Over two dozen privacy laws have passed this year in more than 10 states, in places as different as Oklahoma and California. Many lawmakers say that news reports of widespread surveillance by the National Security Agency have led to more support for the bills among constituents. http://www.nytimes.com/2013/10/31/technology/no-us-action-so-states-move-on-privacy-law.html?ref=us And in some cases, the state lawmakers say, they have felt compelled to act because of the stalemate in Washington on legislation to strengthen privacy laws.
“Congress is obviously not interested in updating those things or protecting privacy,” said Jonathan Stickland, a Republican state representative in Texas. “If they’re not going to do it, states have to do it.”
For Internet companies, the patchwork of rules across the country means keeping a close eye on evolving laws to avoid overstepping. Many companies have an internal team to deal with state legislation. And the flurry of legislation has led some companies, particularly technology companies, to exert their lobbying muscles — with some success — when proposed measures stand to harm their bottom lines.
Some of the bills extend to surveillance beyond the web. Eight states, for example, have passed laws this year limiting the use of drones, according to the American Civil Liberties Union, which has advocated such privacy laws. In Florida, a lawmaker has drafted a bill that would prohibit schools from collecting biometric data to verify who gets free lunches and who gets off at which bus stop. Vermont has limited the use of data collected by license plate readers, which are used mostly by police to record images of license plates.
California, long a pioneer on digital privacy laws, has passed three online privacy bills this year. One gives children the right to erase social media posts, another makes it a misdemeanor to publish identifiable nude pictures online without the subject’s permission, and a third requires companies to tell consumers whether they abide by “do not track” signals on web browsers.
But stiff lobbying efforts were able to stop a so-called right to know bill proposed in California this year that stood to hurt the online industry. The bill would have required any business that “retains a customer’s personal information” to share a copy of that information at the customer’s request, as well as disclose which third parties have received the information. The practice of sharing customer data is central to digital advertising and to the large Internet companies that rely on advertising revenue.
Several legislators said they felt compelled to act because Congress had not. “They don’t act in the best interest unless it’s in their best interest,” said Daniel Zolnikov, a first-time legislator in Montana. Mr. Zolnikov, a Republican, suggested that the lack of action was because of lobbying efforts from “special interests” on Capitol Hill.
So Mr. Zolnikov took up the privacy issue in his state house: Montana became the first state in the nation this year to pass a law that requires police to obtain a search warrant before it can track a suspect’s whereabouts through cellphone records.
According to a survey conducted in July by the Pew Internet Center, most Americans said they believed that existing laws were inadequate to protect their privacy online, and a clear majority reported making great efforts to mask their identities online. Some of those surveyed said they cleared browsing histories, deleted social media posts or used virtual networks to conceal their Internet Protocol addresses — and a few even said they used encryption tools.
Many states have already responded to those opinions. In the last couple of years, about 10 states have passed laws restricting employers from demanding access to their employees’ social media accounts.
California set the stage on digital privacy 10 years ago with a law that required organizations, whether public or private, to inform consumers if their personal data had been breached or stolen. Several states followed, and today, nearly every state has a data breach notification law.
This year, California amended that landmark law, adding an Internet user’s login name and password to the menu of personal information that is covered. The California attorney general’s office also has a full-time unit to enforce digital privacy laws.