U.S. Privateness Regulation Replace: Utah Joins Rising Record of States with Complete Privateness Legal guidelines as Different States See Potential Modifications
6 min read
March 11, 2022
Click on for PDF
Utah is poised to hitch California, Virginia, and Colorado in enacting complete knowledge privateness laws. Though Utah’s regulation largely follows the Virginia and Colorado fashions—with just a few provisions which will ease the burden on companies—it provides to an more and more energetic state legislative panorama. In the meantime, California is proposing modifications to its landmark privateness regulation as different states plow forward with debating or updating their very own knowledge privateness legal guidelines. Corporations ought to account for these modifications as they develop applications to adjust to the legal guidelines.
Utah Shopper Privateness Act
In Utah, the legislature unanimously handed the Utah Shopper Privateness Act.[1] After the invoice reaches the governor’s desk, he may have 20 days to signal or veto it or it would grow to be regulation mechanically signature if the governor vetoes the invoice, the legislature has adequate votes to override the veto, provided that it was handed unanimously. As soon as enacted, the brand new regulation will grow to be efficient by its phrases on December 31, 2023,[2]—roughly one 12 months after the same legal guidelines in Colorado and Virginia go into pressure. Corresponding to the opposite legal guidelines, the brand new regulation applies to corporations that (1) conduct enterprise in Utah or goal customers within the state, (2) have $25 million or extra in annual income, and (3) both (a) course of or management private knowledge of 100,000 or extra Utah customers or (b) course of or management private knowledge of 25,000 or extra Utah customers and derive 50 % or extra of their gross income from promoting private knowledge.[3]
Whereas Utah’s regulation is just like Virginia’s and Colorado’s legal guidelines, it has just a few variations which will make the regulation simpler for companies to observe. For instance, like Virginia and Colorado, Utah doesn’t embrace a non-public proper of motion in its regulation, though the lawyer normal can search statutory damages, as described extra totally beneath. Nevertheless, not like the legal guidelines in Virginia and Colorado, Utah’s regulation doesn’t require companies to conduct and doc knowledge safety assessments about their data-processing practices.[4] Utah additionally doesn’t require companies to arrange a mechanism for customers to attraction a enterprise’s determination relating to the buyer’s request to train any of their private knowledge rights.[5] And eventually, Utah’s regulation makes it simpler to cost a price when responding to client requests. Particularly, companies could cost a price when responding to client requests to train their private knowledge rights in Virginia provided that these requests are “manifestly unfounded, extreme, or repetitive,”[6] or in Colorado provided that a second request is made in a 12-month interval.[7] However Utah permits companies to cost a price in each these conditions in addition to when the enterprise “moderately believes the first function in submitting the request was one thing aside from exercising a proper” or is harassing, disruptive, or poses an undue burden on the controller.[8]
Regarding enforcement, whereas Utah’s Division of Shopper Safety can examine potential violations, Utah’s regulation, like Colorado’s and Virginia’s, limits enforcement to the state lawyer normal.[9] The lawyer normal should give corporations at the very least 30 days to treatment earlier than initiating an motion.[10] If the lawyer normal does deliver such an motion, they could accumulate statutory damages of as much as $7,500 per violation or precise damages.[11]
Developments in Different States
As Utah strikes forward with its new privateness regulation, California legislators have floated proposals to increase the business-to-business and employment-related exemptions within the California Shopper Privateness Act (“CCPA”). Below these exemptions, the CCPA doesn’t typically apply to employment-related knowledge or knowledge concerned in transactions between companies for due diligence or to offer or service. The California Privateness Rights Act (“CPRA”) is presently set to sundown these exemptions on January 1, 2023. However the payments launched in California would lengthen these exemptions both by January 1, 2026, or pursuant to the choice invoice, indefinitely.[12]
California just isn’t the one state with updates to its complete knowledge privateness regulation within the works. Colorado’s lawyer normal introduced just lately {that a} formal discover of proposed rulemaking below the Colorado Privateness Act will probably be issued by this fall to organize laws that will probably be carried out by January 2023. Within the meantime, city halls and conferences are deliberate to assemble feedback on that rulemaking.
Different states are transferring quickly to hitch California, Colorado, Virginia, and Utah. Knowledge privateness legal guidelines have handed committee or chamber votes this 12 months in Indiana, Iowa, Florida, Massachusetts, Ohio, Washington, and Wisconsin, and quite a few different states are also contemplating laws. Though the exact contours of those legal guidelines—and what number of, if any extra this 12 months, will probably be enacted, and when—stay in flux, the enactment of state privateness legal guidelines already has ushered in notable regulatory modifications affecting how corporations accumulate and handle knowledge whereas imposing a number of latest obligations and potential legal responsibility, throughout the nation. Corporations could be well-served to focus their compliance applications accordingly.
We’ll proceed to watch developments on this space, and can be found to debate these points as utilized to your explicit enterprise.
___________________________
[1] Utah Shopper Privateness Act (“UCPA”), S.B. 227, 2022 Leg. Sess. (Utah 2022).
[2] UCPA, § 17.
[3] UCPA, § 3, 13-61-102(1).
[4] See Colorado Privateness Act (“CPA”), S.B. 21-190, § 6-1-1309, 73d Leg., 2021 Common Sess. (Colo. 2021); Virginia Shopper Knowledge Safety Act (“VCDPA”), S.B. 1392, § 59.1-576, 2021 Spec. Sess. (Va. 2021).
[5] See CPA, 6-1-1306(3)(a); VCDPA, § 59.1-573(C).
[6] VCDPA, § 59.1-573(B)(3).
[7] CPA, § 6-1-1306(2)(c).
[8] UCPA, § 7, 13-61-203(4)(b)(i)(B)-(C).
[9] UCPA, § 13, 13-61-305; § 13, 13-61-401; § 14, 13-61-402(1)-(2).
[10] UCPA, § 14, 13-61-402(3)(b)-(c).
[11] UCPA, § 14, 13-61-402(3)(d).
[12] See A.B. 2871, 2021–2022 Reg. Sess. (Calif. 2022); A.B. 2891, 2021–2022 Reg. Sess. (Calif. 2022).
This alert was ready by Ryan T. Bergsieker, Cassandra Gaedt-Sheckter, Eric M. Hornbeck and Alexander H. Southwell.
Gibson Dunn attorneys can be found to help in addressing any questions you’ll have about these developments. Please contact the Gibson Dunn lawyer with whom you normally work, the authors, or any member of the agency’s Privateness, Cybersecurity and Knowledge Innovation apply group:
United States
Alexander H. Southwell – Co-Chair, PCDI Observe, New York (+1 212-351-3981, [email protected])
S. Ashlie Beringer – Co-Chair, PCDI Observe, Palo Alto (+1 650-849-5327, [email protected])
Debra Wong Yang – Los Angeles (+1 213-229-7472, [email protected])
Matthew Benjamin – New York (+1 212-351-4079, [email protected])
Ryan T. Bergsieker – Denver (+1 303-298-5774, [email protected])
David P. Burns – Washington, D.C. (+1 202-887-3786, [email protected])
Cassandra L. Gaedt-Sheckter – Palo Alto (+1 650-849-5203, [email protected])
Nicola T. Hanna – Los Angeles (+1 213-229-7269, [email protected])
Howard S. Hogan – Washington, D.C. (+1 202-887-3640, [email protected])
Robert Ok. Hur – Washington, D.C. (+1 202-887-3674, [email protected])
Kristin A. Linsley – San Francisco (+1 415-393-8395, [email protected])
H. Mark Lyon – Palo Alto (+1 650-849-5307, [email protected])
Karl G. Nelson – Dallas (+1 214-698-3203, [email protected])
Ashley Rogers – Dallas (+1 214-698-3316, arog[email protected])
Deborah L. Stein – Los Angeles (+1 213-229-7164, [email protected])
Eric D. Vandevelde – Los Angeles (+1 213-229-7186, [email protected])
Benjamin B. Wagner – Palo Alto (+1 650-849-5395, [email protected])
Michael Li-Ming Wong – San Francisco/Palo Alto (+1 415-393-8333/+1 650-849-5393, [email protected])
Europe
Ahmed Baladi – Co-Chair, PCDI Observe, Paris (+33 (0) 1 56 43 13 00, [email protected])
James A. Cox – London (+44 (0) 20 7071 4250, [email protected])
Patrick Doris – London (+44 (0) 20 7071 4276, [email protected])
Kai Gesing – Munich (+49 89 189 33-180, [email protected])
Bernard Grinspan – Paris (+33 (0) 1 56 43 13 00, [email protected])
Penny Madden – London (+44 (0) 20 7071 4226, [email protected])
Michael Walther – Munich (+49 89 189 33-180, [email protected])
Alejandro Guerrero – Brussels (+32 2 554 7218, [email protected])
Vera Lukic – Paris (+33 (0) 1 56 43 13 00, [email protected])
Sarah Wazen – London (+44 (0) 20 7071 4203, [email protected])
Asia
Kelly Austin – Hong Kong (+852 2214 3788, [email protected])
Connell O’Neill – Hong Kong (+852 2214 3812, [email protected])
Jai S. Pathak – Singapore (+65 6507 3683, [email protected])
© 2022 Gibson, Dunn & Crutcher LLP
Lawyer Promoting: The enclosed supplies have been ready for normal informational functions solely and will not be meant as authorized recommendation.
