State Initiatives for Internet Privacy

by Kevin Mills

Recently, to the presumed delight of attorneys working in the area of internet privacy, states have become increasingly involved in imposing privacy requirements on companies that collect information from users on the internet.  Perhaps as a reaction to the lack of a clear overall privacy scheme at the national level, many states are now taking action to protect the privacy of citizens who are using the internet.  Such state efforts come in various forms.

Privacy Policies of Internet Companies

In February 2012, the California Attorney General negotiated a deal with six of the largest companies running mobile apps: Apple, Google, Amazon, Microsoft, RIM and Hewlett-Packard—Facebook became the seventh member of this group in June.  The deal requires that the companies put forth a written privacy policy on what information is collected and shared.  Because the AG lacks the power to write rules for mobile apps, the AG asserts authority under a 2004 state law that broadly requires that “online services” that collect personal information from consumers have privacy policies.  Failure to provide such a written policy may result in prosecutions against app makers that mislead California consumers about what uses are made of the personal information collected.  Penalties may be as high as $5,000 per download.

It is readily acknowledged that such efforts by states are not as effective or as efficient as a national privacy policy might be.  However, in the absence of such a national policy, states feel compelled to fill the void.  On a practical level, the existence of fifty different sets of privacy laws can be confusing and can result in the need for attorneys to sort out the checkerboard of legislative initiatives.

Data Security Legislation

In 2003, California enacted a landmark security breach notification law.  Since then, nearly every state has adopted a similar law; today, forty-six states (as well as the District of Columbia, Puerto Rico, and the U.S. Virgin Islands) have security breach notification laws on the books, and in the past several years, many state legislatures have introduced amendments and updates to existing security breach notification laws.  Recent efforts in Connecticut and Vermont, and similar amendments made by other states last year, demonstrate a growing trend of enhancements to state data security legislation.

On May 5, 2012, Vermont approved a law that requires that notice of data security breaches be given to the Vermont AG.  Specifically, such a notice must include: (1) the date of the breach; (2) the date of discovery of the breach; (3) the number of Vermont consumers affected, if known; and (4) a copy of the notice provided to consumers.

On June 15, 2012, Connecticut replaced its security breach notification law.  The new law states that if a business is required to provide notice of a data security breach, the business also must notify the Connecticut AG.  While Vermont and Connecticut may be the most recent states to adopt AG breach notice requirements, they undoubtedly will not be the last.

On a practical level, it is important for businesses to keep in mind the existence of state AG breach notice requirements.  If a business experiences a security incident that requires notice to consumers in one or more states, the business also must consider whether those states have notice requirements to the AG or another state entity.

Other State Privacy Law Efforts

Some state internet privacy laws push the envelope. For example, Facebook and MySpace already bar sex offenders from using their services, but Louisiana feared that the online companies wouldn’t be able to weed out all sex offenders.  A new Louisiana law requires sex offenders to state their criminal convictions on their social networking pages.  It also requires the offenders to disclose their addresses and describe their physical characteristics.  This requirement, scheduled to take effect in August of this year, is the first of its kind in the nation.

States have a legitimate interest in regulating privacy policies on the internet.  It will be intersting to see how far the legislative interest extends.  Will it extend to the local level?  When cable televison was first introduced, city and local governments were agressive in exercising their regulatory powers.  It will be interesting to see if, now, city and local governments will similarly advance some kind of dominion over the internet, and if they do, what form it will take.  Regardless of whether they join the cause, privacy rights will continue to be an area rife with conflict and in need of uniformity.

Kevin Mills is an owner of the law firm of Kaye & Mills where his practice focuses on advising clients with transactions across a full range of issues in entertainment, media, technology, Internet and general business. His practice encompasses copyright; trademark; trade dress; trade secret; brand protection; content creation, protection and distribution; and general corporate, organizational and business matters.


Leave a comment

Filed under Privacy, Software, Technology

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )


Connecting to %s