The Interactive Advertising Bureau (IAB) and IAB Tech Lab have proposed updates their industry level agreements and privacy signal program to support the efforts of marketers, agencies, publishers, and ad tech companies to comply with the US state privacy laws going into effect in 2023. The comment period on the updates is open until October 27. Continue Reading Ad Industry Group Modifies Its Compliance Program to Address 2023 US State Privacy Laws

This blog post is a bonus supplement to our quarterly Artificial Intelligence and Biometric Privacy Quarterly Review Newsletter. Be on the lookout for our Q3 Newsletter!

We are quickly approaching the Jan. 1, 2023 operative date of most of the provisions of the California Privacy Rights Act (“CPRA), which, as most of us know by now, substantially amends the CCPA. Under the CPRA, the California Privacy Protection Agency (“CPPA” or “Agency”) has a mandate to issue regulations on a number of specific topics. With just fewer than three months to go until January 1, regulations are not even close to being finalized.  The Agency released the first draft of proposed regulations on May 24, and the first public comment period ended on August 23. In a meeting held by the CPPA on Friday, September 23, the Agency gave no concrete sense of timing or any comments on topics, such as those discussed in this post, for which regulations have not even been issued. This has left many businesses feeling left in the lurch, uncertain of what to do. Continue Reading Profiling and Automated Decision-Making: How to Prepare in the Absence of Draft CPRA Regulations

Connecticut is gearing up to be the next state with a comprehensive privacy law. On April 28, 2022, the Connecticut General Assembly passed SB 6, “An Act Concerning Personal Data Privacy and Online Monitoring,” which is currently with the governor awaiting signature.  Of the state laws that have passed, SB 6 is most similar to the Colorado Privacy Act (“CPA”), Virginia Consumer Data Protection Act (“CDPA”), and Utah Consumer Privacy Act (“UCPA”). For example, under SB 6, the terms “controller,” “processor,” and “personal data” have similar definitions as under the CPA, CDPA, and UCPA. Continue Reading Connecticut General Assembly Passes Comprehensive Privacy Bill

In case you missed it, below are recent posts from Consumer Privacy World covering the latest developments on data privacy, security and innovation.  Please reach out to the authors if you are interested in additional information.

JUST RELEASED: 2022 Q1 AI/Biometric Litigation Trends | Consumer Privacy World

Registration Open: March 30 Webinar on International Data Transfers | Consumer Privacy World

France Updates its Whistleblower Protection to Transpose the EU Whistleblower Directive | Consumer Privacy World

Federal Court Dismisses Litigation Challenging U.S. Postal Service’s Use of Facial Recognition and Related Technologies | Consumer Privacy World

United States and European Commission Announce Trans-Atlantic Data Privacy Framework: Setting the Scene for Schrems III? | Consumer Privacy World

California Attorney General Clarifies that Inferences are Personal Information | Consumer Privacy World

Registration OPEN: April 5 from 12-1 pm EST 2022 Developments and Trends Concerning Biometric Privacy and Artificial Intelligence | Consumer Privacy World

Top Five Takeaways for Businesses from the New CISA Cyber Reporting Act | Consumer Privacy World

Hello, Utah Consumer Privacy Act! | Consumer Privacy World

New UK IDTA and Addendum Come Into Force | Consumer Privacy World

FBI Warns U.S. Critical Infrastructure Subject to Reconnaissance for Cyberattacks | Consumer Privacy World

NIST Publishes AI Risk Management Framework and Updates on Bias in AI | Consumer Privacy World

SPB Team Defeats $70 Billion Driver Privacy Litigation With Ruling From Fifth Circuit, As Reported in Law360 | Consumer Privacy World

CPW on the Speaking Circuit in March: Colin Jennings to Present on Cybersecurity and Ransomware | Consumer Privacy World

President Biden Calls upon Companies’ Patriotic Obligation to Prepare for Cyberattacks | Consumer Privacy World

Recent FTC Settlement Highlights Agency’s Focus on Children’s Privacy & Use of Disgorgement Remedy Including in AI Context | Consumer Privacy World

BREAKING: FTC Discloses Enforcement Action Against Online Platform for Data Breach Cover-Up | Consumer Privacy World

New Law Requires 72-Hour Notice for Cyber Incidents | Consumer Privacy World

BREAKING Florida Senate Adjourns, Data Privacy Bill Yet Again Fails to Pass | Consumer Privacy World

Virginia Work Group Report Leads to Proposed CDPA Amendments | Consumer Privacy World

In case you missed it, below are recent posts from Consumer Privacy World covering the latest developments on data privacy, security and innovation.  Please reach out to the authors if you are interested in additional information.

California Attorney General Clarifies that Inferences are Personal Information | Consumer Privacy World

Registration OPEN: April 5 from 12-1 pm EST 2022 Developments and Trends Concerning Biometric Privacy and Artificial Intelligence | Consumer Privacy World

Top Five Takeaways for Businesses from the New CISA Cyber Reporting Act | Consumer Privacy World

Hello, Utah Consumer Privacy Act! | Consumer Privacy World

New UK IDTA and Addendum Come Into Force | Consumer Privacy World

FBI Warns U.S. Critical Infrastructure Subject to Reconnaissance for Cyberattacks | Consumer Privacy World

NIST Publishes AI Risk Management Framework and Updates on Bias in AI | Consumer Privacy World

SPB Team Defeats $70 Billion Driver Privacy Litigation With Ruling From Fifth Circuit, As Reported in Law360 | Consumer Privacy World

CPW on the Speaking Circuit in March: Colin Jennings to Present on Cybersecurity and Ransomware | Consumer Privacy World

President Biden Calls upon Companies’ Patriotic Obligation to Prepare for Cyberattacks | Consumer Privacy World

Recent FTC Settlement Highlights Agency’s Focus on Children’s Privacy & Use of Disgorgement Remedy Including in AI Context | Consumer Privacy World

BREAKING: FTC Discloses Enforcement Action Against Online Platform for Data Breach Cover-Up | Consumer Privacy World

New Law Requires 72-Hour Notice for Cyber Incidents | Consumer Privacy World

BREAKING Florida Senate Adjourns, Data Privacy Bill Yet Again Fails to Pass | Consumer Privacy World

Virginia Work Group Report Leads to Proposed CDPA Amendments | Consumer Privacy World

The Utah Consumer Privacy Act (“UCPA”) was signed into law by Governor Spencer J. Cox yesterday. CPW has been tracking the UCPA’s progress throughout this legislative session.

Effective Date

December 31, 2023.

Applicability

In comparison to other state laws, the UCPA’s applicability thresholds are more stringent, requiring controllers or processors to meet three prongs:

  1. Do business in the state or targeting residents with products/services;
  2. Have annual revenue of $25 million or more; and
  3. Data collection, processing, or sale/revenue thresholds.

Practically, this will likely exempt smaller to mid-market organizations with limited revenue but substantial data collection, processing, and/or sale activities, unlike the other state laws.

In comparison, under the CCPA/CPRA, covered businesses could meet the revenue requirement or another threshold (e.g., sell/share the personal information of 50,000 or more consumers, OR derive 50% or more of annual revenues from selling consumers’ personal information).  The CDPA and CPA do not have revenue thresholds.

Enforcement

The UCPA establishes the Department of Commerce Division of Consumer Protection (“Division”), which will receive and investigate consumer complaints alleging violations of the UCPA.  Depending on the outcome of its investigation, the Division may refer certain cases to the Utah Attorney General (“AG”), who has exclusive authority to enforce the UCPA.  The AG may initiate an enforcement action based on the referral against a controller or process that violates the UCPA.

Enforcement Risk

Controllers or processors receiving a notice of violations have a 30-day cure period.  After, the AG may initiate an action against a controller or processor for failure to cure the noticed violations or if violations are ongoing.  The AG may seek up to $7,500 for each violation.

Rulemaking

The UCPA does not provide explicit authority for the AG to issue regulations. Interestingly, it requires the AG and the Division to compile a report by July 1, 2025 that evaluates liability and enforcement provisions and details summary of data protected (and not) by UCPA. Perhaps this report will spur the need for amendments and regulations, though it remains to be seen whether the legislature will act to empower the AG, Division, or other agency to carry out rulemaking in the meantime.

 

In case you missed it, below are recent posts from Consumer Privacy World covering the latest developments on data privacy, security and innovation.  Please reach out to the authors if you are interested in additional information.

SPB Team Defeats $70 Billion Driver Privacy Litigation With Ruling From Fifth Circuit, As Reported in Law360 | Consumer Privacy World

Recent FTC Settlement Highlights Agency’s Focus on Children’s Privacy & Use of Disgorgement Remedy Including in AI Context | Consumer Privacy World

BREAKING: FTC Discloses Enforcement Action Against Online Platform for Data Breach Cover-Up | Consumer Privacy World

New Law Requires 72-Hour Notice for Cyber Incidents | Consumer Privacy World

BREAKING Florida Senate Adjourns, Data Privacy Bill Yet Again Fails to Pass | Consumer Privacy World

Virginia Work Group Report Leads to Proposed CDPA Amendments | Consumer Privacy World

CPW on Speaking Circuit in April: Alan Friel and Exterro Discuss Preparing for 2023—Tools and Tips to be Ready for New US Privacy Laws | Consumer Privacy World

BREAKING: SEC Proposes Cybersecurity Disclosure Rules for Public Companies | Consumer Privacy World

CPW on March Speaking Circuit: Stephanie Faber to Present at IAPP Data Protection Intensive France 2022 | Consumer Privacy World

Florida Pursuing Privacy Bill with Private Right of Action (Again) | Consumer Privacy World

CPW on March Speaking Circuit: Kristin Bryan and Ericka Johnson To Virtually Appear at London Privacy and Security Conference on March 15 | Consumer Privacy World

CPW’s Kristin Bryan and Kyle Fath Discuss Implications of Utah Privacy Bill With Bloomberg Law | Consumer Privacy World

Federal Court Finds Plaintiff has Article III Standing in FCRA Suit against Employer, In Reminder of Litigation Risk Arising From Background Screening | Consumer Privacy World

Now Available: A Practical Guide to Cyber Insurance For Businesses With Chapter From CPW’s Kristin Bryan | Consumer Privacy World

CPW on the Speaking Circuit in March: Golding to Speak at Privacy + Security Forum’s Virtual Spring Academy 2022 | Consumer Privacy World

SEC Set to Consider Cybersecurity Proposal to Amend Regulations, Likely Affecting Public Companies | Consumer Privacy World

Privacy Continues to be Top of Mind Issue With President Biden’s State of the Union Address and Movement on FTC Nominee Today | Consumer Privacy World

UPDATED: Utah One Step Closer to a Consumer Privacy Bill | Consumer Privacy World

CPW on the Speaking Circuit in March: Warren to Speak at PrivSec China on China’s Data Privacy Law | Consumer Privacy World

Maryland Considering Biometrics Bill That Could Shift Compliance Landscape and Contains Private Right of Action | Consumer Privacy World

Georgia Considering Broad Privacy Bill With Private Right of Action and Liquidated Statutory Damages That Would Exceed Scope of California Law | Consumer Privacy World

In case you missed it, below are recent posts from Consumer Privacy World covering the latest developments on data privacy, security and innovation.  Please reach out to the authors if you are interested in additional information.

BREAKING Florida Senate Adjourns, Data Privacy Bill Yet Again Fails to Pass | Consumer Privacy World

Virginia Work Group Report Leads to Proposed CDPA Amendments | Consumer Privacy World

CPW on Speaking Circuit in April: Alan Friel and Exterro Discuss Preparing for 2023—Tools and Tips to be Ready for New US Privacy Laws | Consumer Privacy World

BREAKING: SEC Proposes Cybersecurity Disclosure Rules for Public Companies | Consumer Privacy World

CPW on March Speaking Circuit: Stephanie Faber to Present at IAPP Data Protection Intensive France 2022 | Consumer Privacy World

Florida Pursuing Privacy Bill with Private Right of Action (Again) | Consumer Privacy World

CPW on March Speaking Circuit: Kristin Bryan and Ericka Johnson To Virtually Appear at London Privacy and Security Conference on March 15 | Consumer Privacy World

CPW’s Kristin Bryan and Kyle Fath Discuss Implications of Utah Privacy Bill With Bloomberg Law | Consumer Privacy World

Federal Court Finds Plaintiff has Article III Standing in FCRA Suit against Employer, In Reminder of Litigation Risk Arising From Background Screening | Consumer Privacy World

Now Available: A Practical Guide to Cyber Insurance For Businesses With Chapter From CPW’s Kristin Bryan | Consumer Privacy World

CPW on the Speaking Circuit in March: Golding to Speak at Privacy + Security Forum’s Virtual Spring Academy 2022 | Consumer Privacy World

SEC Set to Consider Cybersecurity Proposal to Amend Regulations, Likely Affecting Public Companies | Consumer Privacy World

Privacy Continues to be Top of Mind Issue With President Biden’s State of the Union Address and Movement on FTC Nominee Today | Consumer Privacy World

UPDATED: Utah One Step Closer to a Consumer Privacy Bill | Consumer Privacy World

CPW on the Speaking Circuit in March: Warren to Speak at PrivSec China on China’s Data Privacy Law | Consumer Privacy World

Maryland Considering Biometrics Bill That Could Shift Compliance Landscape and Contains Private Right of Action | Consumer Privacy World

Georgia Considering Broad Privacy Bill With Private Right of Action and Liquidated Statutory Damages That Would Exceed Scope of California Law | Consumer Privacy World

On Friday, February 25, 2022, the Utah Senate unanimously passed SB 227, or the Utah Consumer Privacy Act.

Controllers and Processors Beware

SB 227 is an omnibus privacy bill that shares similarities with the Virginia Consumer Data Protection Act and the Colorado Privacy Act.  For instance, the bill imposes different obligations on a covered business depending on whether the business is acting as a controller (one who determines the purposes for processing data, alone or in coordination with others) or processor (one who processes data on behalf of a controller).

Controllers are responsible for transparency, purpose specification, and data minimization.  They must also obtain the consumer’s consent for any secondary uses, and must honor consumer rights (generally within 45 days of receipt of the consumer’s request).  Controllers are also responsible for safeguarding data privacy and security, non-discrimination, non-retaliation, and non-waiver of consumer rights.  Controllers are prohibited from processing certain data qualifying as “sensitive data” without first presenting the consumer with clear notice and providing an opportunity to opt-out of processing.

Processors must follow a controller’s instructions and must enter into a contract that incorporates certain enumerated requirements (e.g., requirements pertaining to duty of confidentiality and data privacy and security safeguards) before processing data on behalf of the controller.

Applicability

The bill applies to:

  1. Businesses who (a) (i) conduct business in Utah; or produces a product or service targeted to consumers who are Utah residents; (b) has an annual revenue of $25,000,000 or more; and (c) satisfies one of more of certain enumerated thresholds (e.g., controls or processes the personal data of 100,000 or more consumers; or derives over 50% of gross revenue from the sale of personal data);
  2. “Personal Data,” which is information that can be linked (or is reasonably linkable to) an identified or identifiable individual, with exclusions; and
  3. “Biometric data,” which is “automatic measurements of an individual’s unique biological characteristics” that can identify a specific individual, excluding, among others, photographs or video recordings (or data derived from either).

The bill does not apply to, among others:

  1. Government entities;
  2. Business entities that are covered entities or business associates pursuant to the Health Insurance Portability and Accountability Act (“HIPAA”); and
  3. Information subject to HIPAA, the Federal Credit Reporting Act (“FCRA”), the Gramm-Leach-Bliley Act (“GLBA”), or the federal Drivers Privacy Protection Act (“DPPA”).

Consumer Rights

The bill protects “consumers,” which are individuals who are Utah residents acting in an individual or household context, not in an employment or commercial context.  Consumers would have the rights of access, correction, deletion, portability, and right to opt-out of certain processing.  Consumers also have a right to opt-out of certain processing, including the “sale” of personal data.

The parents or legal guardians of consumers who are children (under 13 years old) may exercise consumer rights on behalf of the child.  The personal data of children is considered “sensitive data” under the Utah Consumer Privacy Act.  The bill as currently drafted requires controllers to process the personal data of known children according to the requirements of the federal Children’s Online Privacy Protection Act (“COPPA”).

No Right of Private Action

The bill as currently drafted does not grant a private right of action and explicitly precludes consumers from using a violation of the Act to support a claim under other Utah laws, such as laws regarding unfair or deceptive acts or practices.

Risk of Enforcement Action

The Utah Consumer Privacy Act grants exclusive enforcement authority to the Utah Attorney General.  However, before the Attorney General initiates an enforcement action, the Attorney General must first provide the allegedly non-compliant business with (1) written notice (30 days before initiating enforcement action) and (2) an opportunity to cure (30 days from receipt of the written notice).

Prior Legislative History

The Utah Consumer Privacy Act was previously introduced in 2021 (as S 200) and in 2020 (as S 429).  In 2021, S 200 passed the first and second Senate floor readings, but failed to get a third Senate floor reading despite a substitute bill and fiscal note being distributed.  The Utah legislature closes on March 4, 2022.

Update as of March 3, 2022

On March 3, 2022, the Utah Senate passed the House Amendments to SB 227, and returned SB 227 to the House for signature of the Speaker.  The amended version of SB 227 passed with 22 Yay votes, 0 Nay votes, and 4 absentees. This means that the bill has passed the concurrence process. Once the bill is signed by the Speaker, it moves on to the ‘enrolling process,’ and then afterwards will be delivered to the Governor, in accordance with the Utah legislative process

What’s Next

In Utah, if a chamber passes a bill with amendments, the “the bill is sent back to originating [chamber] for concurrence of the amendment.”  Here, SB 227 passed in the Senate (where it was first introduced), then passed in the House with amendments, and afterwards was sent back to the Senate for concurrence.

If the Senate accepts the House amendments, SB 227 will be delivered to the Governor for action.  The Governor has 20 days from adjournment to (1) sign (or not sign the bill), after which the bill becomes law; or (2) veto the bill, in which case the bill does not become a law unless the Governor’s veto is overridden by the legislature.

Utah is inching closer to passing the Utah Consumer Privacy Act.  CPW will be here to keep you in the loop.

The Georgia Senate recently introduced an omnibus privacy bill modeled after (but significantly broader than) California’s Consumer Privacy Act (“CCPA”), titled the Georgia Computer Data Privacy Act (“GCDPA”).  The introduction of the GCDPA is surprising in a number of ways, including its sponsorship by Republican leadership.  It is also notable in the burdens it seeks to impose on businesses, surpassing even those in the CCPA and other recently enacted state privacy laws.  However, given that the leadership of the controlling party in the Georgia legislature supports it, it is likely to pass, though perhaps not in its current form.

Some of the most notable provisions of the GCDPA include:

  • Consumer consent required for collection of personal information. The GCDPA prohibits businesses from collecting personal information unless they have provided a notice and obtained the consumer’s consent.  This is more onerous than the CCPA, which generally permits businesses to collect personal information as long as they provide a sufficient notice at or before the point of collection.
  • Consumers must opt in to “sales” of personal information. The GCDPA prohibits businesses from “selling” data unless the consumer first opts in to the sale, which opt-in mechanism must be offered by a “clear and conspicuous link” on the business’s website.  Note that the definition of “sale” is the same as the CCPA’s; i.e., a transfer for “money or other valuable consideration.”  In addition, a business that sells personal information must provide a notice on its website that identifies the specific “persons” to whom data will be sold, and that discloses “the pro rata value of the consumer’s personal information.”
  • Very plaintiff-friendly private right of action. Unlike existing state privacy laws, the GCDPA expressly provides for a private right of action pursuant to which consumers may seek statutory damages.  Under most federal and state statutes that provide for statutory damages, a consumer can seek to recover their actual damages or a specified amount of statutory damages, whichever is higher. However, the GCDPA provides that consumers can recover their actual damages and statutory damages of up to $2,500 for each violation, or $7,500 for each intentional violation.  As with the other provisions described above, this is stricter than the CCPA, which only provides for a private right of action for certain types of data events—which could turn Georgia into the next jurisdiction focused on by the plaintiffs’ privacy bar.
  • No exemption for employee or business contact information. Unlike the CCPA and the privacy statutes enacted in Colorado and Virginia, the GCDPA does not contain a general exemption employee data or business contact information.

CPW is monitoring the Georgia bill and other state legislative developments this year.  For more, stay tuned.  We’ll be there to keep you in the loop.