their online security at will. A few key steps include encrypting your files and communications, accessing the internet through a secure VPN, and managing permissions on your and your family’s online accounts.

Updated on March 9, 2017 to add California’s IoT data privacy law and correct its score accordingly.

2 thoughts on “Which US states best protect privacy online?”

  • Paul, very interesting article, but I think you’ve missed some CA privacy laws. You can find all of them on the AG website, here: http://www.oag.ca.gov/privacy/privacy-laws

    See these, for example:

    CA IoT Privacy Laws
    1. Car tech
    Vehicle Code § 9951: Limits on manufacturer’s use of EDR data
    Civil Code § 1936: Limits on rental company’s access and use of GPS data from rental car
    Vehicle Code § 26708: Notice on possible audio recording by video event recorders; data is owned by vehicle owner.

    2. Smart grid
    Public Utilities Code §§ 8380-8381: Gas and electric utilities required to contractually prohibit 3rd-party service provider from using customer smart meter data without prior consent of customer
    Civil Code §§ 1798.98-1798.99: Limits on use and sharing of customer smart meter data by 3rd-party service providers to gas and electric utilities

    3. Connected TVs
    Business & Professions Code §§ 22948.20-22948.25: Notification of consumer of voice-recognition feature and prohibition of use or sale for advertising purposes of audio recordings captured by TV

    CA Employee Privacy Laws
    1. Employer background checks
    Investigative Consumer Reporting Agencies Act (Civil Code § 1786 et seq.): Like federal law (Fair Credit Reporting Act), provides consumers with rights in employers’ use of background checking agencies; goes beyond federal law to apply the same rights to background checks conducted in-house

    2. Credit checks by employers
    Civil Code § 1785.20.5 and Labor Code § 1024.5 et seq.: Prohibits use of consumer credit reports for employment purposes, with certain exceptions.

    3. SSNs on pay stubs
    Labor Code § 226: Requires employers to print no more than the last 4 digits of an employee’s SSN on pay stubs or itemized statements.

    • Thanks Joanne. We mainly tried to focus on *online* privacy in this article, so some of the laws you mentioned don’t directly fall under that umbrella. #3 is actually what we are referring to for the IoT data privacy variable found in the table, which only California has to our knowledge.
      That being said, we are looking to expand and improve on this assessment at regular intervals. The smart grid/smart meter and car tech laws are interesting ones I’d definitely like to look into at some point in the future.
