Privacy Journal

CURRENT AS OF 2007:
California ranks highest in protecting its citizens against invasions of privacy, according to a ranking issued by Privacy Journal, the nation’s leading publication on privacy.

California finished at the top because its legislature passed a raft of new protections in the last two years; also, its courts and its constitution provide the strongest privacy protection in the nation.

In 1999, when the Providence, R.I.-based monthly newsletter announced its first ranking of the states, California and Minnesota tied for first. In 2002, after Privacy Journal considered laws and practices since 1999, California finished first and Minnesota finished second, both with numerical rankings 33 percent higher than the next ranked state. This updated ranking in 2007 is the latest.

The top ten states, according to the Providence R.I.-based monthly newsletter, are, in alphabetical order: California, Connecticut, Florida, Hawaii, Illinois, Massachusetts, Minnesota, New York, Washington, and Wisconsin. There was little change among the top ten states from Privacy Journal’s original ranking of the states, in 1999. California and Minnesota tied in 1999. California, Minnesota, and Hawaii – alone among the states – have state offices assigned to protect personal privacy.

In the “second tier” – better than average – are Alaska, Arizona, Colorado, Georgia, Maine, New Hampshire [added in 2007 and not reflected in the map above], Oklahoma, Rhode Island, Utah, and Vermont. Rhode Island was close to the top ten.

The ten states in the “third tier” – below average – are Indiana, Louisiana, Maryland, Michigan, Montana, New Jersey, Nevada, Ohio, Oregon, and Virginia. Below that, in the “fourth tier,” are Alabama, North Dakota, Nebraska, New Mexico, Pennsylvania, South Carolina, Tennessee, and West Virginia.

Privacy Journal judged 12 states at the bottom in protecting its citizens: Arkansas, Delaware, Idaho, Iowa, Kansas, Kentucky, Missouri, Mississippi, North Carolina, South Dakota, Texas, and Wyoming.

The most significant strides in protecting privacy were made by Vermont, whose courts and attorney general are vigorous in protecting privacy, and California and Minnesota, plus five states that have enacted laws protecting medical confidentiality. They are Arizona, Hawaii, Maine, New Hampshire, and Washington State.

There was some movement in Texas, one of four states adjudged “not on the radar screen” in 1999. The state legislature there enacted laws on use of genetic information by insurance companies and employers and use of automatic dialers by telemarketers and now requires telemarketers to consult a state do-not-call list.

"If the federal government had been ranked like a state it would have placed in the fourth tier," said Privacy Journal Publisher Robert Ellis Smith, who conducted the survey. Federal laws do not protect medical records nor provide access to them, they do not protect library records at all, and federal law has only partial protection for financial records. Protections against electronic surveillance were weakened in 2001 with the passage of anti-terrorism legislation. On the other hand, federal protection for personal information in government files exceeds the protections in nearly all states.

The ranking is based on the 2002 edition (and subsequent supplements) of Privacy Journal’s “Compilation of State and Federal Privacy Laws,” a 106-page reference book available for $35 from Privacy Journal, PO Box 28577, Providence RI 02908, 401/274-7861, fax 401/274-4747, email us

The 2002 book includes the current Supplement.

"Surprises?" asked Smith, a lawyer and journalist who has been monitoring the states' actions on privacy protection since he launched his popular newsletter in 1974. "Based on my experience, I would have said that Michigan, Pennsylvania, Oregon, and New Jersey had stronger recognition of their residents' privacy rights. As for the Top Ten, there were no surprises at all. Our systematic survey revealed what most privacy experts agree are the strongest states when it comes to privacy protection."

Privacy Journal rates the states on several factors, including whether they protect privacy in their constitutions, have laws protecting financial, medical, library, and government files, and have fair credit reporting laws stronger than the federal law. Points are added when the highest court in the state has a strong record on privacy and deducted for anti-privacy actions by state agencies or the state legislature.

Alphabetical within tiers

First Tier – 10 states
California
Minnesota

Connecticut
Florida
Hawaii
Illinois
Massachusetts
New York
Washington
Wisconsin

Second Tier - 10 states (RI was close to the top ten)
Alaska
Arizona
Colorado
Georgia
Maine
New Hampshire
Oklahoma
Rhode Island
Utah
Vermont

Third Tier 10 states
Indiana
Louisiana
Maryland
Michigan
Montana
New Jersey
Nevada
Ohio
Oregon
Virginia

Fourth Tier 8 states plus DC
Alabama
District of Columbia
North Dakota
Nebraska
New Mexico
Pennsylvania
South Carolina
Tennessee
West Virginia

Last tier 12 states
Arkansas
Delaware
Idaho
Iowa
Kansas
Kentucky
Missouri
Mississippi
North Carolina
South Dakota
Texas
Wyoming

CRITERIA
Does the state include a right to privacy in its constitution?

Does the state protect the right to privacy by statute?

Does the state permit access to a patient's own medical file by law?

Does the state protect medical records by law?

Does the state make the records of library patrons confidential by law?

Does the state either limit disclosure of personal information held by state agencies or permit a citizen to access and correct such information?

Does the state have a law on credit records stronger than federal law?

Does the state recognize the confidentiality of bank records by law or court decision?

Does the state have a law permitting erasure of arrest records of innocent persons or limiting their use by employers?

Did the state enact significant privacy protections since the last ranking?

Double credit is awarded to states with constitutional protection, and slightly less weight is given to library-records protection than to the other protections. Bonus points are awarded for an attentive legislature, assertive administrative enforcement, protective actions by the highest court in the state, or additional legal protections in a state's laws. Points are deducted for anti-privacy actions in the past two years.

Six Ethical Principles
For Information Brokers

1. Require of employees: If you are going to report
information on individuals, you owe it to them to be accurate, to use more than one source of information, to confirm information.

2. Devote an appropriate percentage of organizational resources to procedures for assuring accuracy.

3. Contact a portion of the persons in your database to confirm information on file about them.

4. Eliminate data from your systems that were gathered from illicit sources or by illicit means.

5. Accurately describe the nature of the information you sell. Information about adoptions, custody, Social Security numbers, and financial affairs is not “public record” information, even if it comes from government files.

6. Do not use fear about terrorism to hustle contracts from the federal government.

7. Regard your organization as a fiduciary with a duty of trust and confidentiality owed to the persons who are identified in your databases. A data bank should function like a monetary bank.

- From remarks by Robert Ellis Smith,
Publisher of Privacy Journal,
at Tuck School of Business,
Dartmouth College, N.H. Jan. 17, 2007.

All of us have to know that ID theft is a recent phenomenon. It has not always been with us and need not always be with us. It began in 1991 with a Federal Trade Commission decision permitting credit bureaus to disclose and rent Social Security numbers (as "header" information). To diminish (not totally eliminate) ID theft we have to work to reverse the decisions that created it.

The solution: Build on the "Andrews" court decision and amend the Fair Credit Reporting Act to (1) prohibit a credit bureau from basing a credit-inquiry match on a Social Security Number, (2) prohibit the disclosure of SSNs as "header information," and (3) require a credit bureau and credit grantor to send a notice of an address change to the consumer's old address (and prohibit the approval of any credit application for a ten-day period during which a consumer who has been victimized may respond).

On its own, with no Congressional action, the FTC can do Step (2); it can encourage Step (3), and it can cease ENCOURAGING credit bureaus to use the SSN to verify the identity of a consumer seeking a copy of her or her own credit report.

Most important, each of us must decline to provide Social Security numbers for transactions that raise no tax consequences or that do not involve state licenses. There is no need to provide Social Security numbers on applications for employment, insurance, credit, housing, and similar commercial transactions. If you do, you increase your risk of theft of identity.

An employer must articulate in advance in writing the purpose of the monitoring.

An employer must provide general notice at least once a year of the existence of monitoring, its type, and its general location.

Any tapes or electronic media that show no evidence of wrongdoing (as described in the employer’s written statement of purpose) must be destroyed or erased within six months. The names and job positions of any persons viewing or listening to the tapes or reading the electronic media should be documented and preserved.

Any viewing or listening must be only for the purpose stated in the original rationale. When the original rationale for the monitoring ceases, the monitoring should be discontinued.

An employee should have a right to sue for invasion of privacy for any monitoring that is contrary to the purpose as originally stated. The governing principles of the right of action will be the case law on the common law right to privacy in the state of the occurrence.

An employee should have a right to sue an employer or individual who uses or stores videotapes in violation of these principles.

Any monitoring in showers, dressing rooms, or other places where employees might disrobe may be installed only if the stated purpose is to document suspected criminal activity. The suspected criminal activity must be named with specificity. Any tapes that show no evidence of the specific criminal activity must be destroyed or erased within seven days and employees must then be notified of the monitoring, including the times and places.

PRIVACY JOURNAL Publisher Robert Ellis Smith is frequently asked by government officials how they can protect the privacy of individuals named in agency files when open-records laws require the disclosure of most information. "The law has always recognized that court documents were public, and theoretically they were, but the practical difficulty of reviewing those documents kept them effectively private," noted John Greacen, former director of New Mexico's courts. "Technology now makes those documents 'in fact' public." This is Smith’s response:

It is possible to reconcile the legal mandate for open disclosure of public documents with the demand for personal privacy, by:
1. Realizing that open access exempts from mandatory disclosure "personnel and medical files and similar files the disclosure of which would constitute a clearly unwarranted invasion of personal privacy."
2. Crafting exemptions that are narrowly drawn, yet scrupulously enforced.
3. Realizing that privacy principles protect information about natural persons, not "legal persons" or entities.
4. Realizing that privacy principles protect information that is individually identifiable, that is, information that can be traced to the identity of an individual person or that can be retrieved from a data system by way of some personal identifier, like a name, a number, or a collection of demographic categories. Privacy principles do not protect cumulative information that does not identify individuals. However, it is important to take precautions against "inferential disclosure" [see PJ May 98]. That is the disclosure of anonymous cumulative information that can still identify an individual by inference.
5. Recognizing that simply because information is collected and maintained by a public entity does not make it "public information." Governmental entities treat medical conditions, collect family information, counsel students, keep financial data on individuals, store information about adoptions, abortions, and heart disease. This sensitive data is not public information even though it is gathered by public entities.
Even within a public-disclosure environment mandated by law, there are precautions an agency can take to protect privacy:
A. Where possible, notify data subjects simultaneously of a disclosure of sensitive information. Where possible, get the consent of data subjects in advance.
B. Keep a record of requesters and their addresses.
C. Delete exempted information before a whole document is disclosed. Make some exemptions mandatory, not discretionary.
D. Gather less information in the first place, and destroy unnecessary data (before requests for disclosure are made, of course).
E. Notify requesters of the sensitivity of information and negotiate special precautions.
F. If possible within the law, negotiate voluntary agreements to prevent the further disclosure of information by a requester receiving it.
G. Agree on a third-party intermediary (a buffer, an inspector general, an auditor, a proxy) who will review sensitive personal information as a stand-in for the requester (like a news organization) and provide the specific analysis sought by the requester.
H. Take special care to protect records concerning children or other vulnerable populations.
I. Permit registrants, litigating parties, and others to provide "buffer addresses" on court documents - like a post office box, a landlord's office, an attorney's office, a next-of-kin, as California's law on motor-vehicle registration and licensing does.
J. Think twice before posting personal information in World Wide Web sites. There is a major difference between releasing information upon request in manual form and releasing it globally on a World Wide Web site where it can be downloaded, manipulated, or distorted though cutting and pasting, or where it will inevitably fall into the hands of illicit users. CERTAIN SENSITIVE PERSONAL INFORMATION, EVEN IF PART OF A PUBLIC RECORD, SHOULD NOT BE POSTED ON AN UNPROTECTED WEB SITE.