State Laws Related to Digital Privacy (2024)

Children's Online Privacy

California

Calif. Bus. & Prof. Code §§ 22580-22582

California's Privacy Rights for California Minors in the Digital World Act, also called the "eraser" bill, permits minors to remove, or to request and obtain removal of, content or information posted on an Internet Web site, online service, online application, or mobile application. It also prohibits an operator of a Web site or online service directed to minors from marketing or advertising to minors specified products or services that minors are legally prohibited from buying. The law also prohibits marketing or advertising certain products based on personal information specific to a minor or knowingly using, disclosing, compiling, or allowing a third party to do so.

Delaware

Del. Code § 1204C

Prohibits operators of websites, online or cloud computing services, online applications, or mobile applications directed at children from marketing or advertising on its Internet service specified products or services inappropriate for children’s viewing, such as alcohol, tobacco, firearms, or p*rnography. When the marketing or advertising on an Internet service directed to children is provided by an advertising service, the operator of the Internet service is required to provide notice to the advertising service, after which time the prohibition on marketing and advertising the specified products or services applies to the advertising service directly. The law also prohibits an operator of an Internet service who has actual knowledge that a child is using the Internet service from using the child’s personally identifiable information to market or advertise the products or services to the child, and also prohibits disclosing a child’s personally identifiable information if it is known that the child’s personally identifiable information will be used for the purpose of marketing or advertising those products or services to the child.

e-Reader Privacy

Arizona

Ariz. Rev. Stat. § 41-151.22

Provides that a library or library system supported by public monies shall not allow disclosure of any record or other information, including e-books, that identifies a user of library services as requesting or obtaining specific materials or services or as otherwise using the library.

California

Cal. Govt. Code §§ 6254, 6267 and 6276.28

Protects a library patron's use records, such as written records or electronic transaction that identifies a patron's borrowing information or use of library information resources, including, but not limited to, database search records, borrowing records, class records, and any other personally identifiable uses of library resources information requests, or inquiries.

Cal. Civil Code § 1798.90

The California Reader Privacy Act protects information about the books Californians browse, read or purchase from electronic services and online booksellers, who may have access to detailed information about readers, such as specific pages browsed. Requires a search warrant, court order, or the user's affirmative consent before such a business can disclose the personal information of its users related to their use of a book, with specified exceptions, including an imminent danger of death or serious injury.

Delaware

Del. Code tit. 6, § 1206C

Protects the personal information of users of digital book services and technologies by prohibiting a commercial entity that provides a book service to the public from disclosing personal information regarding users of the book service to law enforcement entities, governmental entities, or other persons, except under specified circ*mstances. Allows immediate disclosure of a user’s book service information to law enforcement entities when there is an imminent danger of death or serious physical injury requiring disclosure of the book service information, and requires a book service provider to preserve a user’s book service information for a specified period of time when requested to do so by a law enforcement entity. Requires a book service provider to prepare and post online an annual report on its disclosures of personal information unless exempted from doing so. The Consumer Protection Unit of the Department of Justice has the authority to investigate and prosecute violations of the acts.

Missouri

Mo. Rev. Stat. §§ 182.815, 182.817

Defines "E-book" and "digital resource or material" and adds them to the items specified in the definition of "library material" that a library patron may use, borrow, or request. Provides that any third party contracted by a library that receives, transmits, maintains, or stores a library record may not release or disclose all or a portion of a library record to anyone except the person identified in the record or by a court order.

Privacy Policies and Practices for Websites or Online Services

California

Calif. Bus. & Prof. Code § 22575

Requires the operator of a commercial web site or online service to disclose in its privacy policy how it responds to a web browser 'Do Not Track' signal or similar mechanisms providing consumers with the ability to exercise choice about online tracking of their personal information across sites or services and over time. It also requires the operator to disclose whether third parties are or may be conducting such tracking on the operator’s site or service.

Calif. Bus. & Prof. Code § 22575-22578 (CalOPPA)

California's Online Privacy Protection Act requires an operator, defined as a person or entity that collects personally identifiable information from California residents through an Internet Web site or online service for commercial purposes, to post a conspicuous privacy policy on its Web site or online service (which may include mobile apps) and to comply with that policy. The law, among other things, requires that the privacy policy identify the categories of personally identifiable information that the operator collects about individual consumers who use or visit its Web site or online service and third parties with whom the operator may share the information.

Cal. Civ. Code §§ 1798.130(5), 1798.135(a)(2)(A)

Requires certain companies to disclose specified information in an online privacy policy or policies if the business has an online privacy policy or policies and in any California-specific description of consumers’ privacy rights, or if the business does not maintain those policies, on its internet website and update that information at least once every 12 months. Requires certain companies to include a description of a consumer’s rights pursuant to Section 1798.120, along with a separate link to the “Do Not Sell My Personal Information” Internet Web page in online privacy policies.

Cal. Ed. Code § 99122

Requires private nonprofit or for-profit postsecondary educational institutions to post a social media privacy policy on the institution's Internet Web site.

Connecticut

Conn. Gen. Stat. § 42-471

Requires any person who collects Social Security numbers in the course of business to create a privacy protection policy. The policy must be "publicly displayed" by posting on a web page and the policy must (1) protect the confidentiality of Social Security numbers, (2) prohibit unlawful disclosure of Social Security numbers, and (3) limit access to Social Security numbers.

Delaware

Del. Code Tit. 6 § 205C

Requires an operator of a commercial internet website, online or cloud computing service, online application, or mobile application that collects personally identifiable information through the Internet about individual users residing in Delaware who use or visit the operator's commercial internet website, online or cloud computing service, online application, or mobile application to make its privacy policy conspicuously available on its internet website, online or cloud computing service, online application, or mobile application. An operator shall be in violation of this subsection only if the operator fails to make its privacy policy conspicuously available within 30 days after being notified of noncompliance. Specifies requirements for the policy.

Nevada

NRS § 603A.340

Requires operators of Internet websites or online services that collect personally identifiable information to identify the categories of information collected through its Internet website or online service about consumers who use or visit the site or service and the categories of third parties with whom the operator may share such information. Provides a description of the process, if any such process exists, for an individual consumer who uses or visits the Internet website or online service to review and request changes to any of his or her information that is collected through the Internet website or online service.

Oregon

ORS § 646.607

Makes it an unlawful trade practice if a person publishes on a website related to the person’s business, or in a consumer agreement related to a consumer transaction, a statement or representation of fact in which the person asserts that the person, in a particular manner or for particular purposes, will use, disclose, collect, maintain, delete or dispose of information that the person requests, requires or receives from a consumer and the person uses, discloses, collects, maintains, deletes or disposes of the information in a manner that is materially inconsistent with the person’s statement or representation.