Keypoint: Utah is on the cusp of becoming the fourth state to pass consumer privacy legislation while Florida’s bill is now through one chamber.
Utah is on the cusp of becoming the fourth state to pass consumer privacy legislation. For reference, last week, the Utah Senate unanimously passed SB 227 – the Utah Consumer Privacy Act. The House slightly amended the bill before unanimously passing it on March 2. The bill now moves back to the Senate for concurrence. The Utah legislature closes on Friday, March 4, so final passage will happen quickly.
According to the Utah legislature’s website, after concurrence, the bill will be signed by the President and Speaker, enrolled, and delivered to the Governor. The Governor has 20 days from adjournment to sign the bill, not sign the bill (in which case it becomes law), or veto the bill.
The bill is based on the Virginia Consumer Data Protection Act (VCDPA) but is much more business friendly. Here are some key takeaways:
- The bill applies to controllers or processors who conduct business in the state or produce a product or service that is targeted to consumers who are residents of the state, have annual revenue of $25,000,000 or more, and either (1) control or process the personal data of 100,000 or more consumers annually or (2) derive over 50% of their gross revenue from the sale of personal data and control or process the personal data of 25,000 or more consumers.
- The bill includes broad exemptions for employee data, nonprofits, higher education institutions, covered entities and business associates, personal health information, and GLBA-regulated entities and data, among others.
- The definition of sale does not include “other valuable consideration.” The definition of sale also contains the following exemption, “considering the context in which the consumer provided the personal data to the controller, a controller’s disclosure of personal data to a third party if the purpose is consistent with a consumer’s reasonable expectations.” This exemption is not found in the California, Colorado or Virginia laws.
- The bill allows for similar privacy rights as the VCDPA but limits the right to delete to personal data the consumer provided to the controller (not including all personal data the controller has obtained about the consumer). The bill does not allow for the right to opt out of profiling.
- The bill defines sensitive data but, unlike the Colorado Privacy Act (CPA) and VCDPA, does not require consumer consent for processing such data. Rather, it states that a “controller may not process sensitive data collected from a consumer without first presenting the consumer with clear notice and an opportunity to opt out of the processing.”
- The bill only requires consent in the context of parental consent for the processing of children’s data. The definition of consent does not include dark patterns.
- Controllers are required to enter into data processing agreements with processors, but the bill does not contain all of the requirements found in the CPA and VCDPA. For example, there is no requirement that processors allow for, or contribute to, reasonable audits and inspections by the controller or controller’s designated auditor.
- Controllers are required to provide consumers with privacy notices.
- The bill does not require data processing assessments as do the CPA and VCDPA.
- The bill does not require controllers to recognize opt-out signals as does the CPA.
- There is no private right of action. The Attorney General’s office would enforce the bill. The bill includes a 30-day right to cure that does not sunset.
- The effective date is December 31, 2023.
In Florida, the House passed Representative McFarland’s HB9 by a vote of 103 to 8. The bill is now with the Senate and has been assigned to the Judiciary Committee. Last year, the House and Senate both passed bills but could not reconcile their differences before the legislature adjourned. The Florida legislature adjourns on March 11.