In case you missed it, below are recent posts from Consumer Privacy World covering the latest developments on data privacy, security and innovation.  Please reach out to the authors if you are interested in additional information.

California Attorney General Clarifies that Inferences are Personal Information | Consumer Privacy World

Registration OPEN: April 5 from 12-1 pm EST 2022 Developments and Trends Concerning Biometric Privacy and Artificial Intelligence | Consumer Privacy World

Top Five Takeaways for Businesses from the New CISA Cyber Reporting Act | Consumer Privacy World

Hello, Utah Consumer Privacy Act! | Consumer Privacy World

New UK IDTA and Addendum Come Into Force | Consumer Privacy World

FBI Warns U.S. Critical Infrastructure Subject to Reconnaissance for Cyberattacks | Consumer Privacy World

NIST Publishes AI Risk Management Framework and Updates on Bias in AI | Consumer Privacy World

SPB Team Defeats $70 Billion Driver Privacy Litigation With Ruling From Fifth Circuit, As Reported in Law360 | Consumer Privacy World

CPW on the Speaking Circuit in March: Colin Jennings to Present on Cybersecurity and Ransomware | Consumer Privacy World

President Biden Calls upon Companies’ Patriotic Obligation to Prepare for Cyberattacks | Consumer Privacy World

Recent FTC Settlement Highlights Agency’s Focus on Children’s Privacy & Use of Disgorgement Remedy Including in AI Context | Consumer Privacy World

BREAKING: FTC Discloses Enforcement Action Against Online Platform for Data Breach Cover-Up | Consumer Privacy World

New Law Requires 72-Hour Notice for Cyber Incidents | Consumer Privacy World

BREAKING Florida Senate Adjourns, Data Privacy Bill Yet Again Fails to Pass | Consumer Privacy World

Virginia Work Group Report Leads to Proposed CDPA Amendments | Consumer Privacy World

The Utah Consumer Privacy Act (“UCPA”) was signed into law by Governor Spencer J. Cox yesterday. CPW has been tracking the UCPA’s progress throughout this legislative session.

Effective Date

December 31, 2023.

Applicability

In comparison to other state laws, the UCPA’s applicability thresholds are more stringent, requiring controllers or processors to meet three prongs:

  1. Do business in the state or targeting residents with products/services;
  2. Have annual revenue of $25 million or more; and
  3. Data collection, processing, or sale/revenue thresholds.

Practically, this will likely exempt smaller to mid-market organizations with limited revenue but substantial data collection, processing, and/or sale activities, unlike the other state laws.

In comparison, under the CCPA/CPRA, covered businesses could meet the revenue requirement or another threshold (e.g., sell/share the personal information of 50,000 or more consumers, OR derive 50% or more of annual revenues from selling consumers’ personal information).  The CDPA and CPA do not have revenue thresholds.

Enforcement

The UCPA establishes the Department of Commerce Division of Consumer Protection (“Division”), which will receive and investigate consumer complaints alleging violations of the UCPA.  Depending on the outcome of its investigation, the Division may refer certain cases to the Utah Attorney General (“AG”), who has exclusive authority to enforce the UCPA.  The AG may initiate an enforcement action based on the referral against a controller or process that violates the UCPA.

Enforcement Risk

Controllers or processors receiving a notice of violations have a 30-day cure period.  After, the AG may initiate an action against a controller or processor for failure to cure the noticed violations or if violations are ongoing.  The AG may seek up to $7,500 for each violation.

Rulemaking

The UCPA does not provide explicit authority for the AG to issue regulations. Interestingly, it requires the AG and the Division to compile a report by July 1, 2025 that evaluates liability and enforcement provisions and details summary of data protected (and not) by UCPA. Perhaps this report will spur the need for amendments and regulations, though it remains to be seen whether the legislature will act to empower the AG, Division, or other agency to carry out rulemaking in the meantime.

 

In case you missed it, below are recent posts from Consumer Privacy World covering the latest developments on data privacy, security and innovation.  Please reach out to the authors if you are interested in additional information.

SPB Team Defeats $70 Billion Driver Privacy Litigation With Ruling From Fifth Circuit, As Reported in Law360 | Consumer Privacy World

Recent FTC Settlement Highlights Agency’s Focus on Children’s Privacy & Use of Disgorgement Remedy Including in AI Context | Consumer Privacy World

BREAKING: FTC Discloses Enforcement Action Against Online Platform for Data Breach Cover-Up | Consumer Privacy World

New Law Requires 72-Hour Notice for Cyber Incidents | Consumer Privacy World

BREAKING Florida Senate Adjourns, Data Privacy Bill Yet Again Fails to Pass | Consumer Privacy World

Virginia Work Group Report Leads to Proposed CDPA Amendments | Consumer Privacy World

CPW on Speaking Circuit in April: Alan Friel and Exterro Discuss Preparing for 2023—Tools and Tips to be Ready for New US Privacy Laws | Consumer Privacy World

BREAKING: SEC Proposes Cybersecurity Disclosure Rules for Public Companies | Consumer Privacy World

CPW on March Speaking Circuit: Stephanie Faber to Present at IAPP Data Protection Intensive France 2022 | Consumer Privacy World

Florida Pursuing Privacy Bill with Private Right of Action (Again) | Consumer Privacy World

CPW on March Speaking Circuit: Kristin Bryan and Ericka Johnson To Virtually Appear at London Privacy and Security Conference on March 15 | Consumer Privacy World

CPW’s Kristin Bryan and Kyle Fath Discuss Implications of Utah Privacy Bill With Bloomberg Law | Consumer Privacy World

Federal Court Finds Plaintiff has Article III Standing in FCRA Suit against Employer, In Reminder of Litigation Risk Arising From Background Screening | Consumer Privacy World

Now Available: A Practical Guide to Cyber Insurance For Businesses With Chapter From CPW’s Kristin Bryan | Consumer Privacy World

CPW on the Speaking Circuit in March: Golding to Speak at Privacy + Security Forum’s Virtual Spring Academy 2022 | Consumer Privacy World

SEC Set to Consider Cybersecurity Proposal to Amend Regulations, Likely Affecting Public Companies | Consumer Privacy World

Privacy Continues to be Top of Mind Issue With President Biden’s State of the Union Address and Movement on FTC Nominee Today | Consumer Privacy World

UPDATED: Utah One Step Closer to a Consumer Privacy Bill | Consumer Privacy World

CPW on the Speaking Circuit in March: Warren to Speak at PrivSec China on China’s Data Privacy Law | Consumer Privacy World

Maryland Considering Biometrics Bill That Could Shift Compliance Landscape and Contains Private Right of Action | Consumer Privacy World

Georgia Considering Broad Privacy Bill With Private Right of Action and Liquidated Statutory Damages That Would Exceed Scope of California Law | Consumer Privacy World

In case you missed it, below are recent posts from Consumer Privacy World covering the latest developments on data privacy, security and innovation.  Please reach out to the authors if you are interested in additional information.

BREAKING Florida Senate Adjourns, Data Privacy Bill Yet Again Fails to Pass | Consumer Privacy World

Virginia Work Group Report Leads to Proposed CDPA Amendments | Consumer Privacy World

CPW on Speaking Circuit in April: Alan Friel and Exterro Discuss Preparing for 2023—Tools and Tips to be Ready for New US Privacy Laws | Consumer Privacy World

BREAKING: SEC Proposes Cybersecurity Disclosure Rules for Public Companies | Consumer Privacy World

CPW on March Speaking Circuit: Stephanie Faber to Present at IAPP Data Protection Intensive France 2022 | Consumer Privacy World

Florida Pursuing Privacy Bill with Private Right of Action (Again) | Consumer Privacy World

CPW on March Speaking Circuit: Kristin Bryan and Ericka Johnson To Virtually Appear at London Privacy and Security Conference on March 15 | Consumer Privacy World

CPW’s Kristin Bryan and Kyle Fath Discuss Implications of Utah Privacy Bill With Bloomberg Law | Consumer Privacy World

Federal Court Finds Plaintiff has Article III Standing in FCRA Suit against Employer, In Reminder of Litigation Risk Arising From Background Screening | Consumer Privacy World

Now Available: A Practical Guide to Cyber Insurance For Businesses With Chapter From CPW’s Kristin Bryan | Consumer Privacy World

CPW on the Speaking Circuit in March: Golding to Speak at Privacy + Security Forum’s Virtual Spring Academy 2022 | Consumer Privacy World

SEC Set to Consider Cybersecurity Proposal to Amend Regulations, Likely Affecting Public Companies | Consumer Privacy World

Privacy Continues to be Top of Mind Issue With President Biden’s State of the Union Address and Movement on FTC Nominee Today | Consumer Privacy World

UPDATED: Utah One Step Closer to a Consumer Privacy Bill | Consumer Privacy World

CPW on the Speaking Circuit in March: Warren to Speak at PrivSec China on China’s Data Privacy Law | Consumer Privacy World

Maryland Considering Biometrics Bill That Could Shift Compliance Landscape and Contains Private Right of Action | Consumer Privacy World

Georgia Considering Broad Privacy Bill With Private Right of Action and Liquidated Statutory Damages That Would Exceed Scope of California Law | Consumer Privacy World

On Friday, February 25, 2022, the Utah Senate unanimously passed SB 227, or the Utah Consumer Privacy Act.

Controllers and Processors Beware

SB 227 is an omnibus privacy bill that shares similarities with the Virginia Consumer Data Protection Act and the Colorado Privacy Act.  For instance, the bill imposes different obligations on a covered business depending on whether the business is acting as a controller (one who determines the purposes for processing data, alone or in coordination with others) or processor (one who processes data on behalf of a controller).

Controllers are responsible for transparency, purpose specification, and data minimization.  They must also obtain the consumer’s consent for any secondary uses, and must honor consumer rights (generally within 45 days of receipt of the consumer’s request).  Controllers are also responsible for safeguarding data privacy and security, non-discrimination, non-retaliation, and non-waiver of consumer rights.  Controllers are prohibited from processing certain data qualifying as “sensitive data” without first presenting the consumer with clear notice and providing an opportunity to opt-out of processing.

Processors must follow a controller’s instructions and must enter into a contract that incorporates certain enumerated requirements (e.g., requirements pertaining to duty of confidentiality and data privacy and security safeguards) before processing data on behalf of the controller.

Applicability

The bill applies to:

  1. Businesses who (a) (i) conduct business in Utah; or produces a product or service targeted to consumers who are Utah residents; (b) has an annual revenue of $25,000,000 or more; and (c) satisfies one of more of certain enumerated thresholds (e.g., controls or processes the personal data of 100,000 or more consumers; or derives over 50% of gross revenue from the sale of personal data);
  2. “Personal Data,” which is information that can be linked (or is reasonably linkable to) an identified or identifiable individual, with exclusions; and
  3. “Biometric data,” which is “automatic measurements of an individual’s unique biological characteristics” that can identify a specific individual, excluding, among others, photographs or video recordings (or data derived from either).

The bill does not apply to, among others:

  1. Government entities;
  2. Business entities that are covered entities or business associates pursuant to the Health Insurance Portability and Accountability Act (“HIPAA”); and
  3. Information subject to HIPAA, the Federal Credit Reporting Act (“FCRA”), the Gramm-Leach-Bliley Act (“GLBA”), or the federal Drivers Privacy Protection Act (“DPPA”).

Consumer Rights

The bill protects “consumers,” which are individuals who are Utah residents acting in an individual or household context, not in an employment or commercial context.  Consumers would have the rights of access, correction, deletion, portability, and right to opt-out of certain processing.  Consumers also have a right to opt-out of certain processing, including the “sale” of personal data.

The parents or legal guardians of consumers who are children (under 13 years old) may exercise consumer rights on behalf of the child.  The personal data of children is considered “sensitive data” under the Utah Consumer Privacy Act.  The bill as currently drafted requires controllers to process the personal data of known children according to the requirements of the federal Children’s Online Privacy Protection Act (“COPPA”).

No Right of Private Action

The bill as currently drafted does not grant a private right of action and explicitly precludes consumers from using a violation of the Act to support a claim under other Utah laws, such as laws regarding unfair or deceptive acts or practices.

Risk of Enforcement Action

The Utah Consumer Privacy Act grants exclusive enforcement authority to the Utah Attorney General.  However, before the Attorney General initiates an enforcement action, the Attorney General must first provide the allegedly non-compliant business with (1) written notice (30 days before initiating enforcement action) and (2) an opportunity to cure (30 days from receipt of the written notice).

Prior Legislative History

The Utah Consumer Privacy Act was previously introduced in 2021 (as S 200) and in 2020 (as S 429).  In 2021, S 200 passed the first and second Senate floor readings, but failed to get a third Senate floor reading despite a substitute bill and fiscal note being distributed.  The Utah legislature closes on March 4, 2022.

Update as of March 3, 2022

On March 3, 2022, the Utah Senate passed the House Amendments to SB 227, and returned SB 227 to the House for signature of the Speaker.  The amended version of SB 227 passed with 22 Yay votes, 0 Nay votes, and 4 absentees. This means that the bill has passed the concurrence process. Once the bill is signed by the Speaker, it moves on to the ‘enrolling process,’ and then afterwards will be delivered to the Governor, in accordance with the Utah legislative process

What’s Next

In Utah, if a chamber passes a bill with amendments, the “the bill is sent back to originating [chamber] for concurrence of the amendment.”  Here, SB 227 passed in the Senate (where it was first introduced), then passed in the House with amendments, and afterwards was sent back to the Senate for concurrence.

If the Senate accepts the House amendments, SB 227 will be delivered to the Governor for action.  The Governor has 20 days from adjournment to (1) sign (or not sign the bill), after which the bill becomes law; or (2) veto the bill, in which case the bill does not become a law unless the Governor’s veto is overridden by the legislature.

Utah is inching closer to passing the Utah Consumer Privacy Act.  CPW will be here to keep you in the loop.

The Georgia Senate recently introduced an omnibus privacy bill modeled after (but significantly broader than) California’s Consumer Privacy Act (“CCPA”), titled the Georgia Computer Data Privacy Act (“GCDPA”).  The introduction of the GCDPA is surprising in a number of ways, including its sponsorship by Republican leadership.  It is also notable in the burdens it seeks to impose on businesses, surpassing even those in the CCPA and other recently enacted state privacy laws.  However, given that the leadership of the controlling party in the Georgia legislature supports it, it is likely to pass, though perhaps not in its current form.

Some of the most notable provisions of the GCDPA include:

  • Consumer consent required for collection of personal information. The GCDPA prohibits businesses from collecting personal information unless they have provided a notice and obtained the consumer’s consent.  This is more onerous than the CCPA, which generally permits businesses to collect personal information as long as they provide a sufficient notice at or before the point of collection.
  • Consumers must opt in to “sales” of personal information. The GCDPA prohibits businesses from “selling” data unless the consumer first opts in to the sale, which opt-in mechanism must be offered by a “clear and conspicuous link” on the business’s website.  Note that the definition of “sale” is the same as the CCPA’s; i.e., a transfer for “money or other valuable consideration.”  In addition, a business that sells personal information must provide a notice on its website that identifies the specific “persons” to whom data will be sold, and that discloses “the pro rata value of the consumer’s personal information.”
  • Very plaintiff-friendly private right of action. Unlike existing state privacy laws, the GCDPA expressly provides for a private right of action pursuant to which consumers may seek statutory damages.  Under most federal and state statutes that provide for statutory damages, a consumer can seek to recover their actual damages or a specified amount of statutory damages, whichever is higher. However, the GCDPA provides that consumers can recover their actual damages and statutory damages of up to $2,500 for each violation, or $7,500 for each intentional violation.  As with the other provisions described above, this is stricter than the CCPA, which only provides for a private right of action for certain types of data events—which could turn Georgia into the next jurisdiction focused on by the plaintiffs’ privacy bar.
  • No exemption for employee or business contact information. Unlike the CCPA and the privacy statutes enacted in Colorado and Virginia, the GCDPA does not contain a general exemption employee data or business contact information.

CPW is monitoring the Georgia bill and other state legislative developments this year.  For more, stay tuned.  We’ll be there to keep you in the loop.

On Friday, February 25, 2022, the Utah Senate unanimously passed SB 227, or the Utah Consumer Privacy Act.

Controllers and Processors Beware

SB 227 is an omnibus privacy bill that shares similarities with the Virginia Consumer Data Protection Act and the Colorado Privacy Act.  For instance, the bill imposes different obligations on a covered business depending on whether the business is acting as a controller (one who determines the purposes for processing data, alone or in coordination with others) or processor (one who processes data on behalf of a controller).

Controllers are responsible for transparency, purpose specification, and data minimization.  They must also obtain the consumer’s consent for any secondary uses, and must honor consumer rights (generally within 45 days of receipt of the consumer’s request).  Controllers are also responsible for safeguarding data privacy and security, non-discrimination, non-retaliation, and non-waiver of consumer rights.  Controllers are prohibited from processing certain data qualifying as “sensitive data” without first presenting the consumer with clear notice and providing an opportunity to opt-out of processing.

Processors must follow a controller’s instructions and must enter into a contract that incorporates certain enumerated requirements (e.g., requirements pertaining to duty of confidentiality and data privacy and security safeguards) before processing data on behalf of the controller.

Applicability

The bill applies to:

  1. Businesses who (a) (i) conducts business in Utah; or produces a product or service targeted to consumers who are Utah residents; (b) has an annual revenue of $25,000,000 or more; and (c) satisfies one of more of certain enumerated thresholds (e.g., controls or processes the personal data of 100,000 or more consumers; or derives over 50% of gross revenue from the sale of personal data);
  2. “Personal Data,” which is information that can be linked (or is reasonably linkable to) an identified or identifiable individual, with exclusions; and
  3. “Biometric data,” which is “automatic measurements of an individual’s unique biological characteristics” that can identify a specific individual, excluding, among others, photographs or video recordings (or data derived from either).

The bill does not apply to, among others:

  1. Government entities;
  2. Business entities that are covered entities or business associates pursuant to the Health Insurance Portability and Accountability Act (“HIPAA”); and
  3. Information subject to HIPAA, the Federal Credit Reporting Act (“FCRA”), the Gramm-Leach-Bliley Act (“GLBA”), or the federal Drivers Privacy Protection Act (“DPPA”).

Consumer Rights

The bill protects “consumers,” which are individuals who are Utah residents acting in an individual or household context, not in an employment or commercial context.  Consumers would have the rights of access, correction, deletion, portability, and right to opt-out of certain processing.  Consumers also have a right to opt-out of certain processing, including the “sale” of personal data.

The parents or legal guardians of consumers who are children (under 13 years old) may exercise consumer rights on behalf of the child.  The personal data of children is considered “sensitive data” under the Utah Consumer Privacy Act.  The bill as currently drafted requires controllers to process the personal data of known children according to the requirements of the federal Children’s Online Privacy Protection Act (“COPPA”).

No Right of Private Action

The bill as currently drafted does not grant a private right of action and explicitly precludes consumers from using a violation of the Act to support a claim under other Utah laws, such as laws regarding unfair or deceptive acts or practices.

Risk of Enforcement Action

The Utah Consumer Privacy Act grants exclusive enforcement authority to the Utah Attorney General.  However, before the Attorney General initiates an enforcement action, the Attorney General must first provide the allegedly non-compliant business with (1) written notice (30 days before initiating enforcement action) and (2) an opportunity to cure (30 days from receipt of the written notice).

What’s Next

The Utah Consumer Privacy Act was previously introduced in 2021 (as S 200) and in 2020 (as S 429).  In 2021, S 200 passed the first and second Senate floor readings, but failed to get a third Senate floor reading despite a substitute bill and fiscal note being distributed.  The Utah legislature closes on March 4, 2022.

It remains to be seen how the 2022 version of the Utah Consumer Privacy Act will fare in the Utah House, but CPW will be here to keep you in the loop.

CPW is pleased to announce that today David Oberly joins Squire Patton Boggs (US) LLP’s globally-recognized Data Privacy, Cybersecurity & Digital Assets Practice from Blank Rome, where he played an instrumental role in launching the firm’s Biometric Privacy Practice.  As a recognized thought leader in the biometric privacy space, David serves as a go-to expert for companies that utilize biometrics in their operations—counseling clients on the full range of regulatory compliance obligations applicable today, as well as on managing potential legal exposure and liability risks. David also regularly develops organization-wide biometric privacy compliance programs in connection with all types of biometric technologies.

In addition, David also serves as the trusted privacy advisor to companies across a wide variety of industries, providing compliance, risk management, and product guidance on a broad assortment of privacy, security, and data protection issues that companies face in today’s highly-digital world. David has particular expertise and experience in both counseling/advising and developing compliance programs in connection with consumer privacy laws, including the CCPA, CPRA, CDPA, and CPA. In this capacity, David routinely assists clients in understanding how consumer privacy laws impact their organizational data handling and security practices and has helped numerous companies operationalize compliance with today’s growing web of consumer privacy regulation. David also regularly provides guidance on compliance with a wide range of other state and federal privacy laws, including the New York SHIELD Act, NYDFS Part 500 Cybersecurity Regulation, Florida Security of Communications Act (FSCA), GLBA, HIPAA, and FCRA, among others.

David has deep experience in security incident response matters—both in terms of assisting clients in incident response and crisis management following data breach events and in counseling clients on concerns regarding potential security incidents. David’s expertise extends to a wide range of security incidents, including cloud data breaches, malware credit card breaches, employee phishing breaches, social media account takeover events, ransomware, and inadvertent data disclosure events. David is also experienced in handling all aspects of the incident response process, including post-incident forensic and regulatory investigations, notifications to impacted individuals and privacy regulators, interacting with law enforcement and regulators, and implementing post-incident remediation plans.  David’s advisory work is informed by his significant experience in defending and litigating high-stakes, high-exposure biometric privacy class actions, particularly those brought under the Illinois Biometric Information Privacy Act (BIPA), as well as deep experience in defending other types of privacy and consumer protection class litigation.

Welcome, David!

Last week the Banning Surveillance Advertising Act was introduced in both the U.S. House (H.R.6416) and Senate (S.3520) by Congresswoman Anna G. Eshoo (D-CA), Congresswoman Jan Schakowsky (D-IL), and Senator Cory Booker (D-NJ).

The bill expressly prohibits advertising facilitators (e.g., publishers) from engaging in, or enabling an advertiser or third party from engaging in, targeted advertising using consumers’ personal information. However, the bill does permit advertising based on content the consumer is viewing, has searched, or is otherwise engaging with (e.g., contextual advertising). The bill also contains an exception for broad location targeting to a recognized place such as state or municipality.

Readers should note that the bill’s definition of personal information is broader than the California Consumer Privacy Act (CCPA) as it explicitly includes information that is linkable or reasonably linkable to individuals or devices. (The definition of “consumer” under CCPA, however, includes identification by “unique identifiers,” which includes device identifiers.) Further, it contains a private right of action in addition to enforcement by the FTC and State attorneys general offices.

This follows on the heels of recent state privacy laws that minimize the use of targeted and cross-contextual behavioral advertising through consumer opt-outs. Namely, the California Privacy Rights Act (CPRA), Virginia’s Consumer Data Protection Act (CDPA), and Colorado’s Consumer Protection Act (CPA) are going into effect in 2023 and we expect additional state laws to be passed this year containing similar opt-out requirements. The California Attorney General has also been applying the CCPA’s “Do Not Sell My Personal Information” opt-out rights to interest-based advertising in multiple enforcement actions.

From an industry perspective, readers may recall that the ad tech community already has existing mechanisms for consumers to opt-out of interested-based advertising that function independent of legal requirements. Specifically, the Digital Advertising Alliance (DAA) and Network Advertising Initiative (NAI) both have well known interest-based advertising opt-out practices that are honored by industry participants.

Considering state legislators and the ad tech industry have embraced an opt-out regime rather than an outright prohibition, it is unclear how far these bills will progress through the federal legislative process. Additionally, given the private right of action and few co-sponsors to date, it is unlikely to make it out of committee in its current form.

The CPW team will continue to monitor the Banning Surveillance Advertising Act as it moves through the House and Senate.

Text of the introduced bill is available here.