Surveillance is pervasive: Yes, you are being watched, even if no one is looking for you

The Constitution includes 4,400 words, and not one of them is the word “privacy.” In an effort to contextualize the changes in American thinking about privacy in the digital age, Stacker investigated the way the idea of privacy has changed in the U.S. during the last two decades using a variety of news and government sources.

The concept of privacy has been part of the American consciousness since the first steps of the colonial revolution. When the inhabitants of the 13 colonies first began organizing, they needed a way to communicate outside of the watchful eye of the British Royal Post. As a result, they began what would eventually be the foundation of the U.S. Postal Service on the principle that no mail carrier had the right to read the letters being sent, unlike the British Post.

Since the 1700s, privacy in the U.S. has been a hotly debated issue. Depending on the specific decision, excerpts of the First, Third, Fourth, Fifth, Ninth, and 14th amendments of the Constitution have been used to justify various levels and types of privacy. Beyond the Constitution, a variety of privacy legislation has been passed at the federal level, protecting specific types of personal information and activities.

“[American privacy legislation] does tend to be very sectoral,” said Hayley Tsukayama, the senior legislative activist for the Electronic Frontier Foundation. “[Legislators] are still really looking at data weaponization. When there’s an incident, they’re willing to react legislatively, but it’s very difficult to get them to react [with protections] for all data.”

When examining federal privacy legislation, Tsukayama’s point about sectoral regulation becomes apparent. Six laws explicitly protect various privacy rights, covering financial information collected by credit agencies, personal information collected by the government, data collected during the act of a computer software hack, information collected online from children under 13 years old, the disclosure of information sold by financial institutions, and health information possessed by a health care provider.

Each of these laws not only specifies a narrow type of data that must remain private, but also only protects that data when it’s possessed by a particular person or organization.

As technology has developed by leaps and bounds since the advent of the internet, more data is produced daily than can be fathomed, reaching an estimated 463 exabytes, or 463 billion gigabytes globally each day by 2025.

Framed by historic turning points in public conversations, explore how privacy has evolved in the collective U.S. consciousness.

You may also like: 50 inventions you might not know were funded by the US government

On Oct. 21, 1998, the Government Paperwork Elimination Act was passed in an effort to streamline federal government processes that require significant paperwork. This was both in response to bureaucratic backups and the increased use of “electronic communications and internet usage.”

Many states followed suit, and what much of the American public didn’t realize until the law took full effect, was this digitization of processes also allowed for online public records requests to become prevalent.

Whereas previously an individual would be required to go in-person to a federal building to request public records, they could now potentially complete that process entirely online from anywhere they had internet access. This shift brought the possibility of personal information disclosures to the forefront of public conversations about privacy, though they remained siloed to specific sections of Americans who dealt with public records either directly or tangentially.

Before internet-enabled devices became portable, it was more difficult to collect individual data en masse. When devices like the iPhone hit American markets, it set off a bonanza of developing technological add-ons, including phone applications.

With a supercomputer in everyone’s back pocket, these applications could not only function as advertised—as a game, organizational tool, information source, or something else—but also begin hoarding data about the device owner’s usage of other applications, their internet search history on the device, location throughout the day based on cell tower pings, and much more.

This onset of data quantity prompted enough conversations about privacy that a group of U.S. senators proposed the Personal Data Privacy and Security Act of 2007.

Although the bill was never passed into law, it was intended to be a wide-reaching piece of legislation “to prevent and mitigate identity theft, to ensure privacy, to provide notice of security breaches, and to enhance criminal penalties, law enforcement assistance, and other protections against security breaches, fraudulent access, and misuse of personally identifiable information.”

Throughout the next decade, privacy-related stories popped up in the news and caused a momentary uproar, but no substantive change. In 2009, internal documents from Wal-Mart were released, indicating it had suffered a data breach from a foreign actor in 2004 and 2005. According to reports, the hackers were trying to obtain credit card information from shoppers at brick-and-mortar stores.

Just one year later, Google announced that during the creation of its new tool Street View, it had “mistakenly collected” information sent via unencrypted WiFi networks using Street View cars. The event caused the appointment of Alma Whitten as Google’s director of privacy.

Perhaps one of the more disturbing data privacy stories during this time period was not a hack or mistake, but instead the intentional personalization of advertising material by Target.

Based on her buying history at Target, a Minneapolis high schooler began receiving personalized coupons in the mail for maternity and newborn items. Her father angrily complained to his local Target store, only to have his daughter announce her pregnancy soon thereafter. The idea a company may know about your most personal information without you informing it became a prescient fear in the collective American psyche.

When the breach of credit report company and data broker Equifax occurred, much of the American public was unaware of just how much data the company collected and stored.

The hackers, who were allegedly members of the Chinese military, took advantage of a small flaw in the software used for credit report appeals.  Equifax had neglected to update its security software as advised by the Apache Foundation.

This event not only revealed to Americans the sheer quantity of data being hoarded by Equifax, but it also highlighted the fact the company was using data to target customers and it was selling personalized data to other companies without customers’ knowledge. Massive media coverage of the Equifax scandal raged for days and, even within the last few years, experts still discuss the circumstances and repercussions of the breach.

In another instance of a private entity purposefully using supposedly secure personal data to influence individuals, the political consulting firm Cambridge Analytica leveraged vast swaths of Facebook data to sway voters in favor of then-presidential candidate Donald Trump. Soon after the scandal broke, Cambridge Analytica lost massive amounts of customers and ultimately shut down entirely.

Although Cambridge Analytica no longer uses social media data to influence elections, this scandal jump-started the beginning of Facebook’s (now Meta’s) difficulties with data privacy and user security. People have become increasingly wary of Meta because it uses advanced and potentially biased algorithms to predict the content with which users will most likely engage.

Yet, it’s difficult to escape the conglomerate’s data-hoarding clutches—Meta owns 94 companies, including Instagram, WhatsApp, and Oculus VR.

You may also like: Iconic presidential photos from the year you were born

On May 24, 2022, the U.S. Supreme Court overturned Roe v. Wade, a 50-year precedent that codified the right to receive an abortion. The case was originally decided in 1973 on the basis of a right to privacy implied in the 14th Amendment. This justification has been used for a variety of other Supreme Court rulings, including protecting the rights to contraception, and same-sex relationships and marriage.

Not only has the overturning of Roe v. Wade launched the issue of the right to privacy into conversations in newsrooms and American homes alike, it has also turned a spotlight on the role of technology companies and their obligation (or lack thereof) to protect user privacy—especially when it comes to reproductive health information.

Though many people may cite the Health Insurance Portability and Accountability Act of 1996 as proof that companies must protect health data, HIPAA only applies to health information possessed by a health care provider. Because Google, Meta, and other tech companies do not provide health care services, they are under no legal obligation to protect data such as an individual’s search history, social media affiliations, or message data.

Moving forward, the future of privacy rights in the U.S. are uncertain at best. At the time Roe v. Wade was originally decided, the issues of data tracking via the internet weren’t even plausible considerations. Whatever happens, Hayley Tsukayama said she sees hope in the awareness being spread about data privacy issues.

“I think that the tide has turned against online advertising. People are getting annoyed [with targeted ads] again, like in the pop-ups area era, especially on mobile devices, so I do think we are seeing a shift against data brokers.”

You may also like: Interstate highways with the most fatalities

Consumer privacy feels more vital than ever, but very few states have laws on the books that protect consumer privacy in a relatable way. Following the 2018 passage of the California Consumer Privacy Act, other states rushed to draft their own versions of this wide-ranging consumer protection law. The singular goal of almost all these pieces of legislation is to increase consumer awareness and empowerment in the face of data collection and sales.

Referencing data from the International Association of Privacy Professionals (IAPP) and the National Conference for State Legislatures (NSCL), Zapproved compiled laws and bills relating to data privacy across the United States. Bills that failed or were delayed indefinitely are not included in this list. The bills are quite similar but have some small variations and differences, from their scope to whom is exempt—such as organizations that handle medical data subject to HIPAA and those who report credit information for financial institutions.

If your state is among those on this list, take heart that you may soon be protected from the unwitting sale of your data to third parties you’re unaware of. Many of these bills have experienced bipartisan support because of the evergreen popularity of the American ideal of privacy, along with rights like the Bill of Rights' first and fifth amendments.

Keep reading to discover if your state is among those considering this legislation.

- SB 1121: California Consumer Privacy Act of 2018

- Proposition 24: California Privacy Rights Act of 2020

- Status: Signed

The California Consumer Privacy Act of 2018 enacts several important privacy goalposts, including limiting companies in how much data they can gather and save about website visitors. If a company violates children’s privacy, in particular, that business can be fined. The law further created a new agency to oversee privacy.

There is one catch: The law’s language specifies only companies that buy or sell 100,000 households’ worth of data each year must comply.

- SB 190

- Status: Signed

Colorado’s 2021 law is similar to California’s, including its protections on consumer data as well as the ability to delete your data from company records. But Colorado’s SB 190 law goes a step further, allowing consumers to change the data that companies keep. It also allows consumers to request copies of their saved data.

The law further dictates that companies aren’t able to “profile” consumers. This is, for example, how Twitter forms a marketable “guess” about facts like a person's age, interests, health, income, and more based on their online activity.

- LD 946: An Act To Protect the Privacy of Online Customer Information

- Status: Signed

Like the similar laws of California and Colorado, Maine’s 2019 privacy law focuses on allowing consumers to make informed decisions about how companies use their data. The law, which was approved unanimously by Maine’s Senate, very specifically applies to internet service providers (ISPs) barring them from keeping or selling data related to consumer information. The law also prohibits ISPs from incentivizing customers to offer their data for sale, effectively restricting discounts or other savings in exchange for giving over data rights.

- SD 1726: Massachusetts Information Privacy Act

- Status: In committee

Massachusetts’ comprehensive privacy law act, filed in March 2021, goes a step further than most of the similar legislation in the works. The law extends privacy into the workplace, preventing employers from recording or monitoring employee data, except when it makes sense to do for reasons like safety. It further bars employers from monitoring employees outside of work.

Some state privacy laws make exemptions for institutions that monitor and report consumer credit, but Massachusetts’ law doesn’t make those exceptions. This could present some thorny situations for those in the credit business.

- HF 1492: Minnesota Consumer Data Privacy Act

- Status: In committee

Minnesota’s consumer privacy omnibus law, introduced in February 2021, includes many of the same provisions seen in those of other states. The law applies to specific companies, though, which could create a loophole-like situation for many other businesses. For the law to apply, companies must handle the data of at least 100,000 consumers each year. They also must earn at least 25% of their overall revenue from the sale or use of data. As in Maine, consumers will be able to request and correct their information in addition to deleting it.

- SB 220

- Status: Signed

Where some states are reaching further into people’s lives in order to extend privacy rights, Nevada’s consumer privacy law, signed into law in 2019, is a bit more reserved. Consumers may request the removal of their information from company data, and companies must comply within 60 days. There’s a wrinkle, though: The companies must have actual plans to sell that data in order to be subject to the law. This could lead to workarounds or loopholes where companies do things like “trade” rather than sell data.

- A 680: New York Privacy Act

- S 6701: New York Privacy Act

- A 6042: Digital Fairness Act

- SB 567

- Status: In committee

New York’s consumer privacy laws, still in committee, would allow consumers to see what data companies have saved about them. Companies would be required to inform consumers of these rights so they can opt out if they wish, and would be barred from retaliating against customers who choose to opt out of data collection. A 680 would additionally require express written permission from customers before data can be sold. That’s true even for those who don’t opt out of the collection of data in the first place.

- SB 569: Consumer Privacy Act

- Status: In committee

North Carolina’s consumer privacy law seeks to expand on the state’s existing body of law protecting consumers from data and identity theft. With the new legislation, consumers will be able to know who is holding their data—and it will be possible to correct or delete data companies keep. Consumers will additionally be able to totally opt out of data gathering for applicable companies and have the right to bring civil lawsuits against companies that don’t comply with the law.

- SB 376: Ohio Personal Privacy Act

- Status: Introduced

Ohio’s consumer protection law, introduced in July 2021, affords consumers the opportunity to access and even request deletion of their personal data from applicable companies. They may also opt out of the sale of their data altogether. However, there are many exemptions and exceptions in this law. For example, business-to-business (B2B) transactions are not subject to the law—ironic since this is where many data sales take place.

- HB 1126

- Status: In committee

Under Pennsylvania’s proposed consumer privacy law, consumers would be given certain rights as far as disclosure and approval of what happens to their data. The law also makes the state attorney general responsible for enforcing the law, meaning consumers would be able to sue in civil court and potentially cause companies to be fined for violating the law. The passage of this kind of law typically leads to a huge increase in lawsuits that could start immediately upon the bill’s adoption.

- SB 1392: Consumer Data Protection Act

- Status: Signed

Virginia’s consumer data law, passed unanimously by the state senate in February 2021, follows the passage of California’s similar law and hopes to enact many of the same ideas for Virginia. The legislation allows consumers to confirm their data is being held and potentially sold. They will also be able to correct that data, which must be available to them in a portable format that can be carried and passed on to another provider readily. Think of this like closing your bank account: You leave the bank with your money, ready to carry to a different bank.

This story originally appeared on Zapproved and was produced and distributed in partnership with Stacker Studio.