New Study Shows Which States Lead in Privacy Protection Laws

General counsel who navigate the mishmash of state privacy laws may relate to a new study showing that individual U.S. states' privacy statutes are spread across a broad spectrum.

The study, conducted by Comparitech, a technology research firm and publisher based in the U.K., evaluated the states on how well they protected people's privacy through 20 basic laws. How each state stands on each of those laws is shown on the website graphic.

As might be expected, California, which has passed what is probably the toughest privacy law in the country, ranked by far as the top protector with a score of 75%, followed by Delaware with 55%. The rest of the top five states in the rankings include Utah at 45%, Illinois at 40% and Arkansas at 35%.

Paul Bischoff, the Comparitech editor who authored the report, says that this is the third year for the study, and California and Delaware have always been on or near the top. "Now California has pulled ahead even further," he says, with its California Consumer Privacy Act of 2018.

Bischoff, who is based in Indiana, also cites California's comprehensive digital privacy law, and the fact that it is the only state with a law to specifically protect data gathered from the Internet of Things. It is also the only state to mention an inalienable right to privacy in its state constitution, according to the report.

David Shonka, a partner in the Washington, DC, office of Redgrave, says the study is potentially helpful to in-house and corporate lawyers, but noted it is an area of law where the statutes are constantly changing. Shonka served three terms as the acting general counsel at the Federal Trade Commission, the federal protector of privacy, and 10 years as the agency's principal deputy general counsel before going into private practice last year.

He agrees with the study that "California is the best and most out-front state" on privacy rights.

Shonka cautions, however, that privacy laws are only as good as the state agencies implementing and enforcing them. He notes the depth and intricacies of the new California privacy act, which goes into effect in January, and says, "There could be potential practical problems in all those requirements."

Shonka says the result will depend on "how close attention the attorney general pays to what can only be described as a very difficult task."

He expressed surprise that Utah and Arkansas scored so highly in the study, but added "just having a law on the books doesn't mean a whole lot by itself."

The study scored the states based on which ones had enacted any of 20 privacy protection laws. The laws range from one that requires companies to delete personal data on demand to one requiring employers to inform employees if they're monitoring emails or Internet access.

Bischoff says one thing the study did not take into account is court precedent.

"Just because there is no law on the books for a particular protection doesn't necessarily mean that a state doesn't have the protection," he explains. "There might be case law."

Other findings in the study include:

• Wyoming, which has passed only one of the 20 privacy laws examined in the study, scored as the worst U.S. state for privacy protection.
• Maine is the only state that prohibits tracking a person's location using GPS.
• Illinois is the only one with a law specifically to protect biometric data.
• Utah is one of two states that bar internet service providers from sharing customer data with third parties without consent.
• New Hampshire's Kilton Public Library, in the town of West Lebanon, offers users access to Tor, a web browser that enables the user to operate online anonymously, despite the U.S. Department of Homeland Security urging the state to stop it.

*****

Sue Reisinger is a Senior Reporter at ALM. Based in Florida, she covers general counsel and white collar crime. She can be reached at [email protected].