State privacy laws to watch

A Massachusetts court ruled this week that obtaining real-time cell phone location data requires a warrant.

Utah has passed a law that goes into effect next month that goes further. Police in Utah will need a warrant to obtain location data or to search someone’s electronic files. (Surely electronic files are the contemporary equivalent of one’s “papers” under the Fourth Amendment.)

Vermont passed the nation’s first data broker law. It requires data brokers to register with the state and to implement security measures, but as far as I have read it doesn’t put much restriction what they can do.

Texas law expands HIPAA‘s notation of a “covered entity” so that it applies to basically anyone handling PHI (protected health information).

California’s CCPA law goes into effect on January 1, 2020. In some ways it’s analogous to GDPR. It will be interesting to see what the law ultimately means in practice. It’s expected that the state legislature will amend the law, and we’ll have to wait on precedents to find out in detail what the law prohibits and allows.

Update: Nevada passed a CCPA-like law May 23, 2019 which takes effect October 1, 2019, i.e. before the CCPA.

Update: Maine passed a bill May 30, 2019 that prohibits ISPs from selling browsing data without consent.

Update: More state laws

• California Consumer Privacy Act
• California Privacy Rights Act
• Colorado Privacy Act
• Connecticut Personal Data Privacy and Online Monitoring Act
• Delaware Personal Data Privacy Act
• Indiana Consumer Data Protection Act
• Iowa Consumer Data Protection Act
• Montana Consumer Data Privacy Act
• Oregon Consumer Privacy Act
• Tennessee Information Protection Act
• Texas Data Privacy and Security Act
• Utah Consumer Privacy Act
• Virginia Consumer Data Protection Act

Related privacy posts

• Offshore PHI processing rules
• Data privacy consulting