Almost one year to the day after Utah enacted the Utah Consumer Privacy Act (“UCPA”), Iowa is one signature (Governor Kim Reynolds’) away from passing the sixth comprehensive consumer data privacy law, joining California, Colorado, Virginia, Connecticut, and Utah. Continue Reading Iowa is the Latest State to Pass Comprehensive Privacy Legislation

Key Takeaway: Organizations must conduct a fact-based analysis to determine whether health data collection and tracking technology deployed on their websites and mobile apps complies with the federal Health Insurance Portability and Accountability Act (“HIPAA”) and other applicable laws and guidance.

Cookies, web beacons, and similar technology are used to collect and analyze data about how users, browsers and devices interact with websites and mobile apps across the Internet (“Tracking Technology”). Tracking Technology is the subject of numerous regulatory actions, including by regulators in the European Union and California, and of private lawsuits (also in the EU and U.S.). These actions and complaints typically focus on the lack of transparency about how Tracking Technology collects data about individuals as they traverse the Internet and the lack of individual choice about how that data is shared with third parties and used to build profiles for targeted advertising. On December 1, 2022, another regulator joined the fray: the U.S. Department of Health and Human Services’ Office for Civil Rights (“OCR”). OCR, the primary enforcement authority for the federal Health Insurance Portability and Accountability Act (“HIPAA”), published a Bulletin cautioning HIPAA-regulated entities that their use of Tracking Technology may result in disclosures and uses of protected health information (“PHI”) that violate HIPAA.[1]

Many U.S. consumers mistakenly believe that all of their health information, including health information collected by online tracking technology, is protected by HIPAA. HIPAA’s requirements, however, apply only to “covered entities” (i.e., health plans, most health care providers and health care clearinghouses) and “business associates” (i.e., the service providers and other third parties that support covered entities) that receive or create individually-identifiable health information (“IIHI”) and that engage in certain covered transactions (e.g., referrals and authorizations, coordination of benefits, etc.). IIHI becomes PHI in the hands of covered entities and business associates, but that same information is not PHI when in the hands of any other organization or when used for purposes not related to treatment, or health-related payment or operations. OCR’s Bulletin helps to fill that gap but, in doing so, adds some new operational challenges for HIPAA-regulated entities.

The Bulletin states that the IIHI collected by Tracking Technology running on a website or mobile app operated by a covered entity or business associate “generally is PHI, even if the individual does not have an existing relationship with the regulated entity and even if the IIHI, such as IP address or geographic location, does not include specific treatment or billing information like dates and types of health care services.” The Bulletin states that this IIHI is PHI because it “connects the individual to the regulated entity” and is “indicative that the individual has received or will receive health care services or benefits from the covered entity.”

The Bulletin then lays out three Tracking Technology use cases that illustrate its position: (1) use on user-authenticated webpages, i.e., “webpages that users can access only after they log in to the webpage, such as by entering a unique user ID and password or other credentials”; (2) use on unauthenticated webpages, which are “webpages that are publicly accessible without first requiring a user to log in to such webpage”; and (3) use with mobile apps “offered to individuals by regulated entities to allow the individuals to, for example, find providers, access or manage their health information or health care, or pay bills.” (See Bulletin Footnotes 11, 12 and 13, respectively.)

The Bulletin’s second use case (Tracking Technology used on unauthenticated webpages) presents the most difficult operational challenge. Many HIPAA-regulated entities have historically operated on the basis that information collected from unknown visitors to their websites is not PHI because the regulated entity cannot necessarily link it to an identified or identifiable individual or, even if the individual is identifiable, to the provision of health care services to that individual.

According to the Bulletin’s second use case, however, data collected during a search of a provider directory on a public webpage – such as “an individual’s email address and/or IP address when the individual visits a regulated entity’s webpage to search for available appointments with a health care provider” – is a disclosure of PHI when third-party Tracking Technology is used on the website. Because the disclosure of PHI to the Tracking Technology vendor is outside the scope of treatment, payment or health care operations, a valid HIPAA authorization is required.[2] Obtaining a HIPAA authorization prior to allowing access to an unauthenticated webpage is, however, often impractical; for example, an individual likely would not view his or her provider name search as the provision of health care and accordingly may be disinclined to grant a HIPAA authorization until selecting a provider and scheduling an appointment.

Considered in the context of concerns about the protection of health information expressed by other regulators, OCR’s position is not particularly surprising. Over the summer, the Federal Trade Commission (“FTC”) wrote about what the data collected from wearable fitness devices can reveal about personal reproductive health choices, creating “a new frontier of potential harms to consumers.” Earlier in December, the FTC updated its interactive tool intended to help businesses that create and market mobile health apps determine which federal privacy and security laws apply, and also updated its best practices guidance for developers of mobile health apps. The California Attorney General’s settlement agreement with the health app Glow, Inc. followed an investigation in which Glow was alleged to have violated California consumer and health privacy laws by failing to preserve the confidentiality of medical information, including by disclosing app users’ health-related information without first obtaining the user’s authorization.

Next Steps

Whether Tracking Technology collects and discloses PHI in violation of HIPAA or consumer protection laws requires a fact-based analysis.

Document all Tracking Technology used for websites and mobile apps handling health information. Document the vendor of the Tracking Technology, the categories of data collected, from whom the data are collected, where on the website or mobile app the collection occurs, whether and how the data are shared and whether the data collected and shared includes PHI within the scope of the Bulletin’s requirements.

Execute a business associate agreement (“BAA”) with Tracking Technology vendors. Whether a vendor is the business associate of a covered entity does not depend on the existence of a BAA between the parties or whether the covered entity perceives a vendor to be its business associate. HIPAA enumerates functions that qualify a vendor as a business associate, including providing data analysis services.[3] In the Bulletin, OCR explained that when a Tracking Technology vendor is a covered entity’s business associate, a valid HIPAA authorization is not required. Accordingly, a BAA helps demonstrate the Tracking Technology vendor is allowed to use and disclose PHI to the extent permitted by HIPAA.

Evaluate obligations under consumer protection and state privacy laws. Even when the data disclosed by a covered entity or business associate to a Tracking Technology vendor is not PHI, a covered entity may have obligations under consumer protection laws and state privacy laws to (inter alia) make certain public disclosures about privacy practices (e.g., in a privacy policy) and implement mechanisms that allow covered individuals to exercise their privacy rights in addition to those available under HIPAA. Non-compliance with state privacy and consumer protection laws may result in civil and, in some instances, criminal penalties that are separate from HIPAA civil money penalties.


[1] Public Law 104-191

[2] 45 C.F.R. § 164.508

[3] 45 C.F.R. § 160.103

Last month a California appellate court affirmed (for the first time among any state appellate courts to consider the issue) the lower court’s denial of class certification for claims brought under the Confidentiality of Medical Information Act (“CMIA”) in the wake of a data breach. Vigil v. Muir Medical Group IPA, Inc., 2022 Cal. App. LEXIS 860 (Cal. App. Ct. Sep. 26, 2022). Given the general receptiveness of California courts to similar claims, this decision is notable in several respects, outlined in additional detail below.

Continue Reading California Appellate Court In Ruling of First Impression Affirms Denial of Class Certification in Data Breach Involving Confidential Medical Information

Connecticut is gearing up to be the next state with a comprehensive privacy law. On April 28, 2022, the Connecticut General Assembly passed SB 6, “An Act Concerning Personal Data Privacy and Online Monitoring,” which is currently with the governor awaiting signature. Of the state laws that have passed, SB 6 is most similar to the Colorado Privacy Act (“CPA”), Virginia Consumer Data Protection Act (“CDPA”), and Utah Consumer Privacy Act (“UCPA”). For example, under SB 6, the terms “controller,” “processor,” and “personal data” have similar definitions as under the CPA, CDPA, and UCPA. Continue Reading Connecticut General Assembly Passes Comprehensive Privacy Bill

Recently, a federal court in Kansas joined a number of other courts in finding that allegations of future, speculative harm unadorned with actual theft or misuse of personal information are insufficient to establish Article III standing. 

In Ex rel Situated v. Med-Data Inc., Case No. 21-2301-DDC-GEB, 2022 U.S. Dist. LEXIS 60555 (D. Kan. Mar. 31, 2022), Plaintiff C.C. (“Plaintiff”) filed a class action lawsuit against Defendant Med-Data (“Med-Data”), a health care provider, arising out of a data event in which Plaintiff’s and tens of thousands of others’ patient protected health information (“PHI”) and personally identifiable information (“PII”) was disclosed. Plaintiff was a patient of one of Med-Data’s “business associates” and provided her PII and PHI to Med-Data as a result. On or around March 31, 2021, Plaintiff received a notice of the data event, notifying her that her PII and PHI were “uploaded to a public facing website” and the data “was stolen, compromised, and wrongfully disseminated without authorization.” The impacted information included names, social security numbers, physical addresses, dates of birth, telephone numbers, medical conditions, and diagnoses.

Based on the data event, Plaintiff asserted seven claims against Med-Data: outrageous conduct, breach of implied contract, negligence, invasion of privacy by public disclosure of private facts, breach of fiduciary duty, negligent training and supervision, and negligence per se. Plaintiff filed suit in a district court in Kansas, but Med-Data removed the case to federal court under the Class Action Fairness Act (CAFA). Med-Data filed a motion to dismiss for failure to state a claim under Federal Rule of Civil Procedure 12(b)(6), but the court held that it was required to address Plaintiff’s Article III standing before resolving the motion to dismiss. The court ultimately dismissed the case for lack of standing. 

Article III standing is required to establish a federal court’s subject matter jurisdiction over a particular dispute. This requires three things: “(1) an ‘injury in fact—an invasion of a legally protected interest which is (a) concrete and particularized, and (b) actual or imminent, not conjectural or hypothetical[;]’ (2) ‘a causal connection between the injury and the conduct complained of—the injury has to be fairly . . . trace[able] to the challenged action of the defendant, and not . . . th[e] result [of] the independent action of some third party not before the court[;]’ and (3) that it is ‘likely, as opposed to merely speculative, that the injury will be redressed by a favorable decision.’” At the pleadings stage, a plaintiff need only generally allege facts demonstrating each element of Article III standing.

In addressing whether the Plaintiff had standing, the court noted that “[d]ata breach cases present unique standing issues,” surveying the circuit split on the issue. Whereas the Fourth, Sixth, Seventh, Ninth, and D.C. Circuits found that plaintiffs suffer an injury in fact for purposes of Article III standing by virtue of having been a victim of a data breach that resulted in an increased likelihood that their data would actually be misused, the Second, Third, Eighth, and Eleventh Circuits require plaintiffs to allege that their data was actually misused or intentionally taken by an unauthorized third party.

Ultimately, the court found that Plaintiff’s allegations had failed to establish Article III standing. In so holding, it noted that the Tenth Circuit has yet to address the issue, and thus, the court “predict[ed] that the Tenth Circuit, if presented with the facts alleged in [the] case, would follow the line of cases where outcome depends on whether plaintiffs have alleged misuse of their data.” The court relied upon the Supreme Court’s precedents in Clapper and TransUnion, concluding that a risk of future harm is insufficient to confer standing. Notably, however, the court emphasized that “a data breach plaintiff may establish standing on the basis of an increased risk of identity theft or identity fraud,” but that a plaintiff must nevertheless allege sufficient facts to show that the risk is “concrete, particularized, and imminent.” 

Here, Plaintiff alleged six forms of damages, all of which the court found to be insufficient:

  1. The “imminent, immediate and continuing risk of identity theft, identity fraud and/or medical fraud[;]”
  2. “[O]ut-of-pocket expenses to purchase credit monitoring, internet monitoring, identity theft insurance, and/or other Breach risk mitigation products[;]”
  3. “[O]ut-of-pocket expenses incurred to mitigate the increased risk of identity theft, identity fraud and/or medical fraud pressed upon them by the Breach, including the costs of placing a credit freeze and subsequently removing a credit freeze[;]”
  4. The “value of their time spent mitigating the increased risk of identity theft, identity fraud and/or medical fraud pressed upon them by the Breach[;]”
  5. The “lost benefit of their bargain when they paid for their privacy to be protected and it was not[;]” and
  6. Loss of privacy.

As an initial matter, the court held that HIPAA cannot be the basis for standing, as it does not create a private right of action. The court then noted that the risk of identity theft or fraud was insufficient, as a “mere compromise of personal information, without more, fails to satisfy the injury-in-fact element in the absence of identity theft” and, at best, alleged a risk of future harm. 

The court likewise held that the mitigation costs were insufficient, as “plaintiff cannot ‘manufacture standing merely by inflicting harm on [herself] based on [her] fears of hypothetical future harm that is not certainly impending.'” Critically, the court explained that “while it may have been reasonable to take some steps to mitigate the risks associated with the data breach, those actions cannot create a concrete injury where there is no imminent threat of harm.”

Plaintiff’s benefit-of-the-bargain theory was also rejected on the grounds that she failed to allege what part of her payment to Med-Data’s business associates was for data security purposes, and thus, “[s]uch a claim is too flimsy to support standing.”

Finally, the court held that Plaintiff’s loss-of-privacy allegations in support of her invasion of privacy tort were insufficient to establish standing because “plaintiff hasn’t alleged a concrete harm resulted from this publicity [of her PII and PHI]” and “[s]he hasn’t alleged any harm to her reputation from the alleged breach.” “In sum, Plaintiff’s standing problem here is a familiar one: she hasn’t alleged any concrete or particularized harm from her alleged loss of privacy. Her loss of privacy, in and of itself, is not a concrete harm that can provide the basis for Article III standing.” Finding that Plaintiff lacked standing, the court remanded the case to the state court rather than dismissing it outright.

This case is yet another example of courts holding that allegations of generalized, speculative injury will not suffice for purposes of Article III. Federal courts have shown, and continue to show, their willingness to dismiss (or, for cases removed from state court, remand) data privacy cases at the pleadings stage for lack of standing. This most recent ruling is another example of that trend.

For more developments, stay tuned. CPW will be there to keep you in the loop.

Shortly after Senator Bradley introduced Florida SB 1864, Representative Fiona McFarland (R-Dist. 72) introduced its House counterpart, Florida House Bill 9, on January 12, 2022. While SB 1864 stalled in the Senate, Florida HB 9 passed the House on March 2 and was sent to the Senate on that date, where it has not advanced since. Given that the legislative session ends this Friday, March 11, and the lack of obvious movement in the Senate, some have speculated recently that HB 9 may not make it to the finish line in time, raising the prospect of a special session later this year. Notably, Florida Governor DeSantis has previously voiced his support of a comprehensive privacy bill, leading some to believe that Florida might finally pass a comprehensive privacy bill after almost passing one last year. However, Gov. DeSantis did not specifically voice support for HB 9, and the presence of a private right of action in the bill, much like the one that failed last year, may be a sticking point. Nonetheless, because legislation can advance quickly, many remain on the edge of their seats waiting for the March 11 legislative deadline to pass.

Florida HB 9 has some important differences as compared to Florida HB 969, the bill considered last year (also introduced by Representative McFarland) that failed over a disagreement on inclusion of a broad private right of action. These differences include that Florida HB 9 has a more limited private right of action, applicable only to companies meeting certain revenue thresholds that have committed specifically enumerated violations. Additionally, among other things, HB 9 requires annual reports from the Attorney General to the Legislature and provides changes to data retention rules. Below, we analyze HB 9, which is certainly inspired by other omnibus privacy laws and notably includes a number of concepts that closely mirror the CCPA. That said, as with other privacy laws on the books and introduced by various state legislatures, there are material differences that may make it difficult to apply a single, least common denominator approach across different jurisdictions. If HB 9 passes, it would become effective on January 1, 2023, providing companies a short runway for coming into compliance.

I. Definitions.

Florida HB 9 defines “personal information” broadly to include “information that is linked or reasonably linkable to an identified or identifiable consumer or household, including biometric information, genetic information, and unique identifiers to the consumer.” Section 501.173(2)(l).  Personal information specifically does not include:

  • Consumer employment contact information;
  • Deidentified or aggregate consumer information; or
  • Publicly and lawfully available information reasonably believed to be made available to the general public.

Under Section 501.173(2)(b), “‘biometric information’ means an individual’s physiological, biological, or behavioral characteristics that can be used, singly or in combination with each other or with other identifying data, to establish individual identity. The term includes, but is not limited to, imagery of the iris, retina, fingerprint, face, hand, palm, vein patterns, and voice recordings, from which an identifier template, such as a faceprint, a minutiae template, or a voiceprint, can be extracted, and keystrokes patterns or rhythms, gait patterns or rhythms, and sleep, health, or exercise data containing identifying information.”

Florida HB 9 uses other familiar terms such as “controller” and “processor,” and defines “sell” in a manner similar to the CCPA.

II. Scope.

Most of the key terms between Florida HB 9 and Florida SB 1864 are similar. A significant difference, however, is the threshold for determining whether the proposed law applies to a particular business. Florida HB 9 defines a controller as a for-profit business that does business in Florida, collects personal information about consumers, determines the purposes and means of processing personal information, and meets at least two of the following criteria:

  • Global annual gross revenue of more than $50 million;
  • Buys, receives, sells, or shares personal information of 50,000 or more consumers, households, and devices for targeted advertising in conjunction with third parties; or
  • Derives 50% or more of its global annual revenues from selling or sharing personal information.

Thus, smaller companies may prefer Florida HB 9 since it does not apply to companies earning less than $50 million globally per year unless they both engage in significant targeted advertising and earn the majority of their global revenue from selling or sharing personal information.

III. Exceptions.

Section 501.173(1) of Florida HB 9 outlines 27 categories of companies or information to which the bill would not apply, including:

  • Personal information collected and transmitted that is necessary for the sole purpose of sharing such personal information with a financial service provider to facilitate short term, transactional payment processing for the purchase of products or services;
  • Personal information collected, used, retained, sold, shared, or disclosed as de-identified personal information or aggregate consumer information;
  • Cooperation with law enforcement agencies concerning conduct or activity that the controller, processor, or third party reasonably and in good faith believes may violate federal, state, or local law;
  • Personal information collected through the controller’s direct interactions with the consumer, that is used by the controller or processor that the controller directly contracts with for advertising or marketing services to advertise or market products or services that are produced or offered directly by the controller;
  • Personal information of a person acting in the role of a job applicant or employee of a controller, that is collected by a controller, to the extent the personal information is collected and used solely within the context of the person’s role or former role with the controller;
  • Protected health information for purposes of the federal Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) and related regulations, and patient identifying information for purposes of 42 C.F.R. part 2, established pursuant to 42 U.S.C. § 290dd-2;
  • A covered entity or business associate governed by the privacy, security, and breach notification rules in 45 C.F.R. parts 160 and 164, as long as the personal information is not used for targeted advertising, sold, or shared;
  • Information that is de-identified in accordance with 45 C.F.R. § 164 and derived from individually identifiable health information as described in HIPAA;
  • Information used only for public health activities and purposes as described in 45 C.F.R. § 164.512;
  • Personal information collected, processed, sold, or disclosed pursuant to the federal Fair Credit Reporting Act, Driver’s Privacy Protection Act of 1994, Gramm-Leach-Bliley Act (“GLBA”), and Family Educational Rights and Privacy Act;
  • A financial institution as defined in the GLBA to the extent the financial institution maintains personal information in the same manner as nonpublic information and does not use it for targeted advertising or sell or share it;
  • Personal information disclosed for the purpose of responding to an alert of a present risk of harm to a person or property, detecting security incidents, protecting against malicious, deceptive, fraudulent, or illegal activity, or prosecuting those responsible for that activity; and
  • An identifier used for a consumer who has opted out for the sale or sharing of the consumer’s personal information for the sole purpose of alerting processors and third parties that the consumer has opted out of the sale or sharing of the consumer’s personal information.

IV. Obligations.

Florida HB 9 creates many of the same obligations on controllers and processors that are included in other comprehensive privacy laws. These include:

  • Maintaining an online privacy policy;
  • Providing notice at the point of collection;
  • Limiting the collection and use of personal information for only those purposes disclosed to consumers;
  • Requiring reasonable security procedures and practices;
  • Implementing a retention schedule, subject to certain exemptions, that prohibits the use or retention of personal information (1) after the satisfaction of the initial purpose for which such information was collected or obtained, (2) after the expiration of the contract pursuant to which the information was collected or obtained, or (3) three years after the consumer’s last interaction with the controller; and
  • Responding to a consumer’s request to exercise his/her rights.

The retention requirement may create challenges for companies that have not previously needed to track their last interactions with consumers. Florida HB 9’s private right of action, fortunately, does not apply to this retention requirement. In a further nod to the CCPA, controllers “may charge a consumer who exercised any of the consumer’s rights . . . a different price or rate, or provide a different level or quality of goods or services to the consumer, only if that difference is reasonably related to the value provided to the controller by the consumer’s data or is related to a consumer’s voluntary participation in a financial incentive program.” Section 501.173(8)(a). Controllers may also offer financial incentives to consumers, “if the consumer gives the controller prior consent that clearly describes the material terms of the financial incentive program.” Section 501.173(8)(b). There are also specific contractual requirements mandated by HB 9, similar to what we have seen in some of the other comprehensive privacy bills.

V. Consumer Rights.

Under Florida HB 9, consumers have a right to request that a controller disclose the following information: (1) the consumer’s personal information that the controller has collected; (2) the sources from which the consumer’s personal information was collected; (3) the specific pieces of personal information about the consumer that have been sold or shared; (4) the third parties to which the personal information about the consumer was sold or shared; and (5) the categories of personal information about the consumer that were disclosed to a processor. Controllers must act on these requests, free of charge, within 45 days, although a 45-day extension is available after informing the consumer. Controllers are not required to provide personal information to a consumer more than twice in a 12-month period.

Consumers also have the right to request that a controller delete their personal information. After receiving a verifiable consumer request to delete the consumer’s personal information, a controller would have 90 days to comply with the request, with ten delineated exceptions. Controllers do not have to comply with consumer deletion requests if it is reasonably necessary for the controller or processor to maintain the consumer’s personal information to do any of the following:

  • Complete the transaction for which the personal information was collected;
  • Fulfill the terms of a written warranty or product recall;
  • Provide a good or service requested by the consumer, or reasonably anticipated to be requested within the context of a controller’s ongoing business relationship with the consumer, or otherwise perform a contract between the controller and the consumer;
  • Detect security incidents, protect against malicious, deceptive, fraudulent, or illegal activity or access; or prosecute those responsible for that activity or access;
  • Debug to identify and repair errors that impair existing intended functionality;
  • Engage in public or peer-reviewed scientific, historical, or statistical research in the public interest that adheres to all other applicable ethics and privacy laws when the controller’s deletion of the information is likely to render impossible or seriously impair the achievement of such research, if the consumer has provided informed consent;
  • Enable solely internal uses that are reasonably aligned with the expectations of the consumer based on the consumer’s relationship with the controller or that are compatible with the context in which the consumer provided the information;
  • Comply with a legal obligation, including any state or federal retention laws;
  • Reasonably protect the controller’s interests against existing disputes, legal action, or governmental investigations; and
  • Assure the physical security of persons or property.

Florida HB 9 also contains a right to correct inaccurate personal information and requires controllers to use commercially reasonable efforts to correct personal information, and direct processors to do the same, within 90 days of receiving a verifiable consumer request. The bill is not clear on what a controller is supposed to do in the event it thinks that the information provided by the consumer is inaccurate. Nine of the ten right to delete exceptions apply to the right to correct. Controllers cannot rely on the peer-reviewed scientific research exception to deny a right to correct.

Finally, Florida HB 9 includes a right to opt out of the sale or sharing of personal information and requires an opt-in for personal information relating to minors. A controller that receives an opt-out is prohibited from selling or sharing the consumer’s personal information beginning 4 calendar days after receipt of the opt-out. If the bill passes, companies will be required to add another link to their homepages, this time entitled “Do Not Sell or Share My Personal Information.” Controllers may also accept opt-outs through global privacy controls. Once a consumer opts out, a controller must wait 12 months before requesting that the consumer authorize the sale or sharing of the consumer’s personal information.

VI. Enforcement.

Florida HB 9 grants the Florida Department of Legal Affairs (the “Department”) enforcement authority by making violations of the bill an automatic violation of the Florida Deceptive and Unfair Trade Practices Act (“FDUTPA”) for purposes of regulatory enforcement. FDUTPA provides for civil penalties of up to $10,000 per violation of the act (and up to $15,000 in certain situations). These penalties may be tripled if the violation:

  • Involves a consumer who the controller, processor, or person has actual knowledge is 18 years of age or younger without the required parental consent;
  • Involves the controller, processor, or third party’s failure to delete or correct a consumer’s personal information after receiving a verifiable consumer request or directions to delete or correct from a controller;
  • Involves the controller, processor, or third party continuing to sell or share the consumer’s personal information after the consumer opts out; or
  • Involves the selling or sharing of personal information of a consumer 18 years of age or younger without obtaining the required consent.

After being notified of the violation, the Department has discretion to grant the controller or processor a 45-day period to cure the violation.  This cure period, however, does not apply if the controller, processor, or third party failed to delete or correct a consumer’s personal information after receiving a verifiable consumer request or directions to delete or correct from the controller.  The Department may only bring actions on behalf of a Florida consumer.  The Department is also obligated to report to the President of the Senate and Speaker of the House with the number of complaints received each year and their dispositions.

VII.    Private Right of Action.

Unlike its Senate equivalent, Florida HB 9 contains a private right of action for some consumers.  Florida HB 9’s private right of action would allow consumers to sue companies for $100-$750 per person, per incident, or actual damages, where the company:

  1. Fails to delete or correct the consumer’s personal information after receiving a verifiable consumer request;
  2. In the case of a processor, fails to delete or correct a consumer’s personal information after having been directed by a controller to do so;
  3. Continues to sell or share personal information after the consumer has opted out; or
  4. Sells or shares personal information of a consumer under the age of 18 without obtaining the required parental consent.

Florida HB 9 also permits a consumer to seek declaratory or injunctive relief for violations.  The bill does not create a private right of action for data breaches, which Florida’s current data breach law, Section 501.171(10), prohibits.

Importantly, HB 9 places some restraints on Florida consumers bringing a civil action.  According to Section 501.173(10)(a)(1), a private civil action against companies with global annual gross revenues of less than $50 million is barred. Controllers, processors, or third parties with global annual gross revenues between $50 million and $500 million are subject to private claims, but the prevailing Florida consumer may not be awarded attorney fees or costs.  If the controller, processor, or third party has global annual gross revenues of more than $500 million, the prevailing consumer shall recover reasonable attorney fees and costs.  A prevailing defendant, however, may only recover attorney fees “if the court finds that there was a complete absence of a justiciable issue of either law or fact raised by the consumer or if the court finds bad faith on the part of the consumer, including if the consumer is not a Florida consumer.” Section 501.173(10)(d).  If passed, Florida HB 9 would be the first comprehensive U.S. privacy law that creates a private right of action for violation of the privacy provisions of the law.  By comparison, California’s private right of action is limited to data breaches of sensitive personal information.  Florida HB 9’s proposed private right of action will incentivize lawsuits from professional plaintiffs who will make mass deletion, correction, or opt-out requests in the hopes of catching companies off guard and unable to respond within the time provided by the law.  The consumer will receive between $100 and $750 per alleged violation or actual damages, while the consumer’s lawyer will be able to recoup their fees and costs only in certain situations.

As written, the current private right of action does not contain a cure provision.  That is, companies are not given the ability to fix whatever violation is alleged before having to defend against a lawsuit.

VIII.  Next Steps.

Florida HB 9 is currently in the Senate, having passed the House 103 to 8.  After passing through the various committees, it must also pass on the floor of the Senate.  All of these next steps must come to a conclusion by March 11, 2022, when the Florida legislative session comes to an end, unless the governor calls for a special session.

For more information please reach out to the authors.

On Friday, February 25, 2022, the Utah Senate unanimously passed SB 227, or the Utah Consumer Privacy Act.

Controllers and Processors Beware

SB 227 is an omnibus privacy bill that shares similarities with the Virginia Consumer Data Protection Act and the Colorado Privacy Act.  For instance, the bill imposes different obligations on a covered business depending on whether the business is acting as a controller (one who determines the purposes for processing data, alone or in coordination with others) or processor (one who processes data on behalf of a controller).

Controllers are responsible for transparency, purpose specification, and data minimization.  They must also obtain the consumer’s consent for any secondary uses, and must honor consumer rights (generally within 45 days of receipt of the consumer’s request).  Controllers are also responsible for safeguarding data privacy and security, non-discrimination, non-retaliation, and non-waiver of consumer rights.  Controllers are prohibited from processing certain data qualifying as “sensitive data” without first presenting the consumer with clear notice and providing an opportunity to opt-out of processing.

Processors must follow a controller’s instructions and must enter into a contract that incorporates certain enumerated requirements (e.g., requirements pertaining to duty of confidentiality and data privacy and security safeguards) before processing data on behalf of the controller.

Applicability

The bill applies to:

  1. Businesses that (a)(i) conduct business in Utah or (ii) produce a product or service targeted to consumers who are Utah residents; (b) have annual revenue of $25,000,000 or more; and (c) satisfy one or more of certain enumerated thresholds (e.g., control or process the personal data of 100,000 or more consumers; or derive over 50% of gross revenue from the sale of personal data);
  2. “Personal Data,” which is information that can be linked (or is reasonably linkable to) an identified or identifiable individual, with exclusions; and
  3. “Biometric data,” which is “automatic measurements of an individual’s unique biological characteristics” that can identify a specific individual, excluding, among others, photographs or video recordings (or data derived from either).

The bill does not apply to, among others:

  1. Government entities;
  2. Business entities that are covered entities or business associates pursuant to the Health Insurance Portability and Accountability Act (“HIPAA”); and
  3. Information subject to HIPAA, the Fair Credit Reporting Act (“FCRA”), the Gramm-Leach-Bliley Act (“GLBA”), or the federal Driver’s Privacy Protection Act (“DPPA”).

Consumer Rights

The bill protects “consumers,” which are individuals who are Utah residents acting in an individual or household context, not in an employment or commercial context.  Consumers would have rights of access, correction, deletion, and portability, as well as a right to opt out of certain processing, including the “sale” of personal data.

The parents or legal guardians of consumers who are children (under 13 years old) may exercise consumer rights on behalf of the child.  The personal data of children is considered “sensitive data” under the Utah Consumer Privacy Act.  The bill as currently drafted requires controllers to process the personal data of known children according to the requirements of the federal Children’s Online Privacy Protection Act (“COPPA”).

No Right of Private Action

The bill as currently drafted does not grant a private right of action and explicitly precludes consumers from using a violation of the Act to support a claim under other Utah laws, such as laws regarding unfair or deceptive acts or practices.

Risk of Enforcement Action

The Utah Consumer Privacy Act grants exclusive enforcement authority to the Utah Attorney General.  However, before the Attorney General initiates an enforcement action, the Attorney General must first provide the allegedly non-compliant business with (1) written notice (30 days before initiating enforcement action) and (2) an opportunity to cure (30 days from receipt of the written notice).

Prior Legislative History

The Utah Consumer Privacy Act was previously introduced in 2021 (as S 200) and in 2020 (as S 429).  In 2021, S 200 passed the first and second Senate floor readings, but failed to get a third Senate floor reading despite a substitute bill and fiscal note being distributed.  The Utah legislature closes on March 4, 2022.

Update as of March 3, 2022

On March 3, 2022, the Utah Senate passed the House Amendments to SB 227 and returned SB 227 to the House for signature of the Speaker.  The amended version of SB 227 passed with 22 yea votes, 0 nay votes, and 4 absentees. This means that the bill has passed the concurrence process. Once the bill is signed by the Speaker, it moves on to the ‘enrolling process,’ and afterwards will be delivered to the Governor, in accordance with the Utah legislative process.

What’s Next

In Utah, if a chamber passes a bill with amendments, “the bill is sent back to originating [chamber] for concurrence of the amendment.”  Here, SB 227 passed in the Senate (where it was first introduced), then passed in the House with amendments, and afterwards was sent back to the Senate for concurrence.

If the Senate accepts the House amendments, SB 227 will be delivered to the Governor for action.  The Governor has 20 days from adjournment to (1) sign the bill, or leave it unsigned, after which the bill becomes law; or (2) veto the bill, in which case the bill does not become law unless the Governor’s veto is overridden by the legislature.

Utah is inching closer to passing the Utah Consumer Privacy Act.  CPW will be here to keep you in the loop.


CPW is pleased to announce that today David Oberly joins Squire Patton Boggs (US) LLP’s globally-recognized Data Privacy, Cybersecurity & Digital Assets Practice from Blank Rome, where he played an instrumental role in launching the firm’s Biometric Privacy Practice.  As a recognized thought leader in the biometric privacy space, David serves as a go-to expert for companies that utilize biometrics in their operations—counseling clients on the full range of regulatory compliance obligations applicable today, as well as on managing potential legal exposure and liability risks. David also regularly develops organization-wide biometric privacy compliance programs in connection with all types of biometric technologies.

In addition, David also serves as the trusted privacy advisor to companies across a wide variety of industries, providing compliance, risk management, and product guidance on a broad assortment of privacy, security, and data protection issues that companies face in today’s highly-digital world. David has particular expertise and experience in both counseling/advising and developing compliance programs in connection with consumer privacy laws, including the CCPA, CPRA, CDPA, and CPA. In this capacity, David routinely assists clients in understanding how consumer privacy laws impact their organizational data handling and security practices and has helped numerous companies operationalize compliance with today’s growing web of consumer privacy regulation. David also regularly provides guidance on compliance with a wide range of other state and federal privacy laws, including the New York SHIELD Act, NYDFS Part 500 Cybersecurity Regulation, Florida Security of Communications Act (FSCA), GLBA, HIPAA, and FCRA, among others.

David has deep experience in security incident response matters—both in terms of assisting clients in incident response and crisis management following data breach events and in counseling clients on concerns regarding potential security incidents. David’s expertise extends to a wide range of security incidents, including cloud data breaches, malware credit card breaches, employee phishing breaches, social media account takeover events, ransomware, and inadvertent data disclosure events. David is also experienced in handling all aspects of the incident response process, including post-incident forensic and regulatory investigations, notifications to impacted individuals and privacy regulators, interacting with law enforcement and regulators, and implementing post-incident remediation plans.  David’s advisory work is informed by his significant experience in defending and litigating high-stakes, high-exposure biometric privacy class actions, particularly those brought under the Illinois Biometric Information Privacy Act (BIPA), as well as deep experience in defending other types of privacy and consumer protection class litigation.

Welcome, David!

The FTC’s recent policy statement on the Health Breach Notification Rule (the “Rule”) substantially impacts the consumer-facing digital health industry by significantly expanding (a) the scope of entities subject to the Rule and (b) data practices that constitute a breach. Under the new guidance, any entity that collects health data from both a connected device and the consumer (excluding entities already subject to HIPAA) will be treated as a “vendor of Personal Health Records” (“PHR Vendor”) subject to the Rule. Moreover, PHR Vendors that share such information without the individual’s authorization will trigger the Rule’s breach notification requirements. Continue Reading FTC Policy Statement Substantially Expands Scope of Personal Health Record Vendor Rules