2022 Bills

SB 227: Complicating the Patchwork of State Privacy Laws

This bill passed the house 71-0 and passed the Senate 28-0.

Libertas Institute opposes this bill

Staff review of the legislation finds that it violates our principles and must therefore be opposed.

One of the sticking points with technological innovation is how data and information can be collected and subsequently mishandled or misused. Many have called for data privacy legislation in response.

In light of the sprawling nature of online activity and commerce, a federal solution would be the most effective to apply across the nation. Unfortunately, the federal government has failed to act on data privacy legislation despite multiple efforts, and various states have taken up the challenge instead. Beginning in California, state data privacy laws have spread to other states like Colorado and Virginia.

In Utah, the most recent effort is Senate Bill 227, sponsored by Senator Kirk Cullimore. The bill creates a set of consumer rights in the personal data collected by private companies, with penalties and enforcement mechanisms attached to target companies who don’t comply. It applies to any company that handles the data of 100,000 Utah consumers and earns revenue exceeding $25 million.

Unfortunately, despite good intentions, this emerging patchwork of state data privacy bills is not only inefficient but harmful for innovation. Compliance with one state alone is a costly endeavor. Complying with multiple state laws at the same time is an even greater cost. 

The issue driving up costs the most is uncertain enforcement standards. Each state with a data privacy law gives the state attorney general or a data privacy commission the authority to interpret and enforce the law, which leads to unique interpretations depending on the regulator. This means that two otherwise comparable state laws could be interpreted differently, depending on the state’s enforcement authority. In a state like California, as seen in recent months, interpretations of data privacy law can be very broad and even impact companies who use reasonable efforts to protect consumer data under the law. 

A recent solution, proposed in Ohio’s latest data privacy law, is to create a protection for companies who, in good faith, comply with the privacy framework published by the National Institute of Standards and Technology (NIST). While the Ohio law runs into the same patchwork issue, the provision allowing companies to follow the federal framework underscores the need for a federal, not state, privacy law.

In the meantime, state lawmakers should focus their attention on data protection within their immediate authority. Protecting information collected by state agencies, as proposed by Representative Clare Collard and requiring a warrant before tapping into the databases of consumer-facing companies, would go much further toward protecting the privacy of Utahns.