Last week, the Texas AG’s office began an enforcement sweep of apparent violations of Texas’ Data Broker Law (the “Law”). Specifically, over 100 companies received letters for alleged failure to register as data brokers with the Texas Secretary of State by the March 1, 2024 deadline.

The Law defines a Data Broker as “a business entity whose principal source of revenue is derived from the collecting, processing, or transferring of personal data that the entity did not collect directly from the individual linked or linkable to the data.” The penalty for a Data Broker who violates the registration requirement is up to $10,000.00 within a 12-month period. The Law also imposes additional requirements such as the need to develop, implement, and maintain a comprehensive information security program.

Continue Reading The Eyes of Texas are Upon You: Texas Privacy Enforcement Heats Up!

2022 was another year of high activity and significant developments in the realm of artificial intelligence (“AI”) and biometric privacy related matters, including in regard to issues arising under the Illinois Biometric Information Privacy Act (“BIPA”) and others.  This continues to be one of the most frequently litigated areas of privacy law, with several notable rulings and emerging patterns of new activity by the plaintiffs’ bar.  Following up on Privacy World’s Q2 and Q3 2022 Artificial Intelligence & Biometric Privacy Quarterly Newsletters, be sure to read on for a recap of key developments and insight as to where 2023 may be headed.

Continue Reading Privacy World 2022 Year in Review: Biometrics and AI

Last week, a federal court in California dismissed a complaint concerning allegations that Otonomo, a data broker that partnered with car manufacturers, “used electronic devices in [drivers’] cars to send real-time GPS location data directly to [defendant],” allowing Otonomo to track drivers’ location in real-time.  Read on to learn more about what this means for limiting CIPA litigation exposure for geolocation tracking going forward.

Plaintiff in the case was a resident of California who alleged that her data was being “tracked and exploited by Otonomo.”  The core allegations in the Complaint concern Plaintiff’s contention that Otonomo “is a data broker that secretly collects and sells real-time GPS location information from more than 50 million cars throughout the world, including from tens of thousands in California.”  More specifically, Plaintiff asserted that Otonomo collaborates with its clients, who are automobile manufacturers that install electronic devices in the vehicles they manufacture.  Plaintiff alleged that Otonomo partnered with car manufacturers “to use electronic devices in their cars to send real-time GPS location data directly to Otonomo through a secret ‘always on’ cellular data connection.”

Plaintiff asserted that “[b]y secretly tracking the locations of consumers in their cars, Otonomo has violated and continues to violate the California Invasion of Privacy Act (‘CIPA’), which specifically prohibits the use of an “electronic tracking device to determine the location or movement of a person” without consent.”  The Complaint pled a single claim under CIPA for violation of Section 637.7.  Plaintiff sought to represent a putative class comprised of “[a]ll California residents who own or lease a vehicle and whose GPS data has been collected by Otonomo”.

By way of reference, Section 637.7 provides that:

(a) No person or entity in this state shall use an electronic tracking device to determine the location or movement of a person.

(b) This section shall not apply when the registered owner, lessor, or lessee of a vehicle has consented to the use of the electronic tracking device with respect to that vehicle.

(c) This section shall not apply to the lawful use of an electronic tracking device by a law enforcement agency.

(d) As used in this section, “electronic tracking device” means any device attached to a vehicle or other movable thing that reveals its location or movement by the transmission of electronic signals.

Cal. Penal Code § 637.7 (West 2022).  CIPA is a heavily litigated statute that has been relied upon recently by plaintiffs in privacy class actions involving a number of recent tracking-related claims and technologies.  However, Plaintiff’s application of CIPA Section 637.7 to a built-in component of a vehicle (as opposed to a standalone device) was one of first impression.

Otonomo moved to dismiss the Complaint, raising three purported fundamental deficiencies with Plaintiff’s claim.  First, Plaintiff did not allege an “electronic tracking device” “attached to” his car as the terms are used in CIPA.  Second, Plaintiff did not allege that Otonomo “determine[s] the location or movement of” Plaintiff.  And finally, Plaintiff did not allege that he did not consent to be tracked.  The Court found Otonomo’s arguments persuasive, dismissing the Complaint with prejudice.

In regard to Otonomo’s first argument, violation of CIPA Section 637.7 requires that the location or movement of a person be determined by an “electronic tracking device.”  Cal. Penal Code § 637.7(a).  Additionally, an “electronic tracking device” is defined as a device “attached to a vehicle . . . that reveals its location or movement.” Cal. Penal Code § 637.7(d).  The Court took notice of other CIPA precedent which examined the statute’s legislative history to find that “the statute governs electronic tracking devices placed on vehicles or other movable things.”  As such, the Court ruled “that the ‘device’ must be a separate device that is attached, or placed, onto an automobile by the alleged wrongdoer.”  On this basis, Plaintiff’s CIPA claim had to be dismissed.  The Court observed that this result was consistent with concessions made by Plaintiff’s counsel at oral argument, which included that the device at issue “is a component part of Plaintiff’s vehicle that is not removable by Plaintiff, nor was the Plaintiff able to obtain his vehicle without [it].”

The Court was also persuaded by Otonomo’s argument that, at most, Otonomo merely received data about the location of vehicles.  This was insufficient under Section 637.7 of CIPA, which prohibits the use of “an electronic tracking device to determine the location or movement of a person.” Cal. Penal Code § 637.7(a).  This was because, the Court explained, “[t]he wording of the statute explicitly prohibits tracking the location or movement of a person, not a vehicle.”  In this instance, the Complaint was devoid of allegations that Otonomo obtained personal information of the drivers of these vehicles.  Furthermore, Plaintiff did not allege that Otonomo received Plaintiff’s personal information from the manufacturers, which would possess this information.  On this basis as well, Plaintiff’s claim independently failed.

Finally, the Court also adopted Otonomo’s argument regarding Plaintiff’s failure to allege that he did not consent to the device installed in his car being used to track him.  Notably, Section 637.7 is not violated “when the registered owner, lessor, or lessee of a vehicle has consented to the use of the electronic tracking device with respect to that vehicle.” Cal. Penal Code § 637.7(b).

In this case, the Complaint did not include an allegation that Plaintiff did not consent to being tracked by his vehicle’s manufacturer.  This was a fundamental deficiency also requiring the Complaint’s dismissal because CIPA Section 637.7 “is not violated if any consent is given to the vehicle being tracked” (emphasis supplied).  This meant that, in order to plead a cognizable claim, Plaintiff had to allege the lack of consent with respect to both Otonomo and his vehicle manufacturer—which he did not.  In so ruling, the Court rejected Plaintiff’s contention that consent did not need to be pled because it was an affirmative defense, ruling instead that consent was “an element of the statute.”

Because the Court found that Plaintiff could not plausibly allege additional facts showing that the device at issue was an electronic tracking device within the meaning of CIPA, Plaintiff’s claim was dismissed with prejudice.  Had Plaintiff’s interpretation of CIPA been adopted by the Court in this case, it would have dramatically expanded the scope of the statute.  Additionally, it could have potentially limited the services provided to drivers on a daily basis due to perceived litigation risk.

As Otonomo’s motion pointed out, “Otonomo’s receiving vehicle GPS data through its contracts with car manufacturers and fleet managers. . .[was] used for things like roadside assistance, emergency location, vehicle theft protection, real-time weather and hazard notifications, and traffic flow management.”  At bottom, Plaintiff in this case sought to create liability under CIPA for any entity that receives GPS data from car manufacturers derived from features the car manufacturers themselves built into the vehicles.  The Court was prudent in this case to reject such an expansion of CIPA.  It remains to be seen, however, how similar claims brought in future filed cases are treated and if this first ruling is adopted in other litigations.

For more on this, and the latest developments concerning privacy, security and innovation, stay tuned.  Privacy World will be there to keep you in the loop.

Welcome to the 2022 Q3 edition of the Artificial Intelligence & Biometric Privacy Report, your go-to source for keeping you in the know on all recent major artificial intelligence (“AI”) and biometric privacy developments that have taken place over the course of the last three months. We invite you to share this resource with your colleagues and visit Squire Patton Boggs’ Data Privacy, Cybersecurity & Digital Assets and Privacy & Data Breach Litigation homepages for more information about our capabilities and team.

Also, we are extremely pleased to announce that our own Kristin Bryan was named as a 2022 Law360 Cybersecurity & Privacy MVP. As Law360 notes, “[t]he attorneys chosen as Law360’s 2022 MVPs have distinguished themselves from their peers by securing hard-earned successes in high-stakes litigation, complex global matters and record-breaking deals.” You can read more about Kristin’s Law360 award here: Law360 MVP Awards Go to 188 Attorneys From 78 Firms.

Continue Reading 2022 Q3 Artificial Intelligence & Biometric Privacy Report

The Fourth Circuit recently affirmed the Middle District of North Carolina’s grant of summary judgment in favor of the Defendants in a Driver’s Privacy Protection Act (“DPPA”) case, Garey v. Farrin, Case Nos. 21-1478, 21-1480.  In its opinion, the Fourth Circuit agreed with the district court’s ruling that the Plaintiffs had standing to assert their damages claims.  However, the Court held that summary judgment in favor of the Defendants was appropriate because the Plaintiffs’ personal information was not obtained from drivers’ licenses or DMV databases—putting it outside the scope of the DPPA.

The Defendants—a number of personal injury lawyers—obtained car accident reports from North Carolina law enforcement agencies and private data brokers.  The reports included the names and addresses of the drivers involved in those accidents.  The Defendants then purportedly used that information to mail unsolicited attorney advertising materials to some of the drivers.  The Plaintiffs—the drivers who received advertising materials from the Defendants—filed suit and asserted violations of the DPPA.  The district court held that the Plaintiffs had standing to bring suit for damages, but rejected the Plaintiffs’ claims on the merits, granting summary judgment to the Defendants.  On appeal, the Fourth Circuit affirmed, albeit on narrower grounds than those on which the district court relied.

The Fourth Circuit agreed with the district court’s assessment that the Plaintiffs lacked standing to assert claims for injunctive relief.  The Plaintiffs alleged that the Defendants had obtained their driver’s information in violation of the DPPA.  They did not, however, plead that the Defendants continued to wrongfully obtain their driver’s license information after the filing of the lawsuit or otherwise allege that any wrongful conduct by the Defendants was ongoing or imminent.  Thus, the Plaintiffs lacked standing to assert claims for injunctive relief because they did not allege any non-speculative, imminent danger.  The Court noted this outcome was consistent with the Supreme Court’s ruling in Ramirez last year (which the Fourth Circuit was previously instructed to use as a basis for reconsidering another Article III decision, as covered by CPW).  [Note: the Court found Article III satisfied on other grounds]

The parties also sought to present several issues of first impression in the Fourth Circuit including whether a driver’s license is a “motor vehicle record,” whether the DPPA applies to records outside the possession of a state DMV, and whether the DPPA’s restrictions on the obtaining, use, and dissemination of records impinge on the First Amendment.  Instead, the Fourth Circuit affirmed the district court on a much narrower ground.

The Fourth Circuit determined that, under the DPPA’s private right of action, the plaintiff must allege and prove that the defendant obtained the plaintiff’s personal information from a motor vehicle record.  As you may recall, to fall within the DPPA’s narrow private right of action, a defendant must have obtained a plaintiff’s personal information “from a motor vehicle record.”  18 U.S.C. § 2724(a) (emphasis supplied).  In this case, the Plaintiffs did not dispute that none of the Defendants obtained any information “from” a motor vehicle record.  Rather, the Plaintiffs alleged that the Defendants obtained their personal information that was derived from a motor vehicle record—which the Fourth Circuit explained was insufficient to prove a DPPA claim.

In reaching this conclusion, the Fourth Circuit analyzed the legislative history of the DPPA, and noted that the words “derived from” were intentionally removed by Congress in the process of drafting the language of the DPPA.  Thus, the legislative history clarified the plain text: the DPPA imposes civil liability only on a defendant who obtains personal information from a motor vehicle record, but not on a defendant who merely obtains personal information that can be linked back to (i.e., derived from) such a record.  Accordingly, the Fourth Circuit expressly disagreed with courts in other circuits that have found violations of the DPPA so long as the personal information at issue could be traced back to a motor vehicle record.

The Fourth Circuit’s holding was narrow and straightforward: a DPPA plaintiff must allege and prove that the defendant obtained the plaintiff’s personal information from a motor vehicle record.  Because the Defendants obtained the Plaintiffs’ personal information from accident reports—and not expressly from motor vehicle records—the Defendants were entitled to summary judgment on the Plaintiffs’ DPPA claims.

The French data protection authority, the CNIL, has published its annual report for 2021 (in French), which contains some useful information and figures, notably on complaints, investigations and sanctions, as well as on the standards of reference issued by the CNIL in relation to specific processing activities.

  1. Complaints, Investigations and Sanctions

Complaints

In 2021, the CNIL received 14,143 complaints (an increase of 7% compared to 2020 but similar to 2019) out of which:

    • 1,436 relate to access rights (28% of which are employee requests);
    • 1,906 relate to a request to delete names of corporate officers from online directories;
    • 973 relate to commercial, associative and political solicitation, by email (38 %), by SMS (29 %), by mail (20 %) and by phone (13 %); and
    • Several complaints related to CCTV in the work place.

Some complaints have been transferred to another lead authority under the one stop shop and cooperation rules.

The CNIL has also received 5,882 indirect data subject action requests (the indirect action is the only one available for certain databases, such as those of the police or intelligence services).

The CNIL reports that many complaints have been made about organizations that are established outside of the EU (UK, Switzerland, United States of America, Canada, Russia, Australia, South Korea and China) mainly in relation to the publication of data on the Internet.

Investigations

The CNIL carried out 384 investigations, 31% of which followed from complaints or reports.

The CNIL highlights:

    • Cookie

Cookie compliance has been one of the priority themes set by the CNIL for 2021 and the CNIL has launched an unprecedented control campaign.

    • Health data

The CNIL also continued its control activities on the security of health data by investigating 30 medical analysis laboratories, hospitals, service providers and data brokers, notably in relation to COVID-19 pandemic related data. Some of these procedures are still ongoing.

    • Cybersecurity

The CNIL inspected 22 organizations (15 of them public bodies) with respect to their level of internet security. The investigations revealed obsolete cryptographic cipher suites leaving websites vulnerable to attack, shortcomings concerning passwords and, more generally, insufficient measures with regard to current security issues.

Sanctions

The CNIL issued:

    • 135 formal notices; and
    • 18 sanctions for a record total amount of fines exceeding 214 million euros.

Out of the 18 sanctions,

    • 12 have been made public;
    • 15 consist of fines (5 with injunctions under penalty per day of delay);
    • 2 consist of calls to order with injunctions; and
    • 4 are decisions taken by the CNIL as a lead authority.

The most frequent breaches include:

    • Lack of information and excessive retention;
    • Lack of security; and
    • Cookies: 89 formal notices and 4 sanctions for the most serious cases of noncompliance which concerned actors who did not allow millions of internet users to refuse cookies as simply as to accept them.

The CNIL also issued two public sanctions against the Ministry of the Interior, concerning the illicit use of drones and poor management of the automated fingerprint file (FAED).

Investigation program for 2022

In February, the CNIL published the priority topics of its 2022 investigation program, which accounts for around one third of its investigations. The three major topics are:

    • Marketing activities/commercial solicitation

This follows the numerous complaints received on this topic and the publication in February 2022 of a new “commercial management” reference framework, which in particular frames the carrying out of commercial prospecting. The CNIL intends to investigate data brokers and other intermediaries.

    • Monitoring tools in the context of telework

The significant shift to teleworking has led to the development of specific tools, including tools allowing employers to ensure closer monitoring of the daily tasks and activities of employees. The CNIL considers it necessary to check the employers’ practices in this field.

    • Cloud

The CNIL intends to explore issues relating to data transfers and the management of contractual relations between data controllers and cloud solution provider subcontractors.

  2. Data breach notifications

The CNIL has received 5,037 data breach notifications (a 79% increase compared to 2020) out of which, 63% were due to an external cause (accident or malicious act). The CNIL considers that this figure is still too low compared to actual data breaches which may have occurred.

  3. Support to public authorities and the legislator

The CNIL responded to 22 parliamentary hearings and issued 121 opinions on bills and decrees. 16 of these opinions concerned how data processing was implemented in the context of the fight against the COVID-19 pandemic.

  4. Decisions

The CNIL also handled 576 health authorization applications in 2021 and issued 54 research authorizations on COVID-19.

  5. Soft law and support to businesses

In 2021, the CNIL adopted several standards of reference and sectorial recommendations. These included:

    • Standards of reference relating to care, accommodation, social and medico-social support of disabled elderly persons;
    • Standards of reference relating to the designation of drivers who have committed a traffic violation;
    • Standards of reference relating to rental management;
    • Standards of reference for health data warehouses;
    • Recommendation on the exercise of data subject rights through a representative;
    • Interim recommendations for the quality control of clinical trials during the health crisis;
    • Recommendation on logging measures;
    • Draft standards of reference for the management of pharmacies; and
    • Practical recommendation in the insurance sector completing a 2014 compliance pack.

The CNIL has also developed tools to encourage virtuous digital innovation, in particular through its “start-up” strategy deployed in 2017. This year, this has resulted in the implementation of a first personal data sandbox for health. As a result, 12 projects have been supported by the CNIL, including 4 in a reinforced way.

  6. New sanction procedure for 2022

As of January 2022, the law has created a simplified sanction procedure that allows, most notably, the CNIL to handle a higher number of complaints. The sanctions that can be issued by the CNIL under this procedure are limited to a call to order, a fine of a maximum amount of €20,000 and an injunction with a penalty capped at €100 per day of delay. These sanctions cannot be made public.

  7. Focus for 2022-2024

The CNIL has identified three areas in which it intends to establish a position and elaborate tools before including them in the investigation program:

    • Augmented cameras and their uses

The accelerated development in the field of so-called “augmented” cameras, often coupled with predictive algorithms, raises the question of the necessary and proportionate nature of these devices and runs the risk of large-scale monitoring of people.

    • Data transfers in cloud computing
    • Data collection by smartphone apps

Faced with the opacity of technologies and the heterogeneity of practices, the objective of the CNIL is to make visible the data flows and strengthen the compliance of mobile apps and their ecosystems, to better protect the privacy of smartphone users.

If you need assistance in France on data protection issues, contact stephanie.faber@squirepb.com

As CPW previously covered, the Fifth Circuit Court of Appeals, in a published decision, affirmed dismissal of Plaintiffs’ Complaint in Allen v. Vertafore, 21-20404, Fifth Circuit Court of Appeals, March 11, 2022. In its Opinion, the Fifth Circuit agreed with the district court that Plaintiffs failed to plead a cognizable claim under the federal Driver’s Privacy Protection Act (“DPPA”), 18 USC § 2721, et seq, refusing to revive a putative class action where Plaintiffs demanded USD $69.9 billion in liquidated damages.

Allen concerned a data event Vertafore publicly disclosed in November 2020, which involved the unsecured online storage of Texas drivers’ license data for over 27.7 million individuals. The first three cases were filed in the District of Colorado, Northern District of Texas, and Southern District of Texas, each seeking to represent 27.7 million class members and seeking more than USD $69 billion in statutory liquidated damages under the DPPA in addition to damages on negligence claims, injunctive relief, and potential punitive damages.

Consistent with Fifth Circuit precedent, to state a claim for a violation of the DPPA, the complaint must adequately allege that (1) the defendant knowingly obtained, disclosed, or used personal information; (2) from a motor vehicle record; and (3) for a purpose not permitted. On this basis, the first-filed Allen complaint was dismissed as the district court held Plaintiffs failed to adequately allege that Vertafore knowingly disclosed personal information for a purpose not permitted by the DPPA.

Plaintiffs then filed an appeal to the Fifth Circuit. The Fifth Circuit, however, affirmed the district court’s dismissal.

In the wake of this impressive win for Vertafore and the SPB Team, Bloomberg Law reached out to CPW’s Rafael Langer-Osuna and Kristin Bryan to get their insight on the impact this ruling will have on DPPA litigation going forward for a recently published article.

Kristin Bryan was quoted in the article as saying, “[t]he Driver’s Privacy Protection Act, enacted in 1994, prohibits the disclosure of personal information without consent, with some exceptions. It was passed to safeguard people’s privacy and safety and to regulate the disclosure of personal information by state Departments of Motor Vehicles—not to penalize companies in the wake of a data event, as is the case here. To successfully bring claims under the statute, plaintiffs must allege a knowing disclosure. The Fifth Circuit rightly recognized that a purported mismanagement of information—such as storing driver’s license data on unprotected servers—doesn’t clear that bar.”

In the article, Rafael Langer-Osuna notably states that “[t]he law has been attractive to plaintiffs because of the potential for high fees. It provides for liquidated damages of at least [USD]$2,500 per violation. Plaintiffs have been making this reach for a long time. Now they’ll be forced to rely on statutes that actually relate to the data breach context.”

For the full scoop, click here to see the news article by Bloomberg Law.

We again want to congratulate the SPB Vertafore team for successfully defeating this high-stakes data privacy case and subsequently paving the way for future DPPA litigation to come. 

As reported in Law360, last week the Fifth Circuit Court of Appeals in a published decision affirmed dismissal of Plaintiffs’ Complaint in Allen v. Vertafore, 21-20404, Fifth Circuit Court of Appeals, March 11, 2022.  In its Opinion, the Fifth Circuit agreed with the district court that Plaintiffs failed to plead a cognizable claim under the federal Driver’s Privacy Protection Act (“DPPA”), 18 USC § 2721, et seq, refusing to revive a putative class action where Plaintiffs demanded $69.9 billion USD in liquidated damages.

CPW is proud to highlight Squire Patton Boggs (US) LLP’s representation of defendant Vertafore in this high-stakes data privacy case, including in particular the leadership of SPB Senior Partner Damond Mace and Partners (and regular CPW contributors) Kristin Bryan and Rafael Langer-Osuna.

Allen concerned a data event Vertafore publicly disclosed in November 2020, which involved the unsecured online storage of Texas drivers’ license data for over 27.7 million individuals.  The first three cases were filed in the District of Colorado, Northern District of Texas and Southern District of Texas, each seeking to represent 27.7 million class members and seeking more than US$69 billion in statutory liquidated damages under the DPPA in addition to damages on negligence claims, injunctive relief, and potential punitive damages.

Consistent with Fifth Circuit precedent, to state a claim for a violation of the DPPA, the complaint must adequately allege that (1) the defendant knowingly obtained, disclosed or used personal information; (2) from a motor vehicle record; and (3) for a purpose not permitted.  On this basis, the first-filed Allen complaint was dismissed as the district court held Plaintiffs failed to adequately allege that Vertafore knowingly disclosed personal information for a purpose not permitted by the DPPA.

Plaintiffs then filed an appeal to the Fifth Circuit.  The Fifth Circuit, however, affirmed the district court’s dismissal.

In its ruling, the Fifth Circuit commented that “[t]he [DPPA] ‘regulates the disclosure of personal information contained in the records of state motor vehicle departments.’”  (quotation omitted).  The statute “was enacted in 1994 to respond to at least two concerns: ‘The first was a growing threat from stalkers and criminals who could acquire personal information from state DMVs.  The second concern related to the States’ common practice of selling personal information to businesses engaged in direct marketing and solicitation.’”  To put it otherwise, the DPPA predated modern developments concerning data events and cyberattacks—notwithstanding its frequent use by plaintiffs in data breach-type litigations.

The Fifth Circuit affirmed dismissal of the Complaint for Plaintiffs’ failure to allege a “disclosure” of their information as required to state a cognizable DPPA claim.  As the Court reasoned:

[T]he only facts alleged in Plaintiffs’ complaint are that Vertafore stored personal information on “unsecured external servers” and that unauthorized users accessed that information.  Without more, these facts do not plausibly state a “disclosure” consistent with the plain meaning of that word.  Nothing about the words “unsecured” or “external” implies exposure to public view, and the mere fact that unauthorized users managed to access the information does not imply that Vertafore granted or facilitated that access.  After all, we would hardly say that personal information was “disclosed” if it was kept in hard copy and the papers were stolen out of an unlocked, but private, storage facility.

Though at this stage of the proceedings we draw all reasonable inferences in Plaintiffs’ favor, the inference Plaintiffs ask us to draw—from “stored on unsecured external servers” to “disclosed”—is not reasonable. Because Plaintiffs have not alleged a disclosure within the meaning of the DPPA, their complaint fails to state a plausible claim for relief.

(citations omitted).  Additionally, the Fifth Circuit also noted in a footnote that “Plaintiffs cite no case in which insufficiently secure data storage constituted a ‘disclosure’ within the meaning of the DPPA.”

Moving forward, the Fifth Circuit’s ruling will have a significant impact on cases brought under the DPPA and similar statutes.  Simply put, such statutes, with their large statutory damages provisions, are not meant to support claims for data breaches.  The Court’s definition of “disclosure”—that it requires that the defendant take action to expose the data to the public—will materially undermine future data breach-based DPPA claims.  This is a significant win for defendants as the DPPA claims carry a minimum of $2,500 in statutory liquidated damages per plaintiff and therefore have become attractive claims for plaintiffs’ attorneys bringing putative class actions in data privacy litigations.

The SPB Vertafore team consists of partners Damond Mace, Rafael Langer-Osuna, Kristin Bryan, and Brent Owen, of-counsel Bobby Hawkins, principal Amanda Dodds Price, and associate Marissa Black.

On Friday, February 25, 2022, the Utah Senate unanimously passed SB 227, or the Utah Consumer Privacy Act.

Controllers and Processors Beware

SB 227 is an omnibus privacy bill that shares similarities with the Virginia Consumer Data Protection Act and the Colorado Privacy Act.  For instance, the bill imposes different obligations on a covered business depending on whether the business is acting as a controller (one who determines the purposes for processing data, alone or in coordination with others) or processor (one who processes data on behalf of a controller).

Controllers are responsible for transparency, purpose specification, and data minimization.  They must also obtain the consumer’s consent for any secondary uses, and must honor consumer rights (generally within 45 days of receipt of the consumer’s request).  Controllers are also responsible for safeguarding data privacy and security, non-discrimination, non-retaliation, and non-waiver of consumer rights.  Controllers are prohibited from processing certain data qualifying as “sensitive data” without first presenting the consumer with clear notice and providing an opportunity to opt-out of processing.

Processors must follow a controller’s instructions and must enter into a contract that incorporates certain enumerated requirements (e.g., requirements pertaining to duty of confidentiality and data privacy and security safeguards) before processing data on behalf of the controller.

Applicability

The bill applies to:

  1. Businesses that (a) conduct business in Utah or produce a product or service targeted to consumers who are Utah residents; (b) have annual revenue of $25,000,000 or more; and (c) satisfy one or more of certain enumerated thresholds (e.g., control or process the personal data of 100,000 or more consumers, or derive over 50% of gross revenue from the sale of personal data);
  2. “Personal Data,” which is information that can be linked (or is reasonably linkable to) an identified or identifiable individual, with exclusions; and
  3. “Biometric data,” which is “automatic measurements of an individual’s unique biological characteristics” that can identify a specific individual, excluding, among others, photographs or video recordings (or data derived from either).

The bill does not apply to, among others:

  1. Government entities;
  2. Business entities that are covered entities or business associates pursuant to the Health Insurance Portability and Accountability Act (“HIPAA”); and
  3. Information subject to HIPAA, the Federal Credit Reporting Act (“FCRA”), the Gramm-Leach-Bliley Act (“GLBA”), or the federal Driver’s Privacy Protection Act (“DPPA”).

Consumer Rights

The bill protects “consumers,” which are individuals who are Utah residents acting in an individual or household context, not in an employment or commercial context.  Consumers would have rights of access, correction, deletion, and portability, as well as a right to opt out of certain processing, including the “sale” of personal data.

The parents or legal guardians of consumers who are children (under 13 years old) may exercise consumer rights on behalf of the child.  The personal data of children is considered “sensitive data” under the Utah Consumer Privacy Act.  The bill as currently drafted requires controllers to process the personal data of known children according to the requirements of the federal Children’s Online Privacy Protection Act (“COPPA”).

No Right of Private Action

The bill as currently drafted does not grant a private right of action and explicitly precludes consumers from using a violation of the Act to support a claim under other Utah laws, such as laws regarding unfair or deceptive acts or practices.

Risk of Enforcement Action

The Utah Consumer Privacy Act grants exclusive enforcement authority to the Utah Attorney General.  However, before the Attorney General initiates an enforcement action, the Attorney General must first provide the allegedly non-compliant business with (1) written notice (30 days before initiating enforcement action) and (2) an opportunity to cure (30 days from receipt of the written notice).

Prior Legislative History

The Utah Consumer Privacy Act was previously introduced in 2021 (as S 200) and in 2020 (as S 429).  In 2021, S 200 passed the first and second Senate floor readings, but failed to get a third Senate floor reading despite a substitute bill and fiscal note being distributed.  The Utah legislature closes on March 4, 2022.

Update as of March 3, 2022

On March 3, 2022, the Utah Senate passed the House Amendments to SB 227 and returned SB 227 to the House for signature of the Speaker.  The amended version of SB 227 passed with 22 yea votes, 0 nay votes, and 4 absentees.  This means that the bill has passed the concurrence process.  Once the bill is signed by the Speaker, it moves on to the ‘enrolling process,’ and afterwards will be delivered to the Governor, in accordance with the Utah legislative process.

What’s Next

In Utah, if a chamber passes a bill with amendments, “the bill is sent back to originating [chamber] for concurrence of the amendment.”  Here, SB 227 passed in the Senate (where it was first introduced), then passed in the House with amendments, and afterwards was sent back to the Senate for concurrence.

If the Senate accepts the House amendments, SB 227 will be delivered to the Governor for action.  The Governor has 20 days from adjournment to (1) sign the bill, or decline to sign it, in either of which cases the bill becomes law; or (2) veto the bill, in which case the bill does not become law unless the Governor’s veto is overridden by the legislature.

Utah is inching closer to passing the Utah Consumer Privacy Act.  CPW will be here to keep you in the loop.
