"It is one of the happy incidents of the federal system that a single courageous State may, if its citizens choose, serve as a laboratory; and try novel social and economic experiments without risk to the rest of the country."
--New State Ice Co. v. Liebmann, 285 U.S. 262, 311 (1932) (Brandeis, J., dissenting).
Introduction
EPIC's State Policy project, launched in the Spring of 2015, provides expertise to shape strong state privacy and open government laws.
Issue areas
State Policy News
- California Enacts Genetic Information Privacy Act: This week, Governor Gavin Newsom signed the California Genetic Information Privacy Act, which had been passed unanimously by the California Senate and Assembly in September. The Act requires direct-to-consumer genetic testing companies to provide consumers with certain information regarding the company’s policies and procedures for the collection, use, maintenance, and disclosure of genetic data, and to obtain a consumer’s express consent for collection, use, or disclosure of the consumer’s genetic data. The law imposes civil penalties for violations, enforced by the Attorney General, a district attorney, county counsel, city attorney, or city prosecutor. EPIC tracks state genetic privacy laws through its State Policy Project. (Oct. 8, 2021)
- Florida House of Representatives Passes Florida Privacy Protection Act: The Florida House of Representatives today passed the Florida Privacy Protection Act, HB 969, on a 118-1 vote. The bill gives Floridians the right to know what information companies have collected about them, the right to delete and correct that information, the right to opt-out of the sale or sharing of their personal information, strong limits on the retention of their data, and additional protections for their children’s privacy. Critically, the bill would create robust enforcement mechanisms, including a private right of action, to ensure companies do not flout the law. EPIC and a coalition of privacy and consumer organizations had previously sent letters to Florida Governor Ron DeSantis, the Florida House Commerce Committee, and Florida's Senate Rules Committee urging them to preserve private rights of action in the bill. "The inclusion of a private right of action in HB 969 and SB 1734 is the most important tool the Legislature can give to Floridians to protect their privacy," the groups wrote. "The statutory damages set in privacy laws are not large in an individual case, but they can provide a powerful incentive in large cases and are necessary to ensure that privacy rights will be taken seriously and violations not tolerated. In the absence of a private right of action, there is a very real risk that companies will not comply with the law because they think it is unlikely that they would get caught or fined." The Senate Rules Committee removed the private right of action provisions from the Senate bill, but the Senate could restore the crucial enforcement provision on the floor this week. (Apr. 21, 2021)
More top news
- EPIC Urges Florida Lawmakers to Pass Strong Privacy Law (Apr. 14, 2021)
As the Florida Legislature considers pending privacy bills,
HB 969 and
SB 1734, EPIC is
urging lawmakers to enact strong privacy protections for all Floridians. The House Commerce Committee is today
hearing HB 969, which would give Floridians the right to know what information companies have collected about them, the right to delete and correct that information, the right to opt-out of the sale or sharing of their personal information, strong limits on the retention of their data, and additional protections for their children’s privacy. Critically, the bill would create robust enforcement mechanisms, including a private right of action, to ensure companies do not flout the law. In
written testimony, EPIC urged committee members to further strengthen the bill to prohibit discriminatory uses of data, remove the "right to cure" provision, require data minimization, support global opt-out mechanisms, ban pay-for-privacy schemes, and provide enhanced safeguards for sensitive uses of data. EPIC had previously led a coalition of groups
urging Florida lawmakers to preserve the private right of action in the bills.
- EPIC, Coalition Urge Florida Lawmakers to Preserve Private Right of Action (Apr. 5, 2021)
EPIC and a coalition of privacy and consumer organizations today sent
letters to Florida Governor Ron DeSantis, the Florida House Commerce Committee, and Florida's Senate Rules Committee urging them to preserve private rights of action in two pending privacy bills,
SB 1734 and
HB 969. "The inclusion of a private right of action in HB 969 and SB 1734 is the most important tool the Legislature can give to Floridians to protect their privacy," the groups wrote. "The statutory damages set in privacy laws are not large in an individual case, but they can provide a powerful incentive in large cases and are necessary to ensure that privacy rights will be taken seriously and violations not tolerated. In the absence of a private right of action, there is a very real risk that companies will not comply with the law because they think it is unlikely that they would get caught or fined."
- Virginia Governor Signs Consumer Data Protection Act (Mar. 3, 2021)
Virginia Governor Ralph Northam has signed the
Virginia Consumer Data Protection Act into law. "It is good to see Virginia and other states taking action to protect the privacy of their residents. States have always played a key role in establishing privacy protections," EPIC Policy Director Caitriona Fitzgerald said. "But in 2021 we need a more comprehensive and proactive approach to privacy than what Virginia adopted. We need privacy laws in the United States that address current business practices and protect individuals from all forms of corporate surveillance, algorithmic unfairness, manipulative design, and discrimination. We need privacy laws that minimize the data collected about us and encourage innovation in privacy enhancing technologies. And we need robust enforcement of these rules to make sure that the underlying business practices actually change."
- EPIC to Maryland Legislators: Security Questions Need Upgrade (Feb. 9, 2021)
EPIC Interim Associate Director and Policy Director Caitriona Fitzgerald will
testify today before the Maryland Senate Committee on Finance in support of stronger authentication methods to protect consumers.
Senate Bill 185 requires financial institutions that choose to use security questions as an authentication method to provide customers with more than one security question option. EPIC noted that there are plenty of alternative authentication methods available today and that financial institutions truly should no longer be using basic security questions. "The requirement that your password contain one uppercase letter, one lowercase letter, one symbol, and one number is meaningless if all that is required to bypass that password is your pet’s name," EPIC told the Committee. But, EPIC said, if security questions are going to be used, institutions should ensure that multiple question options are given, and that users are permitted to answer the questions with randomly-generated password-like answers rather than factual, semantic answers.
- Tech Companies Block Washington State Privacy Law (Mar. 13, 2020)
Last minute lobbying by big tech companies blocked passage of the
Washington Privacy Act. The state privacy law would have given consumers the right to access, correct and delete their personal data held by tech firms. EPIC and a broad
coalition of privacy groups backed a comprehensive bill that would include, as
privacy laws typically do, the right of consumers to bring legal action but that was opposed by industry groups. The Washington legislature did pass a modest
bill limiting the government use of facial recognition technology. EPIC has long supported federal baseline legislation and the creation of a
data protection agency. EPIC has also called for a
moratorium on face surveillance. The
EPIC State Policy Project monitors privacy bills nationwide.
- EPIC, Coalition Recommend Changes to Pending Washington Privacy Law (Mar. 5, 2020)
EPIC along with a
coalition of groups proposed changes to the Washington Privacy Act, a bill now pending in the Washington legislature.
The Washington Privacy Act would give consumers the right to access, correct and delete personal data held by companies, and it would require companies to uphold privacy obligations, including transparency, purpose specification, data minimization, security, and nondiscrimination. But the bill lacks an effective mechanism for enforcement, permits the deployment of facial recognition, and contains many loopholes. EPIC and the coalition urged the Washington legislature to establish a private right of action, narrow the exemptions, make risk assessments publicly accessible, and remove the provisions permitting facial recognition. At the federal level, EPIC supports H.R. 4978, the Online Privacy Act, and S. 3300, to establish a US Data Protection Agency. EPIC has also called for a
moratorium on face surveillance. The
EPIC State Policy Project monitors privacy bills nationwide.
- EPIC Advises New York Senate on Privacy Legislation (Nov. 21, 2019)
EPIC has sent a
statement to the New York State Senate recommending passage of legislation modeled on
Fair Information Practices and creation of a Data Protection Agency. The NY Senate will hold a
hearing this week on
Senate Bill 5642, concerning oversight of personal data. EPIC's recent report,
Grading on a Curve: Privacy Legislation in the 116th Congress sets out the key elements of a privacy law. "A strong state privacy law would establish an independent state-level Data Protection Agency with resources, technical expertise, rulemaking authority and effective enforcement powers," EPIC told the New York Senate. EPIC's
State Policy Project tracks privacy developments at the state level.
- Pew: States Battle Big Tech Over Data Privacy Laws (Jul. 31, 2019)
The Pew Charitable Trusts
reports that of the 24 state legislatures that considered data privacy legislation in 2019, only a few have passed new laws. Last year, California passed the
California Consumer Privacy Act of 2018, the most comprehensive consumer privacy state law ever enacted in the United States. This month, New York state passed the
Stop Hacks and Improve Electronic Data Security Act, which imposes new obligations on businesses collecting personal data on New York residents. According to the National Conference on State Legislatures, more than
100 privacy bills are currently pending in the states. The
EPIC State Policy Project monitors privacy bills nationwide.
- Utah Becomes First State to Require Warrant for Data Held by Third-parties (Apr. 1, 2019)
The State of Utah has become the first state in the nation to require law enforcement to obtain a warrant to obtain electronic data held by third parties such as wireless providers, email providers, search engines, or social media companies.
House Bill 57, sponsored by State Representative Craig Hall (R), was signed by Governor Gary Herbert last week. Last year, the Supreme Court ruled in
Carpenter v. United States that the Fourth Amendment protects location records generated by mobile phones. Recognizing that other types of data were in equal need of protections, Chief Justice John Roberts, writing for the Court, said "legislation is much preferable to the development of an entirely new body of Fourth Amendment case law." Utah took that advice and passed broad protections for essentially all data held by third-parties, with exceptions in emergency circumstances. EPIC filed an
amicus brief in the Carpenter case, has recommended
updates to the Electronic Communications Privacy Act, and recently proposed a
comprehensive strategy for Congress to update federal law after the Carpenter decision.
- Idaho Enacts Law Requiring Transparency in Pre-Trial Risk Assessments (Mar. 28, 2019)
Idaho became the first state to pass
a law specifically promoting transparency, accountability, and explainability in pre-trial risk assessment tools. Pre-trial risk assessments are algorithms that help inform sentencing and bail decisions for defendants. The law prevents a trade secrecy or IP defense, requires public availability of “all documents, data, records, and information used by the builder to build or validate the pretrial risk assessment tool,” and empowers defendants to review all calculations and data that went into their risk score. The law became effective on July 1, 2019. EPIC has consistently advocated for Algorithmic Transparency and urges jurisdictions to use the Universal Guidelines for Artificial Intelligence as a guideline for AI policy.
- EPIC to Senate Committee: Privacy Rules Can Help Level Playing Field for Small Business (Mar. 26, 2019)
In advance of a
hearing on "Small Business Perspectives on a Federal Data Privacy Framework," EPIC has sent a
statement to the Senate committee on consumer protection. EPIC said that over the last two decades, an absence of privacy regulation has led to a growing concentration of internet services. "Privacy rules could help level the playing field," EPIC said. EPIC also warned against
preempting state laws, citing California's data breach legislation as an example. "A federal law that preempted California's ability to respond to new threats would have placed consumers and businesses at risk," EPIC said.
- California AG Proposes Stronger Enforcement for State Privacy Law (Feb. 28, 2019)
The attorney general of California has
unveiled legislation that would strengthen the California Consumer Privacy Act. The new
bill would enable consumers to enforce their rights in court. The proposal comes as California seeks to
implement the Consumer Privacy Act. In
testimony for the US Congress, EPIC has explained that the “most effective way to improve data security is to establish a private right of action.” At present, there are hundreds, perhaps thousands, of substantial privacy complaints pending before the Federal Trade Commission. The EPIC
State Policy Project monitors privacy bills nationwide.
- State Consumer Protection Report Highlights Privacy Cases (Feb. 12, 2019)
A recent
report by the Center for State Enforcement of Antitrust and Consumer Protection Laws highlighted major privacy actions by state attorneys general, including New York's
lawsuit against Apple for the FaceTime bug and California's
settlement with Aetna for sending letters that revealed, through an oversized clear window, that the recipient was taking HIV-related medication. Several Attorneys General, including the
DC attorney general, have sued Facebook over the Cambridge Analytica scandal. EPIC opposes federal preemption of state law, has
defended the enforcement powers of state attorneys general, and established the
EPIC State Policy Project to highlight model state privacy law.
- New Hampshire Voters Establish Constitutional Right to Informational Privacy (Nov. 8, 2018)
New Hampshire voters overwhelmingly approved a
ballot measure that guarantees a constitutional right to information privacy in the state. The measure, which received 80% of the vote, amends Article 2 in the
New Hampshire Bill of Rights providing that "an individual's right to live free from governmental intrusion in private or personal information is natural, essential, and inherent." New Hampshire joins a
growing number of states with constitutional privacy protections. EPIC Advisory Board member
David Flaherty has
written about the development of constitutional privacy protections. EPIC regularly files
amicus briefs supporting
state privacy rights. In a recent
amicus brief concerning the
OPM data breach, EPIC argued that the right to information privacy exists in the federal Constitution.
- California Bans Anonymous Bots, Regulates Internet of Things (Oct. 2, 2018)
California Governor Jerry Brown recently signed two modern privacy laws, including a first in the nation law governing the security of the
Internet of Things.
SB327 sets baseline security standards for IoT devices. EPIC recently submitted
comments to the Consumer Product Safety Commission recommending similar action. Governor Brown also signed a
bill banning anonymous bots. The law makes it illegal to use a bot, or automated account, to mislead California residents or communicate without disclosing the identity of the actual operator. EPIC President Marc Rotenberg had earlier
proposed that Asimov's Laws of Robotics be updated to require that robots reveal the basis of their decisions (
Algorithmic Transparency) and that robots reveal their actual identity.
- California Passes Milestone Privacy Law (Jun. 28, 2018)
The State of California has enacted the
California Consumer Privacy Act of 2018, the most comprehensive consumer privacy state law ever enacted in the United States. The Act will establish the right of residents of California to know what personal information about them is being collected; to know whether their information is sold or disclosed and to whom; to limit the sale of personal information to others; to access their information held by others; and to obtain equal service and price, even if they exercise their privacy rights. The Act will allow individuals to delete their data and it will establish opt-in consent for those under 16. The Consumer Privacy Act provides for enforcement by the Attorney General, a private right of action, and will establish a Consumer Privacy Fund to support the purposes of the Act. The California Consumer Privacy Act of 2018 follows a
California ballot initiative that gathered over 600,000 signatures. After the Equifax data breach, EPIC testified in the
U.S. Senate that comprehensive privacy legislation was long overdue. The EPIC
State Policy Project also provides expertise to the states to help shape strong privacy laws.
- Secret Ballot At Risk in Colorado As Governor Considers "Ballot Selfie" Bill (Mar. 16, 2017)
The Colorado General Assembly recently passed a
bill that allows "ballot selfies," threatening voter privacy. Ballot selfies allow campaigns, employers, unions, and others to verify how an individual voted. But EPIC explained in "
The Secret Ballot At Risk: Recommendations for Protecting Democracy" that the secret ballot — the inability to link particular voters to particular votes — is a cornerstone of modern democracies. The secret ballot reduces the threat of coercion, vote buying and selling, and tampering. The secret ballot allows people to vote without fear of intimidation or retaliation. EPIC has a long history of working to protect
voter privacy and
election integrity. In a 2010 Supreme Court case, EPIC
argued that disregard for voter privacy may unconstitutionally burden the right to vote.
- EPIC Urges Massachusetts High Court to Protect Email Privacy (Oct. 24, 2016)
EPIC has filed an
amicus brief in the Massachusetts Supreme Judicial Court regarding
email privacy. At issue is Google's scanning of the email of non-Gmail users. EPIC argued that this is prohibited by the Massachusetts Wiretap Act. EPIC described Google's complex scanning and analysis of private communications, concluding that it was far more invasive than the interception of telephone communications, prohibited by state law. A federal court in California recently
ruled that non-Gmail users may sue Google for violation of the state wiretap law. EPIC has filed many
amicus briefs in federal and state courts and participated in the
successful litigation of a cellphone privacy case before the Massachusetts Judicial Court. The
EPIC State Policy Project is based in Somerville, Massachusetts.
- Massachusetts Court Upholds Privacy Rights of Cell Phone Users (Sep. 28, 2016)
The Massachusetts Supreme Judicial Court
ruled today in
Commonwealth v. White that the Fourth Amendment prohibits law enforcement from seizing a cell phone based simply on an officer’s suspicion that a cell phone may be used in a crime, finding that a warrant must be obtained prior to the seizure of the phone. EPIC filed an
amicus brief in the case, arguing that "digital is different," and therefore the legal standard for warrantless searches of contraband in schools does not apply to cell phones. EPIC also explained the significance of
Riley v. California, the recent Supreme Court decision that established a warrant requirement for searches of cell phones. The
EPIC State Policy Project coordinated the EPIC amicus brief in the case.
- Secret Ballot At Risk in Maryland After Election Board Vote (Sep. 27, 2016)
The
Maryland State Board of Elections has voted to certify Maryland’s online ballot-marking system for general use, threatening voter privacy. Voters using the online ballot-marking system would receive and fill out their ballot online, risking third-party access to their vote. Previously online ballot-marking was permitted only to enable participation by voters with disabilities. EPIC, Verified Voting, and Common Cause recently released
The Secret Ballot at Risk: Recommendations for Protecting Democracy, a report highlighting the right to a secret ballot and how Internet voting threatens voter privacy. EPIC has a long history of working to protect
voter privacy and
election integrity.
- EPIC, Verified Voting, Common Cause Release Report on Ballot Secrecy (Aug. 18, 2016)
EPIC, Verified Voting, and Common Cause today released
The Secret Ballot at Risk: Recommendations for Protecting Democracy, a report highlighting the right to a secret ballot and how Internet voting threatens voter privacy. All 50 states recognize ballot secrecy as a core value. Despite this, 32 states and DC are promoting Internet voting, typically for overseas and military voters, and are asking those voters to waive their right to a secret ballot. That threatens voting freedom and election integrity. The report recommends actions voters can take to protect the secrecy of their ballot, and encourages states to do more to safeguard voter privacy. EPIC has a long history of working to protect
voter privacy and
election integrity.
- EPIC Urges Wisconsin Legislature to Safeguard Student Privacy (Aug. 17, 2016)
In
testimony for the Wisconsin legislature, EPIC urged state lawmakers to protect student privacy. EPIC's testimony: (1) explained how the U.S. Education Department weakened key safeguards for student records, (2) described the privacy risks that students today face, (3) underscored the need for data security safeguards for student information, and (4) recommended that Wisconsin adopt EPIC's Student Privacy Bill of Rights. EPIC has previously urged Congress, the Education Department, and the Federal Trade Commission to strengthen student privacy. EPIC's State Policy Project is monitoring privacy bills nationwide.
- States Adopt New Student Privacy Safeguards (Jun. 21, 2016)
Several states have recently enacted new
student privacy laws.
Colorado and
Connecticut’s laws impose strict requirements on those who collect student data. Connecticut also requires that parents are notified each time a school district enters into a contract that involves student data. North Carolina enacted a student privacy
law modeled after California's
Student Online Personal Information Protection Act. The National Association of State Boards of Education
reported that 38 states considered student privacy legislation in 2016. Ten of those states passed student privacy laws. EPIC has urged the enactment of a comprehensive
student privacy bill of rights.
EPIC's State Policy Project is monitoring privacy bills nationwide.
- Amendment Would Overturn Model Facial Recognition Privacy Law (May. 27, 2016)
The Illinois
Biometric Information Privacy Act is one of the strongest
facial recognition laws in the country. Enacted in 2008, the law prohibits the use of biometric recognition technologies without consent and provides for meaningful enforcement. But a proposed
amendment would undercut legal protections, exempting facial recognition software from the law. A pending
lawsuit against Facebook alleges that the company violates the law by amassing a database of users’ faceprints “without even informing its users — let alone obtaining their informed written consent.” EPIC has urged a
moratorium for such surveillance techniques, pending the enactment of strong privacy laws such as those in Illinois. In much of the world, facial recognition software is
illegal.
- NY Attorney General Reports 40% Increase in Data Breaches (May. 5, 2016)
New York Attorney General Eric Schneiderman announced that his office has received 459 notices of data breaches impacting New Yorkers so far in 2016, representing a 40 percent increase over the same period last year. The office expects to receive a record-setting thousand notices or more this year. "Data breaches are an escalating threat to our personal and national security, and companies need to do more to ensure reasonable security practices and best standards are in place to protect our most sensitive information," said Schneiderman. EPIC recently launched “Data Protection 2016,” a non-partisan campaign to make data protection an issue in the 2016 election.
- Privacy in the States: Data Breach Notification in TN, Drone Surveillance in OR (Apr. 15, 2016)
Tennessee has become the first state to expand
data breach notification requirements to encrypted data.
Public Chapter Number 692 requires any information holder to notify Tennessee residents of a data breach even if the data was encrypted. Information holders include anyone who conducts business in the state or state agencies that own or license personal information. The new law also requires that the notice be made within 45 days of discovering the breach.
Oregon further strengthened protections against
drone surveillance last month when Governor Kate Brown signed
HB 4066. Existing
Oregon law already provided a civil action against drone operators who fly over private property after receiving notice from the property owner. The new legislation adds a provision to the state's criminal laws which would make the recording of photos, motion picture video, or other visual recording through the use of a drone an invasion of personal privacy, which is a Class A misdemeanor. The law also requires that any public body that operates a drone establish policies for the "use, storage, accessing, sharing and retention of data" resulting from the operation of drones. EPIC's
State Policy Project monitors state privacy issues nationwide.
- EPIC to Testify before Pennsylvania Senate on Domestic Drone Surveillance (Mar. 14, 2016)
EPIC
Domestic Surveillance Project Director Jeramie Scott will testify at a
hearing before the Pennsylvania Senate Majority on
"Unmanned Aerial Vehicles." The hearing will
address the private and public sector use of drones. In a
prepared statement, EPIC’s Scott urges the Pennsylvania Senate to enact legislation to limit both law enforcement and commercial drone surveillance. EPIC states, “The increased use of drones to conduct various forms of surveillance must be accompanied by increased privacy protections.” EPIC previously sued the FAA for failing to establish federal privacy rules for
commercial drones.
EPIC v. FAA is pending before the D.C. Circuit.
- EPIC FOIA - Information about Controversial DNA Forensic Technique Released (Feb. 23, 2016)
In response to EPIC's FOIA
request, the California Department of Justice has released
records on a controversial forensic technique. The records
show that in 2014, the state agency spent more than $300,000 on STRMix, a secret technique for matching DNA. Investigators in Australia subsequently
found an error in the STRMix code that produced incorrect results in 60 criminal cases, including a high-profile murder case. STRMix
promises prosecutors the ability to "[c]arry out familial searches against a database, searching for close relatives of contributors to mixed DNA profiles" but the algorithm remains secret. EPIC is
pursuing FOIA requests on the secret DNA matching algorithms with state agencies across the U.S.
- California AG Releases 2016 Data Breach Report, Retail and Financial Sectors Most Vulnerable (Feb. 18, 2016)
A new
report from California Attorney General
Kamala Harris examines
data breaches in California from 2012 to 2015. There were 657 data breaches during the last four years, which compromised over 49 million records. The retail sector experienced the largest share of breaches at 25%, followed by the financial sector at 18%. Among several recommendations, the report recommends that organizations adopt strong encryption. "Government and the private sector have a shared responsibility to safeguard consumers from threats to their privacy, finances, and personal security," Attorney General Harris
stated. The Attorney General received a
2015 EPIC Champion of Freedom Award. EPIC recently launched
"Data Protection 2016," a non-partisan campaign to make data protection an issue in the 2016 election.
- In Court: EPIC Urges Massachusetts to Protect Student Privacy (Nov. 23, 2015)
EPIC has filed an
amicus brief in the Massachusetts Supreme Judicial Court regarding a
student privacy case. EPIC said that the police should obtain a warrant before seizing a student's cell phone. Citing a recent Supreme Court case, EPIC explained, "Modern cell phones . . . implicate privacy concerns far beyond those implicated by the search of a cigarette pack, a wallet, or a purse." In
Riley v. California, a unanimous Supreme Court held that a search of a cell phone required a warrant. EPIC previously filed an amicus brief in
Commonwealth v. Connolly, a Massachusetts case concerning GPS tracking. The
EPIC State Policy Project is based in Cambridge, Massachusetts.
- EPIC Obtains Documents on Secret DNA Forensic Source Code (Nov. 10, 2015)
In response to
EPIC's state public records requests, Virginia and Pennsylvania have both released documents about "TrueAllele," a proprietary technique used in DNA forensic analysis. Virginia released to EPIC a
validation study and
validation summary prepared by the Virginia Department of Forensic Science. Pennsylvania produced
purchase and service contracts, technical specifications, and user manuals for TrueAllele. Agencies in California, Louisiana, Pennsylvania, and Virginia have stated that they do not have access to the TrueAllele source code that they are using to produce evidence against defendants. EPIC's open government requests cited the importance of
algorithmic transparency in the criminal justice system.
- New Mexico Supreme Court Finds Warrantless Aerial Surveillance Violates Fourth Amendment (Oct. 19, 2015)
The Supreme Court of New Mexico
ruled in
State v. Davis that the Fourth Amendment prohibits the warrantless aerial surveillance of, and interference with, a person's private property. Specifically, the court found that "prolonged hovering close enough to the ground to cause interference with Davis' property transformed this surveillance from a lawful observation of an area left open to public view to an unconstitutional intrusion into Davis' expectation of privacy." EPIC filed a
friend of the court brief and presented oral argument before the Court. EPIC said that aerial surveillance threatens privacy and property interests and that surveillance in the airspace close to a home violates the Fourth Amendment. The New Mexico Supreme Court agreed. EPIC frequently files
amicus briefs on emerging privacy and civil liberties issues.
- EPIC Pursues Public Release of Secret DNA Forensic Source Code (Oct. 14, 2015)
EPIC has filed public records requests in six states to obtain the source code of "TrueAllele," a software product used in
DNA forensic analysis. According to recent
news reports, law enforcement officials use TrueAllele test results to establish guilt, but individuals accused of crimes are denied access to the source code that produces the results. A similar program used by New Zealand prosecutors was
recently found to have a coding error that provided incorrect results in 60 cases, including a high-profile murder case. EPIC has
previously urged the US Supreme Court to carefully consider the reliability of new investigative techniques and
argued a federal appeals case against DNA dragnet surveillance. Citing the importance of
algorithmic transparency in the criminal justice system, EPIC filed requests in
California,
Louisiana,
New York,
Ohio,
Pennsylvania, and
Virginia.
- California Rejects Warrantless Surveillance, Enacts "CalECPA" (Oct. 9, 2015)
California Governor Jerry Brown has signed the California Electronic Communications Privacy Act (CalECPA). CalECPA requires law enforcement to obtain a warrant before accessing digital data including metadata, location data, emails, and text messages. The warrant requirement applies to searches of electronic devices themselves and to content stored by an online service provider. In response to requests from the US Congress, EPIC has made several recommendations regarding updates to the federal ECPA. EPIC has also obtained documents from the FBI concerning Stingray surveillance technology, which is now prohibited under the California bill.
- California Enacts Innovative Privacy Protections for Drones and SmartTVs (Oct. 9, 2015)
California Governor Jerry Brown has signed laws that provide California residents with privacy protections against drones and SmartTVs. AB856 prohibits drone flight in the airspace above private property with the intent of taking photos, video, or a sound recording of a person. AB1116 prohibits the use of voice recognition on SmartTVs unless consumers are "prominently inform[ed]" during the initial setup of the TV. The new California law also prohibits the use of voice recording for advertising purposes. Earlier this year, EPIC filed a complaint to the Federal Trade Commission about Samsung's SmartTVs and recommended new consumer safeguards. EPIC has also recommended drone privacy safeguards to the US Congress, the FAA, and State courts.
- EPIC Urges Wisconsin to Protect SSNs of Job Seekers (Sep. 15, 2015)
In testimony for the Wisconsin legislature, EPIC urged state lawmakers to protect the privacy of SSNs for job seekers. EPIC expressed support for a bill that prohibits the Department of Workforce Development from requiring SSNs from those who are trying to obtain employment information from the state. EPIC explained that other states do not require SSN collection for job seekers and urged the development of a "context-dependent" identifier. EPIC has previously warned Congress about the link between SSN misuse and identity theft. EPIC's State Policy Project is monitoring privacy bills nationwide.
- In the States: California Governor Vetoes Drone Privacy Bill (Sep. 14, 2015)
Following lobbying by several tech companies, California Governor Jerry Brown has vetoed a bill that would have prohibited drone trespass over private property. Neighboring Oregon provides a civil action against drone operators who fly lower than 400 feet over private property. EPIC has testified in Congress in support of comprehensive drone privacy legislation, argued before the New Mexico Supreme Court in support of a warrant requirement for low altitude aerial surveillance, and sued the FAA for failing to establish drone privacy safeguards.
- In the States: Delaware Enacts Several Privacy Laws (Aug. 10, 2015)
Delaware has recently passed four privacy laws. Under the Delaware Online Privacy and Protection Act, websites and apps must disclose the personally identifiable information they collect and how they use this information. The Student Data Privacy Protection Act enhances student privacy protections, banning companies from selling student data or using student data for targeted advertising. The Victim Online Privacy Act protects domestic violence survivors against having certain contact information posted online. The Employee/Applicant Protection for Social Media Act bars employers from demanding access to their employees' or prospective employees' social media accounts. EPIC's State Policy Project is monitoring privacy bills nationwide.
- In the States: NH Adopts Location Privacy Law (Jul. 28, 2015)
New Hampshire has enacted a strong location privacy law that requires a judicial warrant for access to cell phone location data. New Hampshire joins several other states that protect the privacy of cell phone location records, by public law or court decision. EPIC has filed amicus curiae briefs in the U.S. Supreme Court and the Supreme Court of New Jersey arguing that location tracking by the government is a search under the Fourth Amendment and should be conducted only with a judicial warrant.
- States Adopt Privacy Laws for Student Data, Breach Notification, License Plate Readers, and Drones (Jul. 2, 2015)
Several states have recently enacted new privacy laws. New Hampshire and Oregon passed student privacy legislation modeled after California's Student Online Personal Information Protection Act. Rhode Island and Connecticut enacted new consumer privacy and data breach notification laws. A new Minnesota law limits the data police may capture using automated license plate readers and requires the deletion of all data not relevant to an investigation. And the Freedom from Unwanted Surveillance Act, a law in Florida regulating the commercial use of drones, went into force this week. EPIC's State Policy Project is monitoring privacy bills nationwide.
- EPIC Urges California Supreme Court to Protect Open Records Law (Jun. 25, 2015)
EPIC has asked the Supreme Court of California to review a lower court decision that prevented public release of information about "automated license plate readers." The lower court held that information about the system to gather license plate data on all motorists was an "investigative record." In the amicus letter EPIC stated, "as the government's ability to collect information about individuals has expanded, open record laws have become an important tool for government oversight." Documents obtained by EPIC about the FBI's use of license plate readers showed the agency failed to address the system's privacy implications.
- South Carolina Requires Police Body Cameras, But Blocks Public Access to Footage (Jun. 12, 2015)
South Carolina has become the first state to require law enforcement agencies to deploy body cameras. However, the law exempts police body camera footage from public records law, which appears contrary to the stated goal of promoting police accountability. Many states are considering similar legislation and EPIC's State Policy Project is monitoring bills nationwide. EPIC has submitted testimony to Congress and the D.C. City Council opposing the deployment of body cameras. But where body-worn cameras are deployed, EPIC recommends that the police agencies comply with open government laws.
- Florida Blocks Public Access to Police Body Camera Footage (May 27, 2015)
Florida, a state with very broad open government laws, has exempted from public records law police body camera footage that is obtained inside a private residence; inside a health care, mental health care, or social services facility; or in a place that a reasonable person would expect to be private. Many states are considering similar legislation and EPIC's State Policy Project is monitoring bills nationwide. EPIC has submitted testimony to Congress and the D.C. City Council in opposition to the deployment of body cameras. But, where body-worn cameras are deployed, EPIC recommends no exemptions from open government laws.
- California AG Urges Congress to Reform Data Breach Notification Bill (May 21, 2015)
California Attorney General Kamala Harris has admonished the House Energy and Commerce Committee about the proposed Data Security and Breach Notification Act. In a letter to Committee leadership, Harris wrote, "I urge you to recognize the important role that states play in developing innovative approaches to consumer protection, and to reject a one-size-fits all law that establishes a ceiling rather than a floor on data security and data breach notification and consumer protection." California's Constitution guarantees the right to privacy, and California passed the first ever state data breach notification law. EPIC has also warned that the House bill would preempt stronger state laws and strip the FCC of its authority to defend consumer privacy.
- New Drone Privacy Law Signed by Florida Governor (May 17, 2015)
Florida has a new law prohibiting the use of drones to intentionally record images of people on private property if a reasonable expectation of privacy exists. The law applies to law enforcement and private individuals, and provides for civil damages and injunctive relief. The law follows Florida's 2013 law requiring that police obtain a warrant to use drones to collect evidence. Many states are considering similar legislation and EPIC's State Policy Project is monitoring bills nationwide. EPIC has also testified in Congress in support of comprehensive drone privacy legislation, argued before the New Mexico Supreme Court in support of the warrant requirement, and sued the FAA for failing to establish drone privacy safeguards.
- EPIC Launches State Policy Project (May 5, 2015)
EPIC has launched the EPIC State Policy Project to track legislation across the country concerning privacy and civil liberties. The EPIC State Project will identify new developments and model legislation. The Project builds on EPIC's extensive work on emerging privacy and civil liberties issues in the states. The new State Project will focus on student privacy, drones, consumer data security, data breach notification, location privacy, genetic privacy, the right to be forgotten, and auto black boxes.
- EPIC Comments on Maryland Drone Bill (Mar. 17, 2015)
In a prepared statement for a hearing on a bill to limit drone surveillance, EPIC urged Maryland state legislators to add further privacy protections. The bill prohibits drone surveillance of "specifically targeted individuals or private property," except where a valid search warrant is obtained or explicit consent is given. EPIC recommended that the bill specifically limit police drone surveillance of First Amendment protected activities, require use and data limitations, and include additional transparency and accountability measures. EPIC previously petitioned the FAA to establish clear privacy guidelines for commercial drones and urged Congress to establish privacy safeguards to limit drone surveillance.
Resources
- EPIC: Privacy Issues A-Z
- Privacy Journal: Compilation of State and Federal Privacy Laws
- National Conference of State Legislatures (NCSL): NCSL provides research and tools for state legislatures and others interested in state-level policy on a wide range of topics, including telecommunications and information technology.
- Council of State Governments (CSG): CSG is a region-based forum that fosters the exchange of insights and ideas to help state officials shape public policy.
- National Governors Association (NGA): The NGA is the bipartisan organization of the nation’s governors.
- National Association of Attorneys General (NAAG): The NAAG is the bipartisan organization of the nation’s attorneys general.
- National League of Cities (NLC): The NLC is a resource for idea-sharing among cities nationwide.
- The United States Conference of Mayors (USCM): USCM is the official non-partisan organization of cities with populations of 30,000 or more.
- OpenStates.org: OpenStates.org, a project of the Sunlight Foundation, is a collection of tools that make it possible for citizens to track what is happening in state legislatures by aggregating information from all 50 states, Washington D.C., and Puerto Rico.
- LegiNation: LegiNation is a legislative tracking resource which provides great tools for creating bill sheets and receiving updates on tracked bills via e-mail.
- GovTrack: GovTrack now provides tracking services of state bills in addition to bills filed in Congress. It uses a combination of data from LegiNation and LegiScan, Inc., as well as some information from Open States.
- Danielle Citron, "The Privacy Policymaking of State Attorneys General" (February 2016)
Preemption
About Preemption
In the context of legislation, preemption refers to whether a law restricts the authority of states, counties, or cities to enact or enforce their own policies. Preemption is an issue of legislative power--if the federal government preempts the states on a field of law, that action effectively expands the jurisdiction of Congress to the detriment of states and local governments. Congress' power to preempt state and local laws stems from the Supremacy Clause of the U.S. Constitution.
Federal preemption can take two forms--federal floor and federal ceiling preemption. In most consumer and civil rights legislation, federal law serves as a floor of protections. This "federal floor preemption" only supersedes weaker state laws, and it allows states, counties, and local governments to pass stronger laws. Under federal floor preemption, federal law only supersedes state and local law that conflicts with or is contrary to federal law.
Historically Privacy Law Allows States to Provide Greater Protections
In privacy and consumer protection law, federal ceiling preemption is an aberration. Historically, federal privacy laws have not preempted stronger state protections or enforcement efforts. Federal consumer protection and privacy laws, as a general matter, operate as regulatory baselines and do not prevent states from enacting and enforcing stronger state statutes. The Electronic Communications Privacy Act, the Right to Financial Privacy Act, the Cable Communications Privacy Act, the Video Privacy Protection Act, the Employee Polygraph Protection Act, the Telephone Consumer Protection Act, the Driver's Privacy Protection Act, and the Gramm-Leach-Bliley Act all allow states to craft protections that exceed federal law.
Although the federal government has enacted privacy laws, most privacy legislation in the United States is enacted at the state level. Many states have privacy legislation on employment privacy (drug testing, background checks, employment records), Social Security Numbers, video rental data, credit reporting, cable television records, arrest and conviction records, student records, tax records, wiretapping, video surveillance, identity theft, library records, financial records, insurance records, privileges (relationships between individuals that entitle communications to privacy), and medical records.
The National Association of Attorneys General Privacy Subcommittee has also argued that the states have a traditional role in regulating privacy:
Consumer protection has traditionally been an area where the states' power to ensure fair competition and informed consumer choice has been preserved, not eliminated. This structure has worked well for many years and no need to alter it in the area of privacy has been demonstrated. Preemption of state law will only undermine consumer confidence in their dealings with the financial institutions, e-tailers and other on and offline businesses. This conclusion is especially powerful with respect to financial information, where Congress has already recognized the utility of privacy protections enacted at the state level.
There is a presumption in American law that state and local governments are primarily responsible for matters of health and safety. Hillsborough County v. Automated Medical Laboratories, 471 U.S. 707 (1985) (there is a "presumption that state or local regulation of matters related to health and safety is not invalidated under the Supremacy Clause"). Privacy is included in the category of health and safety issues as an area of regulation historically left to the states. For instance, in Hill v. Colorado, the Supreme Court upheld a law protecting the privacy and autonomy of individuals seeking medical care, as the law was intended to serve the "traditional exercise of the States' 'police power to protect the health and safety of their citizens.'" 530 U.S. 703 (2000).
EPIC's previous work on preemption
EPIC has previously argued against federal ceiling preemption. EPIC has testified before Congress that, particularly in the rapidly changing world of information security, the states must be given room to innovate:
"Because states enjoy a unique perspective that allows them to craft innovative programs to protect consumers, they should be permitted to continue to operate as "laboratories of democracy" in the privacy and data security arena. State legislatures are closer to their constituents and the entities they regulate; they are the first to see trends and problems, and are well-suited to address new challenges and opportunities that arise from evolving technologies and business practices. This is why privacy bills have typically created a federal baseline and allowed the states to adopt more stringent safeguards if they wish.
There is an additional reason that we believe weighs against preemption in the information security field: these problems are rapidly changing and the states need the ability to respond as new challenges emerge." (Source)
EPIC has also argued against preemption in federal court. In ABA v. Brown (formerly ABA v. Lockyer), financial services companies sued to invalidate the California Financial Information Privacy Act, the strongest financial privacy protection in the nation at the time, arguing that the law was preempted by the federal Fair Credit Reporting Act. EPIC and a coalition of groups representing 41 million individuals argued in an amicus brief that preemption of state law weakens protections against identity theft and consumer privacy. The Supreme Court ultimately upheld the California law.
Additional EPIC statements on preemption:
- EPIC's testimony on the SAFE Data Act before the U.S. House Committee on Energy and Commerce Subcommittee on Commerce, Manufacturing, and Trade. (2011)
- EPIC's testimony on Identity Theft: A Victim's Bill of Rights before the U.S. House Committee on Oversight and Government Reform, Information Policy, Census and National Archives Subcommittee. (2009)
- EPIC's comments to the FCC opposing preemption of junk fax laws. (2006)
- EPIC's comments urging the FCC not to preempt strong anti-telemarketing laws. (2005)
- EPIC's ABA v. Brown Amicus brief opposing preemption. (2004)
- EPIC comments to the Office of the Comptroller of the Currency on Rules, Policies, and Procedures for Corporate Activities; Bank Activities and Operations; Real Estate Lending and Appraisals, Docket No. 03-02. (2003)
- EPIC's testimony, Consumer Privacy Protection Act of 2002, HR 4678, before the Subcommittee on Commerce, Trade and Consumer Protection, House Committee on Energy and Commerce. (2002)
- EPIC's testimony, Hearing on Privacy in the Commercial World, before the Subcommittee on Commerce, Trade, and Consumer Protection, Committee on Energy and Commerce, U.S. House of Representatives. (2001)
Contact
If you have questions, please contact EPIC's State Policy Coordinator.