2017 State Policy Review: Privacy

Technology and the rise of social media have pushed privacy concerns into the spotlight for policymakers. States have grappled with how to protect consumers' personal information and prevent it from falling into nefarious hands. Recent high-profile hacks at Uber, Verizon, and Equifax have led to greater scrutiny of how organizations protect customer data.

This is the third in a series of posts reviewing the top state issues of 2017 and previewing what's ahead in 2018. Earlier posts covered state budget issues and transportation and infrastructure.

More Security Breach Notification Laws

Although Congress introduced some bills this year to address personal data notification and protection, notification laws regarding security breaches have been left largely to the states. Many states already have laws on the books addressing security breaches, yet many additional bills were introduced this year to refine them further. Some states expanded the scope of what type of information is covered under security breach laws — including information like biometric data — to keep up with the changing technology. Another emerging trend is requiring companies that experience a breach to notify not just the consumer, but also the state agency charged with regulating the industry, or the state attorney general. Security breach bills have also extended the laws to educational institutions to protect students' personal information. Overall, six states and Washington, D.C., enacted eight bills addressing security breaches in 2017. Read More...

Regulating Data from Internet Providers Shifts to States

In April, the Trump Administration repealed Obama-era rules that required broadband providers to obtain consent from consumers before using geolocation, financial information, health information, children’s information, and web browsing history for advertising and marketing purposes. Proponents of the repeal argued that the previous rules required more regulation on Internet providers than on websites, which face no such consent requirement. However, rather than end the controversy, the battle shifted to the state level. A number of states introduced measures this year that would require broadband providers to obtain consent before selling consumer data. Some lawmakers have argued that the absence of federal policy gives states latitude to enact their own policies, though others question whether states are overreaching. Ultimately, leaving the matter in state hands could lead to a confusing patchwork of requirements for Internet providers. In 2017, lawmakers in 22 states introduced 50 bills on this issue with legislation in Nevada and Montana enacted this year. Read More...

What to Expect in 2018

States will continue to consider measures aimed at protecting consumers from security breaches. Many have already filed bills for next year that would waive fees for credit security freezes in the wake of a breach. Federal policy will also continue to drive state policy on these issues, and the recent FCC decision to repeal net neutrality rules has prompted many state lawmakers to file legislation to prevent Internet providers from blocking or throttling content or allowing paid prioritization for certain content. Emerging technology continues to prompt new legislation, and popular microphone-enabled electronic devices like Amazon's Echo or Google's Home have raised concerns about what data is being collected from these devices in people's homes, which has already led to some states filing legislation.