The Best & Worst States in America for Online Privacy (2024 Update)

There are no all-encompassing online privacy laws in the US, so each state has its own rules. While some have comprehensive protections in place, others allow sites to collect your data, share it, and use it to track what you’re doing online. 

In this article, we explore which states currently have the best and worst protection, what the US is doing at the federal and state levels to protect online privacy, and how you can protect your privacy in states with little cybersecurity legislation.

Our Ranking Criteria

Our research team examined various criteria to determine which states have the best and worst consumer protections in place at the moment, and are making the best progress toward improving consumer privacy. 

To create our rankings, we asked the following questions and tallied the results for each state:

General Strength of Privacy Laws

• Does the consumer have a right to access, delete, or modify personal data?
• Can consumers opt out of data collection and use?
• Are companies required to disclose data collection, source, and use information?
• Are ISPs required to protect online privacy under current legislation?

General Strength of Data Security Laws 

• What methods are used to create and enforce privacy policies?
• How do companies in each state safeguard consumer data?

Presence of Data Broker Laws

• Do laws exist that prevent the sale of certain forms of information?
• Do laws exist to monitor/regulate what type of information is collected?
• What, if any, rights do consumers have in regard to data brokers?

Laws in Place to Protect Children’s Privacy

• Are laws in place to protect children aged 0–9 while using the internet?
• Do parents/minors have the ability to remove data on request?

Strength of Companies’ Data Collection Policies

• Do employees have the right to delete personal data on request?
• Do employees have the right to opt out of third-party sharing?
• Are companies required to disclose what employee data they collect/store?

Laws that Infringe on Digital Privacy

•  Has the state implemented any laws that infringe on digital privacy?
•  Have state legislators been vocal in their support of further legislation that would harm citizens’ rights to online privacy?

PIA’s Ranking of the Best & Worst States for Digital Privacy

US States with Notable Improvements to Digital Privacy

Online Privacy Laws Across the US
Protection	Applies To	Adopted In
Access, delete, or change personal data already collected by businesses	Consumer	UT, CA, VA, NV
Opt out of the collection/use of personal data	Consumer	CO, UT, VA, CA
Request that business disclose what personal information they collect, the source, and how it’s used	Consumer	CA, UT, NV
Opt out of having personal data sold to third parties	Consumer	CO, NV, UT, VA
Require ISPs to keep certain information about subscribers private, unless the subscriber requests otherwise	Consumer	NV, MN
Require ISPs to get permission from subscribers before disclosing a subscriber’s surfing habits or sites visited	Consumer	NV, MN
Prohibits ISPs from using, disclosing, selling, or permitting access to subscriber personal information except on request of the subscriber	Consumer	ME
Prohibit site/online service operators from advertising certain products to minors based on information specific to the minor, or knowingly using, disclosing, or compiling a minor’s information or allowing third parties to do so	Children	DE, CA
Permit minors to remove, or request removal, of personal content or information from sites, services, and mobile apps	Children	CA
Require privacy policies to be publicly and noticeably displayed on websites	Consumer	CO, CA, CT, UT, VA
Require operators to disclose whether third parties are/may conduct tracking on the operator’s site/service	Consumer	DE, CA
Require operators to disclose how a site/service responds to “Do Not Track” signals/similar transmissions	Consumer	CA
Prohibit knowingly making false or misleading statements in privacy policies	Consumer	NE, PA
Require government sites and state portals to establish privacy policies or procedures or incorporate machine-readable privacy policies	Consumer	AZ, AR, CA, CO, DE, IA, IL, ME, MD, MN, MT, NY, SC, TX, UT, VA
Require employers to notify employees prior to monitoring electronic communications or internet access	Employees	CT, DE, NY
Require states and public entities to adopt policies in regard to monitoring public employee emails	Employees	CO, TN
(A) Prohibit employers from requiring employees to download a mobile app to their personal devices that allows their location to be tracked or personal information to be revealed. (B) Prohibit any form of retribution for refusing or opposing any practice forbidden as stated in part (A).	Employees	HI
Require private sector employers to provide written notice immediately on hiring any employee that makes them aware if they are subject to electronic, internet, or phone monitoring	Employees	NY
Require the state and any subdivision thereof that operates or maintains electronic mail communications systems to adopt a written policy on monitoring and when/why they conduct monitoring	Employees	CO, TN
Require employers to make a statement available that any form of electronic mail may be public record under the Public Record Law, and that makes it subject to public inspection	Employees	CO, TN
Protect the personal information of students in grades K–12	Children	NJ

States Most in Need of Privacy Law Improvements

Other Notable Online Privacy Laws
Summation	Adopted In
Have biometric data protection legislation in place	NY, IL, CA, TX, WA
Apply data disposal laws to government and business entities	AL, AK, HI, IL, MA, AZ, AR, KS, MD, MA, MI, NJ, OR, SC, WA
Apply data disposal laws to government entities only	VA, MN, TX
Apply data disposal laws to business entities only	CA, CO, CT, DE, FL, GA, IN, KY, LA, MT, NE, TN, VT, NV, NM, NY, NC, RI, UT, WI
Require consent from both parties when recording calls of any kind	CA, CT, FL, IL, MD, MA, MT, NH, PA, WA
Have laws/legislation surrounding the use of artificial intelligence (AI)	AL, CO, IL, MS, NYC

States with Cybersecurity Task Forces

As a response to the increase in cybercrime, some states have developed special task forces to deal with cyber threats. Currently, 30 states have a task force or similar enforcement group in place. Only 8 states took the initiative to create legislation and develop their task forces on their own; the rest were issued by executive order.

US States with Specialized Cybercrime Task Forces
★ Arizona ★ Arkansas ★ California ★ Colorado ★ Connecticut ★ Delaware ★ Florida ★ Georgia ★ Idaho ★ Illinois	★ Indiana ★ Iowa ★ Kansas ★ Louisiana ★ Maine ★ Maryland ★ Minnesota ★ Mississippi ★ Missouri ★ Montana	★ New Hampshire ★ New York ★ North Carolina ★ North Dakota ★ Oregon ★ Rhode Island ★ Texas ★ Utah ★ Vermont ★ Virginia

Federal Digital Privacy and Security Laws

Currently, federal (nationwide) laws on digital privacy and security are well meaning but ambiguous. Each tends to isolate one sector, issue, age group, or industry instead of providing a stable solution for all consumers and companies. I’ll show you what I mean – here are a few of the major federal online privacy laws

HIPAA’s Security Rule

The Health Insurance Portability and Accountability Act (HIPAA) created a national standard for the security of electronic protected health information (e-PHI), electronic exchange, and privacy of e-PHI. 

It applies to any care provider sending health information electronically in connection with transactions. Ultimately, HIPAA is a branch of the Privacy Rule, and covers all of the personally identifiable health information (PHI) related to patients.

Federal Trade Commission (FTC) Fair Information Practices

The FTC has enacted several fair information practices to protect your online privacy. Most relate to sites being transparent about what information they request, how it’s used, and why they require the information. Site operators must provide a notice of the site’s privacy practices, including if:

• Consumers can access, correct, and delete personal information
• Consumers have a say in how the site uses the information it collects
• Parents have control over the collection and use of information gathered from children
• The site safeguards any collected information, and how

Sites must also have enforcement mechanisms to prove they’re following fair information practices.

Electronic Communication Protections Act (ECPA)

Adopted in 1986, the ECPA originally protected telephone communications. The amended ECPA now protects electronic communications during creation, transit, and storage. It defines electronic communications as email, telephone calls, and electronically stored data.

The ECPA also contains an amendment called the Stored Communications Act (SCA) which protects all subscriber records kept by service providers, including names, billing information/records, and IP addresses.

American Data Privacy and Protection Act (ADPPA)

A federal bill known as the American Data Privacy and Protection Act (ADPPA) is making its way through Congress. The proposed ADPPA and its legislative path are the closest US Congress has ever been to passing comprehensive federal privacy legislation. 

The bill “establishes requirements for how companies, including nonprofits and common carriers, handle personal data, which includes information that identifies or is reasonably linkable to an individual.”  The bipartisan, bicameral bill was the first US consumer privacy bill to pass committee markup, which it did with near unanimity.

FD&C Act, Section 524B

The FD&C Act was amended in 2023 to include Section 524B Ensuring Cybersecurity of Devices. Manufacturers (sponsors) developing medical devices must submit plans for addressing, identifying, and monitoring potential cybersecurity threats with their development plans. 

It was amended after increasing concern from the federal government over the massive amounts of PII and ePHI transmitted by cyber medical devices (CMDs). The law requires manufacturers to make updates and patches available to cyber devices, as well as all related software and connected systems, to better prevent cyberattacks.

This includes addressing (a) unacceptable vulnerabilities in a timely manner or justified regular cycle, and (b) critical vulnerabilities that pose unnecessary risks as soon as possible.

Children’s Online Privacy Protection Act (COPPA)

Under COPPA, sites are required to verify parental or legal guardian consent if they intend to collect or use a minor’s personal information. Other notable online privacy protections in COPPA include:

• Information on when and how verifiable consent must be acquired from a parent/legal guardian
• The responsibilities, if any, that the site’s operator holds in regard to the online safety and privacy of the child
• Limits on how much data it’s acceptable to collect about children under 13
• Requirements for site operators to post the privacy policy on any page data is collected

Federal vs State Laws

As a general rule, federal laws take precedence over state laws in the US. The Supremacy Clause states that when there’s conflict, federal law will override state law. Unfortunately, this isn’t an absolute rule, so loopholes exist for both branches. 

States have the right to refute any federal law they can prove goes against the United States Constitution. The same precedent doesn’t apply to federal laws that a state believes go against its Constitution. Individual states also have the right to include or modify requirements.

On the other hand, the federal government can sue states on behalf of the national government. An example of these loopholes in action is California’s fight to keep its Internet Consumer Protection and Net Neutrality Act in place.

In September of 2018, the Justice Department sued the State of California to prevent its new net neutrality bill, despite the fact it had already been signed by Governor Jerry Brown. Then-Attorney General Jeff Sessions felt strongly that states didn’t have the right to regulate interstate commerce, and that it should be the job of the federal government to do so. 

The Attorney General believed the legislature was enacted illegally after the FCC abolished net neutrality protections nationwide. Ultimately, a lower court ruled that California could keep its net neutrality law in place and a federal appeals court upheld this ruling in January 2022.

Enter the American Data Privacy and Protection Act

On June 3rd, 2022, the House and Senate released the American Data Privacy and Protection Act (ADPPA), which could supersede California’s law, according to Omer Tene, attorney and speaker on data, privacy, and cybersecurity.

The biggest development these days is the three-corner US federal privacy bill introduced in the House. If it passes, it will be a watershed event with implications greater than those of GDPR and CCPA. The bill introduces new concepts such as algorithm impact assessments, dark patterns, and senior officer responsibility. It would greatly tighten regulation over data brokers and ad tech companies in the US. It would wipe out state privacy laws such as California’s, Virginia’s, and Colorado’s, and provide individuals with a robust private right of action.

While the online privacy bill has yet to pass, it will limit data collection, processing, and transfer to what is absolutely necessary to provide and maintain products or services requested by consumers. 

The ADPPA will also prohibit activities including the collection, processing, and transfer of social security numbers, biometric information, genetic information, and non-consensual sexual imagery. The transfer of geolocation information, passwords, browsing history, and even physical activity from smartphones and wearable devices will also be restricted. 

The ADPPA is a bit murky when it comes to cohesive legislation for the policies and procedures around data collection, processing, and transfer, though. It calls for companies to consider reducing privacy risks to minors, and provides allowances dependent upon a company’s size, the volume of data handled, and other criteria. Unfortunately, the words “reasonable,” “necessary,” and “consider” appear frequently, and they all leave room for interpretation. What’s reasonable for one is excessive for another, consideration doesn’t mean compliance, and necessary is in the eye of the data broker. While it may be imperfect legislation, it will offer far more protection than what was previously available on a federal level.

Use PIA to Protect Your Digital Privacy in the US

Online privacy laws in the US are evolving, but not nearly fast enough to keep up with the ever-increasing threat of cybercrime. As citizens, we need to stay vigilant and take steps to protect our online privacy until the laws catch up with the times.

A VPN like Private Internet Access is a great way to protect your data. We provide military-grade encryption and tough security protocols to protect your data as it travels between your device and our servers. You also get MACE, an all-in-one ad, malware, and tracker blocker that stops threats at the DNS level before they reach your device. 

Check out the latest on our 50 Servers in 50 States campaign to see how you can get a secure IP address no matter where you are in the US. You can use these servers to connect to a location without age verification laws or other invasive pieces of legislation. That way, you can protect your digital privacy while the US develops better cybersecurity policies at the state and federal levels.

FAQ