Laws Regulating PII

My co-author Sasha Romanosky asks me to post the following:

I am involved in a research project that examines state laws affecting the flow of personal information in some way. This information could relate to patients, employees, financial or retail customers, or even just individuals. And by “flow” we are interested in laws that affect the collection, use, storage, sale, sharing, disclosure, or even destruction of this information.

For example, some state laws require that companies notify you when your personal information has been hacked, while other state laws require notice if the firm plans to sell your information. In addition, laws in other states restrict the sale of personal health information; enable law enforcement to track cell phone usage without a warrant; or prohibit the collection of a customer’s zip code during a credit card purchase.

Given the huge variation among states in their information laws, we would like to ask readers of Concurring Opinions to help us collect examples of such laws. You are welcome to either post a response to this blog entry or reply to me directly at sromanos at cmu dot edu.

Thank you!

Sasha is a good guy, and a really careful researcher. Let’s help him!

3 Responses

  1. From Massachusetts … see MGL c. 93H, s. 1, et seq., and the implementing regulations, 201 CMR 17.00, et seq.

    There is also a generic right to privacy statute, MGL c. 214, s 1B, which has been considered in ways arguably relevant to your question. See, e.g., Ayash v. Dana-Farber Cancer Inst., 443 Mass. 367, 384 (2005) (suggesting that disclosure of peer review information might be interpreted as violative if doctor were not a public figure); Cort v. Bristol-Myers Co., 385 Mass. 300, 306-07 (1982) (dicta: “if the questionnaire sought to obtain information in circumstances that constituted an ‘unreasonable, substantial or serious interference with his privacy’ in violation of the principles expressed in G.L. c. 214, s 1B, the discharge of an employee for failure to provide such information could contravene public policy and warrant the imposition of liability on the employer for the discharge”)

    Although more limited, Mass. has a public records law (a FOIA parallel), which has some exceptions for some personal information of public employees and gun owners. See MGL c. 4, ss. 7(26)(c), 26(j), (o) and (p)

  2. Sasha says:

    Yes, thank you AndyK. MD already has a similar law, and I believe CA and IL are also trying to get bills passed.