US data privacy: “stark imbalance” of protection across States

When it comes to data privacy protection, the US isn’t exactly a super power. The American Data Privacy and Protection Act (ADPPA) could be the first comprehensive federal privacy legislation that citizens, experts, and digital rights activists have been calling for. Unfortunately, the Act is under review and nowhere near to be implemented anytime soon.

Americans enjoy vastly different privacy protections based on where they live. This creates opportunities for data breaches and unscrupulous companies to exploit customers’ most personal and confidential information. Especially now, one year after Roe vs Wade fell, people in the US need to know how protect the privacy of their digital lives.   

That’s why Private Internet Access (PIA), one of the best VPN services out there, decided to look closely at how digital privacy legislations compare around the country. They found that there is a “stark imbalance” of protection between States. Let’s dig into the results.

Digital privacy protections: regulation across the US compared

“In an increasingly digital era where so much information about our lives is now online, it is vital that all states recognize the importance of digital privacy for their citizens,” said Charlotte Scott, Digital Rights Advocate at PIA.

Scott and the team believe that comparing the level of protection across US States could push lawmakers to act quicker. In the 2nd annual report, researchers looked closely at all the privacy-related laws already passed (privacy, data security, data broker, companies’ data collection policies and children’s privacy) as well as investments to strengthen the cybersecurity sector at large for each of the 50 US States. 

Unsurprisingly, California secured its spot as the best State for privacy protection legislations and substantial investments in digital privacy and cybersecurity. It was, in fact, the first State to implement a comprehensive privacy law—the California Consumer Privacy Act (CCPA)—in 2020. 

The CCPA was then strengthened by the California Privacy Rights Act (CPRA), which came into effect in January 2023, by adding more obligations for businesses to protect consumers’ rights. People in California also benefit from the protection of further legislations that regulates data handling, mandatory notifications in the event of breaches, marketing-related issues, and more.

Image 1 of 2

PIA's ranking of US states according the digital privacy protection in place

Utah’s ranking is expected to improve once the Consumer Privacy Act (UCPA) takes effect from December 31 2023. The Texas Data Privacy and Security Act will take effect in July 2024, too, improving Texas’s position in the rankings. (Image credit: Private Internet Access)
Image 2 of 2

PIA's boxout about California privacy law

(Image credit: Private Internet Access)

Connecticut, Colorado and Virginia follow suit thanks to their clear data-sharing policies, proactive approach to data breaches and investment in digital security.

Scott also praised Massachusetts’ proposal to ban buying and selling of location data as a positive step forward for better digital privacy in the State. At the moment, the burden is on users to prevent location sharing using tools such a virtual private network (VPN) when browsing and disabling location data collection from apps that don’t need this information to function.

She said: “Better regulation, such as [Massachusetts’] Location Shield Act, to limit the buying and selling of location data is much needed.”

At the bottom of the rankings with the worst privacy protection in all the US are Arkansas, Mississippi, and Louisiana. Researchers observed a lack of progress in enacting new laws to protect citizen data and privacy.

The situation here gets even worse considering that these States have also enforced measures that further curb people’s digital privacy rights, such as mandatory age verification for access to adult content online. Other concerning proposed laws include the TikTok ban In Montana, which, once enforced, will also affect citizens’ freedom of speech.

According to PIA experts, “these ill-conceived measures expose citizens to extensive data collection and heightened privacy risks.”

“Pressing need” for comprehensive online privacy protection across the US

Overall, PIA’s report found relevant and concerning gaps in privacy safeguards across the US, underscoring a “pressing need” for a federal comprehensive privacy law.

According to Scott, the ADPPA could be a critical step for addressing this urgent need and establishing a “brighter digital future, one where privacy is respected and individuals can trust in the security of their digital lives in the United States,” she said.

In an ideal world, we would see a pathway to all States having the level of protection offered by the California Consumer Privacy Act.

Charlotte Scott, Private Internet Access

Yet, as often happens in these cases, the ADPPA is anything but perfect. 

So-called pre-emption principle is a concern as imposing a federal law could undermine more comprehensive privacy protection already in place like those in California or Colorado.

“Given the stark imbalance of digital privacy regulation across the US, we would encourage lawmakers to find a way to move forward with the bill that doesn’t take away from the larger protections already in place in some States,” Scott told TechRadar. 

“In an ideal world, we would see a pathway to all States having the level of protection offered by the California Consumer Privacy Act.”

With the ADPPA still passing through Congress, what’s certain now is that Americans living in the States are lagging behind when it comes to digital protections and must take the matter into their own hands to secure their privacy online—hopefully not for too long, though.