The last decade has seen a slew of industry defining changes to the legal privacy landscape. Recent months have brought a seeming respite from new large-scale privacy legislation, but the progress of privacy regulation continues. Two new domestic privacy laws, one state and one federal, have been enacted, and recent political rumblings may signal a new locus of privacy legislation.

Utah has joined California, Virginia, and Colorado as the first states to pass comprehensive consumer privacy legislation. And, the federal government has taken another incremental step in crafting uniform nationwide privacy legislation – albeit one limited to breach notification in critical infrastructure.  While there’s been little movement in universal privacy legislation at the federal level, there is a conspicuous increase in political dialogue regarding the online privacy of children and dangers of social media. There may be no single story that defines privacy in 2022, but much has happened and will happen to keep privacy professionals busy.

‍

Utah Consumer Privacy Act

On March 24, 2022, Utah became the fourth state to enact consumer privacy legislation. The Utah Consumer Privacy Act (UCPA) broadly defines personal data as any data "linked or reasonably linkable" to an individual. However, the UCPA is limited only to consumer data and excludes data collected in business-to-business and employment contexts.

The UCPA applies to for-profits entities that (1) conduct business in Utah or target products and services to Utah consumers, (2) have annual revenues of $25 million or more, and (3) meet either of the following requirements:

(a) Annually control or process the personal data of 100,000 or more Utah residents; or

(b) Derive over 50 percent of gross revenue from the sale of personal data and control or process personal data of 25,000 or more Utah residents.

The UCPA allows Utah residents to request the following:

• Access personal data
• Delete personal data
• Obtain a copy of their personal data
• Opt out of the sale of personal data
• Opt out of the processing of personal data for targeting advertising

The UCPA also recognizes a second category of sensitive data. This includes information about racial or ethnic origin, religious beliefs, sexual orientation, citizenship or immigration status, health and medical treatment or conditions, biometric or genetic data used to identify individuals, and geolocation data. The UCPA requires that Utah residents receive notice when their sensitive data is processed and have an opportunity to opt out of that processing.

The UCPA doesn’t create a private right of action. Instead, it allows the Utah Attorney General to enforce the statute with penalties up to $7,500 per violation. Companies will have significant lead time to prepare for the UCPA. It won’t go into effect until Dec. 31, 2023.

‍

Cyber Incident Reporting for Critical Infrastructure Act of 2022

On March 15, 2022, President Biden signed into law the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA). There appears to be no comprehensive federal data privacy framework on the horizon. With CIRCIA, Congress continues a more incremental approach. The act provides uniformity of data breach notification rules for certain limited industries.

CIRCIA remains a work in progress. Its most important provisions must still be defined by administrative rulemaking. The law provides the Cybersecurity and Infrastructure Security Agency (CISA) 42 months to complete the rule-making process and issue its final rules.

CIRCIA is limited in scope. It applies only to covered entities, which are defined as entities in a critical infrastructure sector. This includes the following industries: Chemical, commercial facilities, communications, critical manufacturing, dams, defense industrial base, emergency services, energy, financial services, food and agriculture, government facilities, healthcare and public health, information technology, nuclear reactors, materials and waste, transportation systems, and water and wastewater systems.

The reporting requirements are triggered by a covered cyber incident. The CISA director will determine criteria for both covered entities and covered cyber incident during a lengthy public comment and rule-making process. It will generally entail one of the following: (1) a covered entity must report a covered cyber incident to the CISA within 72 hours after the entity reasonably believes an incident occurred; and (2) A covered entity must report any ransom payment as the result of a ransomware attack within 24 hours.

The requirements of reports to CISA are subject to final rulemaking, but at a minimum, they will include: a description of the event, description of the vulnerabilities exploited, believed perpetrator, description of the information breached, and description of the entity.

‍

CIRCIA also includes many provisions related to information sharing. Once fully implemented, these new requirements should help many industries better protect their online assets.

‍

Renewed Focus on the Online Privacy of Children

Uniform privacy legislation at the federal level feels as far away as ever, but one area that is gathering political will is additional protections for the online privacy of children – particularly related to social media.

In his March 2022 State of Union Address, President Biden said, "It’s time to strengthen privacy protections, ban targeted advertising to children, and demand tech companies stop collecting personal data on our children."

On the heels of President Biden's speech, the attorneys general of eight states–led by Massachusetts Attorney General Maura Healy–announced a nationwide investigation into "whether TikTok is designing, operating, and promoting its social media platform to children, teens, and young adults in a manner that causes or exacerbates physical and mental health harms.”

Healy added: “As children and teens already grapple with issues of anxiety, social pressure, and depression, we cannot allow social media to further harm their physical health and mental wellbeing.” Three days later, on March 25, 2022, an Illinois Federal Court approved a $1.1 million settlement with TikTok regarding allegations that it had violated provisions of the Children’s Online Privacy Protection Act–namely by failing to obtain verifiable parental consent and selling minors’ user data.

It may be that the next arena of domestic privacy legislation will be that of minors. An impetus is growing to legislate additional privacy controls related to children. Already a bipartisan group of U.S. Senators has proposed privacy legislation aimed at children that, among other things, would:

• Raise the ages of protected children from 13 to 15
• Ban targeted advertising to children
• Allow deletion of children's data.

‍