Utah Moving on Data Privacy Laws
Utah is making moves in the data privacy realm. Two separate bills have come to light this year: the Genetic Information Privacy Act (GIPA) was recently signed into law, and the Utah Consumer Privacy Act (UCPA) was introduced in Utah's State Senate in February.
The two bills cover very different ground, but either might have implications for your organization. Here's what you need to know:
Genetic Information Privacy Act
GIPA looks to protect genetic data collected by direct-to-consumer genetic testing companies (such as 23andMe and Ancestry.com). It has already been signed into law and is expected to become enforceable in May 2021. Violations will be enforced by Utah's attorney general, who may recover actual damages to the consumer, attorney fees, and a $2,500 penalty for each violation.
Applicability
This law mostly concerns direct-to-consumer genetic testing companies, which are defined as entities that collect, use or analyze genetic data provided by consumers.
Genetic data includes any data related to a consumer's genetic characteristics, including raw sequence data, genotypic and phenotypic information derived from it, and self-reported health data. Genetic data that is deidentified, meaning that it cannot be linked to a specific consumer, is excluded from the definition.
Notice Upon Collection
At the point of collection, companies must give the consumer essential information about how they collect, use, and disclose the consumer's genetic data.
Additionally, they must maintain a publicly available privacy notice detailing the company's data practices, including collection, consent, use, access, disclosure, transfer, security, retention and deletion. These notices must clearly describe how the company uses the genetic data it obtains from the consumer, specifying who has access to test results and how the company may share genetic data.
After reading these notices, the consumer must consent to the outlined data practices. Separate express consent is needed for the transfer of the consumer's data to a party other than the company's vendors and service providers, for the retention of the consumer's biological sample, and for any use of the data beyond what is necessary for the transaction, such as marketing or research.
Security Program and Consumer Rights
To protect against data breaches and other unauthorized access, use or disclosure, companies must create a comprehensive security program.
Additionally, they must provide a process for the consumer to:
Access their genetic data
Delete their account or genetic data
Destroy their biological sample
Consumer Privacy Act
Though GIPA creates strong protections for one category of data, UCPA goes several steps further. Utah's attempt at a CCPA-style comprehensive state privacy law is open for consideration by the Utah State Senate. If passed, it will take effect on January 1, 2022.
Applicability
For those familiar with other state privacy laws, the conditions for applicability will sound familiar. UCPA applies to any controller or processor that conducts business in Utah or targets its products or services to Utah residents, if it controls or processes the personal data of 100,000 or more consumers during a calendar year. It also applies to such businesses that control or process the personal data of more than 25,000 consumers, if they derive over 50% of their gross revenue from the sale of personal data.
These requirements do not apply to deidentified data or to pseudonymous data that is kept separately from the information needed to identify the consumer.
There are certain exceptions. Complying with the law does not restrict an organization's ability to comply with legal investigations or inquiries, cooperate with law enforcement, or deal with a legal claim. Likewise, data activity that is necessary to fulfill a transaction requested by the consumer is not covered. Further exceptions apply to protecting an individual's safety, preserving the integrity or security of systems, books, or records, and detecting or mitigating illegal activity, such as security incidents, identity theft or fraud.
Consumer Rights
UCPA establishes five main consumer rights: access, correction, deletion, portability and opt out. Unlike the California Consumer Privacy Act (CCPA), the bill features no private right of action, meaning consumers cannot themselves sue for actual or punitive damages over data breaches resulting from a violation of the law.
Under the law, consumers would have the right to confirm whether their data is being processed and to obtain the categories of data that have been collected from them. Taking into account the nature of the data and the purposes of the processing, consumers can correct inaccurate personal data and delete personal data they have provided to the controller.
The right to portability is similar to what we have seen in other laws. Any copy of a consumer’s personal data provided to them must be in a form that’s transmittable to other controllers.
Consumers have the right to opt out of certain types of data activity. Unsurprisingly, consumers can opt out of the sale of their personal data or processing of their data for targeted advertising. This right is extended to certain types of profiling when used to make decisions involving criminal justice, employment opportunities, health care services, access to basic necessities or the consumer’s enrollment in an educational institution.
To exercise any of these rights, the consumer submits a request to the controller specifying the rights they intend to exercise. Organizations must provide consumers at least one reliable means of doing so, such as an email address dedicated to fielding requests.
After receiving a request, organizations have 45 days to take action and inform the consumer of the status of the request. If necessary due to the complexity of a request or the volume of requests the organization has received, they may extend the period by an additional 45 days and inform the consumer of the reason for the extension.
If the organization decides not to take action, they must tell the consumer why and provide instructions for how to appeal. The appeal process must be conspicuously available to the consumer. Within 60 days of the appeal request, the organization must give the consumer an explanation regarding their decision. Like the rights request process, this period can be extended by another 60 days in certain circumstances.
While organizations may not require consumers to create a new account to submit a request, they can require them to use an existing account. Consumers are only entitled to one free request every 12 months; organizations may deny second or subsequent requests within that period or charge a reasonable administrative fee to cover the cost of compliance. Organizations are also not obliged to comply with requests they cannot authenticate.
Consumers may not be discriminated against for exercising their data privacy rights. This means they cannot be denied a good or service, charged a different price, or provided a different quality than other consumers on the basis of the request. However, this does not prohibit organizations from offering benefits to consumers who voluntarily participate in loyalty or rewards programs, which tend to involve the processing of personal data.
Controller Responsibilities
In addition to adhering to consumer requests, controllers must follow certain principles to ensure adequate protection.
Controllers must be transparent about their data practices. They are required to provide a clear and accessible privacy notice to consumers detailing the categories of data processed, the purposes for processing, the categories of data shared with third parties, which third parties the data is shared with, and how consumers can exercise their data rights.
Data minimization is also key to this law. Without the consumer's consent, a controller may only collect and process personal data that is relevant to the purposes it has explicitly stated. Sensitive personal data, such as race, religious beliefs, sexual orientation, health condition or immigration status, may not be processed without the consumer's consent.
The law requires organizations to maintain technical, administrative and physical data security practices that protect the confidentiality and integrity of personal data and guard against foreseeable risks of harm to consumer privacy. These security practices must be appropriate to the volume and nature of the personal data involved.
Data Protection Assessments
Annual data protection assessments must be conducted for the sale of personal data, processing of personal data for targeted advertising, and processing for profiling where the profiling poses a risk of deceiving or injuring consumers. Any other data activity that presents a heightened risk of harm to the consumer, including the processing of sensitive personal data, must be assessed as well.
The assessment must weigh the benefits of the processing to the consumer, the controller, other stakeholders and the public against the risks the activity poses to the consumer. Safeguards the controller employs to mitigate those risks, such as the use of deidentified data, must be considered as well. The assessment must also take into account the context of the activity, the relationship between the controller and the consumer, and the reasonable expectations of the consumer.
These assessments must be made available to the Division of Consumer Protection or the attorney general upon request, and must be retained for at least three years.
Enforcement
The Division of Consumer Protection has the power to investigate consumer complaints about violations and to refer matters to the attorney general. At least 30 days before bringing an enforcement action, the attorney general must give the alleged violator written notice identifying the relevant provisions and the basis of each allegation. The violator then has 30 days to cure the violation and notify the attorney general that the violation is cured and that no further violation will occur.
If an organization fails to cure a violation, or continues to violate the law after claiming to have cured it, the attorney general may recover the actual damages to the consumer plus an amount not exceeding $1,000 per consumer for each violation.