California, Delaware and Utah are the states that best protect users' online privacy in 2019, according to an annual ranking by privacy and cybersecurity research firm Comparitech.

The report ranks state privacy on a range of criteria, reviewing laws governing companies' use and disclosure of customer data and those aimed at protecting children.

California took the top spot in the report, as it has enacted many laws for specific privacy issues that other states ignore. California is the only state to mention an inalienable right to privacy in its state constitution. It’s also the only state to enact a law that specifically protects data gathered from the internet-of-things.

In addition, says the report, California introduced a new law in September 2018 that protects internet-of-things data by ensuring manufacturers equip devices with appropriate security features. This law goes into effect in January 2020.

On June 26, 2018, California passed one of the toughest privacy laws in the United States, the Consumer Privacy Act of 2018. Effective in 2020, this bill empowers consumers with the right to know what information any company has collected about them and whom that information is shared with. Furthermore, consumers can demand that a company delete their personal data, and companies must provide equal service to customers no matter what information they’ve collected.

Delaware scored highest in the evaluation in 2017, but slipped below California in 2018. Laws that require the government to dispose of customer data after a set period of time, protect the privacy of e-reader and library data, and protect employee privacy helped the state to stand out.

The state’s most recently passed privacy law addresses advertising to children, inconspicuous privacy policies, and enhancing privacy protections for ebook readers. If those sound familiar to you, it’s because they are similar in many ways to privacy laws passed in California, which is next on our list.

Utah is just one of two states in the entire country that bars internet service providers from sharing customer data with third parties without consent. Utah requires all non-financial businesses to tell customers the types of personal information the business shares with or sells to a third party for the purpose of direct marketing or compensation. The state also requires companies to dispose of customer data after a set period of time.

A 2013 law prohibits employers from asking employees and applicants from divulging their passwords or usernames for social media accounts.

Honorable mentions went to Illinois, Arkansas, New Hampshire and Vermont.

The worst states for online privacy, according to the report, are Wyoming, Mississippi, Idaho, Pennsylvania and Iowa.

In Wyoming, companies are not required to dispose of users’ personal data after a set period of time, and employers are not barred from forcing employees to hand over passwords to social media accounts.

Mississippi lacks laws that protect employee personal accounts and communications from employers. Companies are not required to dispose of users’ personal data. K-12 student information has no explicit protection under law.

Idaho does not require companies nor the government dispose of any data they’ve collected. It lacks a shield law to protect journalists and their sources. Social media privacy is not protected from employers or educational institutions.

Companies and the government can retain personal data about users indefinitely without consequence in Pennsylvania. There are no laws on the books that protect grade school student info. Social media profiles are not protected from employers or schools under the law.

The government and companies in Iowa are not required to dispose of personal data that they’ve collected. Iowa lacks a shield law to protect journalists, and does not protect social media privacy when it comes to schools and employers.

According to the report, a few key points stood out that exemplify new privacy law trends in the U.S:

  • Maine introduced a new data protection act in 2019 that stipulates internet service providers cannot “use, disclose, sell, or permit access to customer personal information” without customer consent, save for certain exemptions such as complying with a court order
  • Nevada passed an act on October 1, 2019 that allows customers to opt out of online data sharing
  • South Dakota passed a shield law to protect journalists in March
  • Utah passed a bill in 2019 that prevents a wide range of providers from handing over user data to law enforcement without a warrant
  • State scores moderately correlate (r = 0.4) with how they voted in the 2016 presidential election. Those that voted for Clinton tended to have higher privacy scores.