A consumer privacy law on the cusp of enactment in Utah may pave the way for other Republican-controlled states looking to pass similar legislation.
The Utah Consumer Privacy Act is the first comprehensive consumer privacy bill in the U.S. to pass both chambers of a Republican-controlled state. It would give residents the right to know what personal data is being collected and ask it be deleted.
The bill is similar to legislation enacted in then Democratic-controlled Virginia last year, with wide carve-outs for financial and health data and no requirement that companies conduct data protection assessments related to the processing of sensitive information. The Virginia law and one passed in Colorado require assessments for such types of processing.
“I can see this approach as easier to get over the hump,” said Reece Hirsch, a partner at Morgan, Lewis & Bockius LLP in San Francisco. “It wouldn’t surprise me if it became a template for some other Republican-led states.”
The Utah measure provides protections for consumers that ensure their data is being used in ways they expect, said Tom Foulkes, senior director of state advocacy at BSA | The Software Alliance, in a statement.
“This bill takes an important step in acknowledging that companies must protect the privacy of consumers’ personal data and instill trust in technology,” Foulkes said.
Cox (R) hasn’t indicated whether he will sign the measure. His office didn’t immediately respond to a request for comment.
The U.S. lacks a comprehensive federal privacy law, but Democratic-controlled state legislatures in California, Virginia and Colorado have passed broad measures in recent years.
Utah’s Senate passed a bill Feb. 25, and the House of Representatives approved its measure March 2.
The quick legislative action signals the measure may be a playbook for Republican-leaning jurisdictions looking to pass bills with wide exemptions that don’t give consumers the ability to sue for alleged violations, said Dave Stauss, a partner at Husch Blackwell LLP in Denver. In any event, Utah’s move might put more pressure on Congress to pass a national law, Stauss said.
“It signifies that this is a bipartisan issue even if the substance isn’t particularly strong in the bill, and it adds to growing number of states that have passed bills that will further the impetus for federal action,” Stauss said.
The bill’s lack of a private right of action is a major loss for Utahns because attorneys general often don’t have the time and resources to meaningfully investigate and penalize offenders, said Maureen Mahoney, policy analyst at Consumer Reports.
The Utah Consumer Privacy Act has a 30-day cure period—meaning companies would have the ability to fix alleged violations before the attorney general could commence an enforcement action. The inability for consumers to sue and a right to cure that doesn’t go away mean companies’ bad behavior is likely to go unpunished, Mahoney said.
“The attorney general doesn’t have the resources to go after every company that’s violating the law,” Mahoney said. “There won’t be enough of a threat of meaningful consequences to incentivize companies to comply.”
Despite the bill’s similarity to the Virginia law and its number of exemptions, it still complicates the national compliance picture, said Kyle Fath, partner at Squire Patton Boggs in Los Angeles.
Businesses may apply more stringent standards from jurisdictions like California to consumers in other states, such as Utah, because it can be complicated and costly to comply in a piecemeal manner, he said.
Still, while some larger, more national companies may be able to adapt existing compliance programs to accommodate Utah’s potential new law, that’s not the case for all businesses, Fath added.
“For smaller, more regional companies in Utah, this type of law could be new for them,” he said.
The lack of a federal statute means many states are taking privacy regulations into their own hands, said Kristin Bryan, a partner at Squire Patton Boggs in Cleveland.
The inclusion of a private right of action for bills is a “worst case scenario” for businesses that would be regulated under such laws, she said.
Utah’s more tempered legislation may help state legislators enact bills that in the past have been shot down for being too onerous on the business community, Bryan said.
“It does appear they’re trying to strike the right balance between providing privacy protections while also limiting the exposure to businesses, as seen by lack of private right of action,” Bryan said.