State privacy laws of the United States

Last updated January 11, 2024

Privacy laws vary from state to state within the United States of America. Several states have recently passed new legislation that adapt to changes in cyber security laws, medical privacy laws, and other privacy related laws. State laws are typically extensions of existing United States federal laws, expanding them or changing the implementation of the law.

History

Historically, state laws on privacy date back before the founding of the United States and most authorities left protection of personal information to the individual. However, after the creation of a national economy as a result of the Civil War, governmental agencies were created to recommend stronger privacy protections. This led to the creation of de facto privacy commissioners, such as the Federal Trade Commission (FTC) and the State Attorney General.^[1]

The FTC was created in 1914 to protect individuals from harmful trade practices, and in 1995 the FTC began to study and analyze privacy issues in electronic commerce and began to place and enforce regulations.^[1]

Most state legislation on privacy are expansions of federal laws.

The Uniform Law Commission has proposed a model bill – the Uniform Personal Data Protection Act (“UPDPA”), which “provides a reasonable level of consumer protection without incurring the compliance and regulatory costs associated with some existing state regimes.”^[2]

Types of privacy legislation

There are several different types of privacy legislation currently in place. State laws vary between these niche privacy spheres. Each type of legislation tries to protect a certain area of privacy. Types of legislation include:

Medical Privacy
Data Privacy
Financial Privacy

Medical privacy

Laws on biobanks

One major aspect of medical privacy is laws placed on biobanks. A biobank is a collection source that stores and manages human specimens. Major federal laws that apply to biobanks are regulations by the Food and Drug Administration and Common Rule. The Common Rule is a guideline for in the United States on research involving human subjects. Other major federals laws that govern biobanks include: The Privacy Act of 1974, Health Insurance Portability and Accountability Act (HIPAA), Genetic Information Nondiscrimination Act (GINA), Health Information Technology for Economic and Clinical Health (HITECH) Act, and Newborn Screening Saves Lives Reauthorization Act of 2014.

State legislation on privacy tends to follow the same patterns and orders as federal laws in these matters. But in some cases state laws can be more detailed and stringent, while being in ordinance to the federal laws in place.^[3] With focus to biobanks, state laws can restrict a laboratory's ability to reject a customer and can regulate what happened with data after a test.^[3] Certain states have privacy laws that deal with genetic-specific information. Genetic-specific information relates to information what information like DNA that can be used to find details about individuals. Information that can be collected includes race and gender.^[3] State can place legislation that let individuals have control over the tests conducted on their genes and regulate how long data is stored in biobanks. State laws can also control who has control, the individual from whom they were collected or the pharmaceutical companies.

Digital privacy laws

Corporate data security laws

An important aspect of digital privacy laws is cyber security, which encompasses corporate data security. At the national level, the Federal Trade Commission (FTC) is in charge of data security regulation.^[4] With relation to cyber security, the FTC makes sure that companies have security application in place and that companies are not misrepresenting their level of digital security. Several aspects of the FTC regulations are outdated and are loosely connected to data security though section 5. Section 5 of the FTC fines companies for having substandard security measures, neglecting the security of consumer data, and failing to train employees on data security.^[4] Additional federal laws on this topic include: the Cybersecurity Act of 2015, the Electronics Communications Privacy Act, Computer Fraud and Abuse Act and the Economic Espionage Act.^[4]

Financial privacy laws

Financial Privacy laws regulate how companies, specifically those with a focus in finance, handle financial consumer information. Federal laws that regulate this include, Gramm-Leach-Bliley Act, Fair Credit Reporting Act, Fair and Accurate Credit Transactions Act, Credit and Debit Card Receipt Clarification Act, Bank Secrecy Act, Fair Debt Collection Practices Act, Electronic Funds Transfer Act, and the Dodd-Frank Wall Street Reform and Consumer Protection Act. All of these acts make changes at the national level.

States

Alabama

Name of Article	Purpose	Type of Privacy Protected	Law on
Ala. Admin. Code r. 420-5-7-.05	(4) Privacy and safety. (a) The patient has the right to personal privacy. (b) The patient has the right to receive care in a safe setting. (c) The patient has the right to be free from all forms of abuse or harassment. (5) Confidentiality of Patient Records. (a) The patient has the right to the confidentiality of his or her clinical records. (b) The patient has the right to access information contained in his or her clinical records within a reasonable time frame. The hospital shall not frustrate the legitimate efforts of individuals to gain access to their own medical records and shall	Medical Privacy	Confidentiality of information
Ala. Admin. Code r. 420-5-7-.13	(3) Form and retention of record. The hospital shall maintain a medical record for each inpatient and outpatient. Medical records shall be accurately written, promptly completed, properly filed and retained, and accessible. The hospital shall use a system of author identification and record maintenance that ensures the integrity of the authentication and protects the security of all record entries. (c) The hospital shall have a procedure for ensuring the confidentiality of patient records. Information from or copies of records may be released only to authorized individuals, and the hospital shall ensure that unauthorized individuals cannot gain access to or alter patient records. Original medical records shall be released by the hospital only in accordance with federal or state laws, court orders, or subpoenas. (4) Content of record. The medical record shall contain information to justify admission and continued hospitalization, support the diagnosis, and describe the patient's progress and response to medications and services.	Medical Privacy	Medical record services
Ala. Admin. Code r. 545-X-4-.08	(1) Physicians should maintain legible well documented records reflecting the history, findings, diagnosis and course of treatment in the care of a patient. Medical records should be maintained by the treating physician for such period as may be necessary to treat the patient and for such additional time as may be required for medical legal purposes. (2) Access. On the request of a patient, and with the authorization of the patient, a physician should provide a copy or a summary of the medical record to the patient or to another physician, attorney or other person designated by the patient. By state law, a physician is allowed to condition the release of copies of medical records on the payment by the requesting party of the reasonable costs of reproducing the record. Reasonable cost as defined by law may not exceed onedollar ($1.00) per page for the first twenty-five (25) pages, fifty cents ($.50) per page for each page in excess of twenty-five (25) pages, plus the actual cost of mailing the record. In addition, the actual costs of reproducing x-rays or other special records may be included. For medical records provided in an electronic file, a flat fee that would not exceed the cost of providing the records in paper form may be charged. Records subpoenaed by the State Board of Medical Examiners are exempt from this law. Physicians charging for the cost of reproduction of medical records should give primary consideration to the ethical and professional duties owed to other physicians and to their patients, and waive copying charges when appropriate.	Medical Privacy	Medical Records
Ala. Code § 25-5-339	(b) Employers, laboratories, medical review officers, employee assistance programs, drug or alcohol rehabilitation programs, and their agents who receive or have access to information concerning test results shall keep all information confidential. Release of such information under any other circumstance shall be solely pursuant to a written consent form signed voluntarily by the person tested, unless the release is compelled by an agency of the state or a court of competent jurisdiction or unless deemed appropriate by a professional or occupational licensing board in a related disciplinary proceeding. The consent form shall contain at a minimum all of the following: (1) The name of the person who is authorized to obtain the information. (2) The purpose of the disclosure. (3) The precise information to be disclosed. (4) The duration of the consent. (5) The signature of the person authorizing release of the information	Medical Privacy	Confidentiality of information
Alabama Data Breach Notification Act	In case of hacking, notice to an affected individual under this section shall be given in writing, sent to the mailing address of the individual in the records of the covered entity, or by email notice sent to the email address of the individual in the records of the covered entity. The notice shall include, at a minimum, all of the following: (1) The date, estimated date, or estimated date range of the breach. (2) A description of the sensitive personally identifying information that was acquired by an unauthorized person as part of the breach. (3) A general description of the actions taken by a covered entity to restore the security and confidentiality of the personal information involved in the breach. (4) A general description of steps an affected individual can take to protect himself or herself from identity theft. (5) Information that the individual can use to contact the covered entity to inquire about the breach.	Data Privacy	Breach notification
Alabama Insurance Regulation Chapter 482-1-122	A. Initial notice requirement. A licensee shall provide a clear and conspicuous notice that accurately reflects its privacy policies and practices to both of the following: (1) Customer. An individual who becomes the licensee's customer, not later than when the licensee establishes a customer relationship, except as provided in Subsection E of this section. (2) Consumer. A consumer, before the licensee discloses any nonpublic personal financial information about the consumer to any nonaffiliated third party, if the licensee makes a disclosure other than as authorized by Sections 15 and 16. B. When initial notice to a consumer is not required. A licensee is not required to provide an initial notice to a consumer under Subsection A(2) of this section if either of the following are true: (1) The licensee does not disclose any nonpublic personal financial information about the consumer to any nonaffiliated third party, other than as authorized by Sections 15 and 16, and the licensee does not have a customer relationship with the consumer. (2) A notice has been provided by an affiliated licensee, as long as the notice clearly identifies all licensees to whom the notice applies and is accurate with respect to the licensee and the other institutions.	Financial Privacy	Third Parties

Alaska

Name of Article	Purpose	Type of Privacy Protected	Law on
AS §18.13.010 et seq	This Alaska legislation provides privacy regulations for genetic information and states that genetic information belongs to the individual it originated from.^[5]	Medical Privacy	Genetics
AS 45.48.100 - .290 (section in the Alaska Personal Information Privacy Act)	This article allows for consumers to place security holds on their credit report. This will prevent any third party from gaining access to that individual's credit report. The hold can also be removed by the consumer, by submitting a similar request as the one needed to place the hold.^[6]	Financial Privacy	Credit Reports
Section 45.48.400 (section in the Alaska Personal Information Privacy Act)	These sections say that it is illegal to make Social Security numbers available to the public. It is also illegal to request and collect Social Security numbers. Additionally, it is illegal to sell, trade, lease or loan SSN and disclosures of SSN are only valid if it is authorized by law if they are requested by a government agency, to a person subject to the Gramm-Leach-Bliley Act or Fair Credit Reporting Act, an individual part of a consumer reporting agency, or someone requesting for a background check.^[6]	Data Security	Social Security

Arizona

Name of Article	Purpose	Type of Privacy Protected	Law on
Ariz. Rev. Stat. Ann. § 12–2803	This Arizona state legislation states that must written consent must be provided for genetic testing, unless the data is collected for research purposes.^[3]	Medical Privacy	Consent for information collection
Arizona 2010 SB 1309	This Arizona state legislation states that written parental consent must be obtained in order to collect and store a minor's DNA. There are some exceptions with newborns.^[5]	Medical Privacy	Genetic information belonging to minors
ARS §1-602	This Arizona state legislation states that written parental consent must be obtained in order to collect and store a minor's DNA. There are some exceptions with newborns.^[5]	Medical Privacy	Genetic information belonging to minors
ARS §12-2801 et seq:	This Arizona state legislation states that written parental consent and health care provider consent must be obtained in order to collect and store a minor's DNA. There are some exceptions with newborns.^[5]	Medical Privacy	Genetic information belonging to minors
Arizona 2016 HB 2144	This Arizona state legislation states that genetic testing can only be conducted with consent with the person being tested.^[5]	Medical Privacy	Genetics
Arizona 2019 SB 1297	This Arizona state legislation removes self-conducted genetics-tests from the definition of genetics testing and it adds details on providing medical-care provider the results of genetics tests.^[5]	Medical Privacy	Genetics
ARS §20-448.02	This Arizona state legislation states that a genetics test cannot be conducted without the knowledge of the individual being tested.^[5]	Medical Privacy	Genetics
ARS § 41–151.22	Libraries are not allowed to disclose any information that identifies a user from the materials that they requested digitally or physically.^[7]	Digital Privacy	E-readers

Arkansas

Name of Article	Purpose	Type of Privacy Protected	Law on
Ark. Code § 20-35-103	This Arkansas state legislation states genetic testing is allowed if the information is anonymized.^[3]	Medical Privacy	Notifications and treatment of patients
Arkansas 2015 HB 1827	This Arkansas state legislation states that written parent content must be acquired before any medical screening is performed on a minor. This enforces the Parents' Bill of Rights.^[5]	Medical Privacy	Genetic information belonging to minors
Ark. Code §20-35-101 et seq.	This Arkansas state legislation states that individual records cannot be released without court permission or a consent form.^[5]	Medical Privacy	Genetics
Arkansas. Code Ann. §4-110-104	(b) A person or business that acquires, owns, or licenses personal information about an Arkansas resident shall implement and maintain reasonable security procedures and practices appropriate to the nature of the information to protect the personal information from unauthorized access, destruction, use, modification, or disclosure.	Digital Privacy	Corporate data security
Ark. Code § 11-2-124	(b) (1) An employer shall not require, request, suggest, or cause a current or prospective employee to: (A) Disclose his or her username and password to the current or prospective employee's social media account; (B) Add an employee, supervisor, or administrator to the list or contacts associated with his or her social media account; or (C) Change the privacy settings associated with his or her social media account. (2) If an employer inadvertently receives an employee's username, password, or other login information to the employee's social media account through the use of an electronic device provided to the employee by the employer or a program that monitors an employer's network, the employer is not liable for having the information but may not use the information to gain access to an employee's social media account.	Digital Privacy	Social media privacy
Ark. Code § 6-60-104	(b) An institution of higher education shall not require, request, suggest, or cause: (1) A current or prospective employee or student to disclose his or her username and password to the current or prospective employee's or student's social media account; or (2) A current or prospective student, as a condition of acceptance in curricular or extracurricular activities, to: (A) Add an employee or volunteer of the institution of higher education, including without limitation a coach, professor, or administrator, to the list of contacts associated with his or her social media account; or (B) Change the privacy settings associated with his or her social media account. (c) An institution of higher education shall not: (1) Take action against or threaten to discharge, discipline, prohibit from participating in curricular or extracurricular activities, or otherwise penalize a current student for exercising his or her rights under subsection (b) of this section; or (2) Fail or refuse to admit or hire a prospective employee or student for exercising his or her rights under subsection (b) of this section.	Digital Privacy	Educational institutions

California

Name of Article	Purpose	Type of Privacy Protected	Law on
Cal. Health & Safety Code § 24175	This California state legislation states that Common Rule applies to all human subject.^[3]	Medical Privacy	Notifications and treatment of patients
California 2017 AB 375	This California state legislation states individuals control their biometric information and can sell that data to businesses.^[5]	Medical Privacy	Genetics
Cal. Civil Code §56.17	This California state legislation state that any person with revealed genetic results without consent can be fine.^[5]	Medical Privacy	Genetics
SB-1121 California Consumer Privacy Act of 2018	(a) A consumer shall have the right to request that a business delete any personal information about the consumer which the business has collected from the consumer. (b) A business that collects personal information about consumers shall disclose, pursuant to Section 1798.130, the consumer's rights to request the deletion of the consumer's personal information. (c) A business that receives a verifiable consumer request from a consumer to delete the consumer's personal information pursuant to subdivision (a) of this section shall delete the consumer's personal information from its records and direct any service providers to delete the consumer's personal information from their records. (d) A business or a service provider shall not be required to comply with a consumer's request to delete the consumer's personal information if it is necessary for the business or service provider to maintain the consumer's personal information in order to: (1) Complete the transaction for which the personal information was collected, provide a good or service requested by the consumer, or reasonably anticipated within the context of a business's ongoing business relationship with the consumer, or otherwise perform a contract between the business and the consumer. (2) Detect security incidents, protect against malicious, deceptive, fraudulent, or illegal activity; or prosecute those responsible for that activity. (3) Debug to identify and repair errors that impair existing intended functionality. (4) Exercise free speech, ensure the right of another consumer to exercise his or her right of free speech, or exercise another right provided for by law.	Medical Privacy	Genetics
California Civ. Code §1798.81.5	(b) A business that owns, licenses, or maintains personal information about a California resident shall implement and maintain reasonable security procedures and practices appropriate to the nature of the information, to protect the personal information from unauthorized access, destruction, use, modification, or disclosure. (c) A business that discloses personal information about a California resident pursuant to a contract with a nonaffiliated third party that is not subject to subdivision (b) shall require by contract that the third party implement and maintain reasonable security procedures and practices appropriate to the nature of the information, to protect the personal information from unauthorized access, destruction, use, modification, or disclosure.	Digital Privacy	Corporate data security
Calif. Lab. Code § 980	(b) An employer shall not require or request an employee or applicant for employment to do any of the following: (1) Disclose a username or password for the purpose of accessing personal social media. (2) Access personal social media in the presence of the employer. (3) Divulge any personal social media, except as provided in subdivision (c). (c) Nothing in this section shall affect an employer's existing rights and obligations to request an employee to divulge personal social media reasonably believed to be relevant to an investigation of allegations of employee misconduct or employee violation of applicable laws and regulations, provided that the social media is used solely for purposes of that investigation or a related proceeding. (d) Nothing in this section precludes an employer from requiring or requesting an employee to disclose a username, password, or other method for the purpose of accessing an employer-issued electronic device. (e) An employer shall not discharge, discipline, threaten to discharge or discipline, or otherwise retaliate against an employee or applicant for not complying with a request or demand by the employer that violates this section. However, this section does not prohibit an employer from terminating or otherwise taking an adverse action against an employee or applicant if otherwise permitted by law.	Digital Privacy	Social media privacy
Calif. Ed. Code § 99121	(a) Public and private postsecondary educational institutions, and their employees and representatives, shall not require or request a student, prospective student, or student group to do any of the following: (1) Disclose a user name or password for accessing personal social media. (2) Access personal social media in the presence of the institution's employee or representative. (3) Divulge any personal social media information. (b) A public or private postsecondary educational institution shall not suspend, expel, discipline, threaten to take any of those actions, or otherwise penalize a student, prospective student, or student group in any way for refusing to comply with a request or demand that violates this section. (c) This section shall not do either of the following: (1) Affect a public or private postsecondary educational institution's existing rights and obligations to protect against and investigate alleged student misconduct or violations of applicable laws and regulations. (2) Prohibit a public or private postsecondary educational institution from taking any adverse action against a student, prospective student, or student group for any lawful reason.	Digital Privacy	Educational institutions
Cal. Civ. Code § 1798.100-§ 1798.198 (“The California Consumer Privacy Act of 2018”)	This legislation states that businesses must disclose to customers that type of information that they collect on them. And if the customers refuse to provide that information the business may not use that as a ground to refuse service to the customer.^[7]	Digital Privacy	Consumer data privacy
Cal. Bus. & Prof. Code § 22948.20	This legislation states that if a device has a voice recognition feature, the user must be aware that the feature exists on that device. Additionally, it prohibits the use of voice recognition for advertising, espionage, or law enforcement purpose.^[7]	Digital Privacy	Consumer data privacy
Calif. Bus. & Prof. Code §§ 22580-22582	This legislation states that minors must be able to delete information posted on a website or application. And it prohibits that use of known usage of a minor's information for advertisement purposes.^[7]	Digital Privacy	Children's online privacy
Cal. Govt. Code § 6267	The library cannot release any information about the patron that can be used to identify them or their reading patterns.^[7]	Digital Privacy	E-readers
Cal. Civil Code § 1798.90	Digital books are treated like physical books and will need a warrant to be searched through.^[7]	Digital Privacy	E-readers
Calif. Bus. & Prof. Code § 22575	Requires operators of websites to inform the user is third-parties are conducting background information tracking. Additionally, a website must make available information on how it responds to a 'Do Not Track' signal in its privacy policy.^[7]	Digital Privacy	Websites or online services
Calif. Bus. & Prof. Code § 22575-22578 (CalOPPA)	Any webpage collection information on users must make this clear on their privacy policy page. This includes mobile apps. Additionally, the website must make clear the type of information that they collect.^[7]	Digital Privacy	Websites or online services
California Ed. Code § 99122	Educational institutions must have a social media privacy policy on their internet website.^[7]	Digital Privacy	Websites or online services
California Civil Code §§ 1798.83 to .84 ("Shine the Light Law")	Businesses must put a privacy statement that allows (for free) the consumer to choose not to share their information.^[7]	Digital Privacy	Disclosure or sharing of personal information
California Consumer Privacy Act (CCPA)	This act places regulations on the selling of consumer information including consumer financial information.^[7]	Digital Privacy	Consumer information
California Privacy Act	This act was a stricter version of the Gramm-Leach-Bliley Act. This regulation provides that an individual must opt-in in situations with financial institutions in order for those institutions to gain their personal initial information.^[7]	Financial Privacy	Opt-in dispersal of personal information
California Consumer Credit Reporting Agencies Act	This act regulates consumer credit reporting agencies as well as any users of credit reports.^[7]	Financial Privacy	Credit report
California Privacy Rights Act (CPRA)	This act expands the CCPA, gives consumers more rights to access, correct, and limit the usage and sharing of their personal information, and establishes the California Privacy Protection Agency.^[8]	Digital Privacy	Consumer Information
California's Senate Bill 41: The Genetic Information Privacy Act	The bill requires a direct-to-consumer genetic testing company to "provide a consumer with certain information regarding the company's policies and procedures for the collection, use, maintenance, and disclosure, as applicable, of genetic data, and to obtain a consumer's express consent for collection, use, or disclosure of the consumer's genetic data, as specified." It also requires DTCs "to implement and maintain reasonable security procedures and practices to protect a consumer's genetic data against unauthorized access, destruction, use, modification, or disclosure, and develop procedures and practices to enable a consumer to access their genetic data, and to delete their account and genetic data, as specified."^[2]	Medical Privacy	Consumer Information

Colorado

Name of Article	Purpose	Type of Privacy Protected	Law on
Colo. Rev. Stat. Ann. § 10-3-1104.6	This Colorado state legislation states that information belongs to the individual from whom it was collected.^[3]	Medical Privacy	Biobanks
Colo. Rev. Stat. §10-3-1104.6(4)	This Colorado state legislation states genetic testing is allowed if the information is anonymized.^[3]	Medical Privacy	Notification and treatment of patients
Colorado 2015 SB 77	This Colorado state legislation states that written parent content must be acquired before any medical screening is performed on a minor. This enforces the Parents' Bill of Rights.^[5]	Medical Privacy	Genetic information belonging to minors
Colorado 2009 HB 1338	(a) Genetic information is the unique property of the individual to whom the information pertains. (b) Any information concerning an individual obtained through the use of genetic services may be subject to abuses if disclosed to unauthorized third parties without the willing consent of the individual to whom the information pertains.	Medical Privacy	Genetics
CRS §10-3-1104.6	(a) Genetic information is the unique property of the individual to whom the information pertains; (b) Any information concerning an individual obtained through the use of genetic services may be subject to abuses if disclosed to unauthorized third parties without the willing consent of the individual to whom the information pertains; (c) To protect individual privacy and to preserve individual autonomy with regard to the individual's genetic information, it is appropriate to limit the use and availability of genetic information;	Medical Privacy	Genetics
C.R.S. 8-2-127	(2) (a) An employer may not suggest, request, or require that an employee or applicant disclose, or cause an employee or applicant to disclose, any user name, password, or other means for accessing the employee's or applicant's personal account or service through the employee's or applicant's personal electronic communications device. An employer shall not compel an employee or applicant to add anyone, including the employer or his or her agent, to the employee's or applicant's list of contacts associated with a social media account or require, request, suggest, or cause an employee or applicant to change privacy settings associated with a social networking account. (b) Paragraph (a) of this subsection (2) does not prohibit an employer from requiring an employee to disclose any user name, password, or other means for accessing nonpersonal accounts or services that provide access to the employer's internal computer or information systems.	Digital Privacy	Social media privacy
Colorado's Consumer Data Protection Laws	If the government or private entities have a PII, or a document which contains personal information, including Social Security, biometric data and financial account numbers, then they are required to have a written policy to make sure that the PII is destroyed when it is no longer needed.	Financial Privacy	PII

Connecticut

Name of Article	Purpose	Type of Privacy Protected	Law on
Conn. Gen. Stat. § 42-471	Any business that collects a Social Security Number must have a privacy protection policy in place which should be posted on their website, not allow the unlawful disclosure of Social Security Numbers, and limit access to Social Security Number.^[7]	Digital Privacy	Websites and online services.
Connecticut Data Privacy Law (Senate Bill 6)	Businesses that hold data on more than 100,000 consumers or those who earn 25% of their annual revenue from the sale of data of more than 25,000 consumers. Exempts from its requirements (1) various entities, including state and local governments, nonprofits, and higher education institutions, and (2) specified information and data, including certain health records, identifiable private information for human research, certain credit-related information, and certain information collected under specified federal laws.	Personal Data Privacy and Online Monitoring	Websites and companies managing PI

Delaware

Name of Article	Purpose	Type of Privacy Protected	Law on
Del. Code § 1203	This Delaware state legislation states that labs must dispose any samples from which genetic information has been collected. However, there are several loop holes, such as, anonymizing genetic information.^[3]	Medical Privacy	Biobanks
Delaware 2015 SB 151		Medical Privacy	Genetics
Delaware 2015 SB 68		Medical Privacy	Genetics
Delaware 2015 SB 79		Medical Privacy	Genetics
Delaware 2017 HS 1 for HB 180		Medical Privacy	Genetics
Del. Code 16 §1201 et seq.		Medical Privacy	Genetics
19 Del. Code § 709A	^[9]	Digital Privacy	Social Media
14 Del. Code § 8103	^[9]	Digital Privacy	Educational Institutions
Del. Code § 1204C	This legislation states that any digital programs that focus as children as a target group must ensure that their information is child appropriate. They are also not allowed to collect any information that can be used to identify the child. This also prohibits the collection of information from the child which is able to identify the child.^[7]	Digital Privacy	Children's Online Privacy
2015 SS 1 FOR SB 68 Del. Code tit. 6, § 1206C	Personal information of the reader cannot be disclosed to law enforcement, governmental and commercial entities.^[7]	Digital Privacy	E-reader privacy
Del. Code Tit. 6 § 205C	Commercial internet website, online or cloud computing service, online application, or mobile application that collect identifiable personal information of people in Delaware must make this collection of information known on their privacy page.^[7]	Digital Privacy	Website and Online Services

Florida

Name of Article	Purpose	Type of Privacy Protected	Law on
Fla. Stat. Ann. § 760.40	This Florida state legislation states that information belongs to the individual from whom it was collected and is subject to privacy laws.^[3]	Medical Privacy	Biobanks
FS §760.40		Medical Privacy	Genetics
Florida Stat. § 501.171(2)		Digital Privacy	Corporate Data Security

Georgia

Name of Article	Purpose	Type of Privacy Protected	Law on
Ga. Rev. Code §§ 33-54-3	This Georgia state legislation states genetic testing is allowed if the information is anonymized.^[3]	Medical Privacy	Notifications and Treatment of Patients
Ga. Rev. Code §§ 33-54-6	This Georgia state legislation states genetic testing is allowed if the information is anonymized.^[3]	Medical Privacy	Notifications and Treatment of Patients
OCGA §§33-54-1 et seq.		Medical Privacy	Genetics

Hawaii

Name of Article	Type of Privacy Protected	Law on
HRS §§431:10A-118	Medical Privacy	Genetics
HRS §§431:10A-404.5	Medical Privacy	Genetics
HRS §§432:1-607	Medical Privacy	Genetics
HRS §§432:2-404.5	Medical Privacy	Genetics
HRS §§432D-26	Medical Privacy	Genetics

Idaho

Name of Article	Purpose	Type of Privacy Protected	Law on
IC §39-8301 et seq.		Medical Privacy	Genetics

Illinois

Name of Article	Purpose	Type of Privacy Protected	Law on
Ill. Comp. Stat. § 50/3.1(a)	This Illinois state legislation states hospital patient must be informed if they are taking part in research.^[3]	Medical Privacy	Notifications and Treatment of Patients
Illinois 2007 SB 941		Medical Privacy	Genetics
Illinois 2008 SB 2399		Medical Privacy	Genetics
Illinois 2017 SB 318		Medical Privacy	Genetics
Illinois 2019 HB 2189		Medical Privacy	Genetics
Illinois 2019 SB 1307		Medical Privacy	Genetics
Illinois: 410 ILCS 513/1 et seq.		Medical Privacy	Genetics
820 ILCS 55/10	^[9]	Digital Privacy	Social Media
105 ILCS 75/10, 105 ILCS 75/15	^[9]	Digital Privacy	Educational Institutions

Indiana

Name of Article	Purpose	Type of Privacy Protected	Law on
Indiana Code Ann. § 24–4.9-3-3.5(b)		Digital Privacy	Corporate Data Security

Iowa

Name of Article	Type of Privacy Protected	Law on
2010 SF 2215	Medical Privacy	Genetics
2019 HSB 14	Medical Privacy	Genetics
2019 SSB 1071	Medical Privacy	Genetics
IC §§507B.4	Medical Privacy	Genetics
IC §§507B.4	Medical Privacy	Genetics
IC §§513B.9A	Medical Privacy	Genetics
IC §§513B.10	Medical Privacy	Genetics

Kansas

Name of Article	Purpose	Type of Privacy Protected	Law on
Kansas 2014 SB 367	This Kansas state legislation prohibits schools from collecting any biometric information from a student, unless the student (if an adult) or a parent (if the student is a minor) has signed in consent.^[5]	Medical Privacy	Laws for Minors
KSA §72-6214	This Kansas state legislation prohibits schools from collecting any biometric information from a student, unless the student (if an adult) or a parent (if the student is a minor) has signed in consent.^[5]	Medical Privacy	Laws for Minors

Kentucky

Name of Article	Purpose	Type of Privacy Protected	Law on
Kentucky 2019 SB 152	This Kentucky state legislation states that school may not collect DNA or blood from students unless a court order or parental consent has been issued or provided.^[5]	Medical Privacy	Laws for Minors
Kentucky 2014 HB 5		Medical Privacy	Genetics
Kentucky 2019 SB 152		Medical Privacy	Genetics
KRS §304.12-085		Medical Privacy	Genetics
KRS §61.931 et seq.		Medical Privacy	Genetics

Louisiana

Name of Article	Purpose	Type of Privacy Protected	Law on
2009 HB 406		Medical Privacy	Genetics
LRS 40:2210		Medical Privacy	Genetics
LRS 22:1023		Medical Privacy	Genetics
LRS 22:1097		Medical Privacy	Genetics
La. Rev. Stat. § 51:1951 to §§ 1953 and 1955	^[9]	Digital Privacy	Social Media
La. Rev. Stat. § 51:1951 to § 1952 and §§ 1954 to 1955	^[9]	Digital Privacy	Educational Institutions

Maine

Name of Article	Purpose	Type of Privacy Protected	Law on
Me. Rev. Stat. Ann. tit. 22, § 1711-C	This Maine state legislation states all health data, including genetic information must be confidential.^[3]	Medical Privacy	Encryption of Collected Data
Me. Rev. Stat. Ann. tit. 22, § 1711-C	This Maine state legislation states genetic testing is allowed if the information is anonymized.^[3]	Medical Privacy	Notifications and Treatment of Patients
MRS 22 §1711C		Medical Privacy	Genetics
MRS 24A §2204		Medical Privacy	Genetics
26 M.R.S. § 616 to 619	^[9]	Digital Privacy	Social Media

Maryland

Name of Article	Purpose	Type of Privacy Protected	Law on
Md. Code Ann., Health-Gen. § 13–2002	This Maryland state legislation states that Common Rule applies to all human subject.^[3]	Medical Privacy	Notifications and Treatment of Patients
2017 HB 974		Medical Privacy	Genetics
2019 HB 1127		Medical Privacy	Genetics
2019 HB 716		Medical Privacy	Genetics
2019 HB 901		Medical Privacy	Genetics
2019 SB 613		Medical Privacy	Genetics
2019 SB 786		Medical Privacy	Genetics
2019 SB 871		Medical Privacy	Genetics
Md. Commercial Code §14-3501 et seq.		Medical Privacy	Genetics
Md. Insurance Code §27-909		Medical Privacy	Genetics
Md. Health-General Code §19-706		Medical Privacy	Genetics
Md. State Government Code §20-601 et seq.		Medical Privacy	Genetics
Maryland Code Ann., Com. Law § 14-3503(a)		Digital Privacy	Corporate Data Security
Md. Code, Labor and Emp. Law § 3-712	^[9]	Digital Privacy	Social Media
Md. Code, Ed. Law § 26-401		Digital Privacy	Educational Institutions

Massachusetts

Name of Article	Purpose	Type of Privacy Protected	Law on
Massachusetts 2013 H 1909		Medical Privacy	Genetics
Massachusetts 2015 H 1900		Medical Privacy	Genetics
Massachusetts 2017 H2814		Medical Privacy	Genetics
Massachusetts: MGL Public Health 111 §70G		Medical Privacy	Genetics
201 Massachusetts Code Regs. 17.03	Companies must take specific steps to access security risks, train employees, and other security related tasks.^[4]	Digital Privacy	Corporate Data Security

Michigan

Name of Article	Purpose	Type of Privacy Protected	Law on
Michigan 2013 SB 178		Medical Privacy	Genetics
MCL § 500.2212c		Medical Privacy	Genetics
MCL §500.3829a		Medical Privacy	Genetics
MCL §§333.16221		Medical Privacy	Genetics
MCL §§333.17020		Medical Privacy	Genetics
MCL §§333.17520		Medical Privacy	Genetics
MCL § 37.271-37.278	^[9]	Digital Privacy	Social Media
MCL § 37.271-37.278	^[9]	Digital Privacy	Educational Institutions

Minnesota

Name of Article	Purpose	Type of Privacy Protected	Law on
Minnesota 2013 HF 5		Medical Privacy	Genetics
Minnesota 2019 HF 112		Medical Privacy	Genetics
MS §13.386		Medical Privacy	Genetics
MS §144.192		Medical Privacy	Genetics
MS §176.138		Medical Privacy	Genetics
MS §62V.06		Medical Privacy	Genetics
Minn. Stat. §§ 325M.01 to .09	Any information that can be used to identify the user cannot be discloses. Additionally, Internet service providers must get permission to disclose information.^[7]	Digital Privacy	Personal Information

Mississippi

Name of Article	Purpose	Type of Privacy Protected	Law on
Miss. Code. Ann. § 41-119–13	This Mississippi state legislation states that patient-specific information can only be released with compliance to HIPAA regulation.^[3]	Medical Privacy	Biobanks

Missouri

Name of Article	Purpose	Type of Privacy Protected	Law on
MRS §§375.1300		Medical Privacy	Genetics
MRS §§375.1309		Medical Privacy	Genetics
Mo. Rev. Stat. § 182.815, 182.817	States that an e-book is similar to a book, so a user must "borrow" it from a library and must return that material. In addition, a library may collect information on the readers of e-books.^[7]	Digital Privacy	E-Reader Privacy

Montana

Name of Article	Purpose	Type of Privacy Protected	Law on
Mont. Code Ann. § 39-2-307	^[9]	Digital Privacy	Social Media
MT Code Sec. 30-14-1704	^[10]	Data Privacy	Breach notification
MT Code Sec. 33-19-321	^[10]	Data Privacy	Insurance companies
MT Code Sec. 30-14-1704	^[10]	Data Privacy	Breach notification

Nebraska

Name of Article	Purpose	Type of Privacy Protected	Law on
Neb. Rev. Stat. 48-3501 et seq.	^[9]	Digital Privacy	Social Media
NRS §71-551		Medical Privacy	Genetics
Nebraska Stat. § 87-302(14)	Posting incorrect information regarding identifiable information regarding people is illegal.^[7]	Digital Privacy	False and Misleading Statements in Privacy Policies

Nevada

Name of Article	Purpose	Type of Privacy Protected	Law on
Nev. Rev. Stat. § 629.161	This Nevada state legislation states that genetic information must be destroyed if an individual wants to pull out of the research or if the research has ended.^[3]	Medical Privacy	Biobanks
Nev. Rev. Stat. Ann. § 629.151	This Nevada state legislation states that must consent must be provided for genetic testing, unless the data is collected for anonymous research purposes.^[3]	Medical Privacy	Consent to Collect Information
Nevada 2009 SB 426		Medical Privacy	Genetics
NRS §629.101 et seq.		Medical Privacy	Genetics
Rev. Stat. § 603A.215	It requires that companies use encryption to store certain type of data and to follow certain procedures when saving payment-card data.^[4]	Digital Privacy	Corporate Data Security
NRS § 613.135	^[9]	Digital Privacy	Social Media
NRS § 603A.340	Commercial internet website, online or cloud computing service, online application, or mobile application that collect identifiable personal information known on their privacy page. Additionally, they must describe the process used to collect the information and make this available on the privacy page.^[7]	Digital Privacy	Websites and Online Services
Nevada Revised Stat. § 205.498	Any information that can be used to identify the user cannot be disclosed.^[7]	Digital Privacy	Personal Information held by Internet Service Providers
Nevada Stat. § 87-302(14)	Posting incorrect information regarding identifiable information regarding people is illegal.^[7]	Digital Privacy	Privacy Policies

New Hampshire

Name of Article	Purpose	Type of Privacy Protected	Law on
New Hampshire 2014 HB 1262		Medical Privacy	Genetics
New Hampshire 2014 HB 1484
New Hampshire 2014 HB 1586
New Hampshire 2016 HB 1493
New Hampshire 2017 HB 523
New Hampshire 2018 HB 1373
New Hampshire 2019 HB 536
New Hampshire 2019 SB 316
NHS §132:10-a V.
NHS §141-H:1
NHS §141-H:2
NHS §141:H-6
N.H. Rev. Stat. § 275:74	^[9]	Digital Privacy	Social Media
N.H. Rev. Stat. 189:70	^[9]	Digital Privacy	Educational Institutions

New Jersey

Name of Article	Purpose	Type of Privacy Protected	Law on
N.J. Stat. Ann. § 26:14–4	This New Jersey state legislation states hospital patient must be informed if they are taking part in research.^[3]	Medical Privacy	Notifications and Treatment of Patients
New Jersey 2018 A4640		Medical Privacy	Genetics
New Jersey 2018 S3153		Medical Privacy	Genetics
NJS §10:5-43 et seq.		Medical Privacy	Genetics
N.J. Stat. § 34:6B-6	^[9]	Digital Privacy	Social Media
N.J. Stat. § 18A:3-30	^[9]	Digital Privacy	Educational Institutions

New Mexico

Name of Article	Purpose	Type of Privacy Protected	Law on
N.M. Stat. Ann. § 24-21–3	This New Mexico state legislation states that must consent must be provided for genetic testing, unless the data is collected for anonymous research purposes.^[3]	Medical Privacy	Consent to Collect Information
N.M. Stat. Ann. § 24-21-3C(8)	This New Mexico state legislation states can be collected for medical registers without the data needing to be anonymized.^[3]	Medical Privacy	Consent to Collect Information
N.M. Stat. Ann. § 24-21–3	This New Mexico state legislation states genetic testing is allowed if the information is anonymized.^[3]	Medical Privacy	Notifications and Treatment of Patients
New Mexico 2013 SB 445		Medical Privacy	Genetics
New Mexico 2015 HB 369		Medical Privacy	Genetics
New Mexico 2019 HB 141		Medical Privacy	Genetics
NMSA §24-21-1 et seq.		Medical Privacy	Genetics
N.M. Stat. § 50-4-34 (covers job applicants only)	^[9]	Digital Privacy	Social Media
N.M. Stat. § 21-1-46	^[9]	Digital Privacy	Educational Institutions

New York

Name of Article	Purpose	Type of Privacy Protected	Law on
N.Y. Pub. Health §§ 2442, 2444	This New York state legislation states that Common Rule applies to all human subject.^[3]	Medical Privacy	Notifications and Treatment of Patients
New York 2019 A1911		Medical Privacy	Genetics
New York 2019 A465		Medical Privacy	Genetics
New York 2019 S1203		Medical Privacy	Genetics
NYCL (CVR) 79-l		Medical Privacy	Genetics

North Carolina

Name of Article	Purpose	Type of Privacy Protected	Law on
N.C. Gen. Stat. §§ 75-60 – 75-66 (Identity Theft Protection Act)	^[11]	Data Privacy	Identity Theft
N.C. Gen. Stat. § 58-2-105 (Confidentiality of Medical and Credentialing Records)	^[11]	Medical Privacy	Medical Records
N.C. Gen. Stat. § 58-39-45 (Access to Recorded Personal Information)	^[11]	Data Privacy	Recordings
N.C. Gen. Stat. § 132–1.10 (Social Security Numbers and Other Personal Identification Information)	^[11]	Data Privacy	Personal Identification Information

North Dakota

Name of Article	Purpose	Type of Privacy Protected	Law on
2015 SB 2334		Medical Privacy	Genetics
N.D. Cent. Code § 26.1-36-12.4	Confidentiality of medical information. 1. An insurance company, as defined in section 26.1-02-01, health maintenance organization, or any other entity providing a plan of health insurance subject to state insurance regulation may not deliver, issue, execute or renew a health insurance policy or health service contract unless confidentiality of medical information is assured pursuant to this section. An insurer shall adopt and maintain procedures to ensure that all identifiable information maintained by the insurer regarding the health, diagnosis, and treatment of persons covered under a policy or contract is adequately protected and remains confidential in compliance with all federal and state laws and regulations and professional ethical standards. Unless otherwise provided by law, any data or information pertaining to the health, diagnosis, or treatment of a person covered under a policy or contract, or a prospective insured, obtained by an insurer from that person or from a health care provider, regardless of whether the information is in the form of paper, is preserved on microfilm, or is stored in computer-retrievable form, is confidential and may not be disclosed to any person	Data Privacy	Storage of Data

Ohio

Name of Article	Purpose	Type of Privacy Protected	Law on
2018 SB 220 (Also known as Ohio Data Protection Act)	(B) A covered entity's cybersecurity program shall be designed to do all of the following: (1) Protect the security and confidentiality of personal information; (2) Protect against any anticipated threats or hazards to the security or integrity of personal information; (3) Protect against unauthorized access to and acquisition of personal information that is likely to result in a material risk of identity theft or other fraud to the individual to whom the information relates. (C) The scale and scope of a covered entity's cybersecurity program under division (A) of this section shall be appropriate if it is based on all of the following factors: (1) The size and complexity of the covered entity; (2) The nature and scope of the activities of the covered entity; (3) The sensitivity of the personal information to be protected; (4) The cost and availability of tools to improve information security and reduce vulnerabilities; (5) The resources available to the covered entity.	Data Privacy	Breach Notification

Oklahoma

Name of Article	Purpose	Type of Privacy Protected	Law on
Oklahoma 2013 HB 1384	This Oklahoma legislation states that genetic information can not be collected from minors unless a court order has been issued or parental consent has been provided or the minor is being tests for syphilis or sexually transmitted infections and HIV.^[5]	Medical Privacy	Minors
Oklahoma OS §25-2001	This Oklahoma legislation states that genetic information can not be collected from minors unless a court order has been issued or parental consent has been provided or the minor is being tests for syphilis or sexually transmitted infections and HIV.^[5]	Medical Privacy	Minors
Oklahoma 2013 HB 1384		Medical Privacy	Genetics
OS §25-2001		Medical Privacy	Genetics
OS §36-3614.3		Medical Privacy	Genetics
40 Okla. Stat. § 173.2	^[9]	Digital Privacy	Social Media
Oklahoma H.B. 1877	This Oklahoma legislation gives guidelines on employers' access to employees' online social media accounts, and it provides both exception and an effective date.^[9]	Employee Privacy; Digital Privacy	Social Media

Oregon

Name of Article	Purpose	Type of Privacy Protected	Law on
Or. Laws Ch. 680 (1995)	This Oregon state legislation was passed in 1995 and stated that information belongs to the individual from whom it was collected.^[3]	Medical Privacy	Biobanks
Or. Laws Ch. 780 (1997)	This Oregon state legislation was passed in 1997 and stated that genetic information can be used if it is anonymized.^[3]	Medical Privacy	Biobanks
Or. Laws Ch. 588 (2001)	This Oregon state legislation was passed in 2001 and states that genetic information was not owned by individuals from whom it was collected and that genetic information should remain anonymized and should follow privacy laws.^[3]	Medical Privacy	Biobanks
Oregon 2007 SB 244		Medical Privacy	Genetics
Oregon 2009 HB 2009		Medical Privacy	Genetics
ORS §192.531 et seq.		Medical Privacy	Genetics
Oregon. Rev. Stat. Ann. § 646A.622	This legislation has three important aspects which include: training employees, having regular security control tests, and placing reasonable safeguards against hacks.^[4]	Digital Privacy	Corporate data security
O.R.S. § 659A.330		Digital Privacy	Social media privacy
O.R.S. §§ 350.272, 350.274		Digital Privacy	Educational institutions
ORS § 646.607	It is illegal to publish information that is inconsistent with the behaviour of the user.^[7]	Digital Privacy	Websites or online services
ORS § 646.607	This states that is illegal for any body to publish information that is purposefully incorrect.^[7]	Digital Privacy	False and misleading statements posted online

Pennsylvania

Name of Article	Purpose	Type of Privacy Protected	Law on
Pennsylvania 2019 HB 245		Medical Privacy	Genetics
18 Pa. C.S.A § 4107(a)(10)	Distribution of fraudulent information on the internet is illegal.^[7]	Digital Privacy	False and misleading statements posted online

Rhode Island

Name of Article	Purpose	Type of Privacy Protected	Law on
Rhode Island 2019 S234	^[5]	Medical Privacy	Genetics
RIGL §§27-18-52	^[5]	Medical Privacy	Genetics
RIGL §§27-18-52.1	^[5]	Medical Privacy	Genetics
RIGL §§27-19-44	^[5]	Medical Privacy	Genetics
RIGL §§27-19-44.1	^[5]	Medical Privacy	Genetics
RIGL §§27-20-39	^[5]	Medical Privacy	Genetics
RIGL §§27-20-39.1	^[5]	Medical Privacy	Genetics
RIGL §§27-41-53	^[5]	Medical Privacy	Genetics
RIGL §§27-41-53.1	^[5]	Medical Privacy	Genetics
Rhode Island Gen. Laws Ann. § 11–49.3-2(a)	The legislation states that the level of digital security programs a company must have is relative to the size of the company.^[4]	Digital Privacy	Corporate data security
R.I. Gen. Laws § 28-56-1 to -6		Digital Privacy	Social media privacy
R.I. Gen. Laws § 16-103-1 to -6		Digital Privacy	Educational institutions

South Carolina

Name of Article	Type of Privacy Protected	Law on
South Carolina 2010 SB 1224	Medical Privacy	Genetics
SCCL §38-93 et seq.	Medical Privacy	Genetics
SCCL §§38-93-10 et seq.	Medical Privacy	Genetics

South Dakota

Name of Article	Purpose	Type of Privacy Protected	Law on
SDCL §§34-14-21 et seq.		Medical Privacy	Genetics

Tennessee

Name of Article	Purpose	Type of Privacy Protected	Law on
Tennessee 2018 HB 2690		Medical Privacy	Genetics
Tennessee 2018 SB 2029		Medical Privacy	Genetics
Tenn. Code §§ 50-1-1001 to -1004		Digital Privacy	Social media privacy
TC §49-1-702	This Tennessee state legislation states that written parent content must be acquired before any medical screening is performed on a minor.^[5]	Medical Privacy	Genetic information of minors

Texas

Name of Article	Type of Privacy Protected	Law on
Texas 2017 HB 2891	Medical Privacy	Genetics
TS (Civil Practice and Remedies) Code §74.052	Medical Privacy	Genetics
TS (Insurance) Code §546.001 et seq.	Medical Privacy	Genetics
TS (Occupations) Code §58.001 et seq.	Medical Privacy	Genetics

Utah

Name of Article	Purpose	Type of Privacy Protected	Law on
Utah 2016 HB 358		Medical Privacy	Genetics
UC §26-45-101 et seq.		Medical Privacy	Genetics
UC §53A-1-1401 et seq.		Medical Privacy	Genetics
Utah Code Ann. § 13-44-201(1)(a)		Digital Privacy	Corporate Data Security
Utah Code § 34-48-201 et seq.	^[9]	Digital Privacy	Social Media
Utah Code § 53B-25-101 et seq.	^[9]	Digital Privacy	Educational Institutions
Utah Code §§ 13-37-201 to -203	Must let the consumer know that their information is being shared for a profit/marketing strategy.^[7]	Digital Privacy	Disclosure or Sharing of Personal Information

Vermont

Name of Article	Purpose	Type of Privacy Protected	Law on
VSA 18 §9331 et seq.		Medical Privacy	Genetics
21 V.S.A. § 495l	^[9]	Digital Privacy	Social Media
VA C § B-2018-01	This law regulates how private institutions handle consumer/ customer information.	Financial Privacy	Regulation of Private Institutions

Virginia

Name of Article	Purpose	Type of Privacy Protected	Law on
Va. Code Ann. §§ 32.1-162.16 to 32.1-162.20	This Virginia state legislation states that Common Rule applies to all human subjects.^[3]	Medical Privacy	Notifications and Treatment of Patients
Code of Va. §§ 38.2-508.4		Medical Privacy	Genetics
Code of Va. §§38.2-613		Medical Privacy	Genetics
Va. Code § 40.1-28.7:5	^[9]	Digital Privacy	Social Media
Va. Code § 23.1-405	^[9]	Digital Privacy	Educational Institutions
H.B. 2081	This law states that employers are prohibited from requiring employees to add an employer, supervisor or an administrator to his or her social media, or to change the privacy settings.^[9]	Digital Privacy	Social Media

Washington

Name of Article	Purpose	Type of Privacy Protected	Law on
Washington 2017 HB 2213		Medical Privacy	Genetics
RCW §70.02.010 et seq.		Medical Privacy	Genetics
RCW §§ 49.44.200 and 49.44.205	^[9]	Digital Privacy	Social Media

West Virginia

Name of Article	Purpose	Type of Privacy Protected	Law on
West Virginia 2016 HB 4261		Medical Privacy	Genetics
West Virginia: WVC §18-2-5h		Medical Privacy	Genetics
W.V. Code § 21-5H-1	^[9]	Digital Privacy	Social Media

Wisconsin

Name of Article	Purpose	Type of Privacy Protected	Law on
Wis. Stat. § 995.55	^[9]	Digital Privacy	Social Media
Wis. Stat. § 995.55	^[9]	Digital Privacy	Educational Institutions

Wyoming

Name of Article	Purpose	Type of Privacy Protected	Law on
Wyoming WSA §35-31-101 et seq.		Medical Privacy	Genetics

Related Research Articles

The Gramm–Leach–Bliley Act (GLBA), also known as the Financial Services Modernization Act of 1999, is an act of the 106th United States Congress (1999–2001). It repealed part of the Glass–Steagall Act of 1933, removing barriers in the market among banking companies, securities companies, and insurance companies that prohibited any one institution from acting as any combination of an investment bank, a commercial bank, and an insurance company. With the passage of the Gramm–Leach–Bliley Act, commercial banks, investment banks, securities firms, and insurance companies were allowed to consolidate. Furthermore, it failed to give to the SEC or any other financial regulatory agency the authority to regulate large investment bank holding companies. The legislation was signed into law by President Bill Clinton.

Identity theft, identity piracy or identity infringement occurs when someone uses another's personal identifying information, like their name, identifying number, or credit card number, without their permission, to commit fraud or other crimes. The term identity theft was coined in 1964. Since that time, the definition of identity theft has been legally defined throughout both the U.K. and the U.S. as the theft of personally identifiable information. Identity theft deliberately uses someone else's identity as a method to gain financial advantages or obtain credit and other benefits. The person whose identity has been stolen may suffer adverse consequences, especially if they are falsely held responsible for the perpetrator's actions. Personally identifiable information generally includes a person's name, date of birth, social security number, driver's license number, bank account or credit card numbers, PINs, electronic signatures, fingerprints, passwords, or any other information that can be used to access a person's financial resources.

Information privacy is the relationship between the collection and dissemination of data, technology, the public expectation of privacy, contextual information norms, and the legal and political issues surrounding them. It is also known as data privacy or data protection.

Medical privacy, or health privacy, is the practice of maintaining the security and confidentiality of patient records. It involves both the conversational discretion of health care providers and the security of medical records. The terms can also refer to the physical privacy of patients from other patients and providers while in a medical facility, and to modesty in medical settings. Modern concerns include the degree of disclosure to insurance companies, employers, and other third parties. The advent of electronic medical records (EMR) and patient care management systems (PCMS) have raised new concerns about privacy, balanced with efforts to reduce duplication of services and medical errors.

The Fair Credit Reporting Act (FCRA), 15 U.S.C. § 1681 et seq., is federal legislation enacted to promote the accuracy, fairness, and privacy of consumer information contained in the files of consumer reporting agencies. It was intended to shield consumers from the willful and/or negligent inclusion of erroneous data in their credit reports. To that end, the FCRA regulates the collection, dissemination, and use of consumer information, including consumer credit information. Together with the Fair Debt Collection Practices Act (FDCPA), the FCRA forms the foundation of consumer rights law in the United States. It was originally passed in 1970, and is enforced by the U.S. Federal Trade Commission, the Consumer Financial Protection Bureau, and private litigants.

A privacy policy is a statement or legal document that discloses some or all of the ways a party gathers, uses, discloses, and manages a customer or client's data. Personal information can be anything that can be used to identify an individual, not limited to the person's name, address, date of birth, marital status, contact information, ID issue, and expiry date, financial records, credit information, medical history, where one travels, and intentions to acquire goods and services. In the case of a business, it is often a statement that declares a party's policy on how it collects, stores, and releases personal information it collects. It informs the client what specific information is collected, and whether it is kept confidential, shared with partners, or sold to other firms or enterprises. Privacy policies typically represent a broader, more generalized treatment, as opposed to data use statements, which tend to be more detailed and specific.

Personal data, also known as personal information or personally identifiable information (PII), is any information related to an identifiable person.

Information privacy, data privacy or data protection laws provide a legal framework on how to obtain, use and store data of natural persons. The various laws around the world describe the rights of natural persons to control who is using its data. This includes usually the right to get details on which data is stored, for what purpose and to request the deletion in case the purpose is not given anymore.

Genetic discrimination occurs when people treat others differently because they have or are perceived to have a gene mutation(s) that causes or increases the risk of an inherited disorder. It may also refer to any and all discrimination based on the genotype of a person rather than their individual merits, including that related to race, although the latter would be more appropriately included under racial discrimination. Some legal scholars have argued for a more precise and broader definition of genetic discrimination: "Genetic discrimination should be defined as when an individual is subjected to negative treatment, not as a result of the individual's physical manifestation of disease or disability, but solely because of the individual's genetic composition." Genetic Discrimination is considered to have its foundations in genetic determinism and genetic essentialism, and is based on the concept of genism, i.e. distinctive human characteristics and capacities are determined by genes.

Privacy law is the body of law that deals with the regulating, storing, and using of personally identifiable information, personal healthcare information, and financial information of individuals, which can be collected by governments, public or private organisations, or other individuals. It also applies in the commercial sector to things like trade secrets and the liability that directors, officers, and employees have when handing sensitive information.

Consumer protection is the practice of safeguarding buyers of goods and services, and the public, against unfair practices in the marketplace. Consumer protection measures are often established by law. Such laws are intended to prevent businesses from engaging in fraud or specified unfair practices to gain an advantage over competitors or to mislead consumers. They may also provide additional protection for the general public which may be impacted by a product even when they are not the direct purchaser or consumer of that product. For example, government regulations may require businesses to disclose detailed information about their products—particularly in areas where public health or safety is an issue, such as with food or automobiles.

Information technology law(IT law) or information, communication and technology law (ICT law) (also called cyberlaw) concerns the juridical regulation of information technology, its possibilities and the consequences of its use, including computing, software coding, artificial intelligence, the internet and virtual worlds. The ICT field of law comprises elements of various branches of law, originating under various acts or statutes of parliaments, the common and continental law and international law. Some important areas it covers are information and data, communication, and information technology, both software and hardware and technical communications technology, including coding and protocols.

The United States Commission's fair information practice principles (FIPPs) are guidelines that represent widely accepted concepts concerning fair information practice in an electronic marketplace.

The United States Federal Trade Commission (FTC) has been involved in oversight of the behavioral targeting techniques used by online advertisers since the mid-1990s. These techniques, initially called "online profiling", are now referred to as "behavioral targeting"; they are used to target online behavioral advertising (OBA) to consumers based on preferences inferred from their online behavior. During the period from the mid-1990s to the present, the FTC held a series of workshops, published a number of reports, and gave numerous recommendations regarding both industry self-regulation and Federal regulation of OBA. In late 2010, the FTC proposed a legislative framework for U.S. consumer data privacy including a proposal for a "Do Not Track" mechanism. In 2011, a number of bills were introduced into the United States Congress that would regulate OBA.

Do Not Track legislation protects Internet users' right to choose whether or not they want to be tracked by third-party websites. It has been called the online version of "Do Not Call". This type of legislation is supported by privacy advocates and opposed by advertisers and services that use tracking information to personalize web content. Do Not Track (DNT) is a formerly official HTTP header field, designed to allow internet users to opt-out of tracking by websites—which includes the collection of data regarding a user's activity across multiple distinct contexts, and the retention, use, or sharing of that data outside its context. Efforts to standardize Do Not Track by the World Wide Web Consortium did not reach their goal and ended in September 2018 due to insufficient deployment and support.

Chris Jay Hoofnagle is an American professor at the University of California, Berkeley who teaches information privacy law, computer crime law, regulation of online privacy, internet law, and seminars on new technology. Hoofnagle has contributed to the privacy literature by writing privacy law legal reviews and conducting research on the privacy preferences of Americans. Notably, his research demonstrates that most Americans prefer not to be targeted online for advertising and despite claims to the contrary, young people care about privacy and take actions to protect it. Hoofnagle has written scholarly articles regarding identity theft, consumer privacy, U.S. and European privacy laws, and privacy policy suggestions.

DNA encryption is the process of hiding or perplexing genetic information by a computational method in order to improve genetic privacy in DNA sequencing processes. The human genome is complex and long, but it is very possible to interpret important, and identifying, information from smaller variabilities, rather than reading the entire genome. A whole human genome is a string of 3.2 billion base paired nucleotides, the building blocks of life, but between individuals the genetic variation differs only by 0.5%, an important 0.5% that accounts for all of human diversity, the pathology of different diseases, and ancestral story. Emerging strategies incorporate different methods, such as randomization algorithms and cryptographic approaches, to de-identify the genetic sequence from the individual, and fundamentally, isolate only the necessary information while protecting the rest of the genome from unnecessary inquiry. The priority now is to ascertain which methods are robust, and how policy should ensure the ongoing protection of genetic privacy.

The gathering of personally identifiable information (PII) is the practice of collecting public and private personal data that can be used to identify an individual for both legal and illegal applications. PII owners often view PII gathering as a threat and violation of their privacy. Meanwhile, entities such as information technology companies, governments, and organizations use PII for data analysis of consumer shopping behaviors, political preference, and personal interests.

Privacy and the United States government consists of enacted legislation, funding of regulatory agencies, enforcement of court precedents, creation of congressional committees, evaluation of judicial decisions, and implementation of executive orders in response to major court cases and technological change. Because the United States government is composed of three distinct branches governed by both the separation of powers and checks and balances, the change in privacy practice can be separated relative to the actions performed by the three branches.

Financial privacy laws regulate the manner in which financial institutions handle the nonpublic financial information of consumers. In the United States, financial privacy is regulated through laws enacted at the federal and state level. Federal regulations are primarily represented by the Bank Secrecy Act, Right to Financial Privacy Act, the Gramm-Leach-Bliley Act, and the Fair Credit Reporting Act. Provisions within other laws like the Credit and Debit Card Receipt Clarification Act of 2007 as well as the Electronic Funds Transfer Act also contribute to financial privacy in the United States. State regulations vary from state to state. While each state approaches financial privacy differently, they mostly draw from federal laws and provide more stringent outlines and definitions. Government agencies like the Consumer Financial Protection Bureau and the Federal Trade Commission provide enforcement for financial privacy regulations.

References

1 2 Dilbert, Robert (2016). "United States CyberSecurity Enforcement: Leading Roles of the Federal Trade Commission and State Attorneys General". Kentucky Law Review. 43: 1–28 – via JSTOR.
1 2 California Legislative Information (October 7, 2021). "SB-41 Privacy: genetic testing companies".
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 Harrell, Heather (2016). "Biobanking Research and Privacy Laws in the United States". The Journal of Law, Medicine & Ethics. 44 (1): 106–127. doi:10.1177/1073110516644203. PMID 27256128.
1 2 3 4 5 6 7 Kosseff, Jeff (2018). "Defining Cybersecurity Law". Iowa Law Review. 103 (3): 985–1031.
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 "Policy and Legislation Database - Browse All Records". National Human Genome Research Institute (NHGRI). Retrieved 2019-03-21.
1 2 "Alaska Personal Information Protection Act - Consumer Protection Laws". law.alaska.gov. Retrieved 2019-04-29.
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 "State Laws Related to Internet Privacy". www.ncsl.org. Retrieved 2019-04-04.
↑ "Move Over, CCPA: The California Privacy Rights Act Gets the Spotlight Now". news.bloomberglaw.com. Retrieved 2020-12-10.
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 "State Social Media Privacy Laws". www.ncsl.org. Retrieved 2019-04-04.
1 2 3 "Montana Privacy laws & HR compliance analysis". www.blr.com. Retrieved 2019-05-01.
1 2 3 4 "North Carolina Data Privacy Regulations Overview". CSR Privacy Solutions. Retrieved 2019-05-01.

This page is based on this Wikipedia article
Text is available under the CC BY-SA 4.0 license; additional terms may apply.
Images, videos and audio are available under their respective licenses.

[:5-1] 1 2 Dilbert, Robert (2016). "United States CyberSecurity Enforcement: Leading Roles of the Federal Trade Commission and State Attorneys General". Kentucky Law Review. 43: 1–28 – via JSTOR.

[:2-2] 1 2 California Legislative Information (October 7, 2021). "SB-41 Privacy: genetic testing companies".

[:0-3] 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 Harrell, Heather (2016). "Biobanking Research and Privacy Laws in the United States". The Journal of Law, Medicine & Ethics. 44 (1): 106–127. doi:10.1177/1073110516644203. PMID 27256128.

[:22-4] 1 2 3 4 5 6 7 Kosseff, Jeff (2018). "Defining Cybersecurity Law". Iowa Law Review. 103 (3): 985–1031.

[:1-5] 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 "Policy and Legislation Database - Browse All Records". National Human Genome Research Institute (NHGRI). Retrieved 2019-03-21.

[:6-6] 1 2 "Alaska Personal Information Protection Act - Consumer Protection Laws". law.alaska.gov. Retrieved 2019-04-29.

[:4-7] 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 "State Laws Related to Internet Privacy". www.ncsl.org. Retrieved 2019-04-04.

[8] "Move Over, CCPA: The California Privacy Rights Act Gets the Spotlight Now". news.bloomberglaw.com. Retrieved 2020-12-10.

[:3-9] 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 "State Social Media Privacy Laws". www.ncsl.org. Retrieved 2019-04-04.

[:7-10] 1 2 3 "Montana Privacy laws & HR compliance analysis". www.blr.com. Retrieved 2019-05-01.

[:8-11] 1 2 3 4 "North Carolina Data Privacy Regulations Overview". CSR Privacy Solutions. Retrieved 2019-05-01.

[1]

[2]

[3]

[4]

[5]

[6]

[7]

[8]

[9]

[10]

[11]

v t e Privacy
Principles	Right of access to personal data Expectation of privacy Right to privacy Right to be forgotten Post-mortem privacy
Privacy laws	Australia Brazil Canada China Denmark England European Union Germany Ghana New Zealand Russia Singapore Switzerland United Kingdom United States California, amended in 2020
Data protection authorities	Australia Denmark European Union France Germany India Indonesia Ireland Isle of Man Netherlands Norway Philippines Poland South Korea Spain Sweden Switzerland Thailand Turkey United Kingdom
Areas	Consumer Digital Education Medical Workplace
Information privacy	Law Financial Internet Facebook Google Twitter Email Personal data Personal identifier Social networking services Privacy-enhancing technologies Privacy engineering Privacy-invasive software Privacy policy Secret ballot Virtual assistant privacy
Advocacy organizations	American Civil Liberties Union Center for Democracy and Technology Computer Professionals for Social Responsibility Data Privacy Lab Electronic Frontier Foundation Electronic Privacy Information Center European Digital Rights Future of Privacy Forum Global Network Initiative International Association of Privacy Professionals NOYB Privacy International
See also	Anonymity Cellphone surveillance Data security Eavesdropping Global surveillance Identity theft Mass surveillance Panopticon PRISM Search warrant Wiretapping Human rights Personality rights
Category