Utah Passes Privacy Law; Conn. Bill Gets Support
Utah could be the fourth state with a comprehensive privacy law. The Senate voted 25-0 Thursday to concur with House amendments to SB-227. In Connecticut, a privacy bill (SB-6) got thumbs up from Microsoft, Consumer Reports and the state attorney general’s office at a livestreamed hearing Thursday. Comcast and TechNet said the bill would be mostly interoperable with other state laws, but suggested some edits.
Utah Gov. Spencer Cox (R) “is still reviewing the bill,” a spokesperson emailed. Utah is the first Republican-controlled legislature to pass a privacy law, and Cox could become the first Republican governor to sign such a law. Virginia had a blue trifecta when it passed its privacy bill last year. California and Colorado also have privacy laws.
The Utah bill would take effect Dec. 31, 2023, and be enforced by the state attorney general. Sen. Kirk Cullimore (R) has said his bill is less burdensome for businesses than privacy laws in other states. At a hearing last month, it was generally supported by industry and opposed by Consumer Reports.
Consumer privacy groups will urge the governor “to return the bill to the legislature for further work,” tweeted Consumer Reports Senior Policy Analyst Maureen Mahoney. CR, Electronic Frontier Foundation, Electronic Privacy Information Center and others opposed SB-227 in a Wednesday letter to Utah Senate leaders. “In its current form it would do little to protect Utah consumers’ personal information, or to rein in major tech companies like Google and Facebook.”
The Utah bill gives clarity to businesses, said TechNet Executive Director-California and the Southwest Dylan Hoffman. "In the absence of a federal standard, allowing the same workability for Utah’s businesses that is provided in other states is crucial."
Connecticut AG William Tong (D) strongly supports SB-6 because it would give consumers “overdue rights,” said Deputy Associate AG Michele Lucan at the legislature’s joint General Law Committee hearing. The bill would be enforced solely by the AG. Lucan said it’s crucial to keep the proposed 18-month sunset on the bill’s 60-day right to cure. She praised the proposed law requiring companies to honor global opt-out signals from browsers, saying it would be nearly impossible for consumers to individually opt out from each company that has their data. She praised the bill’s definition of sale for including data exchanged for valuables other than money since “data has become its own form of currency.” Lucan raised concerns with the bill’s “many exemptions” and suggested strengthening protections for teenagers.
Microsoft supports the opt-out Connecticut proposal, including defining sale to include nonmonetary exchanges, said Senior Director-Public Policy Ryan Harkins. TechNet gives “high marks” to SB-6 for interoperability with existing laws in other states, but the association worries the broader definition of sale might lead to unintentional violations, said Executive Director-Northeast Chris Gilrein.
Companies could still give away data if sale is defined as monetary transactions only, responded Sen. James Maroney (D), SB-6 sponsor and committee chair: Whether money is exchanged is irrelevant to consumers.
Rep. Holly Cheeseman (R) raised concerns about the bill’s possible impact on small- and medium-sized businesses and requiring a global opt-out mechanism when the technology isn’t final. Cheeseman asked if it was possible to have different sunsets on the right to cure depending on business size. Also, she said she wouldn’t want people who like store loyalty programs to lose them when they do a global opt-out.
The 18-month sunset should give small businesses time to adjust, replied Lucan: The AG office is sensitive to business size when it explores possible violations. Lucan noted this year’s bill exempts data used only for payment processing, which had been a concern for smaller companies. The goal is to preserve loyalty programs, Lucan said.
TechNet is glad SB-6 has no private right of action but opposes ever sunsetting the right to cure, said Gilrein. But CR’s Mahoney said a sunset is important especially due to the AG’s modest resources. Right to cure isn’t a common feature of other kinds of consumer laws, she noted.
Mahoney praised the bill’s global opt-out requirement, saying a plugin is available now. But Comcast attorney Nancy Libin of Davis Wright said more time is needed to develop a universally recognized standard. SB-6 would allow consumers to use the global opt-out starting July 1, 2023, but not require businesses to honor them until Jan. 1, 2025. Libin urged lawmakers to push back the permissive first date to Jan. 1, 2025. Exempt audio and video recordings from biometric privacy provisions because they are important for accessibility, she added.
SB-6 could wrap in local restaurants since it would cover businesses that control or process personal data of at least 65,000 consumers yearly, warned officials from Connecticut and national associations. It's the lowest threshold of any state, said Brennan Duckett, National Restaurant Association director-technology and innovation policy. The proposed July 1, 2023, effective date gives less time to comply than other states did, he added. Sen. Maroney responded that California gave more time because such rules were then “brand new.”
Duckett said SB-6 would restrict loyalty programs more than Colorado and Virginia laws. Maroney said a hospitality association supports how SB-6 handles it, but the senator invited restaurant groups to propose better language.
The Virginia Senate voted 40-0 Wednesday for a House-passed amendment (HB-714) to its 2021 privacy law that would repeal the law’s consumer privacy fund and expand a nonprofits exemption. The House passed the Senate-passed version Tuesday (see 2203020069).