Privacy and Information Security

On Tuesday, Connecticut became the fifth state to pass comprehensive privacy legislation when Governor Ned Lamont signed “An Act Concerning Personal Data Privacy and Online Monitoring” into law.  Connecticut joins California, Virginia, Colorado, and Utah in enacting new privacy laws that take effect in 2023. Out of fifty states in the U.S., ten percent have now passed a comprehensive privacy law.

Effective July 1, 2023, the Connecticut law adopts a general framework of definitions, consumer rights, and compliance obligations based on concepts of data controller and data processor from the EU’s General Data Protection Regulation (GDPR), and the right to opt out of the “sale” of personal data as first articulated in the California Consumer Privacy Act (CCPA).  Overall, the Connecticut law mirrors Colorado’s privacy law but then borrows select concepts from the California, Virginia, and Utah laws.  The result is a hybrid of the pre-existing state laws, but not a law that introduces significant contradictions or unique compliance challenges.
Continue Reading Ten Percent and Rising: Connecticut Becomes Fifth U.S. State to Enact Privacy Law

There’s a “request for investigation” pending at the FTC that some of our readers might have missed.  The April 12 complaint, filed by Georgetown Law professor Laura Moy on behalf of the Council on American-Islamic Relations, urges the FTC to conduct a wide-ranging investigation of the location data industry.

The complaint focuses in particular on alleged abuses harming the Muslim community, including the government’s purchase of location data from popular Muslim prayer apps to conduct “warrantless surveillance” on Muslim individuals.  According to the complaint, these practices have led to a “sense of constant surveillance” that has chilled Muslims’ practice of religion, freedom of assembly, and use of technology to communicate. The allegations have broader implications, too, as they describe the “unfettered” and “surreptitious” data collection across many contexts by multiple industry actors, including the operating systems, app and SDK developers, data brokers, and participants in digital advertising’s real time bidding (RTB) process.

As I write this blogpost, the complaint does not appear to have been posted on the FTC’s website.  Although the FTC seeks public comment on petitions for rulemaking, this complaint may not fall within that process since it chiefly seeks investigations, citing rulemaking as a “longer term” goal.  (Of course, stakeholders may want to consider providing input to the FTC anyway to assist in its consideration of the issues.)       
Continue Reading Complaint Urges FTC to Investigate the Location Data Industry

Age Appropriate Design Codes – Well Meaning, but Do They Make for Good Law?

As we’ve discussed here, there’s bipartisan momentum in Congress to enact stronger privacy protections for kids and teens – and specifically, tools that would enable minors and their parents to limit algorithms and online content that fuel self-harm and addictive behaviors. These efforts, reflected in several federal bills (see here and here

How the Utah Consumer Privacy Act Stacks Up Against Other State Privacy Laws

As companies wait to see whether the Utah Consumer Privacy Act (UCPA) becomes the fourth comprehensive state privacy law, we are providing an overview of some of the Act’s key provisions – and how they depart from comprehensive privacy laws in California, Colorado, and Virginia.

Utah’s Senate unanimously passed the UCPA on February 25.  The House – also through a unanimous vote – followed on March 2.  The Legislature sent the UCPA to Governor Spencer Cox on March 15.  Because the Legislature adjourned on March 4, Governor Cox has 20 days from the date of adjournment – March 24 – to sign or veto the Act.  If Governor Cox takes no action, the UCPA will become law, with an effective date of December 31, 2023.

In broad strokes, the UCPA is similar to the Virginia Consumer Data Protection Act (VCDPA) and Colorado Privacy Act (CPA).  And, like the laws in Colorado and Virginia, the UCPA borrows some concepts from the CCPA – including a version of the right to opt out of the “sale” of personal data.

However, the UCPA pares back important features of all three of these laws.  Some of the significant changes include:

  • Applicability.  The UCPA’s applicability is narrower than the three other comprehensive state privacy laws.  The UCPA applies only to controllers or processors that (1) do business in the state (or target Utah residents with products or services); (2) earn at least $25 million in revenue; and (3) either: (a) control or process personal data of 100,000 or more consumers in a calendar year; or (b) derive more than 50 percent of gross revenue from selling personal data and control or process data of 25,000 or more consumers.  By contrast, the $25 million revenue threshold is an independent basis for the CCPA to apply to a business; and neither the CPA nor VCDPA includes a revenue-based exemption.
  • Exemptions.  In addition to exempting personal data that is subject to sector-specific privacy laws and regulations, such as HIPAA, the Gramm-Leach-Bliley Act, and the Fair Credit Reporting Act, the UCPA provides that the Act does not apply to certain entities, including a tribes, institutions of higher education, and nonprofit corporations.
  • Sale and Targeted Advertising Opt-Out Rights.  Although the UCPA requires controllers to provide consumers with the ability to opt out of sale and targeted advertising, the Act does not provide a right to opt out of profiling (or otherwise address profiling).  Like the VCDPA, the UCPA restricts the definition of “sale” to “the exchange of personal data for monetary consideration by a controller to a third party.”  This definition does not include “other valuable consideration,” found in the definitions of “sale” under the CCPA and CPA.
  • Opt-Out Consent to Process Most Sensitive Data.  The UCPA does not require opt-in consent to process most sensitive data, unless the data “concern[s] a known child,”  unlike the opt-in requirements of the CPA and VCDPA.  Instead, the UCPA requires controllers to “present[] the consumer with clear notice and an opportunity to opt out” of sensitive data processing.
  • Other Consumer Rights.  The UCPA provides consumers the right to confirm processing and to delete personal data they provided to a controller.  Consumers also have the right to obtain a portable copy of personal data that the consumer “previously provided to the controller.”  This “provided to” language follows the VCDPA’s access and portability right and contrasts with obligations to provide personal data “concerning” (CPA) or “about” (CCPA) a consumer.  The UCPA does not provide a right of correction or accuracy.
  • Enforcement and Regulation.  The UCPA does not include a private cause of action, nor does it authorize the Attorney General or other state official or agency to issue regulations.  The Division of Consumer Protection, in the Utah Department of Commerce, investigates potential violations and can refer an action to the Utah Attorney General for enforcement.  The Attorney General can recover actual damages for consumers and a penalty of up to $7,500 per violation, but only after a 30 day notice and right to cure period.


Continue Reading How the Utah Consumer Privacy Act Stacks Up Against Other State Privacy Laws

Lina Khan’s Privacy Priorities – Time for a RecapRumors suggest that Senator Schumer is maneuvering to confirm Alvaro Bedoya as FTC Commissioner sooner rather than later, which would give FTC Chair Khan the majority she needs to move forward on multiple fronts. One of those fronts is consumer privacy, for which  Khan has announced ambitious plans (discussed here and here) that have stalled for lack of Commissioner votes. With Bedoya potentially on deck, now seems like a good time to recap those plans, as they might provide clues about what’s in the pipeline awaiting Bedoya’s vote. We focus here on three priorities Khan has emphasized in statements and interviews since becoming Chair.
Continue Reading Lina Khan’s Privacy Priorities – Time for a Recap

In the first formal written opinion interpreting CCPA compliance obligations, California Attorney General Rob Bonta concludes that the CCPA grants consumers the right to know and access internally generated inferences that businesses generate about them, but that the CCPA does not require businesses to disclose trade secrets.

The 15-page opinion, issued on March 10, responds to a question posed by Sacramento area Assemblyman Kevin Kiley (R): “Under the California Consumer Privacy Act, does a consumer’s right to know the specific pieces of personal information that a business has collected about that consumer apply to internally generated inferences the business holds about the consumer from either internal or external information sources?”

OAG’s response, in a nutshell, is “yes.”  Giving consumers access to inferences is important, according to OAG, because “inferences are one of the key mechanisms by which information becomes valuable to businesses, making it possible to target advertising and solicitations, and to find markets for goods and services.”  OAG further notes that nothing in the Consumer Privacy Rights Act (CPRA) changes its analysis.  The opinion also suggests that the OAG will refer to the CCPA’s broad purposes, such as giving “consumers greater control over the privacy of their personal information,” to support its interpretations.
Continue Reading California AG’s First CCPA Opinion Takes a Broad View of the Right to Access Inferences

New Federal Bill to Protect Kids’ Privacy: Will This One Break Through?Last October, we blogged that bipartisan momentum was building in Congress to enact stronger privacy protections for children, even if (and especially if) Congress remains stalled on broader federal privacy legislation. Of particular significance, we noted a strong push to protect, not just kids under 13 (the cutoff under COPPA), but also teens.

Since

Day in the Life of a Chief Privacy OfficerOn this special episode, Privacy and Information Security practice chair Alysa Hutnik chats with Shana Gillers, TransUnion’s Chief Privacy Officer. Alysa and Shana discuss the journey to becoming a chief privacy officer, hot topics, and what it takes to stay on top of your game in privacy today.

Watch a video version here or the

FTC Continues to Focus on Incentivized ReviewsPlease join us for a webinar on February 24, 2022 at 4 p.m. on recent and upcoming FTC developments. The webinar will feature Kelley Drye’s Jessica Rich and Aaron Burstein, both former FTC officials, and will be moderated by the newest addition to our privacy team, Jayson Lewis. Here’s a taste of what we’ll be

A New Federal Privacy Law Could Come from an Unexpected PlaceAs we continue to watch the slow motion, often circular efforts in Congress to develop and enact comprehensive privacy legislation, federal action on privacy could end up coming from some surprising places.

By this, we mean it might not come from Senators Cantwell or Wicker, who have championed the leading, competing privacy bills in