Salem Press


Privacy Rights in the Digital Age

Privacy laws, state

by Tomasz Kolodziej

Privacy protections emanating from state constitutions, civil codes, and case law. All states recognize an implied right to privacy under their constitutions, and the constitutions of Alaska, Arizona, Illinois, Louisiana, South Carolina, and Washington expressly recognize a right of privacy.

State privacy law in the United States originated in a seminal article by Samuel D. Warren and Louis D. Brandeis, “The Right to Privacy,” written in 1890. Brandeis and Warren articulated the foundations and limitations for the common law right of privacy. During the late 1890s and early 1900s, several states issued decisions that ultimately led to recognition of a tort-based claim arising from the publication of private information. In Pavesich v. New England Life Insurance Co., 50 S.E. 68 (GA, 1905), the Georgia Supreme Court recognized that “a violation of a right of privacy is a direct invasion of a legal right of the individual” and established invasion of privacy as a tort, leading the way for other states to follow. In New York, in Roberson v. Rochester Folding Box, 64 N.E. 442 (N.Y. Ct. App. 1902), the New York Court of Appeals found that the right of privacy had not yet been established and that doing so would be contrary to the settled legal principles; however, public uproar against this decision led the New York legislature to pass the first statutory protections of privacy in sections 50 and 51 of its civil rights law.

Another seminal work on privacy rights was a 1960 article by William Prosser in which he analyzed more than 300 tort cases that had been decided since the 1890s. Prosser identified four rights of protected interests: intrusion upon plaintiff's seclusion, public disclosure of embarrassing facts about an individual, publicity that unreasonably places one in a false light before the public, and appropriation of an individual's likeness or name. Following the publication of Prosser's article, these rights were recognized in the American Law Institute's Restatement of the Law, Second, Torts 2d (1963–1977) and found their way into numerous state laws.

On the constitutional level, three of the most significant decisions that led to the establishment of the right of privacy were Katz v. United States, 389 U.S. 347 (1967), which established the right of privacy in the context of search and seizure protections in the Fourth Amendment; Griswold v. Connecticut, 381 U.S. 479 (1965), in which the majority of the Supreme Court found the right of privacy in various constitutional protections of the Fifth, Ninth, and Fourteenth Amendments; and Roe v. Wade, 410 U.S. 113 (1973), in which the Supreme Court strongly reaffirmed the existence of the constitutional right of privacy.

These cases expanded the right of privacy from a traditional idea of privacy in one's home to a substantive right of privacy grounded in the U.S. Constitution. Several states in the late 1960s and the 1970s included the right of privacy in their constitutions.

The federal case law has allowed for the possibility that states would provide for more stringent privacy protections than the federal government.

Since it added the right to privacy to its constitution in 1972, California has been the trendsetter for privacy protections on the state level. Many California laws became models for other states' laws. In 2002 California passed the first data breach notification law in the United States, which required businesses to notify individuals whose personal information was subject to an unauthorized breach (CA SB 1386 (2002)).

Since then, forty-seven states have adopted data breach notification laws that are widely based on the California standards. They require notifying affected individuals without undue delay if it is believed that their personal information has been accessed without proper authorization and when this breach likely would compromise the confidentiality of the personal information. These basic standards were also incorporated into the federal data breach notification law.

Following the California example, most of these laws define “personal information” as a resident's first name or initial and a last name, with one or more of the following elements: a Social Security number; a driver's license or state identification card number; or an account number, credit card number or debit card number, with security code, access code, or password.

California has protected Social Security numbers since 2001, when the state legislature enacted section 1798.85 of the California Civil Code. This provision imposed significant restrictions on the commercial use of Social Security numbers. Except for specified exemptions, California law prohibits businesses from publicly displaying Social Security numbers on the documents they send. For example, state law provides that customers may only send Social Security numbers over the Internet using a secured connection, prohibits Social Security numbers from being used to log onto websites, and forbids businesses to print Social Security numbers on any mail they send to customers. Most states have adopted the California model, with some providing for broader exemptions. Michigan has enacted some of the most stringent standards protecting Social Security numbers in the United States. That state limits not only the entire Social Security number but also the last four digits of the number.

In 2003 California enacted its Online Privacy Protection Act, Cal. Bus. & Prof. Code §§ 22575–22579 (2004), which stipulated that all commercial websites that collect personal information on California residents must post a conspicuous online privacy policy that clearly identifies the type of personal information a website collects and with whom the website operator may share this information. While other states have enacted confidentiality requirements on Internet service providers, California is the only state that requires all website operators to publish and comply with privacy policies.

Another innovative California privacy law was the Shine the Light law, Cal. Civ. Code 1798.83 (2015). This was one of the first laws on the issue of information sharing and marketing. The act requires businesses to disclose to their customers, upon request and without charge, a list of types of personal information that the business shared with other businesses in the prior calendar year for marketing purposes and the names and addresses of the businesses to whom such information was provided. The law also has a notification requirement that obliges businesses to notify their customers of their privacy rights. This law applies to all businesses that operate in California, have more than twenty employees, and shared personal information about their customers with other businesses for marketing purposes.

California has also been a leader in protecting patient medical records. It enacted its Confidentiality of Medical Information Act in 1980 (Cal. Civ. Code 56–56.07 (2015)).

In 1996 Congress enacted the Health Insurance Portability and Accountability Act (HIPAA), 110 Stat. 1936, which preempts state laws that are less stringent than HIPAA. California law differs from HIPAA because it has provisions that apply directly to pharmaceutical companies. It requires companies, in their capacity as employers, to formulate procedures to protect the confidentiality of their employees' medical records. It also provides for a private right of action for individuals to recover damages if their medical records are breached. California law also goes beyond the federal Genetic Information Nondiscrimination Act of 2008, 122 Stat. 881, in protecting genetic information of California residents. Texas is another state with a more expansive health privacy law than HIPAA. The definition of “covered entity” in the Texas Medical Privacy Act, S.B.11 (2001), goes far beyond that in the federal statute.

The California Consumer Protection Against Computer Spyware Act, Cal. Bus. & Prof. Code §§ 22947 et seq. (2004) prohibits unauthorized individuals from willfully loading spyware onto computers of California residents and using spyware to collect personal information, manipulate computer software, or take control of computers belonging to California residents. This law also served as a model for anti-spyware laws in various other states. Some of these states expanded the reach of their anti-spyware legislation by providing enforcement provisions, which the California law lacks.

The California Financial Information Protection Act of 1990 (Cal. Fin. Code § 4050, et seq.) amended the Song-Beverly Credit Card Act of 1971 (Civil Code § 1747–1748.95). It serves as a model for protecting personal information in credit card transactions. It prohibits retailers from obtaining personal identification information as part of credit card transactions.

California is a trendsetter in various aspects of state privacy legislation, and the California Supreme Court, in Hill v. National Collegiate Athletic Association, 865 P.2d 633 (Cal. 1994) at 35–37, established an “invasion of privacy” standard that has served as a model for those states that recognize the invasion of privacy tort. In its decision, the court created a test for causes of action in invasion of privacy cases. This test contains three elements: identification of a specific privacy interest; reasonable expectation of privacy on the part of the plaintiff; and causes for action on “invasions of privacy must be sufficiently serious in their nature, scope, and actual or potential impact to constitute an egregious breach of the social norms underlying the privacy right” (865 P.2d 633 Cal. (1994)).

Further Reading

1. Cooper, Scott P., and Kristen J. Mathews. “State Privacy Laws,” in Proskauer on Privacy, ed. Christopher Wolf. New York: Practicing Law Institute, 2006–.

2. Hadjipetrova, Ganka, and Hannah G. Poteat. “States Are Coming to the Fore of Privacy in the Digital Era.” Landslide 6, no. 6 (July/August 2014).

3. Prosser, William Lloyd. “Privacy.” California Law Review 48, no. 3 (1960): 383–423.

4. Sotto, Lisa J. “Privacy and Data Security.” Privacy and Data Security Law Deskbook. Frederick, MD: Aspen, 2010–.

5. Spears, Victoria Prussen. “The Case That Started It All: Roberson v. The Rochester Folding Box Company.” Privacy & Data Security Law Journal 3 (November 2008): 1048.

6. Warren, Samuel D., and Louis D. Brandeis. “The Right to Privacy.” Harvard Law Review 4, no. 5 (1890): 193–220.

Citation Types

MLA 9th
Kolodziej, Tomasz. "Privacy Laws, State." Privacy Rights in the Digital Age, edited by Christopher T. Anglim & JD, Salem Press, 2016. Salem Online, online.salempress.com/articleDetails.do?articleName=PRDA_0168.