by Kevin Mills
Recently, to the presumed delight of attorneys working in the area of internet privacy, states have become increasingly involved in imposing privacy requirements on companies that collect information from users on the internet. Perhaps as a reaction to the lack of a clear overall privacy scheme at the national level, many states are now taking action to protect the privacy of citizens who are using the internet. Such state efforts come in various forms.
Privacy Policies of Internet Companies
Data Security Legislation
In 2003, California enacted a landmark security breach notification law. Since then, nearly every state has adopted a similar law; today, forty-six states (as well as the District of Columbia, Puerto Rico, and the U.S. Virgin Islands) have security breach notification laws on the books, and in the past several years, many state legislatures have introduced amendments and updates to existing security breach notification laws. Recent efforts in Connecticut and Vermont, and similar amendments made by other states last year, demonstrate a growing trend of enhancements to state data security legislation.
On May 5, 2012, Vermont approved a law that requires that notice of data security breaches be given to the Vermont AG. Specifically, such a notice must include: (1) the date of the breach; (2) the date of discovery of the breach; (3) the number of Vermont consumers affected, if known; and (4) a copy of the notice provided to consumers.
On June 15, 2012, Connecticut replaced its security breach notification law. The new law states that if a business is required to provide notice of a data security breach, the business also must notify the Connecticut AG. While Vermont and Connecticut may be the most recent states to adopt AG breach notice requirements, they undoubtedly will not be the last.
On a practical level, it is important for businesses to keep in mind the existence of state AG breach notice requirements. If a business experiences a security incident that requires notice to consumers in one or more states, the business also must consider whether those states have notice requirements to the AG or another state entity.
Other State Privacy Law Efforts
Some state internet privacy laws push the envelope. For example, Facebook and MySpace already bar sex offenders from using their services, but Louisiana feared that the online companies wouldn’t be able to weed out all sex offenders. A new Louisiana law requires sex offenders to state their criminal convictions on their social networking pages. It also requires the offenders to disclose their addresses and describe their physical characteristics. This requirement, scheduled to take effect in August of this year, is the first of its kind in the nation.
States have a legitimate interest in regulating privacy policies on the internet. It will be intersting to see how far the legislative interest extends. Will it extend to the local level? When cable televison was first introduced, city and local governments were agressive in exercising their regulatory powers. It will be interesting to see if, now, city and local governments will similarly advance some kind of dominion over the internet, and if they do, what form it will take. Regardless of whether they join the cause, privacy rights will continue to be an area rife with conflict and in need of uniformity.
Kevin Mills is an owner of the law firm of Kaye & Mills where his practice focuses on advising clients with transactions across a full range of issues in entertainment, media, technology, Internet and general business. His practice encompasses copyright; trademark; trade dress; trade secret; brand protection; content creation, protection and distribution; and general corporate, organizational and business matters.