New study ranks US states by online data privacy protection

New study ranks US states by online data privacy protection

Internet of Business says

A report by Comparitech has ranked the USA’s 50 states by the online privacy protections provided by local law, highlighting huge disparities across the country.

The study evaluates each state based on 20 key criteria, covering customer data, social media, protection for journalists, employee communications, law enforcement agencies’ access to data, and more.

California emerges as the clear winner, complying with 15 (75 percent) of the 20 criteria. It is the only state to mention an inalienable right to privacy in its constitution. Delaware and Utah follow on 60 percent.

Silicon Valley effect

Crucially for the tech giants that call California home, the state’s Electronic Communications Privacy Act prevents any law enforcement agency or investigative entity from forcing a company to give up electronic or communications data without a warrant. This includes cloud data, metadata, emails, text messages, location data, and device searches.

As of 2020, the state will further protect customers through the Consumer Privacy Act of 2018, which was passed at the end of June. The new legislation grants consumers the right to know what data any company holds about them and with whom it has been shared. Furthermore, consumers can demand that a company delete their personal data.

The legislation has been called ‘GDPR for the USA’ and could lead to de facto protections being adopted across the country, given the difficulties of maintaining different privacy policies on a state-by-state basis.

However, opponents of the regulations – which include Google, Amazon, and a number of telecoms players – are likely to try to water down the Act before it comes into force.

US online data privacy
Data privacy protection by state, in percent (credit: Comparitech)

Bottom of the class

Wyoming and Mississippi are most lacking in online privacy protection, found the survey, with scores of just 20 percent apiece. While not all states have shield laws to protect journalists from exposing their sources, Wyoming is the only state that doesn’t even have a court precedent for doing so.

Companies in Wyoming are not required to dispose of users’ personal data after a set period of time, and employers are not forbidden from forcing their employees to hand over the passwords to their social media accounts.

But Wyoming is far from alone in this regard: only half of US states prevent employers from demanding access to employees’ social media accounts.

The big picture

The US government protects some aspects of online privacy, but there is no all-encompassing law that regulates the collection, storage, or use of personal data.

At state level, Comparitech notes recent trends in privacy law. Every state now requires companies to publicly disclose data breaches, and many states have expanded the definition of ‘personally identifiable information’ to encompass more data types.

Interestingly, only Maine requires law enforcement agencies to obtain a warrant to track people through geo-location, while only Illinois and Maryland have introduced laws protecting biometric data, including fingerprints, face recognition scans, and retina scans. However, that law is under threat of repeal in Illinois.

Of the 50 states, only California has laws protecting IoT data and requiring companies to delete personal data on demand.

We suspect that, while many states have been tardy in keeping up with the changing digital landscape, others will follow California’s example (and that of the EU) and better protect online data privacy. Not least because global companies wishing to operate in the EU are having to comply with more stringent regulations anyway.

IoT devices, both in the home and the workplace, are creating new types of data in enormous quantities. The internet is no longer simply the domain of personal computers and smartphones. California has recognised this fact, and the 49 other states must do so quickly.