This 1999 country report on the status of privacy throughout the 50 states of the US was prepared for the Second Asia Pacific Forum on Privacy and Data Protection, held in the Hong Kong SAR, China, on September 12, 1999.

Introduction

The 50 states have dealt with the issues of privacy as they pertain to both the government and private sectors on a piecemeal basis. For example, many states have made wiretapping and other forms of eavesdropping illegal unless exempted for law enforcement purposes. Many states also statutorily provide their citizens with a right of publicity, meaning their photograph or other likeness cannot be used in a commercial way without consent. There are also state laws prohibiting specific types of businesses, from bookkeeping to video rental services, from disclosing records that contain personal information without express written consent. However, no states protect privacy through a comprehensive scheme with regard to collecting and use of personal information about individuals.

Efforts toward omnibus privacy laws

The four states that are actively attempting to enact omnibus privacy legislation all have or have recently had separate governmental offices dedicated to overseeing freedom of information laws. Governmental offices of this type in the US seem to be taking the initiative in seeking the best balance between individual privacy rights and information exchange in this era of rapid technological advancement. Similarly, government regulators in the privacy area may see a trend toward melding privacy with the freedom of information jurisdiction, as may be the case in England.

Hawaii

In January 1999, the Hawaii Legislature considered House Bill 1232 and Senate Bill 991, companion Bills that would have created the Hawaii Information Privacy Act. The Bills were intended to effect an individual’s right to privacy under the Hawaii Constitution, while providing for the reasonable exchange of information with adequate safeguards to assure its appropriate use. The Bills would have:

established certain principles and limitations on the collection of personal data by private sector enterprises;
assured individuals the right of advance consent to the collection and dissemination of personal information;
required private enterprises collecting personal data to inform the person of the purpose of the collection, who will have access to the data, where the data will be kept, and the individual’s right of access and ability to correct the information;
required every private enterprise that collects, uses, or disseminates personal data to establish reasonable safeguards to ensure its confidentiality and protect it from loss, theft, and misuse;
prohibited dissemination of personal data to third parties unless authorised by law, or consented to by the individual. If consent is given by the individual, the third party must have provided the same level of protection as the enterprise which obtained the information originally; and
provided for civil and criminal penalties for knowing violations of the Act.

Although the Bills enjoyed the general support of local and international privacy advocates, concerns were voiced, mainly by business interests, that caused both Bills to be held in committee.

However, the Legislature did pass House Concurrent Resolution 196, which requests the State Office of Information Practices (OIP) to co-ordinate a comprehensive study involving government agencies and concerned private businesses and individuals. The study will examine ways in which personal information is currently used, what protections are desirable, and proposals which address the concerns of consumers, law enforcement and businesses. The OIP is to submit a report, including proposed legislation, to the Legislature prior to the January 2000 session.

Massachusetts

Massachusetts House Bill 4483 was introduced, on behalf of Governor Paul Cellucci, by Lieutenant Governor Jane Swift on 23 June 1999 and is currently being heard in various House committees. The Bill amends existing laws. Among other things, this Bill would:

prohibit collection and dissemination of information that could be used to identify children without their parents’ express consent, and give parents the right to review all information about their children contained in an information broker’s files and find out who has received that information;
require firms that collect and sell personal information for marketing or other purposes to notify consumers when profiles about them are distributed, allow consumers access to those profiles, and add a new civil penalty of $1000 per violation;
allow consumers to require credit reporting agencies to block information placed in their files by an identity thief, and allow consumers to block access to their credit report until they can resolve the problems the theft has created;
allow consumers to require information brokers to delete non-public record information from their files and to place themselves on ‘opt-out’ lists maintained by the Secretary of State to prevent future collection of non-public information;
prohibit the sale or lease of information about consumers by any retailer or credit card issuer without the consumer’s express consent (this ‘opt-in’ provision would place the burden of taking action on the retailer or card issuer that wishes to sell the information); and
regulate the use of biometric identifier information (for example, so that it cannot be collected without notice to and the consent of the person giving the information, or be sold or leased without further notice and consent). This would require entities that collect biometric identifiers to use them only for identification purposes, and to employ reasonable security measures to guard against unauthorised access. It would also prohibit the use of DNA as an identifier, except as provided (for the purposes of law enforcement and so on).

The Bill would exempt law enforcement from most of its provisions.

Significantly, the Bill creates an arbitration board for resolving disputes between consumers, credit bureaus and ‘individual reference service providers’ and requires the Office of Consumer Affairs and Business Regulation to promulgate rules and regulations to implement many of its provisions.

Perhaps most interestingly, the Bill creates a special commission to conduct an investigation and make a recommendation on the feasibility, ramifications, benefits and disadvantages of creating a property interest in personal information. The commission is to consider whether changes are desirable in the present laws, regulations, and practices governing property rights in order to better protect the personal information of the residents of Massachusetts.

California

California Senate Bill 129 was introduced by State Senator Steven Peace on 22 December 1998, and is currently in the Assembly Committee on Approp-riations. As introduced, this Bill would impose restrictions on the collection and disclosure of personal information by governmental, business, or not-for-profit organisations, superceding existing laws to the extent they conflict. The Bill would:

allow organisations to collect personal information about an individual only with consent, require them to give individuals an opportunity to choose whether and how personal information they provide will be used, and provide clear, conspicuous, readily available and affordable mechanisms to exercise this option;
require organisations to inform individuals of the purpose for which the information is being collected and the types of organisations to which it may be disclosed, to take reasonable measures to ensure reliability of the information and protect it from loss, misuse, or unauthorised access, and to allow individuals reasonable access to information about themselves and permit them to correct inaccurate information;
require of any third party the same level of privacy protection as that given by the initial gatherer of information;
authorise organisations to keep only personal data that is relevant to the purpose for which it was gathered;
allow for sharing of personal information with law enforcement agencies pursuant to a search warrant or subpoena;
make violations of the Bill a misdemeanor (up to $5000 per violation), and prescribe civil penalties (injunctive relief, attorney fees, up to $5000 per violation, and other civil penalties provided by law); and
require the Ombudsman to track information relating to privacy complaints, submit annual reports to the legislature, and assist individuals with privacy complaints regarding a state governmental agency.

The Bill was amended in committee and is now currently weaker than described above. However, Senator Peace and other supporters of the Bill hope to bring back most of the original language as the legislative process plays out.

Texas

Texas House Bill 611 was introduced by State Representative Kyle Janek on 16 February 1999, and was left pending in the House Committee on Business and Industry. To protect certain personal information provided by a customer to a business, this Bill would have:

provided that a business may not disclose personal information if the customer requests that the business keep the information confidential, and that a customer may request confidentiality by using an approved form or any other written request, and rescind a request for confidentiality by providing the business with written permission to disclose personal information;
required businesses to include with any bill sent or application provided to a customer a notice of the customer’s right to request confidentiality of personal information and a form by which the customer may request confidentiality by marking an appropriate box on the form and returning it to the business;
not prohibited a business from disclosing personal information in a customer’s account records to the state or federal government, a consumer reporting agency, a person for whom the customer has contractually waived confidentiality for personal information, or a person to whom the disclosure of the information is required by law;
provided that a consumer reporting agency may not disclose confidential personal information under this subchapter for a purpose unrelated to the furnishing of a consumer report to a third party unless disclosure of the information is made as described above; and
made the disclosure of confidential personal information in violation of the subchapter a Class B misdemeanor.

An interim committee, chaired by Representative Janek, has been assigned to study privacy issues, including the effects privacy legislation would have on sharing of information between affiliates of large corporations. The interim committee is to work with all interested parties and attempt to reach a consensus on what type of privacy protections are reasonable. The committee will begin work in January 2000, and Representative Janek hopes that new privacy legislation will be introduced at the next session in January 2001.

Sector legislation

Medical records

Other than Hawaii, Rhode Island, and Wisconsin, there are no states which have a comprehensive statute dealing with medical records privacy. Many states have many laws in the area, but they deal with the issue on a piecemeal basis. For example, they may have a statute that makes HIV information private, another that deals with immunisation records, and another general law requiring maintenance of confidentiality of medical records by physicians. Some of the most notable statutes are discussed below.

Hawaii

In 1998 the Office of Information Practices (OIP) was asked to facilitate a group of representatives from the health industry, which included both private sector and government members. The goal of the task force was to reach consensus on contentious issues and to draft comprehensive legislation to protect medical records. Both goals were accomplished and House Bill 351 was introduced in the 1999 legislative session. After intense discussions by members of the public in committee hearings, the legislature passed out a compromise Bill and on 23 June 1999, the Bill was signed into law as Act 87. The Act will go into effect on 1 July 2000. The law:

gives patient-consumers rights of access to their information, including a right to append information to the medical record;
creates a zone in which medical record information can flow freely under limited circumstances (for treatment, payment and certain qualified health care operations);
requires clear consent for use of medical record information beyond this zone;
creates very strong sanctions for violations of the law, including jail sentences;
requires that patient-consumers be educated of their rights through an annual notice provision;
prohibits use of medical record information for research unless there is a clear plan of confidentiality which is acceptable to the IRB;
allows for restricted use of information for other public policy purposes (such as for emergencies, public health purposes, litigation or other law enforcement purposes, and health oversight);
provides remedies, currently limited to criminal and civil actions taken by the patient-consumer; and
gives the OIP rule-making authority over the private sector records.

Rhode Island: Confidentiality of Health Care Communications and Information Act

Rhode Island General Laws Chapter 5-37.3 provides that a patient’s confidential health information shall not be released or transferred without the written consent of the patient. The law exempts transfers of information by some parties in certain instances, including law enforcement and public health authorities. It also exempts transfers to ‘qualified personnel’ for the purpose of conducting research, management or financial audits, insurance underwriting, or similar studies, provided that no individual patient can be identified directly or indirectly in any report of the research or evaluation. The law also provides that anyone who knowingly violates its provisions and is convicted shall be fined up to $1000 and imprisoned for up to six months.

Wisconsin

Wisconsin Statutes Chapter 146 provides that patient health care records may be released only to persons designated in the statute or to other persons with the informed consent of the patient or of a person authorised by the patient. Those permitted to receive records without the consent of the patient include law enforcement authorities, certain governmental agencies for statistical and public health purposes, and to researchers affiliated with a health care provider, provided the final product of the research will not reveal information that may serve to identify the patient whose records are being released without the informed consent of the patient. The law also provides for civil damages and criminal penalties up to $1000 fine or six months imprisonment or both.

New Hampshire

New Hampshire Revised Statutes Title 30 Chapter 332I:1 prohibits patient-identifiable medical information from being released for sales or marketing purposes without written authorisation.

Idaho: Patient Freedom of Information Act

The Idaho Code Title 54 Chapter 45 allows patients to make more informed health care decisions when selecting a provider by requiring patient access to provider profile information.

California

In addition to these existing statutes, California’s State Senate has passed a medical privacy Bill — Senate Bill 19, introduced by Senator Liz Figueroa — intended to prevent health care plans and their contractors from disclosing medical records without patient permission. Most of the debate was in favor of the Bill, but critics argued that fines for violations are too large.

Identity theft

The increasing incidence of identity theft crime has spurred several states to enact laws that specifically address the problem. Typically, these laws make it a misdemeanor or a felony for a person to willfully misappropriate and use personal identifying information of another to obtain or attempt to obtain credit, goods, services, or other information. Among the states that have enacted such laws are California, Georgia, Mississippi, West Virginia and Wisconsin.

Miscellaneous privacy provisions

Hawaii’s Uniform Information Practices Act (UIPA) provides a balancing mechanism to determine when the public’s interest overrides a person’s privacy interest in information held by government. In addition, the UIPA applies fair information practices to government records, giving the OIP authority over all government records except for the non-administrative records of the judiciary.

A Virginia law prohibits a merchant, without giving notice to the purchaser, from selling to any third person information which concerns the purchaser and which is gathered in conjunction with the sale, rental or exchange of tangible personal property to the purchaser. A recent amendment to the same chapter prohibits electronic mail or message service providers from selling or otherwise releasing the names or email addresses of any subscriber without prior consent. The chapter makes violators liable for damages in the amount of $100 to the person whose information was released, as well as reasonable attorney fees and costs; Va Code Ann §§ 59.1-442, 59.1-442.1 and 59.1-444.

The California and Wisconsin legislatures are considering measures that would prohibit their departments of motor vehicles from selling photos or physical descriptions of drivers to vendors without consent. This follows an incident in which one state sold thousands of drivers licence photos to a private company for use in a fraud deterrent database that would have been available to retailers to verify the identity of customers.

Many states, including California and Washington, have statutes requiring that marketing businesses provide a way for consumers to opt-out of their inclusion on mailing lists and similar mass marketing databases.

Moya T Davenport Gray, is Director, and John E. Cole, Staff Attorney, in the OIP of the State of Hawaii.

Statutes

Hawaii Sess Laws 87;
Rhode Island Gen Laws § 5-37.3-1 et seq;
Wisconsin Stat § 146-82;
New Hampshire Rev Stat § 30-32I:1;
Idaho Code § 54-4501 et seq; and
Virginia Code Ann §§59.1-442 et seq.

AustLII: Copyright Policy | Disclaimers | Privacy Policy | Feedback
URL: http://www.austlii.edu.au/au/journals/PrivLawPRpr/1999/51.html