Every state in the U.S. has the ability to pass its own laws in areas not reserved for the federal government, and many are taking initiative to better protect individuals’ human rights in the digital age.
State-level protections can give us much-needed human rights safeguards, change the existing legal landscape, or even stir legislative movement at the federal level. For example, in the absence of a comprehensive federal privacy law in the U.S., state and local governments are now offering important legal protections against harmful data practices that jeopardize our rights on a daily basis. State lawmakers are addressing issues that require urgent legislative attention, such as government surveillance and cybersecurity. In 2019, Access Now will increase our focus on supporting strong, user-centric human rights protections in state and local laws and policies across the U.S.
State laws are changing the privacy landscape
As countries and regions around the world continue to move toward the adoption and implementation of data protection laws, the U.S. remains without vital and necessary protections at the federal level. The partisan deadlock in Congress has long prevented real progress. In addition, tech companies have successfully lobbied against a comprehensive federal regime for many years, favoring an approach based on “self regulation.” This approach has led to the systematic and unrelenting abuse of users’ trust, as our personal information is increasingly exposed, mishandled, and leveraged by malicious actors for manipulation, as underscored by the Cambridge Analytica scandal. There are few alternatives to existing services and limited avenues or opportunities for redress of harm done. Further, although sector-specific patches of protection exist — such as for health and financial information — these are wholly inadequate to protect us from the ongoing exploitation and abuse of the full range of personally revealing information that remain vulnerable in the digital era.
Unsurprisingly, individual states have taken it upon themselves to protect their residents, stepping up to the plate when Congress has failed to act. For example, states have responded to the lack of a federal data breach notification law by enacting their own laws; by 2018, all 50 states had implemented a data breach notification law, making it so that people in every state can at minimum get information that is useful for mitigating the impact of a devastating data breach.
In addition to picking up the slack when Congress falters, states have also nimbly responded to the gaps in privacy protections created by rapid changes in technology. For example, California enacted its own version of the federal Electronic Communications Privacy Act (ECPA), dubbed “CalECPA,” to address the gap between the unacceptable privacy harms created by current industry-standard data collection practices and the outdated laws that cannot protect people against those harms.
Access Now recognizes and welcomes this state leadership, and we are committing to track and support positive developments. Below are key areas where states and local governments are stepping in to protect our privacy and personal information in the digital age.
California protects your data from abuse and manipulation
The California Consumer Privacy Act (CCPA), which will take effect in 2020, is a benchmark state data privacy law that gives people in the U.S. the capacity to opt-out of a company’s sale of their personal information (§ 1798.120) and to ask to have their personal information deleted (with exceptions) (§ 1798.105). The passage of CCPA is widely seen as one of the primary reasons U.S. tech companies have switched gears to advocate for a single federal privacy law, but many corporations appear to want a law that would specifically preempt state-level protections like those in the CCPA. Another notable state protection is Vermont’s “data broker” law, which was passed in 2018. The law requires data brokers — those who profit from gathering and selling our data — to register with the state (§ 2446(a)) and prohibits them from acquiring our personal information in a fraudulent way (§ 2433(a)(1)).
In addition to pursuing laws similar to California’s, many states are also considering laws that would apply new rules to internet service providers, such as Comcast and Charter, who have privileged access to our personal data and have been caught tracking people for profit. These laws would prohibit these companies from disclosing your personal information to third parties, whether the sale is governments or bounty hunters. Some states, such as New York, have introduced bills that would require companies to adopt technical and administrative safeguards to keep your personal information secure. Unfortunately, not all bills give you the power to take the companies that violate your privacy and do you harm to court. Without a proper enforcement mechanism, your legal “protection” on paper may not help you very much in real life.
Illinois safeguards your biometric data
The Illinois Biometric Information Privacy Act (BIPA), passed in 2008, offers one of the strongest state-level protections for biometric information — information about your immutable characteristics, such as your face, fingerprints, voice, or even your walking pattern. The act does not allow companies to collect or purchase your biometric information without your permission (§ 14/15(b)(3)), nor can a company profit from your biometric information (§ 14/15(c)). Most importantly, the law ensures that the restrictions in place are actually meaningful. In other words, it lets you take violators to court (§ 14/20). A company has recently challenged the legitimacy of this power, and we await the answer from the highest court in Illinois.
BIPA has served as a model for other states, such as Alaska and New York, to pursue their own versions. While most bills require companies to obtain your consent before collecting your biometric information, not all bills give you the power to take those who break the law by collecting your biometric data to court.
Seattle, Oakland, Berkeley, and New York City are wary of police surveillance
Many civil society organizations have been campaigning since 2016 to encourage local governments to adopt “Community Control Over Police Surveillance” (CCOPS) laws that enable community oversight on the acquisition of new surveillance technologies by local police. Seattle and several cities in California such as Oakland and Berkeley have already passed such ordinances. New York City and California have previously introduced similar CCOPS laws.
States across the nation seek to tighten cybersecurity
Many of the current state-level cybersecurity laws require state agencies to assess cybersecurity risks, undergo testing, and report on the findings. Some states, such as New York, Colorado, and Vermont, have laws requiring financial services companies to take steps to protect our confidential information. Washington, Hawaii, and Rhode Island have previously introduced bills seeking to improve state cybersecurity practices, such as by establishing an agency dedicated to cybersecurity issues. California recently passed a law that requires manufacturers of “Internet of Things” devices — such as smart watches, speakers, refrigerators — to equip our devices with reasonable security features.
Supporting leadership on digital rights in the states
While tech companies and U.S. lawmakers appear to be warming to the idea of a single federal privacy regime, our goal remains to ensure that by whatever means, people’s rights are protected. In the U.S., much of the innovation and leadership on privacy regulation is happening at the state and local level. It is imperative that we not only continue to allow states the space to act by opposing any federal preemption, but also take action to encourage and support state-level endeavors.
For this reason, Access Now aims to engage more deeply at the state level, including by providing expertise and advice on the importance of adhering to internationally recognized principles for human rights, and by highlighting the impact of rapidly developing technologies on the most vulnerable populations in the U.S. We recognize the role that states are playing in protecting privacy and other human rights, and we hope to better support those endeavors.