State_privacy_laws_of_the_United_States
Privacy laws vary from state to state within the United States of America. Several states have recently passed new legislation that adapt to changes in cyber security laws, medical privacy laws, and other privacy related laws. State laws are typically extensions of existing United States federal laws, expanding them or changing the implementation of the law.
Historically, state laws on privacy date back before the founding of the United States and most authorities left protection of personal information to the individual. However, after the creation of a national economy as a result of the Civil War, governmental agencies were created to recommend stronger privacy protections. This led to the creation of de facto privacy commissioners, such as the Federal Trade Commission (FTC) and the State Attorney General.[1]
The FTC was created in 1914 to protect individuals from harmful trade practices, and in 1995 the FTC began to study and analyze privacy issues in electronic commerce and began to place and enforce regulations.[1]
Most state legislation on privacy are expansions of federal laws.
The Uniform Law Commission has proposed a model bill – the Uniform Personal Data Protection Act (“UPDPA”), which “provides a reasonable level of consumer protection without incurring the compliance and regulatory costs associated with some existing state regimes.”[2]
There are several different types of privacy legislation currently in place. State laws vary between these niche privacy spheres. Each type of legislation tries to protect a certain area of privacy. Types of legislation include:
- Medical Privacy
- Data Privacy
- Financial Privacy
Medical privacy
Laws on biobanks
One major aspect of medical privacy is laws placed on biobanks. A biobank is a collection source that stores and manages human specimens. Major federal laws that apply to biobanks are regulations by the Food and Drug Administration and Common Rule. The Common Rule is a guideline for in the United States on research involving human subjects. Other major federals laws that govern biobanks include: The Privacy Act of 1974, Health Insurance Portability and Accountability Act (HIPAA), Genetic Information Nondiscrimination Act (GINA), Health Information Technology for Economic and Clinical Health (HITECH) Act, and Newborn Screening Saves Lives Reauthorization Act of 2014.
State legislation on privacy tends to follow the same patterns and orders as federal laws in these matters. But in some cases state laws can be more detailed and stringent, while being in ordinance to the federal laws in place.[3] With focus to biobanks, state laws can restrict a laboratory's ability to reject a customer and can regulate what happened with data after a test.[3] Certain states have privacy laws that deal with genetic-specific information. Genetic-specific information relates to information what information like DNA that can be used to find details about individuals. Information that can be collected includes race and gender.[3] State can place legislation that let individuals have control over the tests conducted on their genes and regulate how long data is stored in biobanks. State laws can also control who has control, the individual from whom they were collected or the pharmaceutical companies.
Digital privacy laws
Corporate data security laws
An important aspect of digital privacy laws is cyber security, which encompasses corporate data security. At the national level, the Federal Trade Commission (FTC) is in charge of data security regulation.[4] With relation to cyber security, the FTC makes sure that companies have security application in place and that companies are not misrepresenting their level of digital security. Several aspects of the FTC regulations are outdated and are loosely connected to data security though section 5. Section 5 of the FTC fines companies for having substandard security measures, neglecting the security of consumer data, and failing to train employees on data security.[4] Additional federal laws on this topic include: the Cybersecurity Act of 2015, the Electronics Communications Privacy Act, Computer Fraud and Abuse Act and the Economic Espionage Act.[4]
Financial privacy laws
Financial Privacy laws regulate how companies, specifically those with a focus in finance, handle financial consumer information. Federal laws that regulate this include, Gramm-Leach-Bliley Act, Fair Credit Reporting Act, Fair and Accurate Credit Transactions Act, Credit and Debit Card Receipt Clarification Act, Bank Secrecy Act, Fair Debt Collection Practices Act, Electronic Funds Transfer Act, and the Dodd-Frank Wall Street Reform and Consumer Protection Act. All of these acts make changes at the national level.
Alabama
| Name of Article | Purpose | Type of Privacy Protected | Law on |
|---|---|---|---|
| Ala. Admin. Code r. 420-5-7-.05 | (4) Privacy and safety.
(a) The patient has the right to personal privacy. (b) The patient has the right to receive care in a safe setting. (c) The patient has the right to be free from all forms of abuse or harassment. (5) Confidentiality of Patient Records. (a) The patient has the right to the confidentiality of his or her clinical records. (b) The patient has the right to access information contained in his or her clinical records within a reasonable time frame. The hospital shall not frustrate the legitimate efforts of individuals to gain access to their own medical records and shall |
Medical Privacy | Confidentiality of information |
| Ala. Admin. Code r. 420-5-7-.13 | (3) Form and retention of record. The hospital shall maintain a medical record for each inpatient and outpatient. Medical records shall be accurately written, promptly completed, properly filed and retained, and accessible. The hospital shall use a system of author identification and record maintenance that ensures the integrity of the authentication and protects the security of all record entries.
(c) The hospital shall have a procedure for ensuring the confidentiality of patient records. Information from or copies of records may be released only to authorized individuals, and the hospital shall ensure that unauthorized individuals cannot gain access to or alter patient records. Original medical records shall be released by the hospital only in accordance with federal or state laws, court orders, or subpoenas. (4) Content of record. The medical record shall contain information to justify admission and continued hospitalization, support the diagnosis, and describe the patient's progress and response to medications and services. |
Medical Privacy | Medical record services |
| Ala. Admin. Code r. 545-X-4-.08 | (1) Physicians should maintain legible well documented records reflecting the history, findings, diagnosis and course of treatment in the care of a patient. Medical records should be maintained by the treating physician for such period as may be necessary to treat the patient and for such additional time as may be required for medical legal purposes.
(2) Access. On the request of a patient, and with the authorization of the patient, a physician should provide a copy or a summary of the medical record to the patient or to another physician, attorney or other person designated by the patient. By state law, a physician is allowed to condition the release of copies of medical records on the payment by the requesting party of the reasonable costs of reproducing the record. Reasonable cost as defined by law may not exceed onedollar ($1.00) per page for the first twenty-five (25) pages, fifty cents ($.50) per page for each page in excess of twenty-five (25) pages, plus the actual cost of mailing the record. In addition, the actual costs of reproducing x-rays or other special records may be included. For medical records provided in an electronic file, a flat fee that would not exceed the cost of providing the records in paper form may be charged. Records subpoenaed by the State Board of Medical Examiners are exempt from this law. Physicians charging for the cost of reproduction of medical records should give primary consideration to the ethical and professional duties owed to other physicians and to their patients, and waive copying charges when appropriate. |
Medical Privacy | Medical Records |
| Ala. Code § 25-5-339 | (b) Employers, laboratories, medical review officers, employee assistance programs, drug or alcohol rehabilitation programs, and their agents who receive or have access to information concerning test results shall keep all information confidential. Release of such information under any other circumstance shall be solely pursuant to a written consent form signed voluntarily by the person tested, unless the release is compelled by an agency of the state or a court of competent jurisdiction or unless deemed appropriate by a professional or occupational licensing board in a related disciplinary proceeding. The consent form shall contain at a minimum all of the following:
(1) The name of the person who is authorized to obtain the information. (2) The purpose of the disclosure. (3) The precise information to be disclosed. (4) The duration of the consent. (5) The signature of the person authorizing release of the information |
Medical Privacy | Confidentiality of information |
| Alabama Data Breach Notification Act | In case of hacking, notice to an affected individual under this section shall be given in writing, sent to the mailing address of the individual in the records of the covered entity, or by email notice sent to the email address of the individual in the records of the covered entity. The notice shall include, at a minimum, all of the following:
(1) The date, estimated date, or estimated date range of the breach. (2) A description of the sensitive personally identifying information that was acquired by an unauthorized person as part of the breach. (3) A general description of the actions taken by a covered entity to restore the security and confidentiality of the personal information involved in the breach. (4) A general description of steps an affected individual can take to protect himself or herself from identity theft. (5) Information that the individual can use to contact the covered entity to inquire about the breach. |
Data Privacy | Breach notification |
| Alabama Insurance Regulation Chapter 482-1-122 | A. Initial notice requirement. A licensee shall provide a clear and conspicuous notice that accurately reflects its privacy policies and practices to both of the following:
(1) Customer. An individual who becomes the licensee's customer, not later than when the licensee establishes a customer relationship, except as provided in Subsection E of this section. (2) Consumer. A consumer, before the licensee discloses any nonpublic personal financial information about the consumer to any nonaffiliated third party, if the licensee makes a disclosure other than as authorized by Sections 15 and 16. B. When initial notice to a consumer is not required. A licensee is not required to provide an initial notice to a consumer under Subsection A(2) of this section if either of the following are true: (1) The licensee does not disclose any nonpublic personal financial information about the consumer to any nonaffiliated third party, other than as authorized by Sections 15 and 16, and the licensee does not have a customer relationship with the consumer. (2) A notice has been provided by an affiliated licensee, as long as the notice clearly identifies all licensees to whom the notice applies and is accurate with respect to the licensee and the other institutions. |
Financial Privacy | Third Parties |
Alaska
| Name of Article | Purpose | Type of Privacy Protected | Law on |
|---|---|---|---|
| AS §18.13.010 et seq | This Alaska legislation provides privacy regulations for genetic information and states that genetic information belongs to the individual it originated from.[5] | Medical Privacy | Genetics |
| AS 45.48.100 - .290 (section in the Alaska Personal Information Privacy Act) | This article allows for consumers to place security holds on their credit report. This will prevent any third party from gaining access to that individual's credit report. The hold can also be removed by the consumer, by submitting a similar request as the one needed to place the hold.[6] | Financial Privacy | Credit Reports |
| Section 45.48.400 (section in the Alaska Personal Information Privacy Act) | These sections say that it is illegal to make Social Security numbers available to the public. It is also illegal to request and collect Social Security numbers. Additionally, it is illegal to sell, trade, lease or loan SSN and disclosures of SSN are only valid if it is authorized by law if they are requested by a government agency, to a person subject to the Gramm-Leach-Bliley Act or Fair Credit Reporting Act, an individual part of a consumer reporting agency, or someone requesting for a background check.[6] | Data Security | Social Security |
Arizona
| Name of Article | Purpose | Type of Privacy Protected | Law on |
|---|---|---|---|
| Ariz. Rev. Stat. Ann. § 12–2803 | This Arizona state legislation states that must written consent must be provided for genetic testing, unless the data is collected for research purposes.[3] | Medical Privacy | Consent for information collection |
| Arizona 2010 SB 1309 | This Arizona state legislation states that written parental consent must be obtained in order to collect and store a minor's DNA. There are some exceptions with newborns.[5] | Medical Privacy | Genetic information belonging to minors |
| ARS §1-602 | This Arizona state legislation states that written parental consent must be obtained in order to collect and store a minor's DNA. There are some exceptions with newborns.[5] | Medical Privacy | Genetic information belonging to minors |
| ARS §12-2801 et seq: | This Arizona state legislation states that written parental consent and health care provider consent must be obtained in order to collect and store a minor's DNA. There are some exceptions with newborns.[5] | Medical Privacy | Genetic information belonging to minors |
| Arizona 2016 HB 2144 | This Arizona state legislation states that genetic testing can only be conducted with consent with the person being tested.[5] | Medical Privacy | Genetics |
| Arizona 2019 SB 1297 | This Arizona state legislation removes self-conducted genetics-tests from the definition of genetics testing and it adds details on providing medical-care provider the results of genetics tests.[5] | Medical Privacy | Genetics |
| ARS §20-448.02 | This Arizona state legislation states that a genetics test cannot be conducted without the knowledge of the individual being tested.[5] | Medical Privacy | Genetics |
| ARS § 41–151.22 | Libraries are not allowed to disclose any information that identifies a user from the materials that they requested digitally or physically.[7] | Digital Privacy | E-readers |
Arkansas
| Name of Article | Purpose | Type of Privacy Protected | Law on |
|---|---|---|---|
| Ark. Code § 20-35-103 | This Arkansas state legislation states genetic testing is allowed if the information is anonymized.[3] | Medical Privacy | Notifications and treatment of patients |
| Arkansas 2015 HB 1827 | This Arkansas state legislation states that written parent content must be acquired before any medical screening is performed on a minor. This enforces the Parents' Bill of Rights.[5] | Medical Privacy | Genetic information belonging to minors |
| Ark. Code §20-35-101 et seq. | This Arkansas state legislation states that individual records cannot be released without court permission or a consent form.[5] | Medical Privacy | Genetics |
| Arkansas. Code Ann. §4-110-104 | (b) A person or business that acquires, owns, or licenses personal information about an Arkansas resident shall implement and maintain reasonable security procedures and practices appropriate to the nature of the information to protect the personal information from unauthorized access, destruction, use, modification, or disclosure. | Digital Privacy | Corporate data security |
| Ark. Code § 11-2-124 | (b) (1) An employer shall not require, request, suggest, or cause a current or prospective employee to:
(A) Disclose his or her username and password to the current or prospective employee's social media account; (B) Add an employee, supervisor, or administrator to the list or contacts associated with his or her social media account; or (C) Change the privacy settings associated with his or her social media account. (2) If an employer inadvertently receives an employee's username, password, or other login information to the employee's social media account through the use of an electronic device provided to the employee by the employer or a program that monitors an employer's network, the employer is not liable for having the information but may not use the information to gain access to an employee's social media account. |
Digital Privacy | Social media privacy |
| Ark. Code § 6-60-104 | (b) An institution of higher education shall not require, request, suggest, or cause:
(1) A current or prospective employee or student to disclose his or her username and password to the current or prospective employee's or student's social media account; or (2) A current or prospective student, as a condition of acceptance in curricular or extracurricular activities, to: (A) Add an employee or volunteer of the institution of higher education, including without limitation a coach, professor, or administrator, to the list of contacts associated with his or her social media account; or (B) Change the privacy settings associated with his or her social media account. (c) An institution of higher education shall not: (1) Take action against or threaten to discharge, discipline, prohibit from participating in curricular or extracurricular activities, or otherwise penalize a current student for exercising his or her rights under subsection (b) of this section; or (2) Fail or refuse to admit or hire a prospective employee or student for exercising his or her rights under subsection (b) of this section. |
Digital Privacy | Educational institutions |
California
| Name of Article | Purpose | Type of Privacy Protected | Law on |
|---|---|---|---|
| Cal. Health & Safety Code § 24175 | This California state legislation states that Common Rule applies to all human subject.[3] | Medical Privacy | Notifications and treatment of patients |
| California 2017 AB 375 | This California state legislation states individuals control their biometric information and can sell that data to businesses.[5] | Medical Privacy | Genetics |
| Cal. Civil Code §56.17 | This California state legislation state that any person with revealed genetic results without consent can be fine.[5] | Medical Privacy | Genetics |
| SB-1121 California Consumer Privacy Act of 2018 | (a) A consumer shall have the right to request that a business delete any personal information about the consumer which the business has collected from the consumer.
(b) A business that collects personal information about consumers shall disclose, pursuant to Section 1798.130, the consumer's rights to request the deletion of the consumer's personal information. (c) A business that receives a verifiable consumer request from a consumer to delete the consumer's personal information pursuant to subdivision (a) of this section shall delete the consumer's personal information from its records and direct any service providers to delete the consumer's personal information from their records. (d) A business or a service provider shall not be required to comply with a consumer's request to delete the consumer's personal information if it is necessary for the business or service provider to maintain the consumer's personal information in order to: (1) Complete the transaction for which the personal information was collected, provide a good or service requested by the consumer, or reasonably anticipated within the context of a business's ongoing business relationship with the consumer, or otherwise perform a contract between the business and the consumer. (2) Detect security incidents, protect against malicious, deceptive, fraudulent, or illegal activity; or prosecute those responsible for that activity. (3) Debug to identify and repair errors that impair existing intended functionality. (4) Exercise free speech, ensure the right of another consumer to exercise his or her right of free speech, or exercise another right provided for by law. |
Medical Privacy | Genetics |
| California Civ. Code §1798.81.5 | (b) A business that owns, licenses, or maintains personal information about a California resident shall implement and maintain reasonable security procedures and practices appropriate to the nature of the information, to protect the personal information from unauthorized access, destruction, use, modification, or disclosure.
(c) A business that discloses personal information about a California resident pursuant to a contract with a nonaffiliated third party that is not subject to subdivision (b) shall require by contract that the third party implement and maintain reasonable security procedures and practices appropriate to the nature of the information, to protect the personal information from unauthorized access, destruction, use, modification, or disclosure. |
Digital Privacy | Corporate data security |
| Calif. Lab. Code § 980 | (b) An employer shall not require or request an employee or applicant for employment to do any of the following:
(1) Disclose a username or password for the purpose of accessing personal social media. (2) Access personal social media in the presence of the employer. (3) Divulge any personal social media, except as provided in subdivision (c). (c) Nothing in this section shall affect an employer's existing rights and obligations to request an employee to divulge personal social media reasonably believed to be relevant to an investigation of allegations of employee misconduct or employee violation of applicable laws and regulations, provided that the social media is used solely for purposes of that investigation or a related proceeding. (d) Nothing in this section precludes an employer from requiring or requesting an employee to disclose a username, password, or other method for the purpose of accessing an employer-issued electronic device. (e) An employer shall not discharge, discipline, threaten to discharge or discipline, or otherwise retaliate against an employee or applicant for not complying with a request or demand by the employer that violates this section. However, this section does not prohibit an employer from terminating or otherwise taking an adverse action against an employee or applicant if otherwise permitted by law. |
Digital Privacy | Social media privacy |
| Calif. Ed. Code § 99121 | (a) Public and private postsecondary educational institutions, and their employees and representatives, shall not require or request a student, prospective student, or student group to do any of the following:
(1) Disclose a user name or password for accessing personal social media. (2) Access personal social media in the presence of the institution's employee or representative. (3) Divulge any personal social media information. (b) A public or private postsecondary educational institution shall not suspend, expel, discipline, threaten to take any of those actions, or otherwise penalize a student, prospective student, or student group in any way for refusing to comply with a request or demand that violates this section. (c) This section shall not do either of the following: (1) Affect a public or private postsecondary educational institution's existing rights and obligations to protect against and investigate alleged student misconduct or violations of applicable laws and regulations. (2) Prohibit a public or private postsecondary educational institution from taking any adverse action against a student, prospective student, or student group for any lawful reason. |
Digital Privacy | Educational institutions |
| Cal. Civ. Code § 1798.100-§ 1798.198 (“The California Consumer Privacy Act of 2018”) | This legislation states that businesses must disclose to customers that type of information that they collect on them. And if the customers refuse to provide that information the business may not use that as a ground to refuse service to the customer.[7] | Digital Privacy | Consumer data privacy |
| Cal. Bus. & Prof. Code § 22948.20 | This legislation states that if a device has a voice recognition feature, the user must be aware that the feature exists on that device. Additionally, it prohibits the use of voice recognition for advertising, espionage, or law enforcement purpose.[7] | Digital Privacy | Consumer data privacy |
| Calif. Bus. & Prof. Code §§ 22580-22582 | This legislation states that minors must be able to delete information posted on a website or application. And it prohibits that use of known usage of a minor's information for advertisement purposes.[7] | Digital Privacy | Children's online privacy |
| Cal. Govt. Code § 6267 | The library cannot release any information about the patron that can be used to identify them or their reading patterns.[7] | Digital Privacy | E-readers |
| Cal. Civil Code § 1798.90 | Digital books are treated like physical books and will need a warrant to be searched through.[7] | Digital Privacy | E-readers |
| Calif. Bus. & Prof. Code § 22575 | Requires operators of websites to inform the user is third-parties are conducting background information tracking. Additionally, a website must make available information on how it responds to a 'Do Not Track' signal in its privacy policy.[7] | Digital Privacy | Websites or online services |
| Calif. Bus. & Prof. Code § 22575-22578 (CalOPPA) | Any webpage collection information on users must make this clear on their privacy policy page. This includes mobile apps. Additionally, the website must make clear the type of information that they collect.[7] | Digital Privacy | Websites or online services |
| California Ed. Code § 99122 | Educational institutions must have a social media privacy policy on their internet website.[7] | Digital Privacy | Websites or online services |
| California Civil Code §§ 1798.83 to .84 ("Shine the Light Law") | Businesses must put a privacy statement that allows (for free) the consumer to choose not to share their information.[7] | Digital Privacy | Disclosure or sharing of personal information |
| California Consumer Privacy Act (CCPA) | This act places regulations on the selling of consumer information including consumer financial information.[7] | Digital Privacy | Consumer information |
| California Privacy Act | This act was a stricter version of the Gramm-Leach-Bliley Act. This regulation provides that an individual must opt-in in situations with financial institutions in order for those institutions to gain their personal initial information.[7] | Financial Privacy | Opt-in dispersal of personal information |
| California Consumer Credit Reporting Agencies Act | This act regulates consumer credit reporting agencies as well as any users of credit reports.[7] | Financial Privacy | Credit report |
| California Privacy Rights Act (CPRA) | This act expands the CCPA, gives consumers more rights to access, correct, and limit the usage and sharing of their personal information, and establishes the California Privacy Protection Agency.[8] | Digital Privacy | Consumer Information |
| California's Senate Bill 41: The Genetic Information Privacy Act | The bill requires a direct-to-consumer genetic testing company to "provide a consumer with certain information regarding the company's policies and procedures for the collection, use, maintenance, and disclosure, as applicable, of genetic data, and to obtain a consumer's express consent for collection, use, or disclosure of the consumer's genetic data, as specified." It also requires DTCs "to implement and maintain reasonable security procedures and practices to protect a consumer's genetic data against unauthorized access, destruction, use, modification, or disclosure, and develop procedures and practices to enable a consumer to access their genetic data, and to delete their account and genetic data, as specified."[2] | Medical Privacy | Consumer Information |
Colorado
| Name of Article | Purpose | Type of Privacy Protected | Law on |
|---|---|---|---|
| Colo. Rev. Stat. Ann. § 10-3-1104.6 | This Colorado state legislation states that information belongs to the individual from whom it was collected.[3] | Medical Privacy | Biobanks |
| Colo. Rev. Stat. §10-3-1104.6(4) | This Colorado state legislation states genetic testing is allowed if the information is anonymized.[3] | Medical Privacy | Notification and treatment of patients |
| Colorado 2015 SB 77 | This Colorado state legislation states that written parent content must be acquired before any medical screening is performed on a minor. This enforces the Parents' Bill of Rights.[5] | Medical Privacy | Genetic information belonging to minors |
| Colorado 2009 HB 1338 | (a) Genetic information is the unique property of the individual to whom the information pertains.
(b) Any information concerning an individual obtained through the use of genetic services may be subject to abuses if disclosed to unauthorized third parties without the willing consent of the individual to whom the information pertains. |
Medical Privacy | Genetics |
| CRS §10-3-1104.6 | (a) Genetic information is the unique property of the individual to whom the information pertains;
(b) Any information concerning an individual obtained through the use of genetic services may be subject to abuses if disclosed to unauthorized third parties without the willing consent of the individual to whom the information pertains; (c) To protect individual privacy and to preserve individual autonomy with regard to the individual's genetic information, it is appropriate to limit the use and availability of genetic information; |
Medical Privacy | Genetics |
| C.R.S. 8-2-127 | (2) (a) An employer may not suggest, request, or require that an employee or applicant disclose, or cause an employee or applicant to disclose, any user name, password, or other means for accessing the employee's or applicant's personal account or service through the employee's or applicant's personal electronic communications device. An employer shall not compel an employee or applicant to add anyone, including the employer or his or her agent, to the employee's or applicant's list of contacts associated with a social media account or require, request, suggest, or cause an employee or applicant to change privacy settings associated with a social networking account. (b) Paragraph (a) of this subsection (2) does not prohibit an employer from requiring
an employee to disclose any user name, password, or other means for accessing nonpersonal accounts or services that provide access to the employer's internal computer or information systems. |
Digital Privacy | Social media privacy |
| Colorado's Consumer Data Protection Laws | If the government or private entities have a PII, or a document which contains personal information, including Social Security, biometric data and financial account numbers, then they are required to have a written policy to make sure that the PII is destroyed when it is no longer needed. | Financial Privacy | PII |
Connecticut
| Name of Article | Purpose | Type of Privacy Protected | Law on |
|---|---|---|---|
| Conn. Gen. Stat. § 42-471 | Any business that collects a Social Security Number must have a privacy protection policy in place which should be posted on their website, not allow the unlawful disclosure of Social Security Numbers, and limit access to Social Security Number.[7] | Digital Privacy | Websites and online services. |
| Connecticut Data Privacy Law (Senate Bill 6) | Businesses that hold data on more than 100,000 consumers or those who earn 25% of their annual revenue from the sale of data of more than 25,000 consumers. Exempts from its requirements (1) various entities, including state and local governments, nonprofits, and higher education institutions, and (2) specified information and data, including certain health records, identifiable private information for human research, certain credit-related information, and certain information collected under specified federal laws. | Personal Data Privacy and Online Monitoring | Websites and companies managing PI |
Delaware
| Name of Article | Purpose | Type of Privacy Protected | Law on |
|---|---|---|---|
| Del. Code § 1203 | This Delaware state legislation states that labs must dispose any samples from which genetic information has been collected. However, there are several loop holes, such as, anonymizing genetic information.[3] | Medical Privacy | Biobanks |
| Delaware 2015 SB 151 | Medical Privacy | Genetics | |
| Delaware 2015 SB 68 | Medical Privacy | Genetics | |
| Delaware 2015 SB 79 | Medical Privacy | Genetics | |
| Delaware 2017 HS 1 for HB 180 | Medical Privacy | Genetics | |
| Del. Code 16 §1201 et seq. | Medical Privacy | Genetics | |
| 19 Del. Code § 709A | [9] | Digital Privacy | Social Media |
| 14 Del. Code § 8103 | [9] | Digital Privacy | Educational Institutions |
| Del. Code § 1204C | This legislation states that any digital programs that focus as children as a target group must ensure that their information is child appropriate. They are also not allowed to collect any information that can be used to identify the child.
This also prohibits the collection of information from the child which is able to identify the child.[7] |
Digital Privacy | Children's Online Privacy |
| 2015 SS 1 FOR SB 68
Del. Code tit. 6, § 1206C |
Personal information of the reader cannot be disclosed to law enforcement, governmental and commercial entities.[7] | Digital Privacy | E-reader privacy |
| Del. Code Tit. 6 § 205C | Commercial internet website, online or cloud computing service, online application, or mobile application that collect identifiable personal information of people in Delaware must make this collection of information known on their privacy page.[7] | Digital Privacy | Website and Online Services |
Florida
| Name of Article | Purpose | Type of Privacy Protected | Law on |
|---|---|---|---|
| Fla. Stat. Ann. § 760.40 | This Florida state legislation states that information belongs to the individual from whom it was collected and is subject to privacy laws.[3] | Medical Privacy | Biobanks |
| FS §760.40 | Medical Privacy | Genetics | |
| Florida Stat. § 501.171(2) | Digital Privacy | Corporate Data Security |
Georgia
| Name of Article | Purpose | Type of Privacy Protected | Law on |
|---|---|---|---|
| Ga. Rev. Code §§ 33-54-3 | This Georgia state legislation states genetic testing is allowed if the information is anonymized.[3] | Medical Privacy | Notifications and Treatment of Patients |
| Ga. Rev. Code §§ 33-54-6 | This Georgia state legislation states genetic testing is allowed if the information is anonymized.[3] | Medical Privacy | Notifications and Treatment of Patients |
| OCGA §§33-54-1 et seq. | Medical Privacy | Genetics |
Hawaii
| Name of Article | Purpose | Type of Privacy Protected | Law on |
|---|---|---|---|
| HRS §§431:10A-118 | Medical Privacy | Genetics | |
| HRS §§431:10A-404.5 | Medical Privacy | Genetics | |
| HRS §§432:1-607 | Medical Privacy | Genetics | |
| HRS §§432:2-404.5 | Medical Privacy | Genetics | |
| HRS §§432D-26 | Medical Privacy | Genetics |
Idaho
| Name of Article | Purpose | Type of Privacy Protected | Law on |
|---|---|---|---|
| IC §39-8301 et seq. | Medical Privacy | Genetics |
Illinois
| Name of Article | Purpose | Type of Privacy Protected | Law on |
|---|---|---|---|
| Ill. Comp. Stat. § 50/3.1(a) | This Illinois state legislation states hospital patient must be informed if they are taking part in research.[3] | Medical Privacy | Notifications and Treatment of Patients |
| Illinois 2007 SB 941 | Medical Privacy | Genetics | |
| Illinois 2008 SB 2399 | Medical Privacy | Genetics | |
| Illinois 2017 SB 318 | Medical Privacy | Genetics | |
| Illinois 2019 HB 2189 | Medical Privacy | Genetics | |
| Illinois 2019 SB 1307 | Medical Privacy | Genetics | |
| Illinois: 410 ILCS 513/1 et seq. | Medical Privacy | Genetics | |
| 820 ILCS 55/10 | [9] | Digital Privacy | Social Media |
| 105 ILCS 75/10, 105 ILCS 75/15 | [9] | Digital Privacy | Educational Institutions |
Indiana
| Name of Article | Purpose | Type of Privacy Protected | Law on |
|---|---|---|---|
| Indiana Code Ann. § 24–4.9-3-3.5(b) | Digital Privacy | Corporate Data Security |
Iowa
| Name of Article | Purpose | Type of Privacy Protected | Law on |
|---|---|---|---|
| 2010 SF 2215 | Medical Privacy | Genetics | |
| 2019 HSB 14 | Medical Privacy | Genetics | |
| 2019 SSB 1071 | Medical Privacy | Genetics | |
| IC §§507B.4 | Medical Privacy | Genetics | |
| IC §§507B.4 | Medical Privacy | Genetics | |
| IC §§513B.9A | Medical Privacy | Genetics | |
| IC §§513B.10 | Medical Privacy | Genetics |
Kansas
| Name of Article | Purpose | Type of Privacy Protected | Law on |
|---|---|---|---|
| Kansas 2014 SB 367 | This Kansas state legislation prohibits schools from collecting any biometric information from a student, unless the student (if an adult) or a parent (if the student is a minor) has signed in consent.[5] | Medical Privacy | Laws for Minors |
| KSA §72-6214 | This Kansas state legislation prohibits schools from collecting any biometric information from a student, unless the student (if an adult) or a parent (if the student is a minor) has signed in consent.[5] | Medical Privacy | Laws for Minors |
Kentucky
| Name of Article | Purpose | Type of Privacy Protected | Law on |
|---|---|---|---|
| Kentucky 2019 SB 152 | This Kentucky state legislation states that school may not collect DNA or blood from students unless a court order or parental consent has been issued or provided.[5] | Medical Privacy | Laws for Minors |
| Kentucky 2014 HB 5 | Medical Privacy | Genetics | |
| Kentucky 2019 SB 152 | Medical Privacy | Genetics | |
| KRS §304.12-085 | Medical Privacy | Genetics | |
| KRS §61.931 et seq. | Medical Privacy | Genetics |
Louisiana
| Name of Article | Purpose | Type of Privacy Protected | Law on |
|---|---|---|---|
| 2009 HB 406 | Medical Privacy | Genetics | |
| LRS 40:2210 | Medical Privacy | Genetics | |
| LRS 22:1023 | Medical Privacy | Genetics | |
| LRS 22:1097 | Medical Privacy | Genetics | |
| La. Rev. Stat. § 51:1951 to §§ 1953 and 1955 | [9] | Digital Privacy | Social Media |
| La. Rev. Stat. § 51:1951 to § 1952 and §§ 1954 to 1955 | [9] | Digital Privacy | Educational Institutions |
Maine
| Name of Article | Purpose | Type of Privacy Protected | Law on |
|---|---|---|---|
| Me. Rev. Stat. Ann. tit. 22, § 1711-C | This Maine state legislation states all health data, including genetic information must be confidential.[3] | Medical Privacy | Encryption of Collected Data |
| Me. Rev. Stat. Ann. tit. 22, § 1711-C | This Maine state legislation states genetic testing is allowed if the information is anonymized.[3] | Medical Privacy | Notifications and Treatment of Patients |
| MRS 22 §1711C | Medical Privacy | Genetics | |
| MRS 24A §2204 | Medical Privacy | Genetics | |
| 26 M.R.S. § 616 to 619 | [9] | Digital Privacy | Social Media |
Maryland
| Name of Article | Purpose | Type of Privacy Protected | Law on |
|---|---|---|---|
| Md. Code Ann., Health-Gen. § 13–2002 | This Maryland state legislation states that Common Rule applies to all human subject.[3] | Medical Privacy | Notifications and Treatment of Patients |
| 2017 HB 974 | Medical Privacy | Genetics | |
| 2019 HB 1127 | Medical Privacy | Genetics | |
| 2019 HB 716 | Medical Privacy | Genetics | |
| 2019 HB 901 | Medical Privacy | Genetics | |
| 2019 SB 613 | Medical Privacy | Genetics | |
| 2019 SB 786 | Medical Privacy | Genetics | |
| 2019 SB 871 | Medical Privacy | Genetics | |
| Md. Commercial Code §14-3501 et seq. | Medical Privacy | Genetics | |
| Md. Insurance Code §27-909 | Medical Privacy | Genetics | |
| Md. Health-General Code §19-706 | Medical Privacy | Genetics | |
| Md. State Government Code §20-601 et seq. | Medical Privacy | Genetics | |
| Maryland Code Ann., Com. Law § 14-3503(a) | Digital Privacy | Corporate Data Security | |
| Md. Code, Labor and Emp. Law § 3-712 | [9] | Digital Privacy | Social Media |
| Md. Code, Ed. Law § 26-401 | Digital Privacy | Educational Institutions |
Massachusetts
| Name of Article | Purpose | Type of Privacy Protected | Law on |
|---|---|---|---|
| Massachusetts 2013 H 1909 | Medical Privacy | Genetics | |
| Massachusetts 2015 H 1900 | Medical Privacy | Genetics | |
| Massachusetts 2017 H2814 | Medical Privacy | Genetics | |
| Massachusetts: MGL Public Health 111 §70G | Medical Privacy | Genetics | |
| 201 Massachusetts Code Regs. 17.03 | Companies must take specific steps to access security risks, train employees, and other security related tasks.[4] | Digital Privacy | Corporate Data Security |
Michigan
| Name of Article | Purpose | Type of Privacy Protected | Law on |
|---|---|---|---|
| Michigan 2013 SB 178 | Medical Privacy | Genetics | |
| MCL § 500.2212c | Medical Privacy | Genetics | |
| MCL §500.3829a | Medical Privacy | Genetics | |
| MCL §§333.16221 | Medical Privacy | Genetics | |
| MCL §§333.17020 | Medical Privacy | Genetics | |
| MCL §§333.17520 | Medical Privacy | Genetics | |
| MCL § 37.271-37.278 | [9] | Digital Privacy | Social Media |
| MCL § 37.271-37.278 | [9] | Digital Privacy | Educational Institutions |
Minnesota
| Name of Article | Purpose | Type of Privacy Protected | Law on |
|---|---|---|---|
| Minnesota 2013 HF 5 | Medical Privacy | Genetics | |
| Minnesota 2019 HF 112 | Medical Privacy | Genetics | |
| MS §13.386 | Medical Privacy | Genetics | |
| MS §144.192 | Medical Privacy | Genetics | |
| MS §176.138 | Medical Privacy | Genetics | |
| MS §62V.06 | Medical Privacy | Genetics | |
| Minn. Stat. §§ 325M.01 to .09 | Any information that can be used to identify the user cannot be discloses. Additionally, Internet service providers must get permission to disclose information.[7] | Digital Privacy | Personal Information |
Mississippi
| Name of Article | Purpose | Type of Privacy Protected | Law on |
|---|---|---|---|
| Miss. Code. Ann. § 41-119–13 | This Mississippi state legislation states that patient-specific information can only be released with compliance to HIPAA regulation.[3] | Medical Privacy | Biobanks |
Missouri
| Name of Article | Purpose | Type of Privacy Protected | Law on |
|---|---|---|---|
| MRS §§375.1300 | Medical Privacy | Genetics | |
| MRS §§375.1309 | Medical Privacy | Genetics | |
| Mo. Rev. Stat. § 182.815, 182.817 | States that an e-book is similar to a book, so a user must "borrow" it from a library and must return that material. In addition, a library may collect information on the readers of e-books.[7] | Digital Privacy | E-Reader Privacy |
Montana
| Name of Article | Purpose | Type of Privacy Protected | Law on |
|---|---|---|---|
| Mont. Code Ann. § 39-2-307 | [9] | Digital Privacy | Social Media |
| MT Code Sec. 30-14-1704 | [10] | Data Privacy | Breach notification |
| MT Code Sec. 33-19-321 | [10] | Data Privacy | Insurance companies |
| MT Code Sec. 30-14-1704 | [10] | Data Privacy | Breach notification |
Nebraska
| Name of Article | Purpose | Type of Privacy Protected | Law on |
|---|---|---|---|
| Neb. Rev. Stat. 48-3501 et seq. | [9] | Digital Privacy | Social Media |
| NRS §71-551 | Medical Privacy | Genetics | |
| Nebraska Stat. § 87-302(14) | Posting incorrect information regarding identifiable information regarding people is illegal.[7] | Digital Privacy | False and Misleading Statements in Privacy Policies |
Nevada
| Name of Article | Purpose | Type of Privacy Protected | Law on |
|---|---|---|---|
| Nev. Rev. Stat. § 629.161 | This Nevada state legislation states that genetic information must be destroyed if an individual wants to pull out of the research or if the research has ended.[3] | Medical Privacy | Biobanks |
| Nev. Rev. Stat. Ann. § 629.151 | This Nevada state legislation states that must consent must be provided for genetic testing, unless the data is collected for anonymous research purposes.[3] | Medical Privacy | Consent to Collect Information |
| Nevada 2009 SB 426 | Medical Privacy | Genetics | |
| NRS §629.101 et seq. | Medical Privacy | Genetics | |
| Rev. Stat. § 603A.215 | It requires that companies use encryption to store certain type of data and to follow certain procedures when saving payment-card data.[4] | Digital Privacy | Corporate Data Security |
| NRS § 613.135 | [9] | Digital Privacy | Social Media |
| NRS § 603A.340 | Commercial internet website, online or cloud computing service, online application, or mobile application that collect identifiable personal information known on their privacy page. Additionally, they must describe the process used to collect the information and make this available on the privacy page.[7] | Digital Privacy | Websites and Online Services |
| Nevada Revised Stat. § 205.498 | Any information that can be used to identify the user cannot be disclosed.[7] | Digital Privacy | Personal Information held by Internet Service Providers |
| Nevada Stat. § 87-302(14) | Posting incorrect information regarding identifiable information regarding people is illegal.[7] | Digital Privacy | Privacy Policies |
New Hampshire
| Name of Article | Purpose | Type of Privacy Protected | Law on |
|---|---|---|---|
| New Hampshire 2014 HB 1262 | Medical Privacy | Genetics | |
| New Hampshire 2014 HB 1484 | |||
| New Hampshire 2014 HB 1586 | |||
| New Hampshire 2016 HB 1493 | |||
| New Hampshire 2017 HB 523 | |||
| New Hampshire 2018 HB 1373 | |||
| New Hampshire 2019 HB 536 | |||
| New Hampshire 2019 SB 316 | |||
| NHS §132:10-a V. | |||
| NHS §141-H:1 | |||
| NHS §141-H:2 | |||
| NHS §141:H-6 | |||
| N.H. Rev. Stat. § 275:74 | [9] | Digital Privacy | Social Media |
| N.H. Rev. Stat. 189:70 | [9] | Digital Privacy | Educational Institutions |
New Jersey
| Name of Article | Purpose | Type of Privacy Protected | Law on |
|---|---|---|---|
| N.J. Stat. Ann. § 26:14–4 | This New Jersey state legislation states hospital patient must be informed if they are taking part in research.[3] | Medical Privacy | Notifications and Treatment of Patients |
| New Jersey 2018 A4640 | Medical Privacy | Genetics | |
| New Jersey 2018 S3153 | Medical Privacy | Genetics | |
| NJS §10:5-43 et seq. | Medical Privacy | Genetics | |
| N.J. Stat. § 34:6B-6 | [9] | Digital Privacy | Social Media |
| N.J. Stat. § 18A:3-30 | [9] | Digital Privacy | Educational Institutions |
New Mexico
| Name of Article | Purpose | Type of Privacy Protected | Law on |
|---|---|---|---|
| N.M. Stat. Ann. § 24-21–3 | This New Mexico state legislation states that must consent must be provided for genetic testing, unless the data is collected for anonymous research purposes.[3] | Medical Privacy | Consent to Collect Information |
| N.M. Stat. Ann. § 24-21-3C(8) | This New Mexico state legislation states can be collected for medical registers without the data needing to be anonymized.[3] | Medical Privacy | Consent to Collect Information |
| N.M. Stat. Ann. § 24-21–3 | This New Mexico state legislation states genetic testing is allowed if the information is anonymized.[3] | Medical Privacy | Notifications and Treatment of Patients |
| New Mexico 2013 SB 445 | Medical Privacy | Genetics | |
| New Mexico 2015 HB 369 | Medical Privacy | Genetics | |
| New Mexico 2019 HB 141 | Medical Privacy | Genetics | |
| NMSA §24-21-1 et seq. | Medical Privacy | Genetics | |
| N.M. Stat. § 50-4-34
(covers job applicants only) |
[9] | Digital Privacy | Social Media |
| N.M. Stat. § 21-1-46 | [9] | Digital Privacy | Educational Institutions |
New York
| Name of Article | Purpose | Type of Privacy Protected | Law on |
|---|---|---|---|
| N.Y. Pub. Health §§ 2442, 2444 | This New York state legislation states that Common Rule applies to all human subject.[3] | Medical Privacy | Notifications and Treatment of Patients |
| New York 2019 A1911 | Medical Privacy | Genetics | |
| New York 2019 A465 | Medical Privacy | Genetics | |
| New York 2019 S1203 | Medical Privacy | Genetics | |
| NYCL (CVR) 79-l | Medical Privacy | Genetics |
North Carolina
| Name of Article | Purpose | Type of Privacy Protected | Law on |
|---|---|---|---|
| N.C. Gen. Stat. §§ 75-60 – 75-66 (Identity Theft Protection Act) | [11] | Data Privacy | Identity Theft |
| N.C. Gen. Stat. § 58-2-105 (Confidentiality of Medical and Credentialing Records) | [11] | Medical Privacy | Medical Records |
| N.C. Gen. Stat. § 58-39-45 (Access to Recorded Personal Information) | [11] | Data Privacy | Recordings |
| N.C. Gen. Stat. § 132–1.10 (Social Security Numbers and Other Personal Identification Information) | [11] | Data Privacy | Personal Identification Information |
North Dakota
| Name of Article | Purpose | Type of Privacy Protected | Law on |
|---|---|---|---|
| 2015 SB 2334 | Medical Privacy | Genetics | |
| N.D. Cent. Code § 26.1-36-12.4 | Confidentiality of medical information.
1. An insurance company, as defined in section 26.1-02-01, health maintenance organization, or any other entity providing a plan of health insurance subject to state insurance regulation may not deliver, issue, execute or renew a health insurance policy or health service contract unless confidentiality of medical information is assured pursuant to this section. An insurer shall adopt and maintain procedures to ensure that all identifiable information maintained by the insurer regarding the health, diagnosis, and treatment of persons covered under a policy or contract is adequately protected and remains confidential in compliance with all federal and state laws and regulations and professional ethical standards. Unless otherwise provided by law, any data or information pertaining to the health, diagnosis, or treatment of a person covered under a policy or contract, or a prospective insured, obtained by an insurer from that person or from a health care provider, regardless of whether the information is in the form of paper, is preserved on microfilm, or is stored in computer-retrievable form, is confidential and may not be disclosed to any person |
Data Privacy | Storage of Data |
Ohio
| Name of Article | Purpose | Type of Privacy Protected | Law on |
|---|---|---|---|
| 2018 SB 220 (Also known as Ohio Data Protection Act) | (B) A covered entity's cybersecurity program shall be designed to do all of the following:
(1) Protect the security and confidentiality of personal information; (2) Protect against any anticipated threats or hazards to the security or integrity of personal information; (3) Protect against unauthorized access to and acquisition of personal information that is likely to result in a material risk of identity theft or other fraud to the individual to whom the information relates. (C) The scale and scope of a covered entity's cybersecurity program under division (A) of this section shall be appropriate if it is based on all of the following factors: (1) The size and complexity of the covered entity; (2) The nature and scope of the activities of the covered entity; (3) The sensitivity of the personal information to be protected; (4) The cost and availability of tools to improve information security and reduce vulnerabilities; (5) The resources available to the covered entity. |
Data Privacy | Breach Notification |
Oklahoma
| Name of Article | Purpose | Type of Privacy Protected | Law on |
|---|---|---|---|
| Oklahoma 2013 HB 1384 | This Oklahoma legislation states that genetic information can not be collected from minors unless a court order has been issued or parental consent has been provided or the minor is being tests for syphilis or sexually transmitted infections and HIV.[5] | Medical Privacy | Minors |
| Oklahoma OS §25-2001 | This Oklahoma legislation states that genetic information can not be collected from minors unless a court order has been issued or parental consent has been provided or the minor is being tests for syphilis or sexually transmitted infections and HIV.[5] | Medical Privacy | Minors |
| Oklahoma 2013 HB 1384 | Medical Privacy | Genetics | |
| OS §25-2001 | Medical Privacy | Genetics | |
| OS §36-3614.3 | Medical Privacy | Genetics | |
| 40 Okla. Stat. § 173.2 | [9] | Digital Privacy | Social Media |
| Oklahoma H.B. 1877 | This Oklahoma legislation gives guidelines on employers' access to employees' online social media accounts, and it provides both exception and an effective date.[9] | Employee Privacy; Digital Privacy | Social Media |
Oregon
| Name of Article | Purpose | Type of Privacy Protected | Law on |
|---|---|---|---|
| Or. Laws Ch. 680 (1995) | This Oregon state legislation was passed in 1995 and stated that information belongs to the individual from whom it was collected.[3] | Medical Privacy | Biobanks |
| Or. Laws Ch. 780 (1997) | This Oregon state legislation was passed in 1997 and stated that genetic information can be used if it is anonymized.[3] | Medical Privacy | Biobanks |
| Or. Laws Ch. 588 (2001) | This Oregon state legislation was passed in 2001 and states that genetic information was not owned by individuals from whom it was collected and that genetic information should remain anonymized and should follow privacy laws.[3] | Medical Privacy | Biobanks |
| Oregon 2007 SB 244 | Medical Privacy | Genetics | |
| Oregon 2009 HB 2009 | Medical Privacy | Genetics | |
| ORS §192.531 et seq. | Medical Privacy | Genetics | |
| Oregon. Rev. Stat. Ann. § 646A.622 | This legislation has three important aspects which include: training employees, having regular security control tests, and placing reasonable safeguards against hacks.[4] | Digital Privacy | Corporate data security |
| O.R.S. § 659A.330 | Digital Privacy | Social media privacy | |
| O.R.S. §§ 350.272, 350.274 | Digital Privacy | Educational institutions | |
| ORS § 646.607 | It is illegal to publish information that is inconsistent with the behaviour of the user.[7] | Digital Privacy | Websites or online services |
| ORS § 646.607 | This states that is illegal for any body to publish information that is purposefully incorrect.[7] | Digital Privacy | False and misleading statements posted online |
Pennsylvania
| Name of Article | Purpose | Type of Privacy Protected | Law on |
|---|---|---|---|
| Pennsylvania 2019 HB 245 | Medical Privacy | Genetics | |
| 18 Pa. C.S.A § 4107(a)(10) | Distribution of fraudulent information on the internet is illegal.[7] | Digital Privacy | False and misleading statements posted online |
Rhode Island
| Name of Article | Purpose | Type of Privacy Protected | Law on |
|---|---|---|---|
| Rhode Island 2019 S234 | [5] | Medical Privacy | Genetics |
| RIGL §§27-18-52 | [5] | Medical Privacy | Genetics |
| RIGL §§27-18-52.1 | [5] | Medical Privacy | Genetics |
| RIGL §§27-19-44 | [5] | Medical Privacy | Genetics |
| RIGL §§27-19-44.1 | [5] | Medical Privacy | Genetics |
| RIGL §§27-20-39 | [5] | Medical Privacy | Genetics |
| RIGL §§27-20-39.1 | [5] | Medical Privacy | Genetics |
| RIGL §§27-41-53 | [5] | Medical Privacy | Genetics |
| RIGL §§27-41-53.1 | [5] | Medical Privacy | Genetics |
| Rhode Island Gen. Laws Ann. § 11–49.3-2(a) | The legislation states that the level of digital security programs a company must have is relative to the size of the company.[4] | Digital Privacy | Corporate data security |
| R.I. Gen. Laws § 28-56-1 to -6 | Digital Privacy | Social media privacy | |
| R.I. Gen. Laws § 16-103-1 to -6 | Digital Privacy | Educational institutions |
South Carolina
| Name of Article | Purpose | Type of Privacy Protected | Law on |
|---|---|---|---|
| South Carolina 2010 SB 1224 | Medical Privacy | Genetics | |
| SCCL §38-93 et seq. | Medical Privacy | Genetics | |
| SCCL §§38-93-10 et seq. | Medical Privacy | Genetics |
South Dakota
| Name of Article | Purpose | Type of Privacy Protected | Law on |
|---|---|---|---|
| SDCL §§34-14-21 et seq. | Medical Privacy | Genetics |
Tennessee
| Name of Article | Purpose | Type of Privacy Protected | Law on |
|---|---|---|---|
| Tennessee 2018 HB 2690 | Medical Privacy | Genetics | |
| Tennessee 2018 SB 2029 | Medical Privacy | Genetics | |
| Tenn. Code §§ 50-1-1001 to -1004 | Digital Privacy | Social media privacy | |
| TC §49-1-702 | This Tennessee state legislation states that written parent content must be acquired before any medical screening is performed on a minor.[5] | Medical Privacy | Genetic information of minors |
Texas
| Name of Article | Purpose | Type of Privacy Protected | Law on |
|---|---|---|---|
| Texas 2017 HB 2891 | Medical Privacy | Genetics | |
| TS (Civil Practice and Remedies) Code §74.052 | Medical Privacy | Genetics | |
| TS (Insurance) Code §546.001 et seq. | Medical Privacy | Genetics | |
| TS (Occupations) Code §58.001 et seq. | Medical Privacy | Genetics |
Utah
| Name of Article | Purpose | Type of Privacy Protected | Law on |
|---|---|---|---|
| Utah 2016 HB 358 | Medical Privacy | Genetics | |
| UC §26-45-101 et seq. | Medical Privacy | Genetics | |
| UC §53A-1-1401 et seq. | Medical Privacy | Genetics | |
| Utah Code Ann. § 13-44-201(1)(a) | Digital Privacy | Corporate Data Security | |
| Utah Code § 34-48-201 et seq. | [9] | Digital Privacy | Social Media |
| Utah Code § 53B-25-101 et seq. | [9] | Digital Privacy | Educational Institutions |
| Utah Code §§ 13-37-201 to -203 | Must let the consumer know that their information is being shared for a profit/marketing strategy.[7] | Digital Privacy | Disclosure or Sharing of Personal Information |
Vermont
| Name of Article | Purpose | Type of Privacy Protected | Law on |
|---|---|---|---|
| VSA 18 §9331 et seq. | Medical Privacy | Genetics | |
| 21 V.S.A. § 495l | [9] | Digital Privacy | Social Media |
| VA C § B-2018-01 | This law regulates how private institutions handle consumer/ customer information. | Financial Privacy | Regulation of Private Institutions |
Virginia
| Name of Article | Purpose | Type of Privacy Protected | Law on |
|---|---|---|---|
| Va. Code Ann. §§ 32.1-162.16 to 32.1-162.20 | This Virginia state legislation states that Common Rule applies to all human subjects.[3] | Medical Privacy | Notifications and Treatment of Patients |
| Code of Va. §§ 38.2-508.4 | Medical Privacy | Genetics | |
| Code of Va. §§38.2-613 | Medical Privacy | Genetics | |
| Va. Code § 40.1-28.7:5 | [9] | Digital Privacy | Social Media |
| Va. Code § 23.1-405 | [9] | Digital Privacy | Educational Institutions |
| H.B. 2081 | This law states that employers are prohibited from requiring employees to add an employer, supervisor or an administrator to his or her social media, or to change the privacy settings.[9] | Digital Privacy | Social Media |
Washington
| Name of Article | Purpose | Type of Privacy Protected | Law on |
|---|---|---|---|
| Washington 2017 HB 2213 | Medical Privacy | Genetics | |
| RCW §70.02.010 et seq. | Medical Privacy | Genetics | |
| RCW §§ 49.44.200 and 49.44.205 | [9] | Digital Privacy | Social Media |
West Virginia
| Name of Article | Purpose | Type of Privacy Protected | Law on |
|---|---|---|---|
| West Virginia 2016 HB 4261 | Medical Privacy | Genetics | |
| West Virginia: WVC §18-2-5h | Medical Privacy | Genetics | |
| W.V. Code § 21-5H-1 | [9] | Digital Privacy | Social Media |
Wisconsin
Wyoming
| Name of Article | Purpose | Type of Privacy Protected | Law on |
|---|---|---|---|
| Wyoming WSA §35-31-101 et seq. | Medical Privacy | Genetics |
- Dilbert, Robert (2016). "United States CyberSecurity Enforcement: Leading Roles of the Federal Trade Commission and State Attorneys General". Kentucky Law Review. 43: 1–28 – via JSTOR.
- California Legislative Information (October 7, 2021). "SB-41 Privacy: genetic testing companies".
- Harrell, Heather (2016). "Biobanking Research and Privacy Laws in the United States". The Journal of Law, Medicine & Ethics. 44 (1): 106–127. doi:10.1177/1073110516644203. PMID 27256128.
- Kosseff, Jeff (2018). "Defining Cybersecurity Law". Iowa Law Review. 103 (3): 985–1031.
- "Policy and Legislation Database - Browse All Records". National Human Genome Research Institute (NHGRI). Retrieved 2019-03-21.
- "Alaska Personal Information Protection Act - Consumer Protection Laws". law.alaska.gov. Retrieved 2019-04-29.
- "State Laws Related to Internet Privacy". www.ncsl.org. Retrieved 2019-04-04.
- "Move Over, CCPA: The California Privacy Rights Act Gets the Spotlight Now". news.bloomberglaw.com. Retrieved 2020-12-10.
- "State Social Media Privacy Laws". www.ncsl.org. Retrieved 2019-04-04.
- "Montana Privacy laws & HR compliance analysis". www.blr.com. Retrieved 2019-05-01.
- "North Carolina Data Privacy Regulations Overview". CSR Privacy Solutions. Retrieved 2019-05-01.
