State privacy laws of the United States

Privacy laws vary from state to state within the United States of America. Several states have recently passed new legislation that adapts to changes in cyber security laws, medical privacy laws, and other privacy-related laws. State laws are typically extensions of existing United States federal laws, expanding them or changing the implementation of the law.

History

Historically, state laws on privacy date back to before the founding of the United States, and most authorities left protection of personal information to the individual. However, after the creation of a national economy as a result of the Civil War, governmental agencies were created to recommend stronger privacy protections. This led to the creation of de facto privacy commissioners, such as the Federal Trade Commission (FTC) and the State Attorney General. [1]

The FTC was created in 1914 to protect individuals from harmful trade practices, and in 1995 the FTC began to study and analyze privacy issues in electronic commerce and began to place and enforce regulations. [1]

Most state legislation on privacy is an expansion of federal laws.

The Uniform Law Commission has proposed a model bill – the Uniform Personal Data Protection Act (“UPDPA”), which “provides a reasonable level of consumer protection without incurring the compliance and regulatory costs associated with some existing state regimes.” [2]

Types of privacy legislation

There are several different types of privacy legislation currently in place. State laws vary between these niche privacy spheres. Each type of legislation tries to protect a certain area of privacy. Types of legislation include:

Medical privacy

Laws on biobanks

One major aspect of medical privacy is laws placed on biobanks. A biobank is a collection source that stores and manages human specimens. Major federal laws that apply to biobanks are regulations by the Food and Drug Administration and the Common Rule. The Common Rule is a guideline in the United States on research involving human subjects. Other major federal laws that govern biobanks include: the Privacy Act of 1974, Health Insurance Portability and Accountability Act (HIPAA), Genetic Information Nondiscrimination Act (GINA), Health Information Technology for Economic and Clinical Health (HITECH) Act, and Newborn Screening Saves Lives Reauthorization Act of 2014.

State legislation on privacy tends to follow the same patterns and orders as federal laws in these matters. But in some cases state laws can be more detailed and stringent, while remaining in accordance with the federal laws in place. [3] With respect to biobanks, state laws can restrict a laboratory's ability to reject a customer and can regulate what happens to data after a test. [3] Certain states have privacy laws that deal with genetic-specific information. Genetic-specific information is information, such as DNA, that can be used to find details about individuals. Information that can be collected includes race and gender. [3] States can enact legislation that lets individuals have control over the tests conducted on their genes and regulates how long data is stored in biobanks. State laws can also determine who has control of the data, the individual from whom it was collected or the pharmaceutical companies.

Digital privacy laws

Corporate data security laws

An important aspect of digital privacy laws is cyber security, which encompasses corporate data security. At the national level, the Federal Trade Commission (FTC) is in charge of data security regulation. [4] With relation to cyber security, the FTC makes sure that companies have security applications in place and that companies are not misrepresenting their level of digital security. Several aspects of the FTC regulations are outdated and are loosely connected to data security through Section 5. Under Section 5, the FTC fines companies for having substandard security measures, neglecting the security of consumer data, and failing to train employees on data security. [4] Additional federal laws on this topic include: the Cybersecurity Act of 2015, the Electronic Communications Privacy Act, the Computer Fraud and Abuse Act and the Economic Espionage Act. [4]

Financial privacy laws

Financial privacy laws regulate how companies, specifically those with a focus in finance, handle financial consumer information. Federal laws that regulate this include the Gramm-Leach-Bliley Act, Fair Credit Reporting Act, Fair and Accurate Credit Transactions Act, Credit and Debit Card Receipt Clarification Act, Bank Secrecy Act, Fair Debt Collection Practices Act, Electronic Funds Transfer Act, and the Dodd-Frank Wall Street Reform and Consumer Protection Act. All of these acts make changes at the national level.

States

Alabama

Name of Article | Purpose | Type of Privacy Protected | Law on
Ala. Admin. Code r. 420-5-7-.05 | (4) Privacy and safety.

(a) The patient has the right to personal privacy.

(b) The patient has the right to receive care in a safe setting.

(c) The patient has the right to be free from all forms of abuse or harassment.

(5) Confidentiality of Patient Records.

(a) The patient has the right to the confidentiality of his or her clinical records.

(b) The patient has the right to access information contained in his or her clinical records within a reasonable time frame. The hospital shall not frustrate the legitimate efforts of individuals to gain access to their own medical records and shall

| Medical Privacy | Confidentiality of information
Ala. Admin. Code r. 420-5-7-.13 | (3) Form and retention of record. The hospital shall maintain a medical record for each inpatient and outpatient. Medical records shall be accurately written, promptly completed, properly filed and retained, and accessible. The hospital shall use a system of author identification and record maintenance that ensures the integrity of the authentication and protects the security of all record entries.

(c) The hospital shall have a procedure for ensuring the confidentiality of patient records. Information from or copies of records may be released only to authorized individuals, and the hospital shall ensure that unauthorized individuals cannot gain access to or alter patient records. Original medical records shall be released by the hospital only in accordance with federal or state laws, court orders, or subpoenas.

(4) Content of record. The medical record shall contain information to justify admission and continued hospitalization, support the diagnosis, and describe the patient's progress and response to medications and services.

| Medical Privacy | Medical record services
Ala. Admin. Code r. 545-X-4-.08 | (1) Physicians should maintain legible well documented records reflecting the history, findings, diagnosis and course of treatment in the care of a patient. Medical records should be maintained by the treating physician for such period as may be necessary to treat the patient and for such additional time as may be required for medical legal purposes.

(2) Access. On the request of a patient, and with the authorization of the patient, a physician should provide a copy or a summary of the medical record to the patient or to another physician, attorney or other person designated by the patient. By state law, a physician is allowed to condition the release of copies of medical records on the payment by the requesting party of the reasonable costs of reproducing the record. Reasonable cost as defined by law may not exceed one dollar ($1.00) per page for the first twenty-five (25) pages, fifty cents ($.50) per page for each page in excess of twenty-five (25) pages, plus the actual cost of mailing the record. In addition, the actual costs of reproducing x-rays or other special records may be included. For medical records provided in an electronic file, a flat fee that would not exceed the cost of providing the records in paper form may be charged. Records subpoenaed by the State Board of Medical Examiners are exempt from this law. Physicians charging for the cost of reproduction of medical records should give primary consideration to the ethical and professional duties owed to other physicians and to their patients, and waive copying charges when appropriate.

| Medical Privacy | Medical Records
Ala. Code § 25-5-339 | (b) Employers, laboratories, medical review officers, employee assistance programs, drug or alcohol rehabilitation programs, and their agents who receive or have access to information concerning test results shall keep all information confidential. Release of such information under any other circumstance shall be solely pursuant to a written consent form signed voluntarily by the person tested, unless the release is compelled by an agency of the state or a court of competent jurisdiction or unless deemed appropriate by a professional or occupational licensing board in a related disciplinary proceeding. The consent form shall contain at a minimum all of the following:

(1) The name of the person who is authorized to obtain the information.

(2) The purpose of the disclosure.

(3) The precise information to be disclosed.

(4) The duration of the consent.

(5) The signature of the person authorizing release of the information

| Medical Privacy | Confidentiality of information
Alabama Data Breach Notification Act | In case of hacking, notice to an affected individual under this section shall be given in writing, sent to the mailing address of the individual in the records of the covered entity, or by email notice sent to the email address of the individual in the records of the covered entity. The notice shall include, at a minimum, all of the following:

(1) The date, estimated date, or estimated date range of the breach.

(2) A description of the sensitive personally identifying information that was acquired by an unauthorized person as part of the breach.

(3) A general description of the actions taken by a covered entity to restore the security and confidentiality of the personal information involved in the breach.

(4) A general description of steps an affected individual can take to protect himself or herself from identity theft.

(5) Information that the individual can use to contact the covered entity to inquire about the breach.

| Data Privacy | Breach notification
Alabama Insurance Regulation Chapter 482-1-122 | A. Initial notice requirement. A licensee shall provide a clear and conspicuous notice that accurately reflects its privacy policies and practices to both of the following:

(1) Customer. An individual who becomes the licensee's customer, not later than when the licensee establishes a customer relationship, except as provided in Subsection E of this section.

(2) Consumer. A consumer, before the licensee discloses any nonpublic personal financial information about the consumer to any nonaffiliated third party, if the licensee makes a disclosure other than as authorized by Sections 15 and 16.

B. When initial notice to a consumer is not required. A licensee is not required to provide an initial notice to a consumer under Subsection A(2) of this section if either of the following are true:

(1) The licensee does not disclose any nonpublic personal financial information about the consumer to any nonaffiliated third party, other than as authorized by Sections 15 and 16, and the licensee does not have a customer relationship with the consumer.

(2) A notice has been provided by an affiliated licensee, as long as the notice clearly identifies all licensees to whom the notice applies and is accurate with respect to the licensee and the other institutions.

| Financial Privacy | Third Parties

Alaska

Name of Article | Purpose | Type of Privacy Protected | Law on
AS §18.13.010 et seq. | This Alaska legislation provides privacy regulations for genetic information and states that genetic information belongs to the individual it originated from. [5] | Medical Privacy | Genetics
AS 45.48.100 - .290 (section in the Alaska Personal Information Privacy Act) | This article allows consumers to place security holds on their credit report. This will prevent any third party from gaining access to that individual's credit report. The hold can also be removed by the consumer, by submitting a similar request as the one needed to place the hold. [6] | Financial Privacy | Credit Reports
Section 45.48.400 (section in the Alaska Personal Information Privacy Act) | These sections say that it is illegal to make Social Security numbers available to the public. It is also illegal to request and collect Social Security numbers. Additionally, it is illegal to sell, trade, lease or loan SSNs, and disclosures of SSNs are only valid if authorized by law, if requested by a government agency, or if made to a person subject to the Gramm-Leach-Bliley Act or Fair Credit Reporting Act, an individual who is part of a consumer reporting agency, or someone requesting a background check. [6] | Data Security | Social Security

Arizona

Name of Article | Purpose | Type of Privacy Protected | Law on
Ariz. Rev. Stat. Ann. § 12–2803 | This Arizona state legislation states that written consent must be provided for genetic testing, unless the data is collected for research purposes. [3] | Medical Privacy | Consent for information collection
Arizona 2010 SB 1309 | This Arizona state legislation states that written parental consent must be obtained in order to collect and store a minor's DNA. There are some exceptions with newborns. [5] | Medical Privacy | Genetic information belonging to minors
ARS §1-602 | This Arizona state legislation states that written parental consent must be obtained in order to collect and store a minor's DNA. There are some exceptions with newborns. [5] | Medical Privacy | Genetic information belonging to minors
ARS §12-2801 et seq. | This Arizona state legislation states that written parental consent and health care provider consent must be obtained in order to collect and store a minor's DNA. There are some exceptions with newborns. [5] | Medical Privacy | Genetic information belonging to minors
Arizona 2016 HB 2144 | This Arizona state legislation states that genetic testing can only be conducted with the consent of the person being tested. [5] | Medical Privacy | Genetics
Arizona 2019 SB 1297 | This Arizona state legislation removes self-conducted genetics tests from the definition of genetics testing and adds details on providing medical-care providers with the results of genetics tests. [5] | Medical Privacy | Genetics
ARS §20-448.02 | This Arizona state legislation states that a genetics test cannot be conducted without the knowledge of the individual being tested. [5] | Medical Privacy | Genetics
ARS § 41–151.22 | Libraries are not allowed to disclose any information that identifies a user from the materials that they requested digitally or physically. [7] | Digital Privacy | E-readers

Arkansas

Name of Article | Purpose | Type of Privacy Protected | Law on
Ark. Code § 20-35-103 | This Arkansas state legislation states genetic testing is allowed if the information is anonymized. [3] | Medical Privacy | Notifications and treatment of patients
Arkansas 2015 HB 1827 | This Arkansas state legislation states that written parental consent must be acquired before any medical screening is performed on a minor. This enforces the Parents' Bill of Rights. [5] | Medical Privacy | Genetic information belonging to minors
Ark. Code §20-35-101 et seq. | This Arkansas state legislation states that individual records cannot be released without court permission or a consent form. [5] | Medical Privacy | Genetics
Arkansas. Code Ann. §4-110-104 | (b) A person or business that acquires, owns, or licenses personal information about an Arkansas resident shall implement and maintain reasonable security procedures and practices appropriate to the nature of the information to protect the personal information from unauthorized access, destruction, use, modification, or disclosure. | Digital Privacy | Corporate data security
Ark. Code § 11-2-124 | (b) (1) An employer shall not require, request, suggest, or cause a current or prospective employee to:

(A) Disclose his or her username and password to the current or prospective employee's social media account;

(B) Add an employee, supervisor, or administrator to the list or contacts associated with his or her social media account; or

(C) Change the privacy settings associated with his or her social media account.

(2) If an employer inadvertently receives an employee's username, password, or other login information to the employee's social media account through the use of an electronic device provided to the employee by the employer or a program that monitors an employer's network, the employer is not liable for having the information but may not use the information to gain access to an employee's social media account.

| Digital Privacy | Social media privacy
Ark. Code § 6-60-104 | (b) An institution of higher education shall not require, request, suggest, or cause:

(1) A current or prospective employee or student to disclose his or her username and password to the current or prospective employee's or student's social media account; or

(2) A current or prospective student, as a condition of acceptance in curricular or extracurricular activities, to:

(A) Add an employee or volunteer of the institution of higher education, including without limitation a coach, professor, or administrator, to the list of contacts associated with his or her social media account; or

(B) Change the privacy settings associated with his or her social media account.

(c) An institution of higher education shall not:

(1) Take action against or threaten to discharge, discipline, prohibit from participating in curricular or extracurricular activities, or otherwise penalize a current student for exercising his or her rights under subsection (b) of this section; or

(2) Fail or refuse to admit or hire a prospective employee or student for exercising his or her rights under subsection (b) of this section.

| Digital Privacy | Educational institutions

California

Name of Article | Purpose | Type of Privacy Protected | Law on
Cal. Health & Safety Code § 24175 | This California state legislation states that the Common Rule applies to all human subjects. [3] | Medical Privacy | Notifications and treatment of patients
California 2017 AB 375 | This California state legislation states individuals control their biometric information and can sell that data to businesses. [5] | Medical Privacy | Genetics
Cal. Civil Code §56.17 | This California state legislation states that any person who reveals genetic results without consent can be fined. [5] | Medical Privacy | Genetics
SB-1121 California Consumer Privacy Act of 2018 | (a) A consumer shall have the right to request that a business delete any personal information about the consumer which the business has collected from the consumer.

(b) A business that collects personal information about consumers shall disclose, pursuant to Section 1798.130, the consumer's rights to request the deletion of the consumer's personal information.

(c) A business that receives a verifiable consumer request from a consumer to delete the consumer's personal information pursuant to subdivision (a) of this section shall delete the consumer's personal information from its records and direct any service providers to delete the consumer's personal information from their records.

(d) A business or a service provider shall not be required to comply with a consumer's request to delete the consumer's personal information if it is necessary for the business or service provider to maintain the consumer's personal information in order to:

(1) Complete the transaction for which the personal information was collected, provide a good or service requested by the consumer, or reasonably anticipated within the context of a business's ongoing business relationship with the consumer, or otherwise perform a contract between the business and the consumer.

(2) Detect security incidents, protect against malicious, deceptive, fraudulent, or illegal activity; or prosecute those responsible for that activity.

(3) Debug to identify and repair errors that impair existing intended functionality.

(4) Exercise free speech, ensure the right of another consumer to exercise his or her right of free speech, or exercise another right provided for by law.

| Medical Privacy | Genetics
California Civ. Code §1798.81.5 | (b) A business that owns, licenses, or maintains personal information about a California resident shall implement and maintain reasonable security procedures and practices appropriate to the nature of the information, to protect the personal information from unauthorized access, destruction, use, modification, or disclosure.

(c) A business that discloses personal information about a California resident pursuant to a contract with a nonaffiliated third party that is not subject to subdivision (b) shall require by contract that the third party implement and maintain reasonable security procedures and practices appropriate to the nature of the information, to protect the personal information from unauthorized access, destruction, use, modification, or disclosure.

| Digital Privacy | Corporate data security
Calif. Lab. Code § 980 | (b) An employer shall not require or request an employee or applicant for employment to do any of the following:

(1) Disclose a username or password for the purpose of accessing personal social media.

(2) Access personal social media in the presence of the employer.

(3) Divulge any personal social media, except as provided in subdivision (c).

(c) Nothing in this section shall affect an employer's existing rights and obligations to request an employee to divulge personal social media reasonably believed to be relevant to an investigation of allegations of employee misconduct or employee violation of applicable laws and regulations, provided that the social media is used solely for purposes of that investigation or a related proceeding.

(d) Nothing in this section precludes an employer from requiring or requesting an employee to disclose a username, password, or other method for the purpose of accessing an employer-issued electronic device.

(e) An employer shall not discharge, discipline, threaten to discharge or discipline, or otherwise retaliate against an employee or applicant for not complying with a request or demand by the employer that violates this section. However, this section does not prohibit an employer from terminating or otherwise taking an adverse action against an employee or applicant if otherwise permitted by law.

| Digital Privacy | Social media privacy
Calif. Ed. Code § 99121 | (a) Public and private postsecondary educational institutions, and their employees and representatives, shall not require or request a student, prospective student, or student group to do any of the following:

(1) Disclose a user name or password for accessing personal social media.

(2) Access personal social media in the presence of the institution's employee or representative.

(3) Divulge any personal social media information.

(b) A public or private postsecondary educational institution shall not suspend, expel, discipline, threaten to take any of those actions, or otherwise penalize a student, prospective student, or student group in any way for refusing to comply with a request or demand that violates this section.

(c) This section shall not do either of the following:

(1) Affect a public or private postsecondary educational institution's existing rights and obligations to protect against and investigate alleged student misconduct or violations of applicable laws and regulations.

(2) Prohibit a public or private postsecondary educational institution from taking any adverse action against a student, prospective student, or student group for any lawful reason.

| Digital Privacy | Educational institutions
Cal. Civ. Code § 1798.100-§ 1798.198 (“The California Consumer Privacy Act of 2018”) | This legislation states that businesses must disclose to customers the type of information that they collect on them. If the customers refuse to provide that information, the business may not use that as a ground to refuse service to the customer. [7] | Digital Privacy | Consumer data privacy
Cal. Bus. & Prof. Code § 22948.20 | This legislation states that if a device has a voice recognition feature, the user must be aware that the feature exists on that device. Additionally, it prohibits the use of voice recognition for advertising, espionage, or law enforcement purposes. [7] | Digital Privacy | Consumer data privacy
Calif. Bus. & Prof. Code §§ 22580-22582 | This legislation states that minors must be able to delete information posted on a website or application. It also prohibits the knowing use of a minor's information for advertisement purposes. [7] | Digital Privacy | Children's online privacy
Cal. Govt. Code § 6267 | The library cannot release any information about the patron that can be used to identify them or their reading patterns. [7] | Digital Privacy | E-readers
Cal. Civil Code § 1798.90 | Digital books are treated like physical books and will need a warrant to be searched through. [7] | Digital Privacy | E-readers
Calif. Bus. & Prof. Code § 22575 | Requires operators of websites to inform the user if third parties are conducting background information tracking. Additionally, a website must make available information on how it responds to a 'Do Not Track' signal in its privacy policy. [7] | Digital Privacy | Websites or online services
Calif. Bus. & Prof. Code § 22575-22578 (CalOPPA) | Any webpage collecting information on users must make this clear on its privacy policy page. This includes mobile apps. Additionally, the website must make clear the type of information that it collects. [7] | Digital Privacy | Websites or online services
California Ed. Code § 99122 | Educational institutions must have a social media privacy policy on their internet website. [7] | Digital Privacy | Websites or online services
California Civil Code §§ 1798.83 to .84 ("Shine the Light Law") | Businesses must post a privacy statement that allows the consumer to choose, for free, not to share their information. [7] | Digital Privacy | Disclosure or sharing of personal information
California Consumer Privacy Act (CCPA) | This act places regulations on the selling of consumer information including consumer financial information. [7] | Digital Privacy | Consumer information
California Privacy Act | This act was a stricter version of the Gramm-Leach-Bliley Act. This regulation provides that an individual must opt-in in situations with financial institutions in order for those institutions to gain their personal initial information. [7] | Financial Privacy | Opt-in dispersal of personal information
California Consumer Credit Reporting Agencies Act | This act regulates consumer credit reporting agencies as well as any users of credit reports. [7] | Financial Privacy | Credit report
California Privacy Rights Act (CPRA) | This act expands the CCPA, gives consumers more rights to access, correct, and limit the usage and sharing of their personal information, and establishes the California Privacy Protection Agency. [8] | Digital Privacy | Consumer Information
California's Senate Bill 41: The Genetic Information Privacy Act | The bill requires a direct-to-consumer genetic testing company to "provide a consumer with certain information regarding the company's policies and procedures for the collection, use, maintenance, and disclosure, as applicable, of genetic data, and to obtain a consumer's express consent for collection, use, or disclosure of the consumer's genetic data, as specified." It also requires DTCs "to implement and maintain reasonable security procedures and practices to protect a consumer's genetic data against unauthorized access, destruction, use, modification, or disclosure, and develop procedures and practices to enable a consumer to access their genetic data, and to delete their account and genetic data, as specified." [2] | Medical Privacy | Consumer Information

Colorado

Name of Article | Purpose | Type of Privacy Protected | Law on
Colo. Rev. Stat. Ann. § 10-3-1104.6 | This Colorado state legislation states that information belongs to the individual from whom it was collected. [3] | Medical Privacy | Biobanks
Colo. Rev. Stat. §10-3-1104.6(4) | This Colorado state legislation states genetic testing is allowed if the information is anonymized. [3] | Medical Privacy | Notification and treatment of patients
Colorado 2015 SB 77 | This Colorado state legislation states that written parental consent must be acquired before any medical screening is performed on a minor. This enforces the Parents' Bill of Rights. [5] | Medical Privacy | Genetic information belonging to minors
Colorado 2009 HB 1338 | (a) Genetic information is the unique property of the individual to whom the information pertains.

(b) Any information concerning an individual obtained through the use of genetic services may be subject to abuses if disclosed to unauthorized third parties without the willing consent of the individual to whom the information pertains.

| Medical Privacy | Genetics
CRS §10-3-1104.6 | (a) Genetic information is the unique property of the individual to whom the information pertains;

(b) Any information concerning an individual obtained through the use of genetic services may be subject to abuses if disclosed to unauthorized third parties without the willing consent of the individual to whom the information pertains;

(c) To protect individual privacy and to preserve individual autonomy with regard to the individual's genetic information, it is appropriate to limit the use and availability of genetic information;

| Medical Privacy | Genetics
C.R.S. 8-2-127 | (2) (a) An employer may not suggest, request, or require that an employee or applicant disclose, or cause an employee or applicant to disclose, any user name, password, or other means for accessing the employee's or applicant's personal account or service through the employee's or applicant's personal electronic communications device. An employer shall not compel an employee or applicant to add anyone, including the employer or his or her agent, to the employee's or applicant's list of contacts associated with a social media account or require, request, suggest, or cause an employee or applicant to change privacy settings associated with a social networking account.

(b) Paragraph (a) of this subsection (2) does not prohibit an employer from requiring an employee to disclose any user name, password, or other means for accessing nonpersonal accounts or services that provide access to the employer's internal computer or information systems.

| Digital Privacy | Social media privacy
Colorado's Consumer Data Protection Laws | If government or private entities hold PII, or a document that contains personal information, including Social Security numbers, biometric data and financial account numbers, then they are required to have a written policy to make sure that the PII is destroyed when it is no longer needed. | Financial Privacy | PII

Connecticut

Name of Article | Purpose | Type of Privacy Protected | Law on
Conn. Gen. Stat. § 42-471 | Any business that collects Social Security Numbers must have a privacy protection policy in place, which should be posted on its website, must not allow the unlawful disclosure of Social Security Numbers, and must limit access to Social Security Numbers. [7] | Digital Privacy | Websites and online services
Connecticut Data Privacy Law (Senate Bill 6) | Applies to businesses that hold data on more than 100,000 consumers or those who earn 25% of their annual revenue from the sale of data of more than 25,000 consumers. Exempts from its requirements (1) various entities, including state and local governments, nonprofits, and higher education institutions, and (2) specified information and data, including certain health records, identifiable private information for human research, certain credit-related information, and certain information collected under specified federal laws. | Personal Data Privacy and Online Monitoring | Websites and companies managing PI

Delaware

| Name of Article | Purpose | Type of Privacy Protected | Law on |
| --- | --- | --- | --- |
| Del. Code § 1203 | This Delaware state legislation states that labs must dispose of any samples from which genetic information has been collected. However, there are several loopholes, such as anonymizing genetic information. [3] | Medical Privacy | Biobanks |
| Delaware 2015 SB 151 | | Medical Privacy | Genetics |
| Delaware 2015 SB 68 | | Medical Privacy | Genetics |
| Delaware 2015 SB 79 | | Medical Privacy | Genetics |
| Delaware 2017 HS 1 for HB 180 | | Medical Privacy | Genetics |
| Del. Code 16 §1201 et seq. | | Medical Privacy | Genetics |
| 19 Del. Code § 709A | [9] | Digital Privacy | Social Media |
| 14 Del. Code § 8103 | [9] | Digital Privacy | Educational Institutions |
| Del. Code § 1204C | This legislation states that any digital programs that focus on children as a target group must ensure that their information is child appropriate. They are also not allowed to collect any information that can be used to identify the child. This also prohibits the collection of information from the child which is able to identify the child. [7] | Digital Privacy | Children's Online Privacy |
| 2015 SS 1 FOR SB 68; Del. Code tit. 6, § 1206C | Personal information of the reader cannot be disclosed to law enforcement, governmental and commercial entities. [7] | Digital Privacy | E-reader privacy |
| Del. Code Tit. 6 § 205C | Commercial internet websites, online or cloud computing services, online applications, or mobile applications that collect identifiable personal information of people in Delaware must make this collection of information known on their privacy page. [7] | Digital Privacy | Website and Online Services |

Florida

| Name of Article | Purpose | Type of Privacy Protected | Law on |
| --- | --- | --- | --- |
| Fla. Stat. Ann. § 760.40 | This Florida state legislation states that information belongs to the individual from whom it was collected and is subject to privacy laws. [3] | Medical Privacy | Biobanks |
| FS §760.40 | | Medical Privacy | Genetics |
| Florida Stat. § 501.171(2) | | Digital Privacy | Corporate Data Security |

Georgia

| Name of Article | Purpose | Type of Privacy Protected | Law on |
| --- | --- | --- | --- |
| Ga. Rev. Code §§ 33-54-3 | This Georgia state legislation states genetic testing is allowed if the information is anonymized. [3] | Medical Privacy | Notifications and Treatment of Patients |
| Ga. Rev. Code §§ 33-54-6 | This Georgia state legislation states genetic testing is allowed if the information is anonymized. [3] | Medical Privacy | Notifications and Treatment of Patients |
| OCGA §§33-54-1 et seq. | | Medical Privacy | Genetics |

Hawaii

| Name of Article | Purpose | Type of Privacy Protected | Law on |
| --- | --- | --- | --- |
| HRS §§431:10A-118 | | Medical Privacy | Genetics |
| HRS §§431:10A-404.5 | | Medical Privacy | Genetics |
| HRS §§432:1-607 | | Medical Privacy | Genetics |
| HRS §§432:2-404.5 | | Medical Privacy | Genetics |
| HRS §§432D-26 | | Medical Privacy | Genetics |

Idaho

| Name of Article | Purpose | Type of Privacy Protected | Law on |
| --- | --- | --- | --- |
| IC §39-8301 et seq. | | Medical Privacy | Genetics |

Illinois

| Name of Article | Purpose | Type of Privacy Protected | Law on |
| --- | --- | --- | --- |
| Ill. Comp. Stat. § 50/3.1(a) | This Illinois state legislation states that hospital patients must be informed if they are taking part in research. [3] | Medical Privacy | Notifications and Treatment of Patients |
| Illinois 2007 SB 941 | | Medical Privacy | Genetics |
| Illinois 2008 SB 2399 | | Medical Privacy | Genetics |
| Illinois 2017 SB 318 | | Medical Privacy | Genetics |
| Illinois 2019 HB 2189 | | Medical Privacy | Genetics |
| Illinois 2019 SB 1307 | | Medical Privacy | Genetics |
| Illinois: 410 ILCS 513/1 et seq. | | Medical Privacy | Genetics |
| 820 ILCS 55/10 | [9] | Digital Privacy | Social Media |
| 105 ILCS 75/10, 105 ILCS 75/15 | [9] | Digital Privacy | Educational Institutions |

Indiana

| Name of Article | Purpose | Type of Privacy Protected | Law on |
| --- | --- | --- | --- |
| Indiana Code Ann. § 24–4.9-3-3.5(b) | | Digital Privacy | Corporate Data Security |

Iowa

| Name of Article | Purpose | Type of Privacy Protected | Law on |
| --- | --- | --- | --- |
| 2010 SF 2215 | | Medical Privacy | Genetics |
| 2019 HSB 14 | | Medical Privacy | Genetics |
| 2019 SSB 1071 | | Medical Privacy | Genetics |
| IC §§507B.4 | | Medical Privacy | Genetics |
| IC §§507B.4 | | Medical Privacy | Genetics |
| IC §§513B.9A | | Medical Privacy | Genetics |
| IC §§513B.10 | | Medical Privacy | Genetics |

Kansas

| Name of Article | Purpose | Type of Privacy Protected | Law on |
| --- | --- | --- | --- |
| Kansas 2014 SB 367 | This Kansas state legislation prohibits schools from collecting any biometric information from a student, unless the student (if an adult) or a parent (if the student is a minor) has signed consent. [5] | Medical Privacy | Laws for Minors |
| KSA §72-6214 | This Kansas state legislation prohibits schools from collecting any biometric information from a student, unless the student (if an adult) or a parent (if the student is a minor) has signed consent. [5] | Medical Privacy | Laws for Minors |

Kentucky

| Name of Article | Purpose | Type of Privacy Protected | Law on |
| --- | --- | --- | --- |
| Kentucky 2019 SB 152 | This Kentucky state legislation states that schools may not collect DNA or blood from students unless a court order or parental consent has been issued or provided. [5] | Medical Privacy | Laws for Minors |
| Kentucky 2014 HB 5 | | Medical Privacy | Genetics |
| Kentucky 2019 SB 152 | | Medical Privacy | Genetics |
| KRS §304.12-085 | | Medical Privacy | Genetics |
| KRS §61.931 et seq. | | Medical Privacy | Genetics |

Louisiana

| Name of Article | Purpose | Type of Privacy Protected | Law on |
| --- | --- | --- | --- |
| 2009 HB 406 | | Medical Privacy | Genetics |
| LRS 40:2210 | | Medical Privacy | Genetics |
| LRS 22:1023 | | Medical Privacy | Genetics |
| LRS 22:1097 | | Medical Privacy | Genetics |
| La. Rev. Stat. § 51:1951 to §§ 1953 and 1955 | [9] | Digital Privacy | Social Media |
| La. Rev. Stat. § 51:1951 to § 1952 and §§ 1954 to 1955 | [9] | Digital Privacy | Educational Institutions |

Maine

| Name of Article | Purpose | Type of Privacy Protected | Law on |
| --- | --- | --- | --- |
| Me. Rev. Stat. Ann. tit. 22, § 1711-C | This Maine state legislation states that all health data, including genetic information, must be confidential. [3] | Medical Privacy | Encryption of Collected Data |
| Me. Rev. Stat. Ann. tit. 22, § 1711-C | This Maine state legislation states genetic testing is allowed if the information is anonymized. [3] | Medical Privacy | Notifications and Treatment of Patients |
| MRS 22 §1711C | | Medical Privacy | Genetics |
| MRS 24A §2204 | | Medical Privacy | Genetics |
| 26 M.R.S. § 616 to 619 | [9] | Digital Privacy | Social Media |

Maryland

| Name of Article | Purpose | Type of Privacy Protected | Law on |
| --- | --- | --- | --- |
| Md. Code Ann., Health-Gen. § 13–2002 | This Maryland state legislation states that the Common Rule applies to all human subjects. [3] | Medical Privacy | Notifications and Treatment of Patients |
| 2017 HB 974 | | Medical Privacy | Genetics |
| 2019 HB 1127 | | Medical Privacy | Genetics |
| 2019 HB 716 | | Medical Privacy | Genetics |
| 2019 HB 901 | | Medical Privacy | Genetics |
| 2019 SB 613 | | Medical Privacy | Genetics |
| 2019 SB 786 | | Medical Privacy | Genetics |
| 2019 SB 871 | | Medical Privacy | Genetics |
| Md. Commercial Code §14-3501 et seq. | | Medical Privacy | Genetics |
| Md. Insurance Code §27-909 | | Medical Privacy | Genetics |
| Md. Health-General Code §19-706 | | Medical Privacy | Genetics |
| Md. State Government Code §20-601 et seq. | | Medical Privacy | Genetics |
| Maryland Code Ann., Com. Law § 14-3503(a) | | Digital Privacy | Corporate Data Security |
| Md. Code, Labor and Emp. Law § 3-712 | [9] | Digital Privacy | Social Media |
| Md. Code, Ed. Law § 26-401 | | Digital Privacy | Educational Institutions |

Massachusetts

| Name of Article | Purpose | Type of Privacy Protected | Law on |
| --- | --- | --- | --- |
| Massachusetts 2013 H 1909 | | Medical Privacy | Genetics |
| Massachusetts 2015 H 1900 | | Medical Privacy | Genetics |
| Massachusetts 2017 H2814 | | Medical Privacy | Genetics |
| Massachusetts: MGL Public Health 111 §70G | | Medical Privacy | Genetics |
| 201 Massachusetts Code Regs. 17.03 | Companies must take specific steps to assess security risks, train employees, and carry out other security-related tasks. [4] | Digital Privacy | Corporate Data Security |

Michigan

| Name of Article | Purpose | Type of Privacy Protected | Law on |
| --- | --- | --- | --- |
| Michigan 2013 SB 178 | | Medical Privacy | Genetics |
| MCL § 500.2212c | | Medical Privacy | Genetics |
| MCL §500.3829a | | Medical Privacy | Genetics |
| MCL §§333.16221 | | Medical Privacy | Genetics |
| MCL §§333.17020 | | Medical Privacy | Genetics |
| MCL §§333.17520 | | Medical Privacy | Genetics |
| MCL § 37.271-37.278 | [9] | Digital Privacy | Social Media |
| MCL § 37.271-37.278 | [9] | Digital Privacy | Educational Institutions |

Minnesota

| Name of Article | Purpose | Type of Privacy Protected | Law on |
| --- | --- | --- | --- |
| Minnesota 2013 HF 5 | | Medical Privacy | Genetics |
| Minnesota 2019 HF 112 | | Medical Privacy | Genetics |
| MS §13.386 | | Medical Privacy | Genetics |
| MS §144.192 | | Medical Privacy | Genetics |
| MS §176.138 | | Medical Privacy | Genetics |
| MS §62V.06 | | Medical Privacy | Genetics |
| Minn. Stat. §§ 325M.01 to .09 | Any information that can be used to identify the user cannot be disclosed. Additionally, Internet service providers must get permission to disclose information. [7] | Digital Privacy | Personal Information |

Mississippi

| Name of Article | Purpose | Type of Privacy Protected | Law on |
| --- | --- | --- | --- |
| Miss. Code. Ann. § 41-119–13 | This Mississippi state legislation states that patient-specific information can only be released in compliance with HIPAA regulation. [3] | Medical Privacy | Biobanks |

Missouri

| Name of Article | Purpose | Type of Privacy Protected | Law on |
| --- | --- | --- | --- |
| MRS §§375.1300 | | Medical Privacy | Genetics |
| MRS §§375.1309 | | Medical Privacy | Genetics |
| Mo. Rev. Stat. § 182.815, 182.817 | States that an e-book is similar to a book, so a user must "borrow" it from a library and must return that material. In addition, a library may collect information on the readers of e-books. [7] | Digital Privacy | E-Reader Privacy |

Montana

| Name of Article | Purpose | Type of Privacy Protected | Law on |
| --- | --- | --- | --- |
| Mont. Code Ann. § 39-2-307 | [9] | Digital Privacy | Social Media |
| MT Code Sec. 30-14-1704 | [10] | Data Privacy | Breach notification |
| MT Code Sec. 33-19-321 | [10] | Data Privacy | Insurance companies |
| MT Code Sec. 30-14-1704 | [10] | Data Privacy | Breach notification |

Nebraska

| Name of Article | Purpose | Type of Privacy Protected | Law on |
| --- | --- | --- | --- |
| Neb. Rev. Stat. 48-3501 et seq. | [9] | Digital Privacy | Social Media |
| NRS §71-551 | | Medical Privacy | Genetics |
| Nebraska Stat. § 87-302(14) | Posting incorrect information regarding people's identifiable information is illegal. [7] | Digital Privacy | False and Misleading Statements in Privacy Policies |

Nevada

| Name of Article | Purpose | Type of Privacy Protected | Law on |
| --- | --- | --- | --- |
| Nev. Rev. Stat. § 629.161 | This Nevada state legislation states that genetic information must be destroyed if an individual wants to pull out of the research or if the research has ended. [3] | Medical Privacy | Biobanks |
| Nev. Rev. Stat. Ann. § 629.151 | This Nevada state legislation states that consent must be provided for genetic testing, unless the data is collected for anonymous research purposes. [3] | Medical Privacy | Consent to Collect Information |
| Nevada 2009 SB 426 | | Medical Privacy | Genetics |
| NRS §629.101 et seq. | | Medical Privacy | Genetics |
| Rev. Stat. § 603A.215 | It requires that companies use encryption to store certain types of data and follow certain procedures when saving payment-card data. [4] | Digital Privacy | Corporate Data Security |
| NRS § 613.135 | [9] | Digital Privacy | Social Media |
| NRS § 603A.340 | Commercial internet websites, online or cloud computing services, online applications, or mobile applications that collect identifiable personal information must make this collection known on their privacy page. Additionally, they must describe the process used to collect the information and make this available on the privacy page. [7] | Digital Privacy | Websites and Online Services |
| Nevada Revised Stat. § 205.498 | Any information that can be used to identify the user cannot be disclosed. [7] | Digital Privacy | Personal Information held by Internet Service Providers |
| Nevada Stat. § 87-302(14) | Posting incorrect information regarding people's identifiable information is illegal. [7] | Digital Privacy | Privacy Policies |

New Hampshire

| Name of Article | Purpose | Type of Privacy Protected | Law on |
| --- | --- | --- | --- |
| New Hampshire 2014 HB 1262 | | Medical Privacy | Genetics |
| New Hampshire 2014 HB 1484 | | | |
| New Hampshire 2014 HB 1586 | | | |
| New Hampshire 2016 HB 1493 | | | |
| New Hampshire 2017 HB 523 | | | |
| New Hampshire 2018 HB 1373 | | | |
| New Hampshire 2019 HB 536 | | | |
| New Hampshire 2019 SB 316 | | | |
| NHS §132:10-a V. | | | |
| NHS §141-H:1 | | | |
| NHS §141-H:2 | | | |
| NHS §141:H-6 | | | |
| N.H. Rev. Stat. § 275:74 | [9] | Digital Privacy | Social Media |
| N.H. Rev. Stat. 189:70 | [9] | Digital Privacy | Educational Institutions |

New Jersey

| Name of Article | Purpose | Type of Privacy Protected | Law on |
| --- | --- | --- | --- |
| N.J. Stat. Ann. § 26:14–4 | This New Jersey state legislation states that hospital patients must be informed if they are taking part in research. [3] | Medical Privacy | Notifications and Treatment of Patients |
| New Jersey 2018 A4640 | | Medical Privacy | Genetics |
| New Jersey 2018 S3153 | | Medical Privacy | Genetics |
| NJS §10:5-43 et seq. | | Medical Privacy | Genetics |
| N.J. Stat. § 34:6B-6 | [9] | Digital Privacy | Social Media |
| N.J. Stat. § 18A:3-30 | [9] | Digital Privacy | Educational Institutions |

New Mexico

| Name of Article | Purpose | Type of Privacy Protected | Law on |
| --- | --- | --- | --- |
| N.M. Stat. Ann. § 24-21–3 | This New Mexico state legislation states that consent must be provided for genetic testing, unless the data is collected for anonymous research purposes. [3] | Medical Privacy | Consent to Collect Information |
| N.M. Stat. Ann. § 24-21-3C(8) | This New Mexico state legislation states that data can be collected for medical registers without needing to be anonymized. [3] | Medical Privacy | Consent to Collect Information |
| N.M. Stat. Ann. § 24-21–3 | This New Mexico state legislation states genetic testing is allowed if the information is anonymized. [3] | Medical Privacy | Notifications and Treatment of Patients |
| New Mexico 2013 SB 445 | | Medical Privacy | Genetics |
| New Mexico 2015 HB 369 | | Medical Privacy | Genetics |
| New Mexico 2019 HB 141 | | Medical Privacy | Genetics |
| NMSA §24-21-1 et seq. | | Medical Privacy | Genetics |
| N.M. Stat. § 50-4-34 (covers job applicants only) | [9] | Digital Privacy | Social Media |
| N.M. Stat. § 21-1-46 | [9] | Digital Privacy | Educational Institutions |

New York

| Name of Article | Purpose | Type of Privacy Protected | Law on |
| --- | --- | --- | --- |
| N.Y. Pub. Health §§ 2442, 2444 | This New York state legislation states that the Common Rule applies to all human subjects. [3] | Medical Privacy | Notifications and Treatment of Patients |
| New York 2019 A1911 | | Medical Privacy | Genetics |
| New York 2019 A465 | | Medical Privacy | Genetics |
| New York 2019 S1203 | | Medical Privacy | Genetics |
| NYCL (CVR) 79-l | | Medical Privacy | Genetics |

North Carolina

| Name of Article | Purpose | Type of Privacy Protected | Law on |
| --- | --- | --- | --- |
| N.C. Gen. Stat. §§ 75-60 – 75-66 (Identity Theft Protection Act) | [11] | Data Privacy | Identity Theft |
| N.C. Gen. Stat. § 58-2-105 (Confidentiality of Medical and Credentialing Records) | [11] | Medical Privacy | Medical Records |
| N.C. Gen. Stat. § 58-39-45 (Access to Recorded Personal Information) | [11] | Data Privacy | Recordings |
| N.C. Gen. Stat. § 132–1.10 (Social Security Numbers and Other Personal Identification Information) | [11] | Data Privacy | Personal Identification Information |

North Dakota

| Name of Article | Purpose | Type of Privacy Protected | Law on |
| --- | --- | --- | --- |
| 2015 SB 2334 | | Medical Privacy | Genetics |
| N.D. Cent. Code § 26.1-36-12.4 | Confidentiality of medical information. 1. An insurance company, as defined in section 26.1-02-01, health maintenance organization, or any other entity providing a plan of health insurance subject to state insurance regulation may not deliver, issue, execute or renew a health insurance policy or health service contract unless confidentiality of medical information is assured pursuant to this section. An insurer shall adopt and maintain procedures to ensure that all identifiable information maintained by the insurer regarding the health, diagnosis, and treatment of persons covered under a policy or contract is adequately protected and remains confidential in compliance with all federal and state laws and regulations and professional ethical standards. Unless otherwise provided by law, any data or information pertaining to the health, diagnosis, or treatment of a person covered under a policy or contract, or a prospective insured, obtained by an insurer from that person or from a health care provider, regardless of whether the information is in the form of paper, is preserved on microfilm, or is stored in computer-retrievable form, is confidential and may not be disclosed to any person | Data Privacy | Storage of Data |

Ohio

| Name of Article | Purpose | Type of Privacy Protected | Law on |
| --- | --- | --- | --- |
| 2018 SB 220 (Also known as Ohio Data Protection Act) | (B) A covered entity's cybersecurity program shall be designed to do all of the following: (1) Protect the security and confidentiality of personal information; (2) Protect against any anticipated threats or hazards to the security or integrity of personal information; (3) Protect against unauthorized access to and acquisition of personal information that is likely to result in a material risk of identity theft or other fraud to the individual to whom the information relates. (C) The scale and scope of a covered entity's cybersecurity program under division (A) of this section shall be appropriate if it is based on all of the following factors: (1) The size and complexity of the covered entity; (2) The nature and scope of the activities of the covered entity; (3) The sensitivity of the personal information to be protected; (4) The cost and availability of tools to improve information security and reduce vulnerabilities; (5) The resources available to the covered entity. | Data Privacy | Breach Notification |

Oklahoma

| Name of Article | Purpose | Type of Privacy Protected | Law on |
| --- | --- | --- | --- |
| Oklahoma 2013 HB 1384 | This Oklahoma legislation states that genetic information cannot be collected from minors unless a court order has been issued or parental consent has been provided or the minor is being tested for syphilis or sexually transmitted infections and HIV. [5] | Medical Privacy | Minors |
| Oklahoma OS §25-2001 | This Oklahoma legislation states that genetic information cannot be collected from minors unless a court order has been issued or parental consent has been provided or the minor is being tested for syphilis or sexually transmitted infections and HIV. [5] | Medical Privacy | Minors |
| Oklahoma 2013 HB 1384 | | Medical Privacy | Genetics |
| OS §25-2001 | | Medical Privacy | Genetics |
| OS §36-3614.3 | | Medical Privacy | Genetics |
| 40 Okla. Stat. § 173.2 | [9] | Digital Privacy | Social Media |
| Oklahoma H.B. 1877 | This Oklahoma legislation gives guidelines on employers' access to employees' online social media accounts, and it provides both an exception and an effective date. [9] | Employee Privacy; Digital Privacy | Social Media |

Oregon

| Name of Article | Purpose | Type of Privacy Protected | Law on |
| --- | --- | --- | --- |
| Or. Laws Ch. 680 (1995) | This Oregon state legislation was passed in 1995 and stated that information belongs to the individual from whom it was collected. [3] | Medical Privacy | Biobanks |
| Or. Laws Ch. 780 (1997) | This Oregon state legislation was passed in 1997 and stated that genetic information can be used if it is anonymized. [3] | Medical Privacy | Biobanks |
| Or. Laws Ch. 588 (2001) | This Oregon state legislation was passed in 2001 and states that genetic information was not owned by individuals from whom it was collected and that genetic information should remain anonymized and should follow privacy laws. [3] | Medical Privacy | Biobanks |
| Oregon 2007 SB 244 | | Medical Privacy | Genetics |
| Oregon 2009 HB 2009 | | Medical Privacy | Genetics |
| ORS §192.531 et seq. | | Medical Privacy | Genetics |
| Oregon. Rev. Stat. Ann. § 646A.622 | This legislation has three important aspects: training employees, having regular security control tests, and placing reasonable safeguards against hacks. [4] | Digital Privacy | Corporate data security |
| O.R.S. § 659A.330 | | Digital Privacy | Social media privacy |
| O.R.S. §§ 350.272, 350.274 | | Digital Privacy | Educational institutions |
| ORS § 646.607 | It is illegal to publish information that is inconsistent with the behaviour of the user. [7] | Digital Privacy | Websites or online services |
| ORS § 646.607 | This states that it is illegal for anybody to publish information that is purposefully incorrect. [7] | Digital Privacy | False and misleading statements posted online |

Pennsylvania

| Name of Article | Purpose | Type of Privacy Protected | Law on |
| --- | --- | --- | --- |
| Pennsylvania 2019 HB 245 | | Medical Privacy | Genetics |
| 18 Pa. C.S.A § 4107(a)(10) | Distribution of fraudulent information on the internet is illegal. [7] | Digital Privacy | False and misleading statements posted online |

Rhode Island

| Name of Article | Purpose | Type of Privacy Protected | Law on |
| --- | --- | --- | --- |
| Rhode Island 2019 S234 | [5] | Medical Privacy | Genetics |
| RIGL §§27-18-52 | [5] | Medical Privacy | Genetics |
| RIGL §§27-18-52.1 | [5] | Medical Privacy | Genetics |
| RIGL §§27-19-44 | [5] | Medical Privacy | Genetics |
| RIGL §§27-19-44.1 | [5] | Medical Privacy | Genetics |
| RIGL §§27-20-39 | [5] | Medical Privacy | Genetics |
| RIGL §§27-20-39.1 | [5] | Medical Privacy | Genetics |
| RIGL §§27-41-53 | [5] | Medical Privacy | Genetics |
| RIGL §§27-41-53.1 | [5] | Medical Privacy | Genetics |
| Rhode Island Gen. Laws Ann. § 11–49.3-2(a) | The legislation states that the level of digital security programs a company must have is relative to the size of the company. [4] | Digital Privacy | Corporate data security |
| R.I. Gen. Laws § 28-56-1 to -6 | | Digital Privacy | Social media privacy |
| R.I. Gen. Laws § 16-103-1 to -6 | | Digital Privacy | Educational institutions |

South Carolina

| Name of Article | Purpose | Type of Privacy Protected | Law on |
| --- | --- | --- | --- |
| South Carolina 2010 SB 1224 | | Medical Privacy | Genetics |
| SCCL §38-93 et seq. | | Medical Privacy | Genetics |
| SCCL §§38-93-10 et seq. | | Medical Privacy | Genetics |

South Dakota

| Name of Article | Purpose | Type of Privacy Protected | Law on |
| --- | --- | --- | --- |
| SDCL §§34-14-21 et seq. | | Medical Privacy | Genetics |

Tennessee

| Name of Article | Purpose | Type of Privacy Protected | Law on |
| --- | --- | --- | --- |
| Tennessee 2018 HB 2690 | | Medical Privacy | Genetics |
| Tennessee 2018 SB 2029 | | Medical Privacy | Genetics |
| Tenn. Code §§ 50-1-1001 to -1004 | | Digital Privacy | Social media privacy |
| TC §49-1-702 | This Tennessee state legislation states that written parental consent must be acquired before any medical screening is performed on a minor. [5] | Medical Privacy | Genetic information of minors |

Texas

| Name of Article | Purpose | Type of Privacy Protected | Law on |
| --- | --- | --- | --- |
| Texas 2017 HB 2891 | | Medical Privacy | Genetics |
| TS (Civil Practice and Remedies) Code §74.052 | | Medical Privacy | Genetics |
| TS (Insurance) Code §546.001 et seq. | | Medical Privacy | Genetics |
| TS (Occupations) Code §58.001 et seq. | | Medical Privacy | Genetics |

Utah

| Name of Article | Purpose | Type of Privacy Protected | Law on |
| --- | --- | --- | --- |
| Utah 2016 HB 358 | | Medical Privacy | Genetics |
| UC §26-45-101 et seq. | | Medical Privacy | Genetics |
| UC §53A-1-1401 et seq. | | Medical Privacy | Genetics |
| Utah Code Ann. § 13-44-201(1)(a) | | Digital Privacy | Corporate Data Security |
| Utah Code § 34-48-201 et seq. | [9] | Digital Privacy | Social Media |
| Utah Code § 53B-25-101 et seq. | [9] | Digital Privacy | Educational Institutions |
| Utah Code §§ 13-37-201 to -203 | Must let the consumer know that their information is being shared for a profit/marketing strategy. [7] | Digital Privacy | Disclosure or Sharing of Personal Information |

Vermont

| Name of Article | Purpose | Type of Privacy Protected | Law on |
| --- | --- | --- | --- |
| VSA 18 §9331 et seq. | | Medical Privacy | Genetics |
| 21 V.S.A. § 495l | [9] | Digital Privacy | Social Media |
| VA C § B-2018-01 | This law regulates how private institutions handle consumer/customer information. | Financial Privacy | Regulation of Private Institutions |

Virginia

| Name of Article | Purpose | Type of Privacy Protected | Law on |
| --- | --- | --- | --- |
| Va. Code Ann. §§ 32.1-162.16 to 32.1-162.20 | This Virginia state legislation states that Common Rule applies to all human subjects. [3] | Medical Privacy | Notifications and Treatment of Patients |
| Code of Va. §§ 38.2-508.4 | | Medical Privacy | Genetics |
| Code of Va. §§38.2-613 | | Medical Privacy | Genetics |
| Va. Code § 40.1-28.7:5 | [9] | Digital Privacy | Social Media |
| Va. Code § 23.1-405 | [9] | Digital Privacy | Educational Institutions |
| H.B. 2081 | This law states that employers are prohibited from requiring employees to add an employer, supervisor or an administrator to his or her social media, or to change the privacy settings. [9] | Digital Privacy | Social Media |

Washington

| Name of Article | Purpose | Type of Privacy Protected | Law on |
| --- | --- | --- | --- |
| Washington 2017 HB 2213 | | Medical Privacy | Genetics |
| RCW §70.02.010 et seq. | | Medical Privacy | Genetics |
| RCW §§ 49.44.200 and 49.44.205 | [9] | Digital Privacy | Social Media |

West Virginia

| Name of Article | Purpose | Type of Privacy Protected | Law on |
| --- | --- | --- | --- |
| West Virginia 2016 HB 4261 | | Medical Privacy | Genetics |
| West Virginia: WVC §18-2-5h | | Medical Privacy | Genetics |
| W.V. Code § 21-5H-1 | [9] | Digital Privacy | Social Media |

Wisconsin

| Name of Article | Purpose | Type of Privacy Protected | Law on |
| --- | --- | --- | --- |
| Wis. Stat. § 995.55 | [9] | Digital Privacy | Social Media |
| Wis. Stat. § 995.55 | [9] | Digital Privacy | Educational Institutions |

Wyoming

| Name of Article | Purpose | Type of Privacy Protected | Law on |
| --- | --- | --- | --- |
| Wyoming WSA §35-31-101 et seq. | | Medical Privacy | Genetics |

See also

Related Research Articles

<span class="mw-page-title-main">Gramm–Leach–Bliley Act</span> Act of the 106th United States Congress (1999–2001)

The Gramm–Leach–Bliley Act (GLBA), also known as the Financial Services Modernization Act of 1999, is an act of the 106th United States Congress (1999–2001). It repealed part of the Glass–Steagall Act of 1933, removing barriers in the market among banking companies, securities companies, and insurance companies that prohibited any one institution from acting as any combination of an investment bank, a commercial bank, and an insurance company. With the passage of the Gramm–Leach–Bliley Act, commercial banks, investment banks, securities firms, and insurance companies were allowed to consolidate. Furthermore, it failed to give to the SEC or any other financial regulatory agency the authority to regulate large investment bank holding companies. The legislation was signed into law by President Bill Clinton.

<span class="mw-page-title-main">Identity theft</span> Deliberate use of someone elses identity, usually as a method to gain a financial advantage

Identity theft, identity piracy or identity infringement occurs when someone uses another's personal identifying information, like their name, identifying number, or credit card number, without their permission, to commit fraud or other crimes. The term identity theft was coined in 1964. Since that time, the definition of identity theft has been legally defined throughout both the U.K. and the U.S. as the theft of personally identifiable information. Identity theft deliberately uses someone else's identity as a method to gain financial advantages or obtain credit and other benefits. The person whose identity has been stolen may suffer adverse consequences, especially if they are falsely held responsible for the perpetrator's actions. Personally identifiable information generally includes a person's name, date of birth, social security number, driver's license number, bank account or credit card numbers, PINs, electronic signatures, fingerprints, passwords, or any other information that can be used to access a person's financial resources.

Information privacy is the relationship between the collection and dissemination of data, technology, the public expectation of privacy, contextual information norms, and the legal and political issues surrounding them. It is also known as data privacy or data protection.

Medical privacy, or health privacy, is the practice of maintaining the security and confidentiality of patient records. It involves both the conversational discretion of health care providers and the security of medical records. The terms can also refer to the physical privacy of patients from other patients and providers while in a medical facility, and to modesty in medical settings. Modern concerns include the degree of disclosure to insurance companies, employers, and other third parties. The advent of electronic medical records (EMR) and patient care management systems (PCMS) have raised new concerns about privacy, balanced with efforts to reduce duplication of services and medical errors.

<span class="mw-page-title-main">Fair Credit Reporting Act</span> U.S. federal legislation

The Fair Credit Reporting Act (FCRA), 15 U.S.C. § 1681 et seq., is federal legislation enacted to promote the accuracy, fairness, and privacy of consumer information contained in the files of consumer reporting agencies. It was intended to shield consumers from the willful and/or negligent inclusion of erroneous data in their credit reports. To that end, the FCRA regulates the collection, dissemination, and use of consumer information, including consumer credit information. Together with the Fair Debt Collection Practices Act (FDCPA), the FCRA forms the foundation of consumer rights law in the United States. It was originally passed in 1970, and is enforced by the U.S. Federal Trade Commission, the Consumer Financial Protection Bureau, and private litigants.

A privacy policy is a statement or legal document that discloses some or all of the ways a party gathers, uses, discloses, and manages a customer or client's data. Personal information can be anything that can be used to identify an individual, not limited to the person's name, address, date of birth, marital status, contact information, ID issue, and expiry date, financial records, credit information, medical history, where one travels, and intentions to acquire goods and services. In the case of a business, it is often a statement that declares a party's policy on how it collects, stores, and releases personal information it collects. It informs the client what specific information is collected, and whether it is kept confidential, shared with partners, or sold to other firms or enterprises. Privacy policies typically represent a broader, more generalized treatment, as opposed to data use statements, which tend to be more detailed and specific.

Personal data, also known as personal information or personally identifiable information (PII), is any information related to an identifiable person.

Information privacy, data privacy or data protection laws provide a legal framework on how to obtain, use and store data of natural persons. The various laws around the world describe the rights of natural persons to control who is using its data. This includes usually the right to get details on which data is stored, for what purpose and to request the deletion in case the purpose is not given anymore.

Genetic discrimination occurs when people treat others differently because they have or are perceived to have a gene mutation(s) that causes or increases the risk of an inherited disorder. It may also refer to any and all discrimination based on the genotype of a person rather than their individual merits, including that related to race, although the latter would be more appropriately included under racial discrimination. Some legal scholars have argued for a more precise and broader definition of genetic discrimination: "Genetic discrimination should be defined as when an individual is subjected to negative treatment, not as a result of the individual's physical manifestation of disease or disability, but solely because of the individual's genetic composition." Genetic Discrimination is considered to have its foundations in genetic determinism and genetic essentialism, and is based on the concept of genism, i.e. distinctive human characteristics and capacities are determined by genes.

Privacy law is the body of law that deals with the regulating, storing, and using of personally identifiable information, personal healthcare information, and financial information of individuals, which can be collected by governments, public or private organisations, or other individuals. It also applies in the commercial sector to things like trade secrets and the liability that directors, officers, and employees have when handing sensitive information.

Consumer protection is the practice of safeguarding buyers of goods and services, and the public, against unfair practices in the marketplace. Consumer protection measures are often established by law. Such laws are intended to prevent businesses from engaging in fraud or specified unfair practices to gain an advantage over competitors or to mislead consumers. They may also provide additional protection for the general public which may be impacted by a product even when they are not the direct purchaser or consumer of that product. For example, government regulations may require businesses to disclose detailed information about their products—particularly in areas where public health or safety is an issue, such as with food or automobiles.

Information technology law(IT law) or information, communication and technology law (ICT law) (also called cyberlaw) concerns the juridical regulation of information technology, its possibilities and the consequences of its use, including computing, software coding, artificial intelligence, the internet and virtual worlds. The ICT field of law comprises elements of various branches of law, originating under various acts or statutes of parliaments, the common and continental law and international law. Some important areas it covers are information and data, communication, and information technology, both software and hardware and technical communications technology, including coding and protocols.

The United States Federal Trade Commission's fair information practice principles (FIPPs) are guidelines that represent widely accepted concepts concerning fair information practice in an electronic marketplace.

FTC regulation of behavioral advertising: US regulations on advertising targeted by online activity

The United States Federal Trade Commission (FTC) has been involved in oversight of the behavioral targeting techniques used by online advertisers since the mid-1990s. These techniques, initially called "online profiling", are now referred to as "behavioral targeting"; they are used to target online behavioral advertising (OBA) to consumers based on preferences inferred from their online behavior. During the period from the mid-1990s to the present, the FTC held a series of workshops, published a number of reports, and gave numerous recommendations regarding both industry self-regulation and Federal regulation of OBA. In late 2010, the FTC proposed a legislative framework for U.S. consumer data privacy including a proposal for a "Do Not Track" mechanism. In 2011, a number of bills were introduced into the United States Congress that would regulate OBA.

Do Not Track legislation protects Internet users' right to choose whether or not they want to be tracked by third-party websites. It has been called the online version of "Do Not Call". This type of legislation is supported by privacy advocates and opposed by advertisers and services that use tracking information to personalize web content.

Do Not Track (DNT) is a formerly official HTTP header field, designed to allow internet users to opt out of tracking by websites, which includes the collection of data regarding a user's activity across multiple distinct contexts, and the retention, use, or sharing of that data outside its context. Efforts to standardize Do Not Track by the World Wide Web Consortium did not reach their goal and ended in September 2018 due to insufficient deployment and support.

Chris Hoofnagle

Chris Jay Hoofnagle is an American professor at the University of California, Berkeley who teaches information privacy law, computer crime law, regulation of online privacy, internet law, and seminars on new technology. Hoofnagle has contributed to the privacy literature by writing privacy law legal reviews and conducting research on the privacy preferences of Americans. Notably, his research demonstrates that most Americans prefer not to be targeted online for advertising and that, despite claims to the contrary, young people care about privacy and take actions to protect it. Hoofnagle has written scholarly articles regarding identity theft, consumer privacy, U.S. and European privacy laws, and privacy policy suggestions.

DNA encryption is the process of hiding or perplexing genetic information by a computational method in order to improve genetic privacy in DNA sequencing processes. The human genome is complex and long, but it is very possible to interpret important, and identifying, information from smaller variabilities, rather than reading the entire genome. A whole human genome is a string of 3.2 billion base paired nucleotides, the building blocks of life, but between individuals the genetic variation differs only by 0.5%, an important 0.5% that accounts for all of human diversity, the pathology of different diseases, and ancestral story. Emerging strategies incorporate different methods, such as randomization algorithms and cryptographic approaches, to de-identify the genetic sequence from the individual, and fundamentally, isolate only the necessary information while protecting the rest of the genome from unnecessary inquiry. The priority now is to ascertain which methods are robust, and how policy should ensure the ongoing protection of genetic privacy.

The gathering of personally identifiable information (PII) is the practice of collecting public and private personal data that can be used to identify an individual for both legal and illegal applications. PII owners often view PII gathering as a threat and violation of their privacy. Meanwhile, entities such as information technology companies, governments, and organizations use PII for data analysis of consumer shopping behaviors, political preference, and personal interests.

Privacy and the United States government consists of enacted legislation, funding of regulatory agencies, enforcement of court precedents, creation of congressional committees, evaluation of judicial decisions, and implementation of executive orders in response to major court cases and technological change. Because the United States government is composed of three distinct branches governed by both the separation of powers and checks and balances, the change in privacy practice can be separated relative to the actions performed by the three branches.

Financial privacy laws regulate the manner in which financial institutions handle the nonpublic financial information of consumers. In the United States, financial privacy is regulated through laws enacted at the federal and state level. Federal regulations are primarily represented by the Bank Secrecy Act, Right to Financial Privacy Act, the Gramm-Leach-Bliley Act, and the Fair Credit Reporting Act. Provisions within other laws like the Credit and Debit Card Receipt Clarification Act of 2007 as well as the Electronic Funds Transfer Act also contribute to financial privacy in the United States. State regulations vary from state to state. While each state approaches financial privacy differently, they mostly draw from federal laws and provide more stringent outlines and definitions. Government agencies like the Consumer Financial Protection Bureau and the Federal Trade Commission provide enforcement for financial privacy regulations.

References

  1. Dilbert, Robert (2016). "United States CyberSecurity Enforcement: Leading Roles of the Federal Trade Commission and State Attorneys General". Kentucky Law Review. 43: 1–28, via JSTOR.
  2. California Legislative Information (October 7, 2021). "SB-41 Privacy: genetic testing companies".
  3. Harrell, Heather (2016). "Biobanking Research and Privacy Laws in the United States". The Journal of Law, Medicine & Ethics. 44 (1): 106–127. doi:10.1177/1073110516644203. PMID 27256128.
  4. Kosseff, Jeff (2018). "Defining Cybersecurity Law". Iowa Law Review. 103 (3): 985–1031.
  5. "Policy and Legislation Database - Browse All Records". National Human Genome Research Institute (NHGRI). Retrieved 2019-03-21.
  6. "Alaska Personal Information Protection Act - Consumer Protection Laws". law.alaska.gov. Retrieved 2019-04-29.
  7. "State Laws Related to Internet Privacy". www.ncsl.org. Retrieved 2019-04-04.
  8. "Move Over, CCPA: The California Privacy Rights Act Gets the Spotlight Now". news.bloomberglaw.com. Retrieved 2020-12-10.
  9. "State Social Media Privacy Laws". www.ncsl.org. Retrieved 2019-04-04.
  10. "Montana Privacy laws & HR compliance analysis". www.blr.com. Retrieved 2019-05-01.
  11. "North Carolina Data Privacy Regulations Overview". CSR Privacy Solutions. Retrieved 2019-05-01.