Laws Regulating PII
posted by Dave Hoffman
My co-author Sasha Romanosky asks me to post the following:
I am involved in a research project that examines state laws affecting the flow of personal information in some way. This information could relate to patients, employees, financial or retail customers, or even just individuals. And by “flow” we are interested in laws that affect the collection, use, storage, sale, sharing, disclosure, or even destruction of this information.
For example, some state laws require that companies notify you when your personal information has been hacked, while other state laws require notice if the firm plans to sell your information. In addition, laws in other states restrict the sale of personal health information; enable law enforcement to track cell phone usage without a warrant; or prohibit the collection of a customer’s zip code during a credit card purchase.
Given the huge variation among states in their information laws, we would like to ask readers of Concurring Opinions to help us collect examples of such laws. You are welcome to either post a response to this blog entry or reply to me directly at sromanos at cmu dot edu.
Thank you!
Sasha is a good guy, and a really careful researcher. Let’s help him!
September 10, 2012 at 9:58 am
Posted in: Privacy, Privacy (Consumer Privacy), Privacy (Electronic Surveillance), Privacy (ID Theft), Privacy (Law Enforcement), Privacy (Medical), Privacy (National Security)
Responses (3)
AndyK - September 10, 2012 at 10:39 am
My favorite recent example is this one: http://sd08.senate.ca.gov/news/2012-08-21-senate-sends-governor-social-media-privacy-legislation
James A.W. Shaw - September 10, 2012 at 11:18 am
From Massachusetts … see MGL c. 93H, s. 1, et seq., and the implementing regulations, 201 CMR 17.00, et seq.
http://www.malegislature.gov/Laws/GeneralLaws/PartI/TitleXV/Chapter93h
http://www.mass.gov/ocabr/docs/idtheft/201cmr1700reg.pdf
There is also a generic right to privacy statute, MGL c. 214, s 1B, which has been considered in ways arguably relevant to your question. See, e.g., Ayash v. Dana-Farber Cancer Inst., 443 Mass. 367, 384 (2005) (suggesting that disclosure of peer review information might be interpreted as violative if doctor were not a public figure); Cort v. Bristol-Myers Co., 385 Mass. 300, 306-07 (1982) (dicta: “if the questionnaire sought to obtain information in circumstances that constituted an ‘unreasonable, substantial or serious interference with his privacy’ in violation of the principles expressed in G.L. c. 214, s 1B, the discharge of an employee for failure to provide such information could contravene public policy and warrant the imposition of liability on the employer for the discharge”) http://www.malegislature.gov/Laws/GeneralLaws/PartIII/TitleI/Chapter214/Section1B
Although more limited, Mass. has a public records law (a FOIA parallel), which has some exceptions for some personal information of public employees and gun owners. See MGL c. 4, ss. 7(26)(c), 26(j), (o) and (p)
http://www.malegislature.gov/Laws/GeneralLaws/PartI/TitleI/Chapter4/Section7
Sasha - September 10, 2012 at 3:08 pm
Yes, thank you AndyK. MD already has a similar law, and I believe CA and IL are also trying to get bills passed.