Tuesday, March 26, 2019

Utah Expands Privacy Protections For Data Held By Third Parties


Utah's Governor Gary Herbert is expected to sign a privacy bill in the next few days following unanimous approval in the state's legislature. This bill is particularly interesting (at least to privacy law geeks like you and me) for two reasons:
First, this bill diverges from the general trend. The bill's primary effect is to limit law enforcement's access to electronic data. (The general trend in the United States over the past two decades has been to grant law enforcement greater access to electronic data while gradually restricting data access and sharing in the private sector.) In the United States, law enforcement agencies are generally permitted to access data that is shared with a third party without a warrant, if the third party (not the individual data subject) consents. Many of the large custodians of consumer data routinely grant access to government agencies without demanding a warrant. The U.S. Constitution's 4th Amendment, which prohibits unreasonable searches and seizures, generally has not been applied to information in the custody of a third party.

Second, bills like this could eventually make trans-Atlantic data transfers easier.  One of the primary sources of tension in the context of cross-border personal data transfers is the difference between the U.S. government's relatively easy access to these data repositories without strict procedural protections versus the European Union's General Data Protection Legislation, which calls for strong protections around consumer data. If other states, or the federal government, follow Utah's lead, the U.S. could move closer to becoming a jurisdiction with "adequate" privacy protections, for purposes of the GDPR.
The bill, titled simply "The Electronic Information or Data Privacy Act,"
  • makes clear that the "owner" of data is the individual who transmits electronic information or data;
  • requires, with some exceptions, a search warrant to obtain certain electronic information or data in the custody of a third party (other than the owner);
  • requires, with some exceptions, notification that electronic information or data was obtained;
  • provides for transmission of electronic information or data to a remote computing service, including restrictions on government entities;
  • excludes from evidence certain electronic information or data obtained without a warrant; 
  • defines and re-defines certain terms; and
  • makes some technical and conforming changes.

You can read the bill's full text for yourself here.

Monday, March 11, 2019

Will the "Washington Privacy Act" be the aftershock to the CCPA's seismic shift?


California has been getting most of the attention lately for the California Consumer Privacy Act, but Washington may be following closely behind with its own bold new privacy statute. Senate Bill 5376 has been approved by the state's Senate and is currently before the House (in the Environment, Energy & Technology Committee as of the date of this post). The current version can be viewed here.

"Washingtonians cherish privacy as an element of their individual freedom..." the bill begins (somewhat awkwardly), and takes off from there.  Briefly, here are some highlights:
  • Jurisdiction resembles the CCPA. It applies to entities that conduct business in Washington or intentionally target residents if they (a) process personal data of 100,000 consumers; or (b) derive over fifty percent of gross revenue from the sale of personal data and process personal data of 25,000 consumers.
  • The controller/processor paradigm is clearly set out, reflecting the influence of HIPAA and international laws.  Controllers and processors share liability under a "comparative fault" framework.
  • Access, correction, and deletion rights are all specifically conferred (not unlike CCPA and GDPR).  These are each subject to "verification" of the request.  
  • Consumers have a right to information regarding a controller's sharing of their data (by category) with processors, and processors must cooperate with controllers to fulfill opt-out, correction, and deletion requests from consumers. 
  • Consumers are given the specific right to opt out of "targeted advertising" by controllers, and third-party processors must honor the request.
  • Consumer requests should be fulfilled within 30 days, but the timeline can be extended by 60 days if necessary. 
  • Risk assessments (similar to privacy impact assessments) are mandated for all new processing of personal information or material changes.  This is not limited to processing of sensitive data.  If the risks are substantial, consumer consent is required.  The AG may inspect risk assessments, but otherwise they are confidential.
  • There are healthcare carve-outs; it doesn't appear to be intended to overlap with HIPAA.
  • The use of facial recognition (a) for decision-making with "significant effects" or (b) by the government is specifically restricted.
  • There is no private right of action created by the statute.
  • The AG will enforce the statute, but there is a 30-day cure period.
  • An "office of privacy and data protection" is created, and (all of) the civil penalties extracted from violators by the AG will be used to fund it.
The statute would become effective July 1, 2021.  Stay tuned!