Utah AG Seeks to Tighten Comprehensive Privacy Law Amid Trickle of Complaints
Utah should consider amending its comprehensive privacy law, given the underwhelming number of consumer privacy complaints filed in the statute’s first 18 months, said Attorney General Derek Brown (R) and the Utah Division of Consumer Protection in a report obtained Wednesday by Privacy Daily. “Complaints have not been as forthcoming as anticipated,” it said, but “violations are likely occurring.”
Sign up for a free preview to unlock the rest of this article
Privacy Daily provides accurate coverage of newsworthy developments in data protection legislation, regulation, litigation, and enforcement for privacy professionals responsible for ensuring effective organizational data privacy compliance.
Despite few consumers calling in, one complaint became a lawsuit against Snapchat, which Brown announced Monday, the report noted. In May, the AG's office gave Snap 30 days under a right to cure in the Utah law that never expires and “recently commenced litigation against Snap, Inc. for violations of the Act,” it said.
The Utah Consumer Privacy Act (UCPA) required a report to the legislature about its effectiveness by July 1 this year. Utah’s 2022 law was the fifth of 20 states’ comprehensive measures to be passed. However, it didn’t take effect until Dec. 31, 2023.
“The UCPA was cutting edge in 2022 when it granted consumers specific privacy rights in their personal data,” said Brown's report. “However, other states' privacy laws have been implemented, and there is now an opportunity for Utah law to be amended to achieve similar protections and benefits to Utah consumers and their privacy. Also, statutory changes could make the UCPA more effective and efficient to administer.”
The Division of Consumer Protection received 32 consumer complaints in the law’s first 18 months, said the report, which noted that Connecticut received about as many in the first six months of its legislation; Oregon received 110 in six months.
“Enforcement efforts have been limited so far,” primarily because “the structure of the UCPA anticipated that investigations typically would begin with consumer complaints which would be investigated by the Division and then referred to the [AG] for enforcement if appropriate.” The problem is that there haven’t been many complaints, it said.
One reason for the small number of complaints may be that “the UCPA gives Utah consumers more limited rights than most other states’ consumer privacy bills that have passed subsequent to the UCPA. For example, consumers might be dissuaded from seeking to have the personal data that they provided to the controller deleted when the controller can retain almost the same data on the consumer it obtained from other sources,” the report said.
“Second, Utahns may be less inclined to complain to government enforcers than citizens of some other states, like California, for example,” it said. “Utah generally sees fewer consumer complaints per capita under new laws than some other states, and Utah is a relatively low-population state.”
Finally, another likely “factor is the lack of sustained publicity about the public’s rights under the UCPA,” said the report. That might be because UCPA created a financial structure in which enforcement and educational expenses were funded by revenue collected from previous privacy enforcement actions and put into a restricted fund, it said. “However, the pump has never been primed, and the account remains empty.”
Utah enforcers have seen likely violations -- but they can’t always act. “For example, a controller must provide Utah consumers ‘a reasonably accessible and clear privacy notice’ that sets forth the consumers’ rights. … With respect to processing ‘sensitive data’ the controller must go further and must present the consumer ‘with clear notice and an opportunity to opt out of the processing,’” said the report. “Many companies have privacy policies that violate those or other requirements of the Act, and thus appear on their face to violate the statute. We have even observed privacy policies that give rights to citizens of other states (e.g., California) but not to Utah’s citizens because of the different state-law protections.”
The report also highlighted an unwieldy enforcement process. If the AG's office "learns of a non-compliant company, it must refer the matter to the Division for investigation, and then the Division must refer it back" for enforcement. The AG must then issue a 30-day cure letter "to spur a controller to come into compliance” before it can file a case.
“This process must be followed even if the Attorney General learns that there is an active multistate investigation into a company’s privacy policies; [they] cannot simply join that multistate investigation and enforcement effort. That is true even if other states with substantially similar laws have issued cure letters and the company has refused to come into compliance.”
The report suggested that enforcement could be streamlined by allowing the AG's office “to simply send a thirty-day cure letter as soon as it learns of a potential violation, and/or waive that requirement where another law-enforcement entity already sent a cure letter that did not resolve the potential violation.”
It also cited two additional UCPA limitations: “First, some core consumer rights, like the right to require that a controller delete data, is limited to data the consumer provided.” No other state imposed the same limit, it said. “Second, there are many carveouts for data covered by the Health Insurance Portability and Accountability Act [or] collected by governmental entities, nonprofits, financial institutions.”
Not only that, it said, but many other states provide consumers with additional rights, including (1) opting out of wholly automated decision-making, (2) requiring opt-in for processing of sensitive data rather than opt-out, (3) requiring controllers to apply purpose limitation and data minimization principles, (4) requiring data protection impact assessments, and (5) requiring compliance with universal opt-out mechanisms. “The Legislature could consider updating the UCPA to give consumers these additional rights.”
Utah Slaps Snap
Brown's Monday lawsuit alleged that Snapchat profits from design features made to addict children to the app, while facilitating extortion and unlawful drug sales.
Despite being a free app, “Snap charges its Utah consumers by taking their time and collecting and using their data,” the complaint said. “The data being extracted includes users’ locations, interests, and behaviors (for example, engagement with Snapchat’s camera and creative tools, users’ interactions with My AI, and all the details about what and how a user views on Snap), which the company then sells for advertising dollars.”
The suit, filed in Utah's Salt Lake County District Court, alleges violations of UCPA and the Utah Consumer Sales Practices Act, among other state laws. In particular, the complaint takes issue with “My AI,” Snap’s virtual chatbot, which allegedly uses dark patterns to get information from users, lacks proper safety protocols and gives misleading and harmful advice to children.
“Utah is taking a stand to protect our kids in an increasingly digital world,” Gov. Spencer Cox (R) said in a press release Monday. “This lawsuit against Snap is about accountability and about drawing a clear line: the well-being of our children must come before corporate profits.”
In an emailed statement to us Wednesday, Snap said it's "committed to making Snapchat a safe and fun environment for our community, and [has] built privacy and safety features into our service from the start."
Snap noted that a court last year preliminarily blocked a Utah social media law for likely violating the First Amendment (see 2409110025). "Now, unable to accept the court’s rejection of the state’s legislation, the Utah Attorney General is resorting to civil litigation as a means to circumvent the court and impose age verification requirements and age-related restrictions in ways that are unconstitutional."