Patchwork of state privacy laws emerging

28 July 2017. By Amy Miller and Mike Swift.

Several states including California, Illinois and Washington moved forward with online privacy legislation this summer after US President Donald Trump and Congress overturned Obama-era privacy protections for consumers.

Now it's increasingly likely that websites and Internet service providers will soon have to navigate a patchwork of state regulations addressing a wide range of privacy issues, from facial recognition technology to geolocation tracking. It's a situation many have fought hard to avoid.

Online privacy has been a particular concern for state legislatures after Congress voted in April to block the US Federal Communications Commission's privacy rules for ISPs before they took effect. In more than 20 states, lawmakers have introduced or moved forward with legislation that, like the FCC rules, would restrict the sharing of consumers' personal information by ISPs.

One of the most closely watched broadband privacy bills moved forward this month in California, the world's sixth-largest economy, despite facing opposition from lobbyists for tech and advertising companies. The state's Senate Rules Committee will consider the bill after the legislature reconvenes on Aug. 21.

Bills introduced in the Washington state legislature that would require ISPs to get written consent from customers before selling their information to third parties are also moving through committees.

Other states' legislators have been less successful, so far. New York state Senator Tim Kennedy, a Democrat from Buffalo, introduced a bill that would prohibit ISPs from selling customer browsing history and other personal information to third parties, but it didn't advance in the Republican-dominated state Senate.

Meanwhile, Republicans in Congress are already trying to block states from regulating broadband privacy.

US Representative Marsha Blackburn, a Republican from Tennessee who led the effort to repeal the FCC's privacy rules, has introduced a bill that would require ISPs and websites to get permission before selling consumers' personal information. It would also preempt states' efforts to legislate online privacy.

State legislatures are also trying to regulate biometric data. Washington state this week joined Illinois and Texas as the third US state to enact a law that regulates the privacy of biometric data such as fingerprints, retina scans or voice identification.

The Washington state law that went into effect July 24 requires companies to disclose how they collect and use biometric identifiers, and to obtain consent from consumers before using their biometric information. The law was proposed before the FCC privacy rules change, but it gained momentum this spring.

But Washington state, home to tech giants Microsoft and Amazon, has taken a more lenient stance on the use of biometric identifiers than Illinois. Unlike the Illinois Biometric Information Privacy Act, which has sparked class-action litigation against Facebook and Google, the Washington law does not let consumers sue companies directly; only the state attorney general can.

The law also allows the use of biometric identifiers for security purposes, such as plans by Amazon and MasterCard to allow consumers to authenticate a transaction by taking an identifying selfie with a smartphone.

"The goal of the Washington statute is to allow companies to actually use this technology," said Ben Byer, a lawyer in Seattle with the firm Davis Wright Tremaine who has been tracking the law.

States are also beginning to regulate privacy disclosures. Nevada joined California and Delaware in passing a law requiring websites, mobile apps and other online services to disclose their privacy practices.

But the Nevada law does not carry the same privacy requirements as the other state laws, such as requiring websites to disclose whether they honor a "Do Not Track" signal from a user's browser.

Like the California and Delaware laws, the Nevada privacy law requires websites to identify the categories of personally identifiable information they collect, and to identify the categories of third parties they might sell that information to.

But the Nevada law has exemptions that would excuse many commercial websites from complying, including websites that don't direct their business at Nevada residents, as well as websites based in Nevada whose primary business is not online and that have fewer than 20,000 unique visitors a year.

Oregon, meanwhile, enacted a law that explicitly says websites that fail to adhere to disclosures in their privacy policies are in violation of the Oregon consumer protection laws.

But in Illinois, a bill that would have required significant privacy disclosures by any online company failed to clear the state House of Representatives. The Illinois "Right to Know" Act passed by the state Senate in May would have allowed state residents to request a copy of the information that companies such as Google and Facebook collect and store about them.

The bill failed to pass the House by a May 31 deadline, but could resurface in 2018, in the second year of a two-year legislative session.

Illinois has also taken on geolocation tracking, and may soon become the first state in the country to make it illegal to track mobile phones without the owner's consent. Earlier this month, the state's General Assembly passed the Geolocation Privacy Protection Act, which would set the strictest geolocation data requirements in the country.

The geolocation bill, which was sent to the Illinois governor on July 26, would require companies to get "affirmative express consent" before collecting location information. They must also provide a hyperlink to the geolocation information being collected.

But unlike Illinois' biometric privacy law, this proposed law won't let individuals sue; only the state's attorney general can. The bill also has many exceptions, including for Internet and telecommunications companies.
