Both the Utah CPA and the Connecticut PDPA include a comprehensive list of persons and types of data that are not subject to the respective law. Notably, both laws provide an exemption for financial institutions governed by or data subject to the Gramm-Leach-Bliley Act (“GLBA”). Among many others listed in these statutes, notable exemptions under the laws include: (a) governmental entities; (b) nonprofit corporations or institutions of higher education; (c) protected health information under the Health Insurance Portability and Accountability Act; (d) certain types of data subject to regulation under the Fair Credit Reporting Act (“FCRA”); and (e) data processed or maintained in the context of employment for purposes such as maintaining emergency contact information or administering benefits.
Consumer Personal Data Rights
The consumer privacy laws in Utah and Connecticut also establish consumer privacy rights that are similar to the rights established by the consumer privacy laws previously enacted in California, Virginia, and Colorado.
The Utah CPA creates the following consumer privacy rights for Utah residents: (1) a right to confirm and access the data a controller is processing about the consumer; (2) a right to delete the data provided by the consumer; (3) a right for consumers to obtain a copy of their data in a portable format; and (4) a “right to opt out of the processing of the consumer’s personal data for purposes of: (a) targeted advertising; or (b) the sale of personal data.”
Similarly, the Connecticut PDPA creates the following consumer privacy rights for Connecticut consumers: (1) a right to confirm and access the data a controller is processing about the consumer; (2) a right to correct inaccuracies in the consumer’s personal data; (3) a right to delete data provided by the consumer, or any data the processor obtained about the consumer; (4) a right for consumers to obtain a copy of their data in a portable format; and (5) a right to opt out of the processing of the personal data for purposes of: “(i) targeted advertising; (ii) the sale of personal data, except as provided [under the PDPA]; or (iii) profiling in furtherance of solely automated decisions that produce legal or similarly significant effects concerning the consumer.”
The consumer rights established in Utah and Connecticut are closely aligned in many respects, such as the right to confirm, the right to obtain a copy of personal data, and the right to opt out for certain specified purposes. However, note that the Utah CPA provides a narrower set of rights by not including the right to correct inaccuracies. In addition, the right to delete in Utah covers only data that the consumer has provided to the controller, rather than any data “provided by” or “obtained about” the consumer as under the Connecticut law. Therefore, there are some notable distinctions with respect to consumer rights between these two laws.
Exercising Consumer Rights and Responding to Requests
A consumer may exercise a right by submitting a request to a controller through the means specified by the controller, and the request must specify the right the consumer intends to exercise.
The processes for responding to a consumer request are very similar under the laws of Utah and Connecticut. As a general rule, the controller must take action on a request and inform the consumer of the action taken within forty-five days after receiving a request to exercise a right. The controller may extend the initial forty-five-day period by an additional forty-five days if reasonably necessary due to the complexity or volume of requests. If the controller has grounds to extend the initial forty-five-day period, the controller must inform the consumer of the length of the extension and the reasons for the extension before the initial forty-five-day period expires. The forty-five-day period does not apply if the controller reasonably suspects the request to be fraudulent and the controller is not able to authenticate the request. If a controller declines to take action in response to a request, the controller must, within forty-five days of receiving the request, inform the consumer of the reasons for not taking action.
However, one significant difference between the Utah CPA and the Connecticut PDPA is that the Connecticut PDPA requires the controller to establish an appeal process if the controller declines to take the action requested by the consumer, while the Utah law does not provide for an appeal process. If the controller declines to take action under the Connecticut PDPA, in addition to informing the consumer of the reasons for not taking action, the controller must inform the consumer in writing of how to appeal the decision. Within sixty days after receipt of an appeal, the controller must inform the consumer in writing of any action taken or not taken in response to the appeal, and must include an explanation of the reasons for its decision. If an appeal is denied, the controller also must provide the consumer with an online mechanism or other available method to contact the Connecticut Attorney General to submit a complaint.
In addition, under both the Utah and Connecticut laws, a controller may not charge a fee for information in response to a request, unless the request is the consumer’s second or subsequent request during the same twelve-month period. However, a controller may charge a reasonable fee to cover the administrative costs of complying with, or refusing to act on, a request under limited specified circumstances. The controller bears the burden of demonstrating that charging the fee complies with the law.
Duties of Controllers
Both the Utah and Connecticut laws provide similar duties for controllers. Among other listed duties, controller duties under both laws include: (1) providing consumers with a privacy notice that includes certain required content specified by statute; (2) disclosing required information when a controller engages in targeted advertising; (3) establishing security practices designed to protect personal data and reduce the risk of harm to consumers; (4) obtaining consent when processing “sensitive data” from a consumer; and (5) prohibiting discrimination against consumers for exercising their rights, provided that a controller may offer a different price, rate, level, quality, or selection if certain conditions are satisfied. The Connecticut PDPA includes additional duties for controllers, including the duty to limit data collection to what is “adequate, relevant and reasonably necessary” for the purposes as disclosed to the consumer and the duty to provide an “effective mechanism” for consumers to revoke consent.
Under the Utah CPA and the Connecticut PDPA, the attorney general in the respective states has exclusive authority to enforce these laws and neither law contains a private right of action. The Utah CPA provides that the attorney general must provide the controller or processor a written notice identifying each provision of the CPA allegedly violated and an explanation of the basis for each allegation at least thirty days before the attorney general initiates an enforcement action against a controller or processor, and must allow an opportunity to cure the violation in that timeframe. In contrast, the Connecticut PDPA provides for a sixty-day cure period and the attorney general may not initiate an action if the controller or processor cures the violation within sixty days. The Utah CPA also provides that the attorney general may recover actual damages to the consumer in an amount not to exceed $7,500 for each violation.
Update on Currently Enacted Laws
On July 8, 2022, the California Privacy Protection Agency proposed new rules to implement the CPRA and update the regulations issued under the CCPA, enacted in 2020 and 2018, respectively. As explained in the rulemaking announcement, the proposed regulations:
(1) update existing CCPA regulations to harmonize them with CPRA amendments to the CCPA; (2) operationalize new rights and concepts introduced by the CPRA to provide clarity and specificity to implement the law; and (3) reorganize and consolidate requirements set forth in the law to make the regulations easier to follow and understand.
The California Attorney General (“AG”) also announced that it continues to send notices to businesses regarding non-compliance with the CCPA and reminds businesses to comply with consumer opt-out requests, including those submitted through Global Privacy Control. The AG also highlighted an enforcement sweep targeting businesses operating loyalty programs that offer financial incentives in exchange for personal information and online advertising with deficient privacy disclosures, and called out a “Do Not Sell My Personal Information” link that was not fully operational.
As discussed in the previous Annual Survey, Virginia and Colorado were the first states to follow California in enacting comprehensive consumer data privacy laws, with the Virginia Consumer Data Protection Act (“Virginia CDPA”) and the Colorado Privacy Act. The Virginia CDPA becomes effective on January 1, 2023, and the Colorado Privacy Act becomes effective on July 1, 2023. Note that in Colorado, the attorney general plans to implement regulations for the Colorado Privacy Act before the law becomes effective. The Virginia attorney general has not given a timeline for the implementation of regulations under the Virginia CDPA. Therefore, entities subject to these laws should begin to implement compliance programs in anticipation of these laws becoming effective.
Potential Federal Privacy Law
On June 21, 2022, the American Data Privacy and Protection Act (“ADPPA”), a comprehensive federal privacy law, was introduced in the House. The Act covers entities or persons that are subject to the jurisdiction of the Federal Trade Commission (“FTC”), are common carriers subject to the Communications Act of 1934, are non-profit organizations, or are other entities that control or are controlled by, or are under common control with, another covered entity. While financial institutions are generally not subject to FTC jurisdiction, they may be subject to the ADPPA if they control or are controlled by a covered entity.
The ADPPA defines covered data to mean “information that identifies or is linked or reasonably linkable, alone or in combination with other information, to an individual or a device that identifies or is linked or reasonably linkable to an individual.” The ADPPA excludes data that is de-identified, employee data, or publicly available information. The ADPPA includes a category of “sensitive covered data,” which includes “government-issued identifiers, such as a social security number, passport number, and driver’s license numbers,” health information, financial account information, “biometric” and “genetic” information, “precise geolocation information,” private electronic communications (e.g., voicemails, e-mails, texts), “account log-in credentials,” “information identifying sexual orientation or behavior,” and other enumerated categories of private information.
The ADPPA requires data minimization—a “covered entity shall not collect, process, or transfer covered data unless the collection, processing, or transfer is limited to what is reasonably necessary and proportionate to” (1) providing or maintaining a product or service; (2) delivering a communication in the context of the individual’s interaction with the covered entity; or (3) carrying out the business relationship, or complying with legal requirements.
The ADPPA requires covered entities to develop privacy policies regarding the collection, processing, and transfer of covered data to comply with federal law, mitigate risks to individuals under age seventeen, mitigate privacy risks, and implement training and safeguards. The policies and practices must be “transparent.” Covered entities must make publicly available, in a clear, conspicuous, not misleading, and readily accessible manner, their privacy policies that provide a detailed and accurate representation of the entity’s data collection, processing, and transfer activities, in the language in which the entity provides its product or service, or carries out its activities.
Covered entities must provide individuals with the right to access covered data, correct verifiable material inaccuracies, delete covered data, and transfer that data at the individual’s request. Individuals also have the right to opt out of the transfer of their covered data.
The FTC is tasked with creating a new Bureau of Privacy to enforce the ADPPA and to create a Victims Relief Fund. State attorneys general may also enforce the ADPPA. Individuals may enforce the ADPPA via a private right of action four years after the ADPPA takes effect, and individuals may seek actual damages, injunctive relief, and attorneys’ fees and costs.
The ADPPA provides that a covered entity that is required to comply with Title V of the Gramm-Leach-Bliley Act, the Fair Credit Reporting Act, and other acts, and is in compliance with those acts, shall be deemed to be in compliance with the related requirements of the ADPPA. The ADPPA generally preempts state laws, except for consumer protection laws of general applicability, laws that address data breach notification requirements, laws that address banking or other financial records, and other non-finance-related laws.