State privacy laws of the United States

From Deep web, the free encyclopedia

Privacy laws vary from state to state within the United States of America. Several states have recently passed new legislation that adapts to changes in cybersecurity law, medical privacy law, and other privacy-related law. State laws are typically extensions of existing United States federal laws, expanding them or changing how they are implemented.

History

Historically, state laws on privacy date back to before the founding of the United States, and most authorities left the protection of personal information to the individual. However, the creation of a national economy after the Civil War made personal protection of privacy impractical, which led to the creation of governmental agencies that recommended stronger privacy protections. This in turn led to the creation of de facto privacy commissioners, such as the Federal Trade Commission (FTC) and the State Attorneys General.[1]

The FTC was created in 1914 to protect individuals from harmful trade practices; in 1995 the FTC began to study and analyze privacy issues in electronic commerce and to issue and enforce regulations.[1]

Most state legislation on privacy is an expansion of federal law.

Types of privacy legislation

There are several different types of privacy legislation currently in place. State laws vary between these niche privacy spheres. Each type of legislation tries to protect a certain area of privacy. Types of legislation include:

  • Medical Privacy
  • Data Privacy
  • Financial Privacy

Medical privacy

Laws on biobanks

One major aspect of medical privacy is the law governing biobanks. A biobank is a collection facility that stores and manages human specimens. The major federal rules that apply to biobanks are the regulations of the Food and Drug Administration and the Common Rule, the United States guideline for research involving human subjects. Other major federal laws that govern biobanks include the Privacy Act of 1974, the Health Insurance Portability and Accountability Act (HIPAA), the Genetic Information Nondiscrimination Act (GINA), the Health Information Technology for Economic and Clinical Health (HITECH) Act, and the Newborn Screening Saves Lives Reauthorization Act of 2014.

State legislation on privacy tends to follow the same patterns and ordering as federal law in these matters, but in some cases state laws can be more detailed and stringent while remaining consistent with the federal laws in place.[2] With respect to biobanks, state laws can restrict a laboratory's ability to reject a customer and can regulate what happens to data after a test.[2] Certain states have privacy laws that deal specifically with genetic information: information, such as DNA, that can be used to find details about individuals, including race and gender.[2] States can pass legislation that lets individuals control the tests conducted on their genes and that regulates how long data is stored in biobanks. State laws can also determine who controls the samples: the individual from whom they were collected or the pharmaceutical companies.

Digital privacy laws

Corporate data security laws

An important aspect of digital privacy law is cybersecurity, which encompasses corporate data security. At the national level, the Federal Trade Commission (FTC) is in charge of data security regulation.[3] With respect to cybersecurity, the FTC makes sure that companies have security measures in place and that companies are not misrepresenting their level of digital security. Several aspects of the FTC regulations are outdated and are only loosely connected to data security, through Section 5 of the FTC Act. Under Section 5, the FTC fines companies for having substandard security measures, neglecting the security of consumer data, and failing to train employees on data security.[3] Additional federal laws on this topic include the Cybersecurity Act of 2015, the Electronic Communications Privacy Act, the Computer Fraud and Abuse Act and the Economic Espionage Act.[3]

Financial privacy laws

Financial privacy laws regulate how companies, specifically those focused on finance, handle consumers' financial information. Federal laws that regulate this include the Gramm-Leach-Bliley Act, the Fair Credit Reporting Act, the Fair and Accurate Credit Transactions Act, the Credit and Debit Card Receipt Clarification Act, the Bank Secrecy Act, the Fair Debt Collection Practices Act, the Electronic Funds Transfer Act, and the Dodd-Frank Wall Street Reform and Consumer Protection Act. All of these acts operate at the national level.

States

Alabama

Name of Article | Type of Privacy Protected | Law on | Purpose
Ala. Admin. Code r. 420-5-7-.05 | Medical Privacy | Confidentiality of information
    (4) Privacy and safety.
    (a) The patient has the right to personal privacy.
    (b) The patient has the right to receive care in a safe setting.
    (c) The patient has the right to be free from all forms of abuse or harassment.
    (5) Confidentiality of Patient Records.
    (a) The patient has the right to the confidentiality of his or her clinical records.
    (b) The patient has the right to access information contained in his or her clinical records within a reasonable time frame. The hospital shall not frustrate the legitimate efforts of individuals to gain access to their own medical records and shall

Ala. Admin. Code r. 420-5-7-.13 | Medical Privacy | Medical record services
    (3) Form and retention of record. The hospital shall maintain a medical record for each inpatient and outpatient. Medical records shall be accurately written, promptly completed, properly filed and retained, and accessible. The hospital shall use a system of author identification and record maintenance that ensures the integrity of the authentication and protects the security of all record entries.
    (c) The hospital shall have a procedure for ensuring the confidentiality of patient records. Information from or copies of records may be released only to authorized individuals, and the hospital shall ensure that unauthorized individuals cannot gain access to or alter patient records. Original medical records shall be released by the hospital only in accordance with federal or state laws, court orders, or subpoenas.
    (4) Content of record. The medical record shall contain information to justify admission and continued hospitalization, support the diagnosis, and describe the patient's progress and response to medications and services.

Ala. Admin. Code r. 545-X-4-.08 | Medical Privacy | Medical Records
    (1) Physicians should maintain legible well documented records reflecting the history, findings, diagnosis and course of treatment in the care of a patient. Medical records should be maintained by the treating physician for such period as may be necessary to treat the patient and for such additional time as may be required for medical legal purposes.
    (2) Access. On the request of a patient, and with the authorization of the patient, a physician should provide a copy or a summary of the medical record to the patient or to another physician, attorney or other person designated by the patient. By state law, a physician is allowed to condition the release of copies of medical records on the payment by the requesting party of the reasonable costs of reproducing the record. Reasonable cost as defined by law may not exceed one dollar ($1.00) per page for the first twenty-five (25) pages, fifty cents ($.50) per page for each page in excess of twenty-five (25) pages, plus the actual cost of mailing the record. In addition, the actual costs of reproducing x-rays or other special records may be included. For medical records provided in an electronic file, a flat fee that would not exceed the cost of providing the records in paper form may be charged. Records subpoenaed by the State Board of Medical Examiners are exempt from this law. Physicians charging for the cost of reproduction of medical records should give primary consideration to the ethical and professional duties owed to other physicians and to their patients, and waive copying charges when appropriate.

Ala. Code § 25-5-339 | Medical Privacy | Confidentiality of information
    (b) Employers, laboratories, medical review officers, employee assistance programs, drug or alcohol rehabilitation programs, and their agents who receive or have access to information concerning test results shall keep all information confidential. Release of such information under any other circumstance shall be solely pursuant to a written consent form signed voluntarily by the person tested, unless the release is compelled by an agency of the state or a court of competent jurisdiction or unless deemed appropriate by a professional or occupational licensing board in a related disciplinary proceeding. The consent form shall contain at a minimum all of the following:
    (1) The name of the person who is authorized to obtain the information.
    (2) The purpose of the disclosure.
    (3) The precise information to be disclosed.
    (4) The duration of the consent.
    (5) The signature of the person authorizing release of the information.

Alabama Data Breach Notification Act | Data Privacy | Breach notification
    In case of hacking, notice to an affected individual under this section shall be given in writing, sent to the mailing address of the individual in the records of the covered entity, or by email notice sent to the email address of the individual in the records of the covered entity. The notice shall include, at a minimum, all of the following:
    (1) The date, estimated date, or estimated date range of the breach.
    (2) A description of the sensitive personally identifying information that was acquired by an unauthorized person as part of the breach.
    (3) A general description of the actions taken by a covered entity to restore the security and confidentiality of the personal information involved in the breach.
    (4) A general description of steps an affected individual can take to protect himself or herself from identity theft.
    (5) Information that the individual can use to contact the covered entity to inquire about the breach.

Alabama Insurance Regulation Chapter 482-1-122 | Financial Privacy | Third Parties
    A. Initial notice requirement. A licensee shall provide a clear and conspicuous notice that accurately reflects its privacy policies and practices to both of the following:
    (1) Customer. An individual who becomes the licensee's customer, not later than when the licensee establishes a customer relationship, except as provided in Subsection E of this section.
    (2) Consumer. A consumer, before the licensee discloses any nonpublic personal financial information about the consumer to any nonaffiliated third party, if the licensee makes a disclosure other than as authorized by Sections 15 and 16.
    B. When initial notice to a consumer is not required. A licensee is not required to provide an initial notice to a consumer under Subsection A(2) of this section if either of the following are true:
    (1) The licensee does not disclose any nonpublic personal financial information about the consumer to any nonaffiliated third party, other than as authorized by Sections 15 and 16, and the licensee does not have a customer relationship with the consumer.
    (2) A notice has been provided by an affiliated licensee, as long as the notice clearly identifies all licensees to whom the notice applies and is accurate with respect to the licensee and the other institutions.

Alaska

Name of Article | Type of Privacy Protected | Law on | Purpose
AS §18.13.010 et seq | Medical Privacy | Genetics | This Alaska legislation provides privacy regulations for genetic information and states that genetic information belongs to the individual it originated from.[4]
AS 45.48.100 - .290 (section in the Alaska Personal Information Privacy Act) | Financial Privacy | Credit Reports | This article allows consumers to place security holds on their credit report, which prevents any third party from gaining access to that individual's credit report. The hold can also be removed by the consumer by submitting a request similar to the one needed to place the hold.[5]
Section 45.48.400 (section in the Alaska Personal Information Privacy Act) | Data Security | Social Security | These sections make it illegal to make Social Security numbers available to the public, to request and collect Social Security numbers, and to sell, trade, lease or loan SSNs. Disclosures of SSNs are valid only if authorized by law: when requested by a government agency, by a person subject to the Gramm-Leach-Bliley Act or the Fair Credit Reporting Act, by a member of a consumer reporting agency, or by someone requesting a background check.[5]

Arizona

Name of Article | Type of Privacy Protected | Law on | Purpose
Ariz. Rev. Stat. Ann. § 12–2803 | Medical Privacy | Consent for information collection | This Arizona state legislation states that written consent must be provided for genetic testing, unless the data is collected for research purposes.[2]
Arizona 2010 SB 1309 | Medical Privacy | Genetic information belonging to minors | This Arizona state legislation states that written parental consent must be obtained in order to collect and store a minor's DNA. There are some exceptions for newborns.[4]
ARS §1-602 | Medical Privacy | Genetic information belonging to minors | This Arizona state legislation states that written parental consent must be obtained in order to collect and store a minor's DNA. There are some exceptions for newborns.[4]
ARS §12-2801 et seq | Medical Privacy | Genetic information belonging to minors | This Arizona state legislation states that written parental consent and health care provider consent must be obtained in order to collect and store a minor's DNA. There are some exceptions for newborns.[4]
Arizona 2016 HB 2144 | Medical Privacy | Genetics | This Arizona state legislation states that genetic testing can only be conducted with the consent of the person being tested.[4]
Arizona 2019 SB 1297 | Medical Privacy | Genetics | This Arizona state legislation removes self-conducted genetic tests from the definition of genetic testing and adds details on providing the results of genetic tests to medical care providers.[4]
ARS §20-448.02 | Medical Privacy | Genetics | This Arizona state legislation states that a genetic test cannot be conducted without the knowledge of the individual being tested.[4]
ARS § 41-151.22 | Digital Privacy | E-readers | Libraries are not allowed to disclose any information that identifies a user from the materials they requested, whether digitally or physically.[6]

Arkansas

Name of Article | Type of Privacy Protected | Law on | Purpose
Ark. Code § 20-35-103 | Medical Privacy | Notifications and treatment of patients | This Arkansas state legislation states that genetic testing is allowed if the information is anonymized.[2]
Arkansas 2015 HB 1827 | Medical Privacy | Genetic information belonging to minors | This Arkansas state legislation states that written parental consent must be acquired before any medical screening is performed on a minor. This enforces the Parents' Bill of Rights.[4]
Ark. Code §20-35-101 et seq. | Medical Privacy | Genetics | This Arkansas state legislation states that individual records cannot be released without court permission or a consent form.[4]
Ark. Code Ann. §4-110-104 | Digital Privacy | Corporate data security | (b) A person or business that acquires, owns, or licenses personal information about an Arkansas resident shall implement and maintain reasonable security procedures and practices appropriate to the nature of the information to protect the personal information from unauthorized access, destruction, use, modification, or disclosure.
Ark. Code § 11-2-124 | Digital Privacy | Social media privacy
    (b) (1) An employer shall not require, request, suggest, or cause a current or prospective employee to:
    (A) Disclose his or her username and password to the current or prospective employee's social media account;
    (B) Add an employee, supervisor, or administrator to the list of contacts associated with his or her social media account; or
    (C) Change the privacy settings associated with his or her social media account.
    (2) If an employer inadvertently receives an employee's username, password, or other login information to the employee's social media account through the use of an electronic device provided to the employee by the employer or a program that monitors an employer's network, the employer is not liable for having the information but may not use the information to gain access to an employee's social media account.

Ark. Code § 6-60-104 | Digital Privacy | Educational institutions
    (b) An institution of higher education shall not require, request, suggest, or cause:
    (1) A current or prospective employee or student to disclose his or her username and password to the current or prospective employee's or student's social media account; or
    (2) A current or prospective student, as a condition of acceptance in curricular or extracurricular activities, to:
    (A) Add an employee or volunteer of the institution of higher education, including without limitation a coach, professor, or administrator, to the list of contacts associated with his or her social media account; or
    (B) Change the privacy settings associated with his or her social media account.
    (c) An institution of higher education shall not:
    (1) Take action against or threaten to discharge, discipline, prohibit from participating in curricular or extracurricular activities, or otherwise penalize a current student for exercising his or her rights under subsection (b) of this section; or
    (2) Fail or refuse to admit or hire a prospective employee or student for exercising his or her rights under subsection (b) of this section.

California

Name of Article | Type of Privacy Protected | Law on | Purpose
Cal. Health & Safety Code § 24175 | Medical Privacy | Notifications and treatment of patients | This California state legislation states that the Common Rule applies to all human subjects.[2]
California 2017 AB 375 | Medical Privacy | Genetics | This California state legislation states that individuals control their biometric information and can sell that data to businesses.[4]
Cal. Civil Code §56.17 | Medical Privacy | Genetics | This California state legislation states that any person who reveals genetic results without consent can be fined.[4]
SB-1121 California Consumer Privacy Act of 2018 | Medical Privacy | Genetics
    (a) A consumer shall have the right to request that a business delete any personal information about the consumer which the business has collected from the consumer.
    (b) A business that collects personal information about consumers shall disclose, pursuant to Section 1798.130, the consumer's rights to request the deletion of the consumer's personal information.
    (c) A business that receives a verifiable consumer request from a consumer to delete the consumer's personal information pursuant to subdivision (a) of this section shall delete the consumer's personal information from its records and direct any service providers to delete the consumer's personal information from their records.
    (d) A business or a service provider shall not be required to comply with a consumer's request to delete the consumer's personal information if it is necessary for the business or service provider to maintain the consumer's personal information in order to:
    (1) Complete the transaction for which the personal information was collected, provide a good or service requested by the consumer, or reasonably anticipated within the context of a business's ongoing business relationship with the consumer, or otherwise perform a contract between the business and the consumer.
    (2) Detect security incidents, protect against malicious, deceptive, fraudulent, or illegal activity; or prosecute those responsible for that activity.
    (3) Debug to identify and repair errors that impair existing intended functionality.
    (4) Exercise free speech, ensure the right of another consumer to exercise his or her right of free speech, or exercise another right provided for by law.

California Civ. Code §1798.81.5 | Digital Privacy | Corporate data security
    (b) A business that owns, licenses, or maintains personal information about a California resident shall implement and maintain reasonable security procedures and practices appropriate to the nature of the information, to protect the personal information from unauthorized access, destruction, use, modification, or disclosure.
    (c) A business that discloses personal information about a California resident pursuant to a contract with a nonaffiliated third party that is not subject to subdivision (b) shall require by contract that the third party implement and maintain reasonable security procedures and practices appropriate to the nature of the information, to protect the personal information from unauthorized access, destruction, use, modification, or disclosure.

Calif. Lab. Code § 980 | Digital Privacy | Social media privacy
    (b) An employer shall not require or request an employee or applicant for employment to do any of the following:
    (1) Disclose a username or password for the purpose of accessing personal social media.
    (2) Access personal social media in the presence of the employer.
    (3) Divulge any personal social media, except as provided in subdivision (c).
    (c) Nothing in this section shall affect an employer's existing rights and obligations to request an employee to divulge personal social media reasonably believed to be relevant to an investigation of allegations of employee misconduct or employee violation of applicable laws and regulations, provided that the social media is used solely for purposes of that investigation or a related proceeding.
    (d) Nothing in this section precludes an employer from requiring or requesting an employee to disclose a username, password, or other method for the purpose of accessing an employer-issued electronic device.
    (e) An employer shall not discharge, discipline, threaten to discharge or discipline, or otherwise retaliate against an employee or applicant for not complying with a request or demand by the employer that violates this section. However, this section does not prohibit an employer from terminating or otherwise taking an adverse action against an employee or applicant if otherwise permitted by law.

Calif. Ed. Code § 99121 | Digital Privacy | Educational institutions
    (a) Public and private postsecondary educational institutions, and their employees and representatives, shall not require or request a student, prospective student, or student group to do any of the following:
    (1) Disclose a user name or password for accessing personal social media.
    (2) Access personal social media in the presence of the institution's employee or representative.
    (3) Divulge any personal social media information.
    (b) A public or private postsecondary educational institution shall not suspend, expel, discipline, threaten to take any of those actions, or otherwise penalize a student, prospective student, or student group in any way for refusing to comply with a request or demand that violates this section.
    (c) This section shall not do either of the following:
    (1) Affect a public or private postsecondary educational institution's existing rights and obligations to protect against and investigate alleged student misconduct or violations of applicable laws and regulations.
    (2) Prohibit a public or private postsecondary educational institution from taking any adverse action against a student, prospective student, or student group for any lawful reason.

Cal. Civ. Code § 1798.100-§ 1798.198 ("The California Consumer Privacy Act of 2018") | Digital Privacy | Consumer data privacy | This legislation states that businesses must disclose to customers the type of information that they collect on them, and if customers refuse to provide that information the business may not use the refusal as grounds to refuse service.[6]
Cal. Bus. & Prof. Code § 22948.20 | Digital Privacy | Consumer data privacy | This legislation states that if a device has a voice recognition feature, the user must be made aware that the feature exists on that device. Additionally, it prohibits the use of voice recognition for advertising, espionage, or law enforcement purposes.[6]
Calif. Bus. & Prof. Code §§ 22580-22582 | Digital Privacy | Children's online privacy | This legislation states that minors must be able to delete information they posted on a website or application, and it prohibits the knowing use of a minor's information for advertising purposes.[6]
Cal. Govt. Code § 6267 | Digital Privacy | E-readers | The library cannot release any information about a patron that can be used to identify them or their reading patterns.[6]
Cal. Civil Code § 1798.90 | Digital Privacy | E-readers | Digital books are treated like physical books, and a warrant is needed to search them.[6]
Calif. Bus. & Prof. Code § 22575 | Digital Privacy | Websites or online services | Requires operators of websites to inform users if third parties are tracking their information. Additionally, a website must state in its privacy policy how it responds to a 'Do Not Track' signal.[6]
Calif. Bus. & Prof. Code § 22575-22578 (CalOPPA) | Digital Privacy | Websites or online services | Any website collecting information on users, including mobile apps, must make this clear on its privacy policy page. Additionally, the website must make clear the type of information that it collects.[6]
California Ed. Code § 99122 | Digital Privacy | Websites or online services | Educational institutions must have a social media privacy policy on their internet website.[6]
California Civil Code §§ 1798.83 to .84 ("Shine the Light Law") | Digital Privacy | Disclosure or sharing of personal information | Businesses must post a privacy statement that allows the consumer to choose, free of charge, not to share their information.[6]
California Consumer Privacy Act | Financial Privacy | Consumer information | This act places regulations on the selling of consumer information, including consumer financial information.[6]
California Privacy Act | Financial Privacy | Opt-in dispersal of personal information | This act is a stricter version of the Gramm-Leach-Bliley Act: an individual must opt in before financial institutions can obtain their personal information.[6]
California Consumer Credit Reporting Agencies Act | Financial Privacy | Credit report | This act regulates consumer credit reporting agencies as well as any users of credit reports.[6]

Colorado

Name of Article | Type of Privacy Protected | Law on | Purpose
Colo. Rev. Stat. Ann. § 10-3-1104.6 | Medical Privacy | Biobanks | This Colorado state legislation states that information belongs to the individual from whom it was collected.[2]
Colo. Rev. Stat. §10-3-1104.6(4) | Medical Privacy | Notification and treatment of patients | This Colorado state legislation states that genetic testing is allowed if the information is anonymized.[2]
Colorado 2015 SB 77 | Medical Privacy | Genetic information belonging to minors | This Colorado state legislation states that written parental consent must be acquired before any medical screening is performed on a minor. This enforces the Parents' Bill of Rights.[4]
Colorado 2009 HB 1338 | Medical Privacy | Genetics
    (a) Genetic information is the unique property of the individual to whom the information pertains.
    (b) Any information concerning an individual obtained through the use of genetic services may be subject to abuses if disclosed to unauthorized third parties without the willing consent of the individual to whom the information pertains.

CRS §10-3-1104.6 | Medical Privacy | Genetics
    (a) Genetic information is the unique property of the individual to whom the information pertains;
    (b) Any information concerning an individual obtained through the use of genetic services may be subject to abuses if disclosed to unauthorized third parties without the willing consent of the individual to whom the information pertains;
    (c) To protect individual privacy and to preserve individual autonomy with regard to the individual's genetic information, it is appropriate to limit the use and availability of genetic information;

C.R.S. 8-2-127 | Digital Privacy | Social media privacy
    (2) (a) An employer may not suggest, request, or require that an employee or applicant disclose, or cause an employee or applicant to disclose, any user name, password, or other means for accessing the employee's or applicant's personal account or service through the employee's or applicant's personal electronic communications device. An employer shall not compel an employee or applicant to add anyone, including the employer or his or her agent, to the employee's or applicant's list of contacts associated with a social media account or require, request, suggest, or cause an employee or applicant to change privacy settings associated with a social networking account.
    (b) Paragraph (a) of this subsection (2) does not prohibit an employer from requiring an employee to disclose any user name, password, or other means for accessing nonpersonal accounts or services that provide access to the employer's internal computer or information systems.

Colorado's Consumer Data Protection Laws | Financial Privacy | PII | If government or private entities hold PII, or a document which contains personal information, including Social Security numbers, biometric data and financial account numbers, they are required to have a written policy ensuring that the PII is destroyed when it is no longer needed.

Connecticut

Name of Article | Type of Privacy Protected | Law on | Purpose
Conn. Gen. Stat. § 42-471 | Digital Privacy | Websites and online services | Any business that collects Social Security numbers must have a privacy protection policy in place, posted on its website, that does not allow the unlawful disclosure of Social Security numbers and limits access to them.[6]

Delaware

Name of Article | Type of Privacy Protected | Law on | Purpose
Del. Code § 1203 | Medical Privacy | Biobanks | This Delaware state legislation states that labs must dispose of any samples from which genetic information has been collected. However, there are several loopholes, such as anonymizing genetic information.[2]
Delaware 2015 SB 151 | Medical Privacy | Genetics
Delaware 2015 SB 68 | Medical Privacy | Genetics
Delaware 2015 SB 79 | Medical Privacy | Genetics
Delaware 2017 HS 1 for HB 180 | Medical Privacy | Genetics
Del. Code 16 §1201 et seq. | Medical Privacy | Genetics
19 Del. Code § 709A | Digital Privacy | Social Media | [7]
14 Del. Code § 8103 | Digital Privacy | Educational Institutions | [7]
Del. Code § 1204C | Digital Privacy | Children's Online Privacy | This legislation states that any digital programs that target children must ensure that their information is child appropriate. It also prohibits the collection of information from a child that can be used to identify the child.[6]
2015 SS 1 FOR SB 68 / Del. Code tit. 6, § 1206C | Digital Privacy | E-reader privacy | Personal information of the reader cannot be disclosed to law enforcement, governmental and commercial entities.[6]
Del. Code Tit. 6 § 205C | Digital Privacy | Website and Online Services | A commercial internet website, online or cloud computing service, online application, or mobile application that collects identifiable personal information of people in Delaware must disclose this collection on its privacy policy page.[6]

Florida

Name of Article | Type of Privacy Protected | Law on | Purpose
Fla. Stat. Ann. § 760.40 | Medical Privacy | Biobanks | This Florida state legislation states that information belongs to the individual from whom it was collected and is subject to privacy laws.[2]
FS §760.40 | Medical Privacy | Genetics
Florida Stat. § 501.171(2) | Digital Privacy | Corporate Data Security

Georgia

Name of Article Purpose Type of Privacy Protected Law on
Ga. Rev. Code §§ 33-54-3 This Georgia state legislation states genetic testing is allowed if the information is anonymized.[2] Medical Privacy Notifications and Treatment of Patients
Ga. Rev. Code §§ 33-54-6 This Georgia state legislation states genetic testing is allowed if the information is anonymized.[2] Medical Privacy Notifications and Treatment of Patients
OCGA §§33-54-1 et seq. Medical Privacy Genetics

Hawaii

Name of Article Purpose Type of Privacy Protected Law on
HRS §§431:10A-118 Medical Privacy Genetics
HRS §§431:10A-404.5 Medical Privacy Genetics
HRS §§432:1-607 Medical Privacy Genetics
HRS §§432:2-404.5 Medical Privacy Genetics
HRS §§432D-26 Medical Privacy Genetics

Idaho

Name of Article Purpose Type of Privacy Protected Law on
IC §39-8301 et seq. Medical Privacy Genetics

Illinois

Name of Article Purpose Type of Privacy Protected Law on
Ill. Comp. Stat. § 50/3.1(a) This Illinois state legislation states that hospital patients must be informed if they are taking part in research.[2] Medical Privacy Notifications and Treatment of Patients
Illinois 2007 SB 941 Medical Privacy Genetics
Illinois 2008 SB 2399 Medical Privacy Genetics
Illinois 2017 SB 318 Medical Privacy Genetics
Illinois 2019 HB 2189 Medical Privacy Genetics
Illinois 2019 SB 1307 Medical Privacy Genetics
Illinois: 410 ILCS 513/1 et seq. Medical Privacy Genetics
820 ILCS 55/10 [7] Digital Privacy Social Media
105 ILCS 75/10, 105 ILCS 75/15 [7] Digital Privacy Educational Institutions

Indiana

Name of Article Purpose Type of Privacy Protected Law on
Indiana Code Ann. § 24-4.9-3-3.5(b) Digital Privacy Corporate Data Security

Iowa

Name of Article Purpose Type of Privacy Protected Law on
2010 SF 2215 Medical Privacy Genetics
2019 HSB 14 Medical Privacy Genetics
2019 SSB 1071 Medical Privacy Genetics
IC §§507B.4 Medical Privacy Genetics
IC §§513B.9A Medical Privacy Genetics
IC §§513B.10 Medical Privacy Genetics

Kansas

Name of Article Purpose Type of Privacy Protected Law on
Kansas 2014 SB 367 This Kansas state legislation prohibits schools from collecting any biometric information from a student unless the student (if an adult) or a parent (if the student is a minor) has given signed consent.[4] Medical Privacy Laws for Minors
KSA §72-6214 This Kansas state legislation prohibits schools from collecting any biometric information from a student unless the student (if an adult) or a parent (if the student is a minor) has given signed consent.[4] Medical Privacy Laws for Minors

Kentucky

Name of Article Purpose Type of Privacy Protected Law on
Kentucky 2019 SB 152 This Kentucky state legislation states that schools may not collect DNA or blood from students unless a court order has been issued or parental consent has been provided.[4] Medical Privacy Laws for Minors
Kentucky 2014 HB 5 Medical Privacy Genetics
Kentucky 2019 SB 152 Medical Privacy Genetics
KRS §304.12-085 Medical Privacy Genetics
KRS §61.931 et seq. Medical Privacy Genetics

Louisiana

Name of Article Purpose Type of Privacy Protected Law on
2009 HB 406 Medical Privacy Genetics
LRS 40:2210 Medical Privacy Genetics
LRS 22:1023 Medical Privacy Genetics
LRS 22:1097 Medical Privacy Genetics
La. Rev. Stat. § 51:1951 to §§ 1953 and 1955 [7] Digital Privacy Social Media
La. Rev. Stat. § 51:1951 to § 1952 and §§ 1954 to 1955 [7] Digital Privacy Educational Institutions

Maine

Name of Article Purpose Type of Privacy Protected Law on
Me. Rev. Stat. Ann. tit. 22, § 1711-C This Maine state legislation states that all health data, including genetic information, must be kept confidential.[2] Medical Privacy Encryption of Collected Data
Me. Rev. Stat. Ann. tit. 22, § 1711-C This Maine state legislation states genetic testing is allowed if the information is anonymized.[2] Medical Privacy Notifications and Treatment of Patients
MRS 22 §1711C Medical Privacy Genetics
MRS 24A §2204 Medical Privacy Genetics
26 M.R.S. § 616 to 619 [7] Digital Privacy Social Media

Maryland

Name of Article Purpose Type of Privacy Protected Law on
Md. Code Ann., Health-Gen. § 13–2002 This Maryland state legislation states that the Common Rule applies to all human subjects.[2] Medical Privacy Notifications and Treatment of Patients
2017 HB 974 Medical Privacy Genetics
2019 HB 1127 Medical Privacy Genetics
2019 HB 716 Medical Privacy Genetics
2019 HB 901 Medical Privacy Genetics
2019 SB 613 Medical Privacy Genetics
2019 SB 786 Medical Privacy Genetics
2019 SB 871 Medical Privacy Genetics
Md. Commercial Code §14-3501 et seq. Medical Privacy Genetics
Md. Insurance Code §27-909 Medical Privacy Genetics
Md. Health-General Code §19-706 Medical Privacy Genetics
Md. State Government Code §20-601 et seq. Medical Privacy Genetics
Maryland Code Ann., Com. Law § 14-3503(a) Digital Privacy Corporate Data Security
Md. Code, Labor and Emp. Law § 3-712 [7] Digital Privacy Social Media
Md. Code, Ed. Law § 26-401 Digital Privacy Educational Institutions

Massachusetts

Name of Article Purpose Type of Privacy Protected Law on
Massachusetts 2013 H 1909 Medical Privacy Genetics
Massachusetts 2015 H 1900 Medical Privacy Genetics
Massachusetts 2017 H2814 Medical Privacy Genetics
Massachusetts: MGL Public Health 111 §70G Medical Privacy Genetics
201 Massachusetts Code Regs. 17.03 Companies must take specific steps to assess security risks, train employees, and carry out other security-related tasks.[3] Digital Privacy Corporate Data Security

Michigan

Name of Article Purpose Type of Privacy Protected Law on
Michigan 2013 SB 178 Medical Privacy Genetics
MCL § 500.2212c Medical Privacy Genetics
MCL §500.3829a Medical Privacy Genetics
MCL §§333.16221 Medical Privacy Genetics
MCL §§333.17020 Medical Privacy Genetics
MCL §§333.17520 Medical Privacy Genetics
MCL § 37.271-37.278 [7] Digital Privacy Social Media
MCL § 37.271-37.278 [7] Digital Privacy Educational Institutions

Minnesota

Name of Article Purpose Type of Privacy Protected Law on
Minnesota 2013 HF 5 Medical Privacy Genetics
Minnesota 2019 HF 112 Medical Privacy Genetics
MS §13.386 Medical Privacy Genetics
MS §144.192 Medical Privacy Genetics
MS §176.138 Medical Privacy Genetics
MS §62V.06 Medical Privacy Genetics
Minn. Stat. §§ 325M.01 to .09 Any information that can be used to identify the user cannot be disclosed. Additionally, Internet service providers must obtain permission before disclosing information.[6] Digital Privacy Personal Information

Mississippi

Name of Article Purpose Type of Privacy Protected Law on
Miss. Code. Ann. § 41-119–13 This Mississippi state legislation states that patient-specific information can only be released in compliance with HIPAA regulations.[2] Medical Privacy Biobanks

Missouri

Name of Article Purpose Type of Privacy Protected Law on
MRS §§375.1300 Medical Privacy Genetics
MRS §§375.1309 Medical Privacy Genetics
Mo. Rev. Stat. § 182.815, 182.817 States that an e-book is similar to a book, so a user must "borrow" it from a library and must return that material. In addition, a library may collect information on the readers of e-books.[6] Digital Privacy E-Reader Privacy

Montana

Name of Article Purpose Type of Privacy Protected Law on
Mont. Code Ann. § 39-2-307 [7] Digital Privacy Social Media
MT Code Sec. 30-14-1704 [8] Data Privacy Breach notification
MT Code Sec. 33-19-321 [8] Data Privacy Insurance companies

Nebraska

Name of Article Purpose Type of Privacy Protected Law on
Neb. Rev. Stat. 48-3501 et seq. [7] Digital Privacy Social Media
NRS §71-551 Medical Privacy Genetics
Nebraska Stat. § 87-302(14) Posting incorrect statements regarding the handling of identifiable personal information is illegal.[6] Digital Privacy False and Misleading Statements in Privacy Policies

Nevada

Name of Article Purpose Type of Privacy Protected Law on
Nev. Rev. Stat. § 629.161 This Nevada state legislation states that genetic information must be destroyed if an individual wants to pull out of the research or if the research has ended.[2] Medical Privacy Biobanks
Nev. Rev. Stat. Ann. § 629.151 This Nevada state legislation states that consent must be provided for genetic testing, unless the data is collected for anonymous research purposes.[2] Medical Privacy Consent to Collect Information
Nevada 2009 SB 426 Medical Privacy Genetics
NRS §629.101 et seq. Medical Privacy Genetics
Rev. Stat. § 603A.215 It requires companies to use encryption when storing certain types of data and to follow certain procedures when saving payment-card data.[3] Digital Privacy Corporate Data Security
NRS § 613.135 [7] Digital Privacy Social Media
NRS § 603A.340 Commercial internet websites, online or cloud computing services, online applications, or mobile applications that collect personally identifiable information must make this collection known on their privacy page. Additionally, they must describe the process used to collect the information and make this description available on the privacy page.[6] Digital Privacy Websites and Online Services
Nevada Revised Stat. § 205.498 Any information that can be used to identify the user cannot be disclosed.[6] Digital Privacy Personal Information held by Internet Service Providers
Nevada Stat. § 87-302(14) Posting incorrect statements regarding the handling of identifiable personal information is illegal.[6] Digital Privacy Privacy Policies

New Hampshire

Name of Article Purpose Type of Privacy Protected Law on
New Hampshire 2014 HB 1262 Medical Privacy Genetics
New Hampshire 2014 HB 1484
New Hampshire 2014 HB 1586
New Hampshire 2016 HB 1493
New Hampshire 2017 HB 523
New Hampshire 2018 HB 1373
New Hampshire 2019 HB 536
New Hampshire 2019 SB 316
NHS §132:10-a V.
NHS §141-H:1
NHS §141-H:2
NHS §141:H-6
N.H. Rev. Stat. § 275:74 [7] Digital Privacy Social Media
N.H. Rev. Stat. 189:70 [7] Digital Privacy Educational Institutions

New Jersey

Name of Article Purpose Type of Privacy Protected Law on
N.J. Stat. Ann. § 26:14–4 This New Jersey state legislation states that hospital patients must be informed if they are taking part in research.[2] Medical Privacy Notifications and Treatment of Patients
New Jersey 2018 A4640 Medical Privacy Genetics
New Jersey 2018 S3153 Medical Privacy Genetics
NJS §10:5-43 et seq. Medical Privacy Genetics
N.J. Stat. § 34:6B-6 [7] Digital Privacy Social Media
N.J. Stat. § 18A:3-30 [7] Digital Privacy Educational Institutions

New Mexico

Name of Article Purpose Type of Privacy Protected Law on
N.M. Stat. Ann. § 24-21–3 This New Mexico state legislation states that consent must be provided for genetic testing, unless the data is collected for anonymous research purposes.[2] Medical Privacy Consent to Collect Information
N.M. Stat. Ann. § 24-21-3C(8) This New Mexico state legislation states that data can be collected for medical registries without needing to be anonymized.[2] Medical Privacy Consent to Collect Information
N.M. Stat. Ann. § 24-21–3 This New Mexico state legislation states genetic testing is allowed if the information is anonymized.[2] Medical Privacy Notifications and Treatment of Patients
New Mexico 2013 SB 445 Medical Privacy Genetics
New Mexico 2015 HB 369 Medical Privacy Genetics
New Mexico 2019 HB 141 Medical Privacy Genetics
NMSA §24-21-1 et seq. Medical Privacy Genetics
N.M. Stat. § 50-4-34 (covers job applicants only) [7] Digital Privacy Social Media
N.M. Stat. § 21-1-46 [7] Digital Privacy Educational Institutions

New York

Name of Article Purpose Type of Privacy Protected Law on
N.Y. Pub. Health §§ 2442, 2444 This New York state legislation states that the Common Rule applies to all human subjects.[2] Medical Privacy Notifications and Treatment of Patients
New York 2019 A1911 Medical Privacy Genetics
New York 2019 A465 Medical Privacy Genetics
New York 2019 S1203 Medical Privacy Genetics
NYCL (CVR) 79-l Medical Privacy Genetics

North Carolina

Name of Article Purpose Type of Privacy Protected Law on
N.C. Gen. Stat. §§ 75-60 – 75-66 (Identity Theft Protection Act) [9] Data Privacy Identity Theft
N.C. Gen. Stat. § 58-2-105 (Confidentiality of Medical and Credentialing Records) [9] Medical Privacy Medical Records
N.C. Gen. Stat. § 58-39-45 (Access to Recorded Personal Information) [9] Data Privacy Recordings
N.C. Gen. Stat. § 132-1.10 (Social Security Numbers and Other Personal Identification Information) [9] Data Privacy Personal Identification Information

North Dakota

Name of Article Purpose Type of Privacy Protected Law on
2015 SB 2334 Medical Privacy Genetics
N.D. Cent. Code § 26.1-36-12.4 Confidentiality of medical information.

1. An insurance company, as defined in section 26.1-02-01, health maintenance organization, or any other entity providing a plan of health insurance subject to state insurance regulation may not deliver, issue, execute or renew a health insurance policy or health service contract unless confidentiality of medical information is assured pursuant to this section. An insurer shall adopt and maintain procedures to ensure that all identifiable information maintained by the insurer regarding the health, diagnosis, and treatment of persons covered under a policy or contract is adequately protected and remains confidential in compliance with all federal and state laws and regulations and professional ethical standards. Unless otherwise provided by law, any data or information pertaining to the health, diagnosis, or treatment of a person covered under a policy or contract, or a prospective insured, obtained by an insurer from that person or from a health care provider, regardless of whether the information is in the form of paper, is preserved on microfilm, or is stored in computer-retrievable form, is confidential and may not be disclosed to any person

Data Privacy Storage of Data

Ohio

Name of Article Purpose Type of Privacy Protected Law on
2018 SB 220 (Also known as Ohio Data Protection Act) (B) A covered entity's cybersecurity program shall be designed to do all of the following:

(1) Protect the security and confidentiality of personal information;

(2) Protect against any anticipated threats or hazards to the security or integrity of personal information;

(3) Protect against unauthorized access to and acquisition of personal information that is likely to result in a material risk of identity theft or other fraud to the individual to whom the information relates.

(C) The scale and scope of a covered entity's cybersecurity program under division (A) of this section shall be appropriate if it is based on all of the following factors:

(1) The size and complexity of the covered entity;

(2) The nature and scope of the activities of the covered entity;

(3) The sensitivity of the personal information to be protected;

(4) The cost and availability of tools to improve information security and reduce vulnerabilities;

(5) The resources available to the covered entity.

Data Privacy Breach Notification

Oklahoma

Name of Article Purpose Type of Privacy Protected Law on
Oklahoma 2013 HB 1384 This Oklahoma legislation states that genetic information cannot be collected from minors unless a court order has been issued, parental consent has been provided, or the minor is being tested for syphilis, sexually transmitted infections, or HIV.[4] Medical Privacy Minors
Oklahoma OS §25-2001 This Oklahoma legislation states that genetic information cannot be collected from minors unless a court order has been issued, parental consent has been provided, or the minor is being tested for syphilis, sexually transmitted infections, or HIV.[4] Medical Privacy Minors
Oklahoma 2013 HB 1384 Medical Privacy Genetics
OS §25-2001 Medical Privacy Genetics
OS §36-3614.3 Medical Privacy Genetics
40 Okla. Stat. § 173.2 [7] Digital Privacy Social Media
Oklahoma H.B. 1877 This Oklahoma legislation gives guidelines on employers' access to employees' online social media accounts, and it provides both exceptions and an effective date.[7] Employee Privacy; Digital Privacy Social Media

Oregon

Name of Article Purpose Type of Privacy Protected Law on
Or. Laws Ch. 680 (1995) This Oregon state legislation was passed in 1995 and stated that information belongs to the individual from whom it was collected.[2] Medical Privacy Biobanks
Or. Laws Ch. 780 (1997) This Oregon state legislation was passed in 1997 and stated that genetic information can be used if it is anonymized.[2] Medical Privacy Biobanks
Or. Laws Ch. 588 (2001) This Oregon state legislation was passed in 2001 and states that genetic information is not owned by the individuals from whom it was collected, that it should remain anonymized, and that it should be handled in accordance with privacy laws.[2] Medical Privacy Biobanks
Oregon 2007 SB 244 Medical Privacy Genetics
Oregon 2009 HB 2009 Medical Privacy Genetics
ORS §192.531 et seq. Medical Privacy Genetics
Oregon Rev. Stat. Ann. § 646A.622 This legislation has three important aspects: training employees, regularly testing security controls, and maintaining reasonable safeguards against hacks.[3] Digital Privacy Corporate data security
O.R.S. § 659A.330 Digital Privacy Social media privacy
O.R.S. §§ 350.272, 350.274 Digital Privacy Educational institutions
ORS § 646.607 It is illegal to publish information that is inconsistent with the behaviour of the user.[6] Digital Privacy Websites or online services
ORS § 646.607 This states that it is illegal for anybody to publish information that is purposefully incorrect.[6] Digital Privacy False and misleading statements posted online

Pennsylvania

Name of Article Purpose Type of Privacy Protected Law on
Pennsylvania 2019 HB 245 Medical Privacy Genetics
18 Pa. C.S.A § 4107(a)(10) Distribution of fraudulent information on the internet is illegal.[6] Digital Privacy False and misleading statements posted online

Rhode Island

Name of Article Purpose Type of Privacy Protected Law on
Rhode Island 2019 S234 [4] Medical Privacy Genetics
RIGL §§27-18-52 [4] Medical Privacy Genetics
RIGL §§27-18-52.1 [4] Medical Privacy Genetics
RIGL §§27-19-44 [4] Medical Privacy Genetics
RIGL §§27-19-44.1 [4] Medical Privacy Genetics
RIGL §§27-20-39 [4] Medical Privacy Genetics
RIGL §§27-20-39.1 [4] Medical Privacy Genetics
RIGL §§27-41-53 [4] Medical Privacy Genetics
RIGL §§27-41-53.1 [4] Medical Privacy Genetics
Rhode Island Gen. Laws Ann. § 11-49.3-2(a) The legislation states that the level of digital security program a company must maintain is relative to the size of the company.[3] Digital Privacy Corporate data security
R.I. Gen. Laws § 28-56-1 to -6 Digital Privacy Social media privacy
R.I. Gen. Laws § 16-103-1 to -6 Digital Privacy Educational institutions

South Carolina

Name of Article Purpose Type of Privacy Protected Law on
South Carolina 2010 SB 1224 Medical Privacy Genetics
SCCL §38-93 et seq. Medical Privacy Genetics
SCCL §§38-93-10 et seq. Medical Privacy Genetics

South Dakota

Name of Article Purpose Type of Privacy Protected Law on
SDCL §§34-14-21 et seq. Medical Privacy Genetics

Tennessee

Name of Article Purpose Type of Privacy Protected Law on
Tennessee 2018 HB 2690 Medical Privacy Genetics
Tennessee 2018 SB 2029 Medical Privacy Genetics
Tenn. Code §§ 50-1-1001 to -1004 Digital Privacy Social media privacy
TC §49-1-702 This Tennessee state legislation states that written parental consent must be obtained before any medical screening is performed on a minor.[4] Medical Privacy Genetic information of minors

Texas

Name of Article Purpose Type of Privacy Protected Law on
Texas 2017 HB 2891 Medical Privacy Genetics
TS (Civil Practice and Remedies) Code §74.052 Medical Privacy Genetics
TS (Insurance) Code §546.001 et seq. Medical Privacy Genetics
TS (Occupations) Code §58.001 et seq. Medical Privacy Genetics

Utah

Name of Article Purpose Type of Privacy Protected Law on
Utah 2016 HB 358 Medical Privacy Genetics
UC §26-45-101 et seq. Medical Privacy Genetics
UC §53A-1-1401 et seq. Medical Privacy Genetics
Utah Code Ann. § 13-44-201(1)(a) Digital Privacy Corporate Data Security
Utah Code § 34-48-201 et seq. [7] Digital Privacy Social Media
Utah Code § 53B-25-101 et seq. [7] Digital Privacy Educational Institutions
Utah Code §§ 13-37-201 to -203 Must notify consumers that their information is being shared for profit or marketing purposes.[6] Digital Privacy Disclosure or Sharing of Personal Information

Vermont

Name of Article Purpose Type of Privacy Protected Law on
VSA 18 §9331 et seq. Medical Privacy Genetics
21 V.S.A. § 495l [7] Digital Privacy Social Media
VA C § B-2018-01 This law regulates how private institutions handle consumer/customer information. Financial Privacy Regulation of Private Institutions

Virginia

Name of Article Purpose Type of Privacy Protected Law on
Va. Code Ann. §§ 32.1-162.16 to 32.1-162.20 This Virginia state legislation states that the Common Rule applies to all human subjects.[2] Medical Privacy Notifications and Treatment of Patients
Code of Va. §§ 38.2-508.4 Medical Privacy Genetics
Code of Va. §§38.2-613 Medical Privacy Genetics
Va. Code § 40.1-28.7:5 [7] Digital Privacy Social Media
Va. Code § 23.1-405 [7] Digital Privacy Educational Institutions
H.B. 2081 This law states that employers are prohibited from requiring employees to add an employer, supervisor, or administrator to their social media accounts, or to change their privacy settings.[7] Digital Privacy Social Media

Washington

Name of Article Purpose Type of Privacy Protected Law on
Washington 2017 HB 2213 Medical Privacy Genetics
RCW §70.02.010 et seq. Medical Privacy Genetics
RCW §§ 49.44.200 and 49.44.205 [7] Digital Privacy Social Media

West Virginia

Name of Article Purpose Type of Privacy Protected Law on
West Virginia 2016 HB 4261 Medical Privacy Genetics
West Virginia: WVC §18-2-5h Medical Privacy Genetics
W.V. Code § 21-5H-1 [7] Digital Privacy Social Media

Wisconsin

Name of Article Purpose Type of Privacy Protected Law on
Wis. Stat. § 995.55 [7] Digital Privacy Social Media
Wis. Stat. § 995.55 [7] Digital Privacy Educational Institutions

Wyoming

Name of Article Purpose Type of Privacy Protected Law on
Wyoming WSA §35-31-101 et seq. Medical Privacy Genetics

References

  1. Dilbert, Robert (2016). "United States CyberSecurity Enforcement: Leading Roles of the Federal Trade Commission and State Attorneys General". Kentucky Law Review. 43: 1–28. Via JSTOR.
  2. Harrell, Heather (2016). "Biobanking Research and Privacy Laws in the United States". The Journal of Law, Medicine & Ethics. 44: 106–127. doi:10.1177/1073110516644203.
  3. Kosseff, Jeff (2018). "Defining Cybersecurity Law". Iowa Law Review. 103(3): 985–1031. Retrieved March 1, 2019.
  4. "Policy and Legislation Database - Browse All Records". National Human Genome Research Institute (NHGRI). Retrieved 2019-03-21.
  5. "Alaska Personal Information Protection Act - Consumer Protection Laws". law.alaska.gov. Retrieved 2019-04-29.
  6. "State Laws Related to Internet Privacy". www.ncsl.org. Retrieved 2019-04-04.
  7. "State Social Media Privacy Laws". www.ncsl.org. Retrieved 2019-04-04.
  8. "Montana Privacy laws & HR compliance analysis". www.blr.com. Retrieved 2019-05-01.
  9. "North Carolina Data Privacy Regulations Overview". CSR Privacy Solutions. Retrieved 2019-05-01.