Privacy Legislation in the States

Most of the national media and industry press focus their coverage of new consumer privacy proposals on Congress — the nation’s Big Legislative Kahuna. But privacy experts inside and outside business know that new legislative rules for consumer privacy are first conceived and born in the states and often "grow up" to become federal adoptees.

States Often Set the Regulatory Agenda
Consumer protection has historically been the primary domain of state law — what constitutional lawyers call the "police power" function. In the 20th century, the role of the states as "little laboratories" of social policy legislation has been a basic dynamic of our modern federal system. This explains why state legislators feel no obligation either to await enactment of consumer privacy legislation by Congress or even to accept the "federal minimums" that may be enacted if more robust protections are seen by state legislators as good public policy — and good politics.

It is also true that, for companies operating national information systems for their consumer transactions, new privacy regulations adopted in key states — such as California, New York, Michigan or Texas — often wind up dictating policy changes for such companies nationwide.

This operation of the American federal system explains why P&AB has sifted through more than 2,000 privacy bills introduced in state legislatures annually and published an analysis of state legislative trends in our 1995 and 1996-97 Special State Consumer Privacy Issues. And, it is why we are pleased to publish this 1998 report.

An Overall Snapshot of 1998 State Actions
As before, our State report covers six main consumer privacy sectors: financial services, insurance, health care, telecommunications, direct marketing and online/Internet services. We also analyze developments affecting public records and the creation of state privacy commissions or task forces.

This year continued to see a bumper crop of state consumer privacy bills introduced and enacted. In 1998, 2,367 bills were introduced (or carried over from 1997), and 786 were enacted into law (as of November 1). This compares to 2,370 consumer privacy bills introduced in 1997 with 474 enacted.

In 1997, 34 of the 50 states passed one or more consumer privacy laws and in 1998, it was 42 of the 50 states. (See maps on page __ for details). As the box on page __ details, the largest number of consumer privacy laws enacted in 1998 focused health care, followed by online/Internet, financial services and telecommunications.

Six Trends Continued in 1998
In previous State Issues, we noted a series of major trends at work in the consumer privacy area and we find six of these carried forward strongly in 1998.

• Consumer privacy continues to be a high-visibility public issue at the local and national level, usually evoking pro-consumer privacy media coverage which makes this a highly-attractive issue for state legislators. This often makes consumer privacy a bi-partisan issue and one that can generate unusual liberal-conservative coalitions. This flows from the realities that consumer privacy legislation typically requires no new taxes, does not usually create new government agencies and empowers individual consumers to sue directly or bring complaints to state consumer protection agencies.

• As the results of several national surveys confirm, women are even more concerned about consumer privacy issues than men and more strongly support legislative action to protect consumer privacy interests in areas such as health, financial services and direct marketing. Since women, especially suburban women, are typically a swing electoral vote in state and national elections, addressing consumer privacy issues of high concern to female voters, is very smart state politics.

• Financial services and health care remain the two most active areas of state legislative initiatives. This reflects two facts: first, surveys find that financial and medical information are consistently rated the most sensitive types of consumer information and; second, virtually every American today is affected by the new ways that financial and medical information are being collected and used by businesses.

• Reflecting this outlook, state legislators register strong concern about how genetic information produced by revolutionary advances in biotechnology might be used in making insurance or employment decisions about consumers. Even though the concern is largely anticipative rather than a reaction to any significant adoption of genetic-test utilization thus far by insurers or employers, state legislators are responding to consumer apprehensions by continuing to pass either moratorium or prohibitory legislation.

• Efforts to redefine the "public-ness" of public government records grows even more intense, as state legislators attempt to preserve the American "open records" and First Amendment-based public access system but give consumers some individual choice in business access to privacy-sensitive personal records held by state government agencies.

• California continues to be the state to watch for new trends in state consumer privacy protection laws. This was true in our 1995-97 reports and operated even more strongly in 1998. In addition to creating a state privacy commission to re-examine the entire field of consumer privacy, California enacted more than a dozen important and innovative new consumer privacy laws this year, covering genetic and medical privacy, online privacy, identity fraud and access to public records. The famous early-20th-century American journalist Lincoln Steffins said that he went to the Soviet Union in the 1920’s "to see the future." Today, business privacy staffs should rent hotel rooms in Sacremento. New Trends in 1998 While these six themes represent continuations of consumer privacy legislative trends since our first State report in 1995, several new patterns emerged in 1998. Five of these deserve mentioning in this opening essay (and are further discussed in our sector reports and industry-association commentaries).

• 1998 was the year that online privacy broke into the state legislative enactments column and gives every promise of becoming an area of widening state attention in 1999-2000. State laws attempting to control spam were the opening salvo, with protections of children’s privacy and controls over harvesting online user transaction information as areas identified for debates in 1999-2000.

• 1998 saw a flurry of enacted laws authorizing digital signatures and promoting the security of online transactions. These actions were seen as both promotive of e-commerce and supportive of privacy interests.

• Strengthening confidentiality rules for pharmacy and prescription records emerged onto the state consumer privacy agenda as a new topic. This was prompted by widespread media stories about use of individual prescription records for promoting prescription regimens, monitoring drug utilization or marketing new pharmaceutical products.

• There were few telecommunications privacy laws debated or enacted in 1998, a shift from mid-1990’s trends. As a result of de-regulation and also the prime role of the Federal Communications Commission (FCC) in issuing its Customer Proprietary Network Information (CPNI) rules in 1998, state attention was limited to laws addressing suppression of Caller-ID identification by telemarketers and the "slamming" practice (changing a subscriber’s telephone carrier without permission).

• Sharing consumer profiles for marketing by affiliates of the company with which the consumer has a business relationship, received attention in 1998. While this had been focus of some bills introduced before 1998, consumer-privacy-oriented state legislators condemned the 1996 Fair Credit Reporting Act’s rules of affiliate sharing as "too permissive," and have introduced bills to require notice and at least an opt-out choice for consumers in these situations.

• A major development of 1998 was the spread of laws creating state government databases of consumers who do not want to receive telemarketing calls or direct mail. Up to this point, such "do not call" or "do not mail" lists were maintained by individual companies or industry associations (such as the DMA). The new trend is to establish such databases in state consumer protection or commerce agencies and to require businesses to obtain such lists and purge the listed consumers from their marketing files.

With these opening observations, we proceed to a sector-by-sector presentation of state legislative activities on consumer privacy in 1998 and predictions of the hot button issues for 1999-2000.