Privacy Report: Utah Will Soon Publish US’s Latest Comprehensive State Privacy Law
Utah Will Soon Publish US’s Latest Comprehensive State Privacy Law
*Update: This has now been signed by the Governor and will take effect December 31, 2023*
The Utah Consumer Privacy Act, also known as Senate Bill 227, recently cleared the Senate and the House. Though a few more steps remain before the bill becomes law, Utah could be the next state to publish a comprehensive state privacy law. The provisions include consumer rights, a 45-day period for responding to consumer requests, a 30-day cure period, and unique attorney general enforcement provisions. Senator Kirk Cullimore, an advocate of the bill, stated, “[t]he bill accomplishes a balancing act by focusing directly on Utah consumers and their guaranteed rights, not the red tape that confuses businesses and consumers alike.” Notably, the bill creates a bifurcated enforcement process: claims first go to the consumer protection office, and those it deems legitimate are referred to the attorney general. Once enacted, the law will take effect on December 31, 2023.
Companies Have to Hold On a Little Longer: CPRA Regulations Not Expected Until Q3 or Q4
The California Privacy Protection Agency (CPPA) recently stated at a board meeting that it will delay the final regulations under the California Privacy Rights Act (CPRA). Although the CPRA states regulations should be finalized by July 1, the CPPA estimated it will not publish final regulations until the third or fourth quarter of 2022 due to staff shortages.
US DOJ Wants to Be More Involved in Cybersecurity Bill
Senior officials at the Department of Justice have recently offered feedback on the Senate-passed cybersecurity bill. The bill, formally entitled the Strengthening American Cybersecurity Act, would require certain companies to alert the government of potential hacks and ransomware, and would require cyber incidents to be reported to the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA). DOJ officials are pushing for a larger FBI role in the bill. Specifically, they recommend amending it so that cyber incidents must be reported not only to CISA but also to the FBI.
Wiretap Case Against General Motors and Decibel Insight Dismissed
A Delaware federal judge sent a message to the privacy world when he dismissed a proposed privacy class action against General Motors and Decibel Insight. Plaintiffs argued that by tracking users’ mouse movements and keyboard clicks, along with the time, date, and the user’s IP address, the companies violated federal and state privacy laws. Because the companies recorded plaintiffs’ browsing only while they were on the website, obtained no personal information, and did not sell or monetize the information, the judge ruled that this ‘eavesdropping’ was not a concrete injury. Further, the court found that “Plaintiffs did not have a reasonable expectation of privacy over the anonymized data.”
California Federal Court Approves $8.1 Million Settlement by Data File Transfer Company
After a data breach in 2020, Accellion, a file share service provider, agreed to pay $8.1 million to settle a class-action lawsuit. The settlement fund will cover credit monitoring insurance, cash payments, and documented losses. According to the lawsuit, the company “failed to protect the sensitive information of millions of users after threat actors exploited a vulnerability” in the company’s file transfer appliance. The breach affected several of the company’s clients and the sensitive data of millions of users. As a best practice, data file transfer companies should incorporate appropriate data security measures and proactively identify and remediate vulnerabilities in their platforms.
New Jersey Could Require Comprehensive Information Security Programs in the Future
If enacted, New Jersey’s Senate Bill 1233 will require comprehensive information security programs for entities that own or license personal information about a resident of the State. Covered entities would have to develop, implement, and maintain a written comprehensive information security program containing the administrative, technical, and physical safeguards necessary to protect personal information. Among other requirements stated in the bill, the program must address: (1) designating one or more employees to maintain the program; (2) imposing disciplinary measures for violations of the program’s rules; and (3) requiring third-party service providers, by contract, to implement and maintain appropriate security measures for personal information.
Workers’ Compensation Act Is No Longer a Defense Against BIPA Claims in Illinois
In a recent case, the Illinois Supreme Court eliminated a notable defense used by employers facing BIPA claims: the exclusivity of workers’ compensation. Before the decision, employers could successfully argue that work-related privacy violations under BIPA were work-related injuries and were therefore preempted by the Illinois Workers’ Compensation Act (IWCA). Now, these violations are not preempted by the IWCA. Specifically, the Illinois Supreme Court explained that BIPA offers remedies for personal and societal injuries, while the IWCA covers only certain types of work-related injuries, namely physical or psychological ones. Thus, the IWCA is no longer a defense to biometric privacy class actions. Legislative reform could be on the horizon after this ruling.
Biden Calls for Enhancing Children’s Privacy Protections; Senators Voice Support
In his State of the Union address, President Biden called for a ban on targeted advertising to children and an end to the collection of children’s personal data by social media and online companies. The proposal was timely: two senators have been working on these efforts for some time. In May 2021, Senators Markey and Cassidy introduced the bipartisan Children and Teens’ Online Privacy Protection Act, which prohibits internet companies from collecting personal information from anyone 13-15 years of age without consent and limits the collection of personal information from young users. They recently published a letter pledging to work with the Biden administration to advance children’s and teens’ privacy protections. These efforts are expected to ramp up in the near future.
European Commission Publishes Draft Data Act
The European Commission published a new proposal to improve the digital environment by “promot[ing] fairness,” “stimulat[ing] a competitive data market,” “open[ing] opportunities for innovation,” and “mak[ing] data more accessible for all.” The Regulation on Harmonised Rules on Fair Access to and Use of Data, also known as the “Data Act” or the “Draft Data Act,” is consistent with other regulations such as the GDPR but aims to set uniform rules for “all sectors” regarding the use of data. According to the explanatory memorandum, some of the objectives of the Draft Data Act are to: (1) provide for the development of interoperability standards for data to be reused between sectors; (2) facilitate access to and use of data by consumers and businesses, while preserving incentives to invest in ways of generating value through data; and (3) provide for use by public sector bodies and EU institutions, agencies, or bodies of data held by enterprises in certain situations where there is an exceptional data need. The Data Act is intended to make a significant contribution to the digital transformation objective of the digital decade.
European Data Protection Board Updates Guidelines for Data Transfer Codes of Conduct
The European Data Protection Board has updated its guidelines on using codes of conduct for data transfers. The guidelines clarify the role of the different actors involved in setting up a code to be used as a tool for transfers, as well as the adoption process. They aim to specify the application of Article 40(3) of the GDPR, which allows codes of conduct to serve as appropriate safeguards for transfers of personal data to third countries in accordance with the GDPR. According to the guidelines, under Article 46 of the GDPR, controllers and processors should “put in place appropriate safeguards that may be used by organizations for framing transfers to third countries by introducing codes of conduct as a new transfer mechanism.” The guidelines also include a checklist of elements to be covered by a code of conduct intended for transfers.
Updates in India’s Proposed Data Protection Bill
India’s parliament has been working on the nation’s first comprehensive data protection law, and experts believe the final law will be published this year. Recently, a joint committee released a report recommending substantial changes to the original version of the legislation. The changes widened the scope of the law to cover both personal and non-personal data, rather than personal data only. Now “only a subset of entities would be required to designate data protection officers under the bill”; however, which entities will be designated has not yet been determined. Data Protection Officers are responsible for providing information and advice to their organizations on all matters relating to compliance with the act, monitoring the organization’s personal data processing activities to ensure compliance, and serving as the point person for assisting or otherwise cooperating with the Data Protection Authority on compliance matters.
Oman Approves Data Protection Law
Oman has enacted Royal Decree No 6/2022, a new personal data protection law. This law repeals Chapter Seven of the Electronic Transactions Law (Royal Decree No 69/2008) and is in line with a trend of new data protection laws in the Middle East. It applies to the processing of personal data, meaning data that makes a natural person identified or identifiable, directly or indirectly, by reference to one or more identifiers. Key provisions include: (1) Notification; (2) Consent; (3) Rights of Data Subjects; (4) Sensitive Personal Data; (5) Data Controller and Processor Obligations; (6) International Transfers; and (7) Notification of Breach. The law also sets out consequences for violations: data subjects have the right to file a complaint with the Ministry, and violators can be fined.