The Best & Worst States in America for Online Privacy (2024 Update)
There are no all-encompassing online privacy laws in the US, so each state has its own rules. While some have comprehensive protections in place, others allow sites to collect your data, share it, and use it to track what you’re doing online.
In this article, we explore which states currently have the best and worst protection, what the US is doing at the federal and state levels to protect online privacy, and how you can protect your privacy in states with little cybersecurity legislation.
Our Ranking Criteria
Our research team examined various criteria to determine which states have the best and worst consumer protections in place at the moment, and are making the best progress toward improving consumer privacy.
To create our rankings, we asked the following questions and tallied the results for each state:
General Strength of Privacy Laws
- Does the consumer have a right to access, delete, or modify personal data?
- Can consumers opt out of data collection and use?
- Are companies required to disclose data collection, source, and use information?
- Are ISPs required to protect online privacy under current legislation?
General Strength of Data Security Laws
- What methods are used to create and enforce privacy policies?
- How do companies in each state safeguard consumer data?
Presence of Data Broker Laws
- Do laws exist that prevent the sale of certain forms of information?
- Do laws exist to monitor/regulate what type of information is collected?
- What, if any, rights do consumers have in regard to data brokers?
Laws in Place to Protect Children’s Privacy
- Are laws in place to protect children aged 0–9 while using the internet?
- Do parents/minors have the ability to remove data on request?
Strength of Companies’ Data Collection Policies
- Do employees have the right to delete personal data on request?
- Do employees have the right to opt out of third-party sharing?
- Are companies required to disclose what employee data they collect/store?
Laws that Infringe on Digital Privacy
- Has the state implemented any laws that infringe on digital privacy?
- Have state legislators been vocal in their support of further legislation that would harm citizens’ rights to online privacy?
PIA’s Ranking of the Best & Worst States for Digital Privacy
US States with Notable Improvements to Digital Privacy
Online Privacy Laws Across the US
| Protection | Applies To | Adopted In |
|---|---|---|
Access, delete, or change personal data already collected by businesses | Consumer | UT, CA, VA, NV |
Opt out of the collection/use of personal data | Consumer | CO, UT, VA, CA |
Request that business disclose what personal information they collect, the source, and how it’s used | Consumer | CA, UT, NV |
Opt out of having personal data sold to third parties | Consumer | CO, NV, UT, VA |
Require ISPs to keep certain information about subscribers private, unless the subscriber requests otherwise | Consumer | NV, MN |
Require ISPs to get permission from subscribers before disclosing a subscriber’s surfing habits or sites visited | Consumer | NV, MN |
Prohibits ISPs from using, disclosing, selling, or permitting access to subscriber personal information except on request of the subscriber | Consumer | ME |
Prohibit site/online service operators from advertising certain products to minors based on information specific to the minor, or knowingly using, disclosing, or compiling a minor’s information or allowing third parties to do so | Children | DE, CA |
Permit minors to remove, or request removal, of personal content or information from sites, services, and mobile apps | Children | CA |
Require privacy policies to be publicly and noticeably displayed on websites | Consumer | CO, CA, CT, UT, VA |
Require operators to disclose whether third parties are/may conduct tracking on the operator’s site/service | Consumer | DE, CA |
Require operators to disclose how a site/service responds to “Do Not Track” signals/similar transmissions | Consumer | CA |
Prohibit knowingly making false or misleading statements in privacy policies | Consumer | NE, PA |
Require government sites and state portals to establish privacy policies or procedures or incorporate machine-readable privacy policies | Consumer | AZ, AR, CA, CO, DE, IA, IL, ME, MD, MN, MT, NY, SC, TX, UT, VA |
Require employers to notify employees prior to monitoring electronic communications or internet access | Employees | CT, DE, NY |
Require states and public entities to adopt policies in regard to monitoring public employee emails | Employees | CO, TN |
(A) Prohibit employers from requiring employees to download a mobile app to their personal devices that allows their location to be tracked or personal information to be revealed. (B) Prohibit any form of retribution for refusing or opposing any practice forbidden as stated in part (A). | Employees | HI |
Require private sector employers to provide written notice immediately on hiring any employee that makes them aware if they are subject to electronic, internet, or phone monitoring | Employees | NY |
Require the state and any subdivision thereof that operates or maintains electronic mail communications systems to adopt a written policy on monitoring and when/why they conduct monitoring | Employees | CO, TN |
Require employers to make a statement available that any form of electronic mail may be public record under the Public Record Law, and that makes it subject to public inspection | Employees | CO, TN |
Protect the personal information of students in grades K–12 | Children | NJ |
States Most in Need of Privacy Law Improvements
Other Notable Online Privacy Laws
| Summation | Adopted In |
|---|---|
| Have biometric data protection legislation in place | NY, IL, CA, TX, WA |
| Apply data disposal laws to government and business entities | AL, AK, HI, IL, MA, AZ, AR, KS, MD, MI, NJ, OR, SC, WA |
| Apply data disposal laws to government entities only | VA, MN, TX |
| Apply data disposal laws to business entities only | CA, CO, CT, DE, FL, GA, IN, KY, LA, MT, NE, TN, VT, NV, NM, NY, NC, RI, UT, WI |
| Require consent from both parties when recording calls of any kind | CA, CT, FL, IL, MD, MA, MT, NH, PA, WA |
| Have laws/legislation surrounding the use of artificial intelligence (AI) | AL, CO, IL, MS, NYC |
States with Cybersecurity Task Forces
As a response to the increase in cybercrime, some states have developed special task forces to deal with cyber threats. Currently, 30 states have a task force or similar enforcement group in place. Only 8 states took the initiative to create legislation and develop their task forces on their own; the rest were issued by executive order.
| US States with Specialized Cybercrime Task Forces | | |
|---|---|---|
| Arizona | Indiana | New Hampshire |
| Arkansas | Iowa | New York |
| California | Kansas | North Carolina |
| Colorado | Louisiana | North Dakota |
| Connecticut | Maine | Oregon |
| Delaware | Maryland | Rhode Island |
| Florida | Minnesota | Texas |
| Georgia | Mississippi | Utah |
| Idaho | Missouri | Vermont |
| Illinois | Montana | Virginia |
Federal Digital Privacy and Security Laws
Currently, federal (nationwide) laws on digital privacy and security are well-meaning but ambiguous. Each tends to isolate one sector, issue, age group, or industry instead of providing a stable solution for all consumers and companies. Here are a few of the major federal online privacy laws, and where each falls short:
HIPAA’s Security Rule
The Health Insurance Portability and Accountability Act (HIPAA) created a national standard for the security of electronic protected health information (e-PHI), electronic exchange, and privacy of e-PHI.
It applies to any care provider sending health information electronically in connection with transactions. Ultimately, HIPAA is a branch of the Privacy Rule, and covers all of the personally identifiable health information (PHI) related to patients.
Con: HIPAA covers only e-PHI.
Federal Trade Commission (FTC) Fair Information Practices
The FTC has enacted several fair information practices to protect your online privacy. Most relate to sites being transparent about what information they request, how it’s used, and why they require the information. Site operators must provide a notice of the site’s privacy practices, including if:
- Consumers can access, correct, and delete personal information
- Consumers have a say in how the site uses the information it collects
- Parents have control over the collection and use of information gathered from children
- The site safeguards any collected information, and how
Sites must also have enforcement mechanisms to prove they’re following fair information practices.
Con: While sites must let you know if you have a say in how they use the information collected, FTC practices don’t prevent sites from sharing or selling your data to third parties. The site only needs to tell you if it does, if you have any control over it, and if it has security in place for collected information.
Electronic Communications Privacy Act (ECPA)
Adopted in 1986, the ECPA originally protected telephone communications. The amended ECPA now protects electronic communications during creation, transit, and storage. It defines electronic communications as email, telephone calls, and electronically stored data.
The ECPA also contains an amendment called the Stored Communications Act (SCA) which protects all subscriber records kept by service providers, including names, billing information/records, and IP addresses.
Con: While the ECPA covers email and electronically stored data, it’s unclear whether VoIP communications are protected.
American Data Privacy and Protection Act (ADPPA)
A federal bill known as the American Data Privacy and Protection Act (ADPPA) is making its way through Congress. The proposed ADPPA and its legislative path are the closest the US Congress has ever come to passing comprehensive federal privacy legislation.
The bill “establishes requirements for how companies, including nonprofits and common carriers, handle personal data, which includes information that identifies or is reasonably linkable to an individual.” The bipartisan, bicameral bill was the first US consumer privacy bill to pass committee markup, which it did with near unanimity.
Con: The law is currently only strict on how new personal data can be used, and offers minimal restrictions on pre-existing data.
FD&C Act, Section 524B
The FD&C Act was amended in 2023 to include Section 524B, Ensuring Cybersecurity of Devices. Manufacturers (sponsors) developing medical devices must submit plans for identifying, addressing, and monitoring potential cybersecurity threats along with their development plans.
It was amended after increasing concern from the federal government over the massive amounts of PII and ePHI transmitted by cyber medical devices (CMDs). The law requires manufacturers to make updates and patches available to cyber devices, as well as all related software and connected systems, to better prevent cyberattacks.
This includes addressing (a) unacceptable vulnerabilities in a timely manner or on a justified regular cycle, and (b) critical vulnerabilities that pose unnecessary risks as soon as possible.
Con: It doesn’t address legacy CMDs as diligently as new technologies.
Children’s Online Privacy Protection Act (COPPA)
Under COPPA, sites are required to verify parental or legal guardian consent if they intend to collect or use a minor’s personal information. Other notable online privacy protections in COPPA include:
- Information on when and how verifiable consent must be acquired from a parent/legal guardian
- The responsibilities, if any, that the site’s operator holds in regard to the online safety and privacy of the child
- Limits on how much data it’s acceptable to collect about children under 13
- Requirements for site operators to post the privacy policy on any page data is collected
Con: COPPA doesn’t provide a definitive set of rules for how verifiable parental/legal guardian consent must be collected, though the FTC does provide some guidelines and suggestions.
Federal vs State Laws
As a general rule, federal laws take precedence over state laws in the US. The Supremacy Clause states that when there’s a conflict, federal law will override state law. Unfortunately, this isn’t an absolute rule, so loopholes exist at both the federal and the state level.
States have the right to challenge any federal law they can prove goes against the United States Constitution. The same precedent doesn’t apply to federal laws that a state believes go against its own constitution. Individual states also have the right to add or modify requirements.
On the other hand, the federal government can sue states to block state legislation. An example of these loopholes in action is California’s fight to keep its Internet Consumer Protection and Net Neutrality Act in place.
In September of 2018, the Justice Department sued the State of California to prevent its new net neutrality bill, despite the fact it had already been signed by Governor Jerry Brown. Then-Attorney General Jeff Sessions felt strongly that states didn’t have the right to regulate interstate commerce, and that it should be the job of the federal government to do so.
The Attorney General believed the legislation was enacted illegally after the FCC abolished net neutrality protections nationwide. Ultimately, a lower court ruled that California could keep its net neutrality law in place, and a federal appeals court upheld this ruling in January 2022.
Enter the American Data Privacy and Protection Act
On June 3rd, 2022, the House and Senate released the American Data Privacy and Protection Act (ADPPA), which could supersede California’s law, according to Omer Tene, attorney and speaker on data, privacy, and cybersecurity.
The biggest development these days is the three-corner US federal privacy bill introduced in the House. If it passes, it will be a watershed event with implications greater than those of GDPR and CCPA. The bill introduces new concepts such as algorithm impact assessments, dark patterns, and senior officer responsibility. It would greatly tighten regulation over data brokers and ad tech companies in the US. It would wipe out state privacy laws such as California’s, Virginia’s, and Colorado’s, and provide individuals with a robust private right of action.
The online privacy bill has yet to pass, but if it does, it will limit data collection, processing, and transfer to what is absolutely necessary to provide and maintain the products or services requested by consumers.
The ADPPA will also prohibit activities including the collection, processing, and transfer of social security numbers, biometric information, genetic information, and non-consensual sexual imagery. The transfer of geolocation information, passwords, browsing history, and even physical activity from smartphones and wearable devices will also be restricted.
The ADPPA is a bit murky when it comes to cohesive legislation for the policies and procedures around data collection, processing, and transfer, though. It calls for companies to consider reducing privacy risks to minors, and provides allowances dependent upon a company’s size, the volume of data handled, and other criteria. Unfortunately, the words “reasonable,” “necessary,” and “consider” appear frequently, and they all leave room for interpretation. What’s reasonable for one is excessive for another, consideration doesn’t mean compliance, and necessary is in the eye of the data broker. While it may be imperfect legislation, it will offer far more protection than what was previously available on a federal level.
Use PIA to Protect Your Digital Privacy in the US
Online privacy laws in the US are evolving, but not nearly fast enough to keep up with the ever-increasing threat of cybercrime. As citizens, we need to stay vigilant and take steps to protect our online privacy until the laws catch up with the times.
A VPN like Private Internet Access is a great way to protect your data. We provide military-grade encryption and tough security protocols to protect your data as it travels between your device and our servers. You also get MACE, an all-in-one ad, malware, and tracker blocker that stops threats at the DNS level before they reach your device.
Check out the latest on our 50 Servers in 50 States campaign to see how you can get a secure IP address no matter where you are in the US. You can use these servers to connect to a location without age verification laws or other invasive pieces of legislation. That way, you can protect your digital privacy while the US develops better cybersecurity policies at the state and federal levels.
FAQ
Data privacy refers to your ability to control how your personal information is collected, stored, shared, and used. While many US states have laws in place to protect people’s online privacy, no national standard exists.
Absolutely. Imagine people were allowed to follow you around tracking your day-to-day activities without you being able to do anything about it. No one would tolerate that in real life, so why accept it in the virtual world?
Unfortunately, restraining orders don’t exist for online trackers, malicious software, or shady data brokers, so defending your right to online privacy and security is crucial. PIA provides the strong security you need to keep your online activity and data private.
Data security focuses on how your data is protected in transit and ensures only authorized parties can access it. Data privacy focuses on the responsible collection, storage, and use of your information, such as your right to delete or modify collected data.
Basically, data security aims to protect your data from external threats while data privacy is focused on protecting your identity.
There are data privacy laws at both the federal and state levels in the US, but individual state laws vary greatly from one state to the next. No federal or state law provides a singular set of regulations for data privacy.
A new federal bill, the ADPPA, was proposed in June of 2022 and offers stronger federal privacy protections. Until it passes, and even afterward, your best bet is to safeguard your personal information using a VPN. That way, you’ll take back control of your personal information regardless of where you are in the US.