The Utah Consumer Privacy Act (“UCPA”) was signed into law by Governor Spencer J. Cox yesterday. CPW has been tracking the UCPA’s progress throughout this legislative session.

Effective Date

December 31, 2023.

Applicability

In comparison to other state laws, the UCPA’s applicability thresholds are more stringent, requiring controllers or processors to meet three prongs:

  1. Do business in the state or target residents with products/services;
  2. Have annual revenue of $25 million or more; and
  3. Meet data collection, processing, or sale/revenue thresholds.

Practically, this will likely exempt smaller to mid-market organizations with limited revenue but substantial data collection, processing, and/or sale activities, unlike the other state laws.

In comparison, under the CCPA/CPRA, covered businesses could meet the revenue requirement or another threshold (e.g., sell/share the personal information of 50,000 or more consumers, OR derive 50% or more of annual revenues from selling consumers’ personal information).  The CDPA and CPA do not have revenue thresholds.

Enforcement

The UCPA establishes the Department of Commerce Division of Consumer Protection (“Division”), which will receive and investigate consumer complaints alleging violations of the UCPA. Depending on the outcome of its investigation, the Division may refer certain cases to the Utah Attorney General (“AG”), who has exclusive authority to enforce the UCPA. The AG may initiate an enforcement action based on the referral against a controller or processor that violates the UCPA.

Enforcement Risk

Controllers or processors receiving a notice of violations have a 30-day cure period. After that period, the AG may initiate an action against a controller or processor for failure to cure the noticed violations or if violations are ongoing. The AG may seek up to $7,500 for each violation.

Rulemaking

The UCPA does not provide explicit authority for the AG to issue regulations. Interestingly, it requires the AG and the Division to compile a report by July 1, 2025 that evaluates the liability and enforcement provisions and details a summary of the data protected (and not protected) by the UCPA. Perhaps this report will spur the need for amendments and regulations, though it remains to be seen whether the legislature will act to empower the AG, the Division, or another agency to carry out rulemaking in the meantime.


In case you missed it, below are recent posts from Consumer Privacy World covering the latest developments on data privacy, security and innovation.  Please reach out to the authors if you are interested in additional information.

  • SPB Team Defeats $70 Billion Driver Privacy Litigation With Ruling From Fifth Circuit, As Reported in Law360
  • Recent FTC Settlement Highlights Agency’s Focus on Children’s Privacy & Use of Disgorgement Remedy Including in AI Context
  • BREAKING: FTC Discloses Enforcement Action Against Online Platform for Data Breach Cover-Up
  • New Law Requires 72-Hour Notice for Cyber Incidents
  • BREAKING: Florida Senate Adjourns, Data Privacy Bill Yet Again Fails to Pass
  • Virginia Work Group Report Leads to Proposed CDPA Amendments
  • CPW on Speaking Circuit in April: Alan Friel and Exterro Discuss Preparing for 2023—Tools and Tips to be Ready for New US Privacy Laws
  • BREAKING: SEC Proposes Cybersecurity Disclosure Rules for Public Companies
  • CPW on March Speaking Circuit: Stephanie Faber to Present at IAPP Data Protection Intensive France 2022
  • Florida Pursuing Privacy Bill with Private Right of Action (Again)
  • CPW on March Speaking Circuit: Kristin Bryan and Ericka Johnson To Virtually Appear at London Privacy and Security Conference on March 15
  • CPW’s Kristin Bryan and Kyle Fath Discuss Implications of Utah Privacy Bill With Bloomberg Law
  • Federal Court Finds Plaintiff has Article III Standing in FCRA Suit against Employer, In Reminder of Litigation Risk Arising From Background Screening
  • Now Available: A Practical Guide to Cyber Insurance For Businesses With Chapter From CPW’s Kristin Bryan
  • CPW on the Speaking Circuit in March: Golding to Speak at Privacy + Security Forum’s Virtual Spring Academy 2022
  • SEC Set to Consider Cybersecurity Proposal to Amend Regulations, Likely Affecting Public Companies
  • Privacy Continues to be Top of Mind Issue With President Biden’s State of the Union Address and Movement on FTC Nominee Today
  • UPDATED: Utah One Step Closer to a Consumer Privacy Bill
  • CPW on the Speaking Circuit in March: Warren to Speak at PrivSec China on China’s Data Privacy Law
  • Maryland Considering Biometrics Bill That Could Shift Compliance Landscape and Contains Private Right of Action
  • Georgia Considering Broad Privacy Bill With Private Right of Action and Liquidated Statutory Damages That Would Exceed Scope of California Law


On Friday, February 25, 2022, the Utah Senate unanimously passed SB 227, or the Utah Consumer Privacy Act.

Controllers and Processors Beware

SB 227 is an omnibus privacy bill that shares similarities with the Virginia Consumer Data Protection Act and the Colorado Privacy Act.  For instance, the bill imposes different obligations on a covered business depending on whether the business is acting as a controller (one who determines the purposes for processing data, alone or in coordination with others) or processor (one who processes data on behalf of a controller).

Controllers are responsible for transparency, purpose specification, and data minimization.  They must also obtain the consumer’s consent for any secondary uses, and must honor consumer rights (generally within 45 days of receipt of the consumer’s request).  Controllers are also responsible for safeguarding data privacy and security, non-discrimination, non-retaliation, and non-waiver of consumer rights.  Controllers are prohibited from processing certain data qualifying as “sensitive data” without first presenting the consumer with clear notice and providing an opportunity to opt-out of processing.

Processors must follow a controller’s instructions and must enter into a contract that incorporates certain enumerated requirements (e.g., requirements pertaining to duty of confidentiality and data privacy and security safeguards) before processing data on behalf of the controller.

Applicability

The bill applies to:

  1. Businesses that (a) conduct business in Utah or produce a product or service targeted to consumers who are Utah residents; (b) have an annual revenue of $25,000,000 or more; and (c) satisfy one or more of certain enumerated thresholds (e.g., control or process the personal data of 100,000 or more consumers, or derive over 50% of gross revenue from the sale of personal data);
  2. “Personal Data,” which is information that can be linked (or is reasonably linkable to) an identified or identifiable individual, with exclusions; and
  3. “Biometric data,” which is “automatic measurements of an individual’s unique biological characteristics” that can identify a specific individual, excluding, among others, photographs or video recordings (or data derived from either).

The bill does not apply to, among others:

  1. Government entities;
  2. Business entities that are covered entities or business associates pursuant to the Health Insurance Portability and Accountability Act (“HIPAA”); and
  3. Information subject to HIPAA, the Federal Credit Reporting Act (“FCRA”), the Gramm-Leach-Bliley Act (“GLBA”), or the federal Drivers Privacy Protection Act (“DPPA”).

Consumer Rights

The bill protects “consumers,” which are individuals who are Utah residents acting in an individual or household context, not in an employment or commercial context. Consumers would have rights of access, correction, deletion, and portability, as well as a right to opt out of certain processing, including the “sale” of personal data.

The parents or legal guardians of consumers who are children (under 13 years old) may exercise consumer rights on behalf of the child.  The personal data of children is considered “sensitive data” under the Utah Consumer Privacy Act.  The bill as currently drafted requires controllers to process the personal data of known children according to the requirements of the federal Children’s Online Privacy Protection Act (“COPPA”).

No Right of Private Action

The bill as currently drafted does not grant a private right of action and explicitly precludes consumers from using a violation of the Act to support a claim under other Utah laws, such as laws regarding unfair or deceptive acts or practices.

Risk of Enforcement Action

The Utah Consumer Privacy Act grants exclusive enforcement authority to the Utah Attorney General.  However, before the Attorney General initiates an enforcement action, the Attorney General must first provide the allegedly non-compliant business with (1) written notice (30 days before initiating enforcement action) and (2) an opportunity to cure (30 days from receipt of the written notice).

Prior Legislative History

The Utah Consumer Privacy Act was previously introduced in 2021 (as S 200) and in 2020 (as S 429).  In 2021, S 200 passed the first and second Senate floor readings, but failed to get a third Senate floor reading despite a substitute bill and fiscal note being distributed.  The Utah legislature closes on March 4, 2022.

Update as of March 3, 2022

On March 3, 2022, the Utah Senate passed the House Amendments to SB 227 and returned SB 227 to the House for signature of the Speaker. The amended version of SB 227 passed with 22 yea votes, 0 nay votes, and 4 absentees. This means that the bill has passed the concurrence process. Once the bill is signed by the Speaker, it moves on to the ‘enrolling process,’ and afterwards will be delivered to the Governor, in accordance with the Utah legislative process.

What’s Next

In Utah, if a chamber passes a bill with amendments, “the bill is sent back to originating [chamber] for concurrence of the amendment.” Here, SB 227 passed in the Senate (where it was first introduced), then passed in the House with amendments, and afterwards was sent back to the Senate for concurrence.

If the Senate accepts the House amendments, SB 227 will be delivered to the Governor for action. The Governor has 20 days from adjournment to (1) sign the bill (or decline to act on it), after which the bill becomes law; or (2) veto the bill, in which case the bill does not become law unless the Governor’s veto is overridden by the legislature.

Utah is inching closer to passing the Utah Consumer Privacy Act.  CPW will be here to keep you in the loop.

The Georgia Senate recently introduced an omnibus privacy bill modeled after (but significantly broader than) California’s Consumer Privacy Act (“CCPA”), titled the Georgia Computer Data Privacy Act (“GCDPA”).  The introduction of the GCDPA is surprising in a number of ways, including its sponsorship by Republican leadership.  It is also notable in the burdens it seeks to impose on businesses, surpassing even those in the CCPA and other recently enacted state privacy laws.  However, given that the leadership of the controlling party in the Georgia legislature supports it, it is likely to pass, though perhaps not in its current form.

Some of the most notable provisions of the GCDPA include:

  • Consumer consent required for collection of personal information. The GCDPA prohibits businesses from collecting personal information unless they have provided a notice and obtained the consumer’s consent.  This is more onerous than the CCPA, which generally permits businesses to collect personal information as long as they provide a sufficient notice at or before the point of collection.
  • Consumers must opt in to “sales” of personal information. The GCDPA prohibits businesses from “selling” data unless the consumer first opts in to the sale, which opt-in mechanism must be offered by a “clear and conspicuous link” on the business’s website.  Note that the definition of “sale” is the same as the CCPA’s; i.e., a transfer for “money or other valuable consideration.”  In addition, a business that sells personal information must provide a notice on its website that identifies the specific “persons” to whom data will be sold, and that discloses “the pro rata value of the consumer’s personal information.”
  • Very plaintiff-friendly private right of action. Unlike existing state privacy laws, the GCDPA expressly provides for a private right of action pursuant to which consumers may seek statutory damages. Under most federal and state statutes that provide for statutory damages, a consumer can seek to recover their actual damages or a specified amount of statutory damages, whichever is higher. However, the GCDPA provides that consumers can recover their actual damages and statutory damages of up to $2,500 for each violation, or $7,500 for each intentional violation. As with the other provisions described above, this is stricter than the CCPA, which only provides for a private right of action for certain types of data events—and it could turn Georgia into the next jurisdiction targeted by the plaintiffs’ privacy bar.
  • No exemption for employee or business contact information. Unlike the CCPA and the privacy statutes enacted in Colorado and Virginia, the GCDPA does not contain a general exemption for employee data or business contact information.

CPW is monitoring the Georgia bill and other state legislative developments this year.  For more, stay tuned.  We’ll be there to keep you in the loop.


CPW is pleased to announce that today David Oberly joins Squire Patton Boggs (US) LLP’s globally-recognized Data Privacy, Cybersecurity & Digital Assets Practice from Blank Rome, where he played an instrumental role in launching the firm’s Biometric Privacy Practice.  As a recognized thought leader in the biometric privacy space, David serves as a go-to expert for companies that utilize biometrics in their operations—counseling clients on the full range of regulatory compliance obligations applicable today, as well as on managing potential legal exposure and liability risks. David also regularly develops organization-wide biometric privacy compliance programs in connection with all types of biometric technologies.

In addition, David serves as a trusted privacy advisor to companies across a wide variety of industries, providing compliance, risk management, and product guidance on a broad assortment of privacy, security, and data protection issues that companies face in today’s highly digital world. David has particular expertise and experience in both counseling/advising and developing compliance programs in connection with consumer privacy laws, including the CCPA, CPRA, CDPA, and CPA. In this capacity, David routinely assists clients in understanding how consumer privacy laws impact their organizational data handling and security practices and has helped numerous companies operationalize compliance with today’s growing web of consumer privacy regulation. David also regularly provides guidance on compliance with a wide range of other state and federal privacy laws, including the New York SHIELD Act, NYDFS Part 500 Cybersecurity Regulation, Florida Security of Communications Act (FSCA), GLBA, HIPAA, and FCRA, among others.

David has deep experience in security incident response matters—both in terms of assisting clients in incident response and crisis management following data breach events and in counseling clients on concerns regarding potential security incidents. David’s expertise extends to a wide range of security incidents, including cloud data breaches, malware credit card breaches, employee phishing breaches, social media account takeover events, ransomware, and inadvertent data disclosure events. David is also experienced in handling all aspects of the incident response process, including post-incident forensic and regulatory investigations, notifications to impacted individuals and privacy regulators, interacting with law enforcement and regulators, and implementing post-incident remediation plans.  David’s advisory work is informed by his significant experience in defending and litigating high-stakes, high-exposure biometric privacy class actions, particularly those brought under the Illinois Biometric Information Privacy Act (BIPA), as well as deep experience in defending other types of privacy and consumer protection class litigation.

Welcome, David!

Last week the Banning Surveillance Advertising Act was introduced in both the U.S. House (H.R.6416) and Senate (S.3520) by Congresswoman Anna G. Eshoo (D-CA), Congresswoman Jan Schakowsky (D-IL), and Senator Cory Booker (D-NJ).

The bill expressly prohibits advertising facilitators (e.g., publishers) from engaging in, or enabling an advertiser or third party from engaging in, targeted advertising using consumers’ personal information. However, the bill does permit advertising based on content the consumer is viewing, has searched, or is otherwise engaging with (e.g., contextual advertising). The bill also contains an exception for broad location targeting to a recognized place such as state or municipality.

Readers should note that the bill’s definition of personal information is broader than the California Consumer Privacy Act (CCPA) as it explicitly includes information that is linkable or reasonably linkable to individuals or devices. (The definition of “consumer” under CCPA, however, includes identification by “unique identifiers,” which includes device identifiers.) Further, it contains a private right of action in addition to enforcement by the FTC and State attorneys general offices.

This follows on the heels of recent state privacy laws that minimize the use of targeted and cross-contextual behavioral advertising through consumer opt-outs. Namely, the California Privacy Rights Act (CPRA), Virginia’s Consumer Data Protection Act (CDPA), and Colorado’s Consumer Protection Act (CPA) are going into effect in 2023 and we expect additional state laws to be passed this year containing similar opt-out requirements. The California Attorney General has also been applying the CCPA’s “Do Not Sell My Personal Information” opt-out rights to interest-based advertising in multiple enforcement actions.

From an industry perspective, readers may recall that the ad tech community already has existing mechanisms for consumers to opt out of interest-based advertising that function independently of legal requirements. Specifically, the Digital Advertising Alliance (DAA) and Network Advertising Initiative (NAI) both have well-known interest-based advertising opt-out practices that are honored by industry participants.

Considering state legislators and the ad tech industry have embraced an opt-out regime rather than an outright prohibition, it is unclear how far these bills will progress through the federal legislative process. Additionally, given the private right of action and few co-sponsors to date, it is unlikely to make it out of committee in its current form.

The CPW team will continue to monitor the Banning Surveillance Advertising Act as it moves through the House and Senate.

Text of the introduced bill is available here.

Massachusetts is one of the many states considering enacting a state-level privacy law.  On October 13, 2021, the Joint Committee on Advanced Information Technology, the Internet and Cybersecurity, conducted a virtual public hearing during which it considered, among other things, an Act establishing the Massachusetts Information Privacy Act (“MIPA”), which was introduced as S.46 in the State Senate and as H.142 in the State House.  Read on to learn more about the MIPA’s scope and its impact if adopted on Massachusetts privacy litigation going forward.

Summary

  1. Similar to other state privacy laws, like the California Consumer Privacy Act (“CCPA”), as amended by the California Privacy Rights Act (“CPRA”); the Virginia Consumer Data Protection Act (“CDPA”); and the Colorado Privacy Act (“CPA”), MIPA would also apply to data qualifying as “personal information,” with exceptions.
  2. MIPA will affect certain business entities that conduct business in Massachusetts. It will also affect entities that qualify as “data processors” and certain third parties.  These business entities will have, among other things, duties of care, loyalty and confidentiality.
  3. As with other privacy laws, individuals would be granted, among other things, the right of access, correction, data portability, deletion; the right to know; and the right to limit disclosures of personal information.
  4. MIPA would be enforceable by the Massachusetts Information Privacy Commission (“MIPC”), a five-person commission that will have authority to conduct audits, investigate potential/alleged MIPA violations, rulemaking authority and enforcement authority.
  5. MIPA as currently drafted contains a broad private right of action with liquidated damages of not less than 0.15 percent of the annual global revenue of the covered entity or $15,000 per violation, whichever is greater.

What Data is Affected?

MIPA would apply to “personal information,” which is information about an individual that is captured during a “covered interaction” and that may directly or indirectly, alone or in combination with other data points, be linked to an individual, household or device, regardless of whether a covered entity holds such additional information (e.g., name, data in a government-issued ID, vehicle license plate numbers, gender, etc.).  It also applies to “sensitive data,” which MIPA treats as a subset of personal information (e.g., data regarding race/ethnicity, location data, biometric information, medical and health information, financial data, information revealing political or religious opinions or beliefs, etc.).

An “individual” is a natural person who is a resident of Massachusetts, or who is located in the state.  A “covered interaction” means the instance when a covered entity provides an individual or its household information regarding the covered entity’s products or services and collects data about that individual (e.g., targeted advertising, offering a membership, setting up an account, etc.).

As with other data privacy laws, certain types of data are exempted from MIPA.  For example, MIPA does not apply to certain data maintained according to the Health Insurance Portability and Accountability Act of 1996.

What Entities Would be Affected and What Duties Would They Have?

If passed, MIPA will apply to “covered entities,” which are:

  1. Entities that conduct business in Massachusetts and that process personal information themselves or through a data processor; and
  2. Have earned/received $10 million or more in annual revenue through 300 or more transactions, or process/maintain the personal information of 10,000 unique individuals in a calendar year.

MIPA would also apply to “data processors,” which are persons or entities that process personal information on behalf of a covered entity; and “third parties,” which are persons or governmental entities that are not covered entities or data processors.

MIPA will impose certain obligations, such as, among other things:

  1. Duty of Care – A duty to reasonably safeguard the personal information of individuals;
  2. Duty of Loyalty – A duty not to use individuals’ personal information, or any information derived from it, in a manner that is (or is reasonably foreseeable to be) detrimental to the individual or that would be unexpected or highly offensive to a reasonable individual; and
  3. Duty of Confidentiality – A covered entity or data processor shall not disclose or share individuals’ personal information with other parties, with exceptions.

What Rights Would Individuals Have?

Individuals would be granted rights under MIPA that are reminiscent of those available to consumers under other privacy laws, such as the:

  1. Rights of access, correction, data portability, and deletion;
  2. Right to know what data about them will be collected or processed;
  3. Right to consent to such collection and processing; and
  4. Right to limit the disclosure of personal information.

MIPA would require covered entities and data processors to provide meaningful notice regarding, among other things, what data will be collected or processed about the individual, at or before the point of sale, subscription, sign up, or account creation.

Enforcement Risk

MIPA would be enforced by a new entity, the Massachusetts Information Privacy Commission (“MIPC”), which will have authority to conduct audits, investigate potential/alleged MIPA violations, rulemaking authority and enforcement authority, including the ability to impose civil administrative penalties.  The MIPC will consist of five commissioners, including: (i) one commissioner appointed by the Governor; (ii) one commissioner appointed by the Secretary of the Commonwealth (the Secretary will also designate the Chair of the MIPC); (iii) one commissioner appointed by the Attorney General; and (iv) two commissioners appointed by a majority vote of the Governor, Attorney General and the Secretary of the Commonwealth.

Litigation Risk

MIPA if enacted as currently drafted would materially reshape data privacy litigations going forward.  MIPA has a private right of action, whereby “[a]ny individual alleging a violation of this chapter or a regulation promulgated under this chapter may bring a civil action in any court of competent jurisdiction.”  It also specifies that a plaintiff seeking relief under the civil remedy is not required to file an administrative complaint with the MIPC as a condition precedent to filing suit.  MIPA contains other extremely plaintiff-friendly provisions as it also explicitly prohibits arbitration of claims and “[a] violation of this chapter or a regulation promulgated under this chapter regarding an individual’s personal information constitutes a rebuttable presumption of harm to that individual.”

In any litigation alleging a violation of MIPA in which the plaintiff prevails, a court can award:

  1. Liquidated damages of not less than 0.15% of the annual global revenue of the covered entity or $15,000 per violation, whichever is greater;
  2. Punitive damages; and
  3. Any other relief, including but not limited to an injunction that the court deems to be appropriate.

Moreover, MIPA also provides for the award of reasonable attorney’s fees and costs to any prevailing plaintiff. Suffice it to say, MIPA is already sending shockwaves, as the bill, if enacted, would have consequences far surpassing the impact of other state privacy laws (such as the CCPA and BIPA) and would make Massachusetts the go-to jurisdiction for the class action plaintiffs’ bar. For more on this, stay tuned. CPW will be there to keep you in the loop.