Stateline Legislative Review 2016

© Peter Thomson/La Crosse Tribune via The Associated Press The police chief in West Salem, Wisconsin, flies the department’s new drone. Twelve states placed new restrictions on drone users this year.

With drones flying overhead, apps tracking our every move, and more personal data flowing into cyberspace every second, there is widespread concern about sensitive data and images ending up in the wrong hands.

In response, states this year enacted dozens of laws intended to give people greater control over who has access to their private activity and information, and where and how it is collected, stored, shared and used.

Many of the laws enacted this year focus on shielding the massive amounts of data that the government and private businesses are collecting — everything from a Medicaid user’s health information to information about a child’s reading level.

At least 11 states passed laws aimed at protecting student data.

At least four states passed laws restricting employers’ or colleges’ access to social media profiles.

At least six states passed laws further restricting how governments and companies store data or changing how they alert customers of breaches.

Many new laws are focused on restricting government’s use of electronic surveillance. Twelve states placed new restrictions on drone users this year, with two of the laws, in Oregon and Vermont, restricting law enforcement or government use.

Other new laws address recreational drone use, which is becoming more common. A new law in Kansas makes it illegal to stalk with a drone. In Arizona, Louisiana and Utah, drone operators are now restricted from flying drones near police or firefighter activity. And in Oklahoma and Tennessee operators can’t fly drones near some buildings, such as power plants.

The laws all attempt to control what Chad Marlow, advocacy and policy counsel of the American Civil Liberties Union, calls the Wild West of privacy law issues. When someone shares something privately or on social media, they have little control over where it goes, he said.

“It’s like people are in a car with an accelerator but no brake,” he said.

But the rush to protect privacy — which has seen support among legislatures regardless of party — has created some concerns. Companies that produce some of the new technologies, such as the makers of education software and drones, fear the restrictions will stifle innovation and commerce. Others, such as Justin Silverman, executive director of the New England First Amendment Coalition, say some of the restrictions, such as those on drones, body cameras and “revenge porn” — nude or sexually graphic images shared without consent — may infringe on free speech protections.

In Rhode Island every legislator but one voted this month for a revenge porn bill — although some were not present. Revenge porn laws exist in 34 states and D.C., according to the Cyber Civil Rights Initiative, a Florida-based nonprofit advocating against online abuse. But Democratic Gov. Gina Raimondo vetoed the bill, explaining that she supported the general idea but that the bill was too vague.

“As digital technology has come to pervade every aspect of our society, opportunities to harass, humiliate and threaten others have expanded considerably,” she wrote in a memo. But the breadth and lack of clarity of the bill, she said, “may have a chilling effect on free speech.”

The conversation about privacy should not be driven by new technology but rather by conduct, said Matt Waite, a journalism professor at the University of Nebraska-Lincoln. Waite is also the founder of the college’s Drone Journalism Lab, which explores how drones can be used for reporting. States already have laws in place that prohibit someone from intruding upon a place where you have a reasonable expectation of privacy, he said.

“If a reasonable person would find it offensive, then it’s a violation,” he said. “It all goes back to egregious conduct.”

Mobile Menace

The growing use of mobile phones, and the sheer quantity of data states are collecting now, has made it harder for states to protect privacy, said Amy Hille Glasscock of the National Association of State Chief Information Officers (NASCIO). States offer mobile apps now, where residents can process a Medicaid claim or use Department of Motor Vehicle services, she said.

Some states are hiring workers with the goal of protecting the information. Utah hired a state privacy officer this year, Glasscock said, adding to at least four other states with the role: Ohio, South Carolina, Washington and West Virginia.

West Virginia was one of the first to create a role for a privacy officer, in 2002. That officer, Sallie Milam, said her role at first was to help keep data safe under the Health Insurance Portability and Accountability Act but now she and her team are safeguarding all state data and making sure employees are trained to do the same.

“It just takes one person clicking on one of those phishing links to allow someone to intrude on your system,” Milam said.

South Carolina’s privacy officer has been on the job since 2015. The state had a rude awakening in 2012, when a hacker got into the state’s systems using a phishing email attack, stealing 74.7 gigabytes of data, including about 3.8 million taxpayer records.

Nationwide, at least 12.7 million records have potentially been exposed this year as of June 14, due to 473 data breaches of both government and private systems, according to the Identity Theft Resource Center.

“We tell states, ‘It’s not if you’re going to get attacked, it’s when you’re going to get attacked,’ ” said Meredith Ward, a senior policy analyst at NASCIO.

Laws tend to be triggered by an event that compromises privacy, said Caitriona Fitzgerald, state policy coordinator for the Electronic Privacy Information Center, a public interest research group based in Washington, D.C. That’s why the most common laws are those that require the government and businesses to notify consumers of data breaches, “because so many people are hit by ID theft,” Fitzgerald said.

At least 25 states considered bills or resolutions related to security breaches this year, focusing on expanding the definition of personal information or increasing requirements for notification or security, according to the National Conference of State Legislatures (NCSL).

Safeguarding Students

The amount of student data stored online is growing by the day, and includes everything from financial information (for free and reduced priced lunch programs, for example) to reading levels to children’s home addresses for bus routes, said Amelia Vance, director of education data and technology for the National Association of State Boards of Education.

More school systems are hiring private companies to better manage and utilize this data. As they do, states are moving to regulate third party use of student data. They are prohibiting the companies from using the data in certain ways, such as creating student profiles for marketing purposes.

“I think we are really at a crossroads,” Vance said. “How do we enable children to take advantage of all this new technology and data, and also ensure that their privacy is maintained?”

At least eleven states this year — Arizona, Colorado, Connecticut, Hawaii, Kansas, New Hampshire, North Carolina, Tennessee, Utah, Virginia and West Virginia — enacted new student data privacy laws. Part of the push for the laws came from a campaign started by the ACLU called Take CTRL.

Colorado’s law, which is among the most restrictive, aims to create a transparent system that allows parents and students to see where and how their data is being used, said Colorado state Rep. Paul Lundeen, who sponsored the bill.

Companies should not be able to access that information and assemble it in a way that tells them who the student is, said Lundeen, a Republican. “They lose their privacy that way.”

Other, broader privacy-related issues with students are arising as well, Marlow said. Virginia passed a law that will prohibit public and private colleges from requiring a student to disclose the username or password to any social media account.

The issue of access to social media accounts is coming up outside of the classroom as well. Illinois and West Virginia passed similar laws restricting employers from requiring employees to hand over account information, and Marlow sees the issue soon arising for landlord-tenant relationships.

Disturbed by Drones

Americans in rural areas are among the most avid drone users. Farmers in Kansas, for example, often use drones to check cattle and cropland, said state Rep. John Barker, a farmer who represents rural Clay County. After a recent tornado there, drones took flight to assess the damage.

State lawmakers approved a bill this year that specifies that flying a drone over or near any house, occupied vehicle or other place where one may reasonably expect to be safe from uninvited intrusion or surveillance is a form of harassment that could be considered stalking.

“We may live in the country, but we don’t live in the Stone Age,” said Barker, the Republican chairman of the House committee that considered the legislation.

Since 2013, 31 states have passed laws regulating drones, with 12 laws related to privacy protections from other residents, 21 laws imposing restrictions on law enforcement and 13 laws imposing criminal penalties on drone misuse, such as stalking, according to NCSL.

At the same time, the number of drones in use is skyrocketing, especially for personal use. As of last month, there were about 459,400 registered drones for hobbyists and about 8,400 registered drones for non-hobbyists in the U.S., according to the Federal Aviation Administration’s online database. That compares to 325,000 in February, when the FAA first released the data.

The agency, which regulates the nation’s airspace, released new rules this month on where and how drones can fly. But the rules don’t touch on privacy issues.

Waite, the University of Nebraska journalism professor, said many of the state laws regulating drone use are unnecessary. If a state already has a law that allows for a reasonable expectation of privacy, which many states do, it shouldn’t matter how the privacy was violated, he said. “There are legislators that are going to look for feel-good solutions that are going to make legitimate things illegal, and they are going to infringe upon First Amendment rights.”

As technology changes, with law enforcement often getting their hands on new technology first, privacy-related bills will keep coming. Bills were proposed in at least 18 states this year that would have restricted law enforcement’s use of license plate readers. And Illinois passed a law that will restrict law enforcement’s use of stingrays, cellphone surveillance devices that can be used to collect locations and identifying information of cellphones in the area.

Marlow of the ACLU says states realize that the speed of technology advances is eclipsing the protections for the people who use the technology. And there’s no way to avoid these issues, he said.

“To say, ‘you can protect your privacy, but you have to live off the grid’ — that’s not an acceptable resting point.”

— Stateline staff writer Sarah Breitenbach contributed to this report.