Data, drones and apps: States debate privacy protections as technology speeds ahead

 

Connecting state and local government leaders

This year, states have enacted dozens of laws intended to give people greater control over who has access to their private activity and information, including where and how it is collected, stored, shared and used.

This article originally appeared in Stateline, an initiative of the Pew Charitable Trusts.

With drones flying overhead, apps tracking our every move and more personal data flowing into cyberspace every second, there is widespread concern about sensitive data and images ending up in the wrong hands.

In response, states this year enacted dozens of laws intended to give people greater control over who has access to their private activity and information and where and how it is collected, stored, shared and used.

Many of the laws enacted this year focus on shielding the massive amounts of data that the government and private businesses are collecting -- everything from a Medicaid user’s health information to information about a child’s reading level.

  • At least 11 states passed laws aimed at protecting student data.
  • At least four states passed laws restricting employers’ or colleges’ access to social media profiles.
  • At least six states passed laws further restricting how governments and companies store data or changing how they alert customers of breaches.

Many new laws are focused on restricting government’s use of electronic surveillance. Twelve states placed new restrictions on drone users this year, with two of the laws, in Oregon and Vermont, restricting law enforcement or government use.

Other new laws address recreational drone use, which is becoming more common. A new law in Kansas makes it illegal to stalk with a drone. In Arizona, Louisiana and Utah, drone operators are now restricted from flying drones near police or firefighter activity. And in Oklahoma and Tennessee operators can’t fly drones near some buildings, such as power plants.

The laws all attempt to control what Chad Marlow, advocacy and policy counsel of the American Civil Liberties Union, calls the Wild West of privacy law issues. When someone shares something privately or on social media, they have little control over where it goes, he said.

“It’s like people are in a car with an accelerator but no brake,” he said.

But the rush to protect privacy -- which has seen support among legislatures regardless of party -- has created some concerns. Companies that produce some of the new technologies, such as the makers of education software and drones, fear the restrictions will stifle innovation and commerce. Others, such as Justin Silverman, executive director of the New England First Amendment Coalition, say some of the restrictions, such as those on drones, body cameras and “revenge porn” -- nude or sexually graphic images shared without consent -- may infringe on free speech protections.

In Rhode Island every legislator but one voted this month for a revenge porn bill -- although some were not present. Revenge porn laws exist in 34 states and D.C., according to the Cyber Civil Rights Initiative, a Florida-based nonprofit advocating against online abuse. But Democratic Gov. Gina Raimondo vetoed the bill, explaining that she supported the general idea but that the bill was too vague.

“As digital technology has come to pervade every aspect of our society, opportunities to harass, humiliate and threaten others have expanded considerably,” she wrote in a memo. But the breadth and lack of clarity of the bill, she said, “may have a chilling effect on free speech.”

The conversation about privacy should not be driven by new technology but rather by conduct, said Matt Waite, a journalism professor at the University of Nebraska-Lincoln. Waite is also the founder of the college’s Drone Journalism Lab, which explores how drones can be used for reporting. States already have laws in place that prohibit someone from intruding upon a place where you have a reasonable expectation of privacy, he said.

“If a reasonable person would find it offensive, then it’s a violation,” he said. “It all goes back to egregious conduct.”

Mobile menace

The growing use of mobile phones, and the sheer quantity of data states are collecting now, has made it harder for states to protect privacy, said Amy Hille Glasscock of the National Association of State Chief Information Officers (NASCIO). States offer mobile apps now, where residents can process a Medicaid claim or use Department of Motor Vehicle services, she said.

Some states are hiring workers with the goal of protecting the information. Utah hired a state privacy officer this year, Glasscock said, adding to at least four other states with the role: Ohio, South Carolina, Washington and West Virginia.

West Virginia was one of the first to create a role for a privacy officer, in 2002. That officer, Sallie Milam, said her role at first was to help keep data safe under the Health Insurance Portability and Accountability Act, but now she and her team are safeguarding all state data and making sure employees are trained to do the same.

“It just takes one person clicking on one of those phishing links to allow someone to intrude on your system,” Milam said.

South Carolina’s privacy officer has been on the job since 2015. The state had a rude awakening in 2012, when a hacker got into the state’s systems using a phishing email attack, stealing 74.7 gigabytes of data, including about 3.8 million taxpayer records.

Nationwide, at least 12.7 million records have potentially been exposed this year as of June 14, due to 473 data breaches of both government and private systems, according to the Identity Theft Resource Center.

“We tell states, ‘It’s not if you’re going to get attacked, it’s when you’re going to get attacked,’ ” said Meredith Ward, a senior policy analyst at NASCIO.

Data breaches

Laws tend to be triggered by an event that compromises privacy, said Caitriona Fitzgerald, state policy coordinator for the Electronic Privacy Information Center, a public interest research group based in Washington, D.C. That’s why the most common laws are those that require the government and businesses to notify consumers of data breaches, “because so many people are hit by ID theft,” Fitzgerald said.

At least 25 states considered bills or resolutions related to security breaches this year, focusing on expanding the definition of personal information or increasing requirements for notification or security, according to the National Conference of State Legislatures (NCSL).

Safeguarding students

The amount of student data stored online is growing by the day, and it includes everything from financial information (for free and reduced priced lunch programs, for example) to reading levels to children’s home addresses for bus routes, said Amelia Vance, director of education data and technology for the National Association of State Boards of Education.

More school systems are hiring private companies to better manage and utilize this data. As they do, states are moving to regulate third-party use of student data. They are prohibiting the companies from using the data in certain ways, such as creating student profiles for marketing purposes.

“I think we are really at a crossroads,” Vance said. “How do we enable children to take advantage of all this new technology and data -- and also ensure that their privacy is maintained?”

At least eleven states this year -- Arizona, Colorado, Connecticut, Hawaii, Kansas, New Hampshire, North Carolina, Tennessee, Utah, Virginia and West Virginia -- enacted new student data privacy laws. Part of the push for the laws came from a campaign started by the ACLU called Take CTRL.

Colorado’s law, which is among the most restrictive, aims to create a transparent system that allows parents and students to see where and how their data is being used, said Colorado state Rep. Paul Lundeen, who sponsored the bill.

Companies should not be able to access that information and assemble it in a way that tells them who the student is, said Lundeen, a Republican. “They lose their privacy that way.”

Other, broader privacy-related issues with students are arising as well, Marlow said. Virginia passed a law that will prohibit public and private colleges from requiring a student to disclose the username or password to any social media account.

The issue of access to social media accounts is coming up outside of the classroom as well. Illinois and West Virginia passed similar laws restricting employers from requiring employees to hand over account information, and Marlow sees the issue soon arising for landlord-tenant relationships.

Disturbed by drones

Americans in rural areas are among the most avid drone users. Farmers in Kansas, for example, often use drones to check cattle and cropland, said state Rep. John Barker, a farmer who represents rural Clay County. After a recent tornado there, drones took flight to assess the damage.

State lawmakers approved a bill this year that specifies that flying a drone over or near any house, occupied vehicle or other place where one may reasonably expect to be safe from uninvited intrusion or surveillance is a form of harassment that could be considered stalking.

“We may live in the country, but we don’t live in the Stone Age,” said Barker, the Republican chairman of the House committee that considered the legislation.

Since 2013, 31 states have passed laws regulating drones, with 12 laws related to privacy protections from other residents, 21 laws imposing restrictions on law enforcement and 13 laws imposing criminal penalties on drone misuse, such as stalking, according to NCSL.

At the same time, the number of drones in use is skyrocketing, especially for personal use. As of last month, there were about 459,400 registered drones for hobbyists and about 8,400 registered drones for non-hobbyists in the United States, according to the Federal Aviation Administration’s online database. That compares to 325,000 in February, when the FAA first released the data.

The agency, which regulates the nation’s airspace, released new rules this month on where and how drones can fly. But the rules don’t touch on privacy issues.

Waite, the University of Nebraska journalism professor, said many of the state laws regulating drone use are unnecessary. If a state already has a law that allows for a reasonable expectation of privacy, which many states do, it shouldn’t matter how the privacy was violated, he said. “There are legislators that are going to look for feel-good solutions that are going to make legitimate things illegal, and they are going to infringe upon First Amendment rights.”

As technology changes, with law enforcement often getting its hands on new technology first, privacy-related bills will keep coming. Bills were proposed in at least 18 states this year that would have restricted law enforcement’s use of license plate readers. And Illinois passed a law that will restrict law enforcement’s use of stingrays, cellphone surveillance devices that can be used to collect locations and identifying information of cellphones in the area.

Marlow of the ACLU said states realize that the speed of technology advances is eclipsing the protections for the people who use the technology. And there’s no way to avoid these issues, he said.

“To say, ‘you can protect your privacy, but you have to live off the grid’ — that’s not an acceptable resting point.”

— Stateline staff writer Sarah Breitenbach contributed to this report.

NEXT STORY: Hackers turn our tools against us

X
This website uses cookies to enhance user experience and to analyze performance and traffic on our website. We also share information about your use of our site with our social media, advertising and analytics partners. Learn More / Do Not Sell My Personal Information
Accept Cookies
X
Cookie Preferences Cookie List

Do Not Sell My Personal Information

When you visit our website, we store cookies on your browser to collect information. The information collected might relate to you, your preferences or your device, and is mostly used to make the site work as you expect it to and to provide a more personalized web experience. However, you can choose not to allow certain types of cookies, which may impact your experience of the site and the services we are able to offer. Click on the different category headings to find out more and change our default settings according to your preference. You cannot opt-out of our First Party Strictly Necessary Cookies as they are deployed in order to ensure the proper functioning of our website (such as prompting the cookie banner and remembering your settings, to log into your account, to redirect you when you log out, etc.). For more information about the First and Third Party Cookies used please follow this link.

Allow All Cookies

Manage Consent Preferences

Strictly Necessary Cookies - Always Active

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Sale of Personal Data, Targeting & Social Media Cookies

Under the California Consumer Privacy Act, you have the right to opt-out of the sale of your personal information to third parties. These cookies collect information for analytics and to personalize your experience with targeted ads. You may exercise your right to opt out of the sale of personal information by using this toggle switch. If you opt out we will not be able to offer you personalised ads and will not hand over your personal information to any third parties. Additionally, you may contact our legal department for further clarification about your rights as a California consumer by using this Exercise My Rights link

If you have enabled privacy controls on your browser (such as a plugin), we have to take that as a valid request to opt-out. Therefore we would not be able to track your activity through the web. This may affect our ability to personalize ads according to your preferences.

Targeting cookies may be set through our site by our advertising partners. They may be used by those companies to build a profile of your interests and show you relevant adverts on other sites. They do not store directly personal information, but are based on uniquely identifying your browser and internet device. If you do not allow these cookies, you will experience less targeted advertising.

Social media cookies are set by a range of social media services that we have added to the site to enable you to share our content with your friends and networks. They are capable of tracking your browser across other sites and building up a profile of your interests. This may impact the content and messages you see on other websites you visit. If you do not allow these cookies you may not be able to use or see these sharing tools.

If you want to opt out of all of our lead reports and lists, please submit a privacy request at our Do Not Sell page.

Save Settings
Cookie Preferences Cookie List

Cookie List

A cookie is a small piece of data (text file) that a website – when visited by a user – asks your browser to store on your device in order to remember information about you, such as your language preference or login information. Those cookies are set by us and called first-party cookies. We also use third-party cookies – which are cookies from a domain different than the domain of the website you are visiting – for our advertising and marketing efforts. More specifically, we use cookies and other tracking technologies for the following purposes:

Strictly Necessary Cookies

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Functional Cookies

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Performance Cookies

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Sale of Personal Data

We also use cookies to personalize your experience on our websites, including by determining the most relevant content and advertisements to show you, and to monitor site traffic and performance, so that we may improve our websites and your experience. You may opt out of our use of such cookies (and the associated “sale” of your Personal Information) by using this toggle switch. You will still see some advertising, regardless of your selection. Because we do not track you across different devices, browsers and GEMG properties, your selection will take effect only on this browser, this device and this website.

Social Media Cookies

We also use cookies to personalize your experience on our websites, including by determining the most relevant content and advertisements to show you, and to monitor site traffic and performance, so that we may improve our websites and your experience. You may opt out of our use of such cookies (and the associated “sale” of your Personal Information) by using this toggle switch. You will still see some advertising, regardless of your selection. Because we do not track you across different devices, browsers and GEMG properties, your selection will take effect only on this browser, this device and this website.

Targeting Cookies

We also use cookies to personalize your experience on our websites, including by determining the most relevant content and advertisements to show you, and to monitor site traffic and performance, so that we may improve our websites and your experience. You may opt out of our use of such cookies (and the associated “sale” of your Personal Information) by using this toggle switch. You will still see some advertising, regardless of your selection. Because we do not track you across different devices, browsers and GEMG properties, your selection will take effect only on this browser, this device and this website.