Continue reading on DataGuidance with:
Free Member
Limited ArticlesCreate an account to continue accessing select articles, resources, and guidance notes.
Already have an account? Log in
Utah: 2023 privacy updates
The Utah Consumer Privacy Act (UCPA), which entered into force on December 31, 2023, functions as comprehensive privacy legislation in Utah. However, the Utah State legislature has been active in both amending state privacy legislation and providing for new additions. OneTrust DataGuidance provides an overview of legislation that accompanies the UCPA and developments in the Utah privacy framework, with comments provided by Clifford Blair, Shareholder at Kirton McConkie.
House Bill 311 for Social Media Usage Amendments
House Bill 311 for Social Media Usage Amendments (HB 311) was signed into law by the Governor of Utah on March 23, 2023, and entered into effect on December 31, 2023.
Main provisions
HB 311 mainly regulates social media companies and the use and design of social media platforms in Utah. It starts by defining terms such as 'addiction,' 'social media company,' 'post,' 'account holder,' or 'interactive computer service.'
The Division of Consumer Protection is granted enforcement and auditing authority to enforce requirements under HB 311. While social media companies in Utah are obligated to refrain from employing practices, designs, or features on their platforms that they know, or should know, cause a resident minor account holder to develop an addiction to the platform.
Fines and enforcement
Notably, HB 311 provides individuals with the right to bring a private action against social media companies for damages resulting from addiction, financial, physical, or emotional harm caused by the use of the platform.
HB 311 also specifies that a social media company may be subject to civil penalties if it is found to be using practices, designs, or features on its platform leading to addiction in Utah minor account holders. Penalties include:
- a $250,000 fine for each practice, design, or feature proven to cause addiction; and
- a fine of up to $2,500 for each Utah minor account holder exposed to the identified practice, design, or feature causing addiction.
HB 311 includes an affirmative defense for social media companies. To avoid penalties, the company must demonstrate the implementation and maintenance of a quarterly audit program that regularly checks for features that might cause addiction in users. Any issues identified during audits must be corrected within 30 days to avoid penalties.
HB 311 clarifies that certain types of content or conduct by social media companies are not subject to liability. These include content generated by users, passively displayed third-party content, and activities protected by Federal or Utah law.
Senate Bill 152 for the Social Media Regulation Amendments
Senate Bill 152 for the Social Media Regulation Amendments (SB 152) was signed into law by the Utah Governor on March 23, 2023 and entered into effect on May 3, 2023.
Main provisions
SB 152 starts by defining terms such as 'account holder,' 'interactive computer service,' 'minor,' and 'social media company.' Under SB 152, social media companies are mandated to adhere to specific requirements, including:
- obtaining parental consent for a Utah minor to either maintain or open an account;
- verifying the age of Utah residents;
- prohibiting individuals from opening an account if they do not meet age requirements under state or federal law; and
- providing parents or guardians with a password or other means to access the account.
In the context of accounts held by a Utah minor, SB 152 imposes restrictions on social media platforms. These limitations include constraints on direct messaging with users not linked through friending, exclusion of the minor's account from search results, advertising limitations, restrictions on data collections, and, subject to parental direction, limitations on hours of access.
Additionally, social media companies are required to prevent Utah minor account holders from accessing their accounts during the hours of 10:30 p.m. to 6:30 a.m. These restrictions can be modified by parents or guardians based on their preferences. Clifford stated that "one possible downside of such constraints could be that if minors find their social media channels to be overly restrictive, they could migrate to less regulated social media platforms or web platforms. This could lead to unintended consequences in more dangerous media."
SB 152 grants the Division of Consumer Protection the authority to receive and investigate complaints related to violations, as well as the power to impose fines. The Division of Consumer Protection also is mandated to compile an annual report detailing enforcement efforts, consumer interactions, fines, and penalties.
Senate Bill 194 for Social Media Regulation Amendments
Senate Bill 194 for Social Media Regulations (SB 194) was signed into law by the Governor of Utah on March 13, 2024, and enters into effect on October 1, 2024.
Main provisions
Centrally, SB 194 makes amendments to the requirements introduced under SB 152. Specifically, SB 194 outlines that for accounts held by a Utah resident under the age of 18, certain social media companies must, among other things:
- prohibit direct messaging with certain accounts;
- not show a minor's account in search results;
- not display advertising;
- not collect, share, or use personal information from the account, with certain exceptions;
- not target or suggest ads, accounts, or content; and
- limit hours of access, subject to parental or guardian direction.
Restrictions are also set for minor account holders, with SB 194 requiring that social media companies must:
- set default privacy settings to prioritize maximum privacy;
- implement and maintain reasonable security measures to protect the confidentiality, security, and integrity of personal information collected from a minor's account;
- provide an easily accessible and understandable privacy notice; and
- disable features that prolong user engagement.
Senate Bill 127 for the Cybersecurity Amendments
Senate Bill 127 for the Cybersecurity Amendments (SB 127) was signed into law on March 23, 2023, by the Governor of Utah and became effective on May 3, 2023. SB 127 focuses on various provisions related to enhancing cybersecurity measures.
Main provisions
Specifically, SB 127 amends the system security breach disclosure requirement. Entities owning or licensing computerized personal data of Utah residents must conduct an investigation, upon detecting a breach of system security. If misuse for identity theft or fraud is confirmed, timely notification to affected residents is mandatory. Notably, for breaches affecting 500 or more residents, entities must inform the Office of the Attorney General (AG) and the newly established Utah Cyber Center.
The Utah Cyber Center, established within the Division of Technology Services, is tasked with collaborating with various entities to develop a statewide strategic cybersecurity plan, coordinate incident response, share threat information, and promote best practices.
Governmental entities are also required under SB 127 to report breaches of system security to the Cyber Center, which shall assist in responding to the breach of system security. Beginning January 1, 2025, governmental entities will be required to use authorized top-level domains (such as .gov, .edu, .mil) for their official websites and email addresses. Nonetheless, a governmental entity may operate a website without an authorized top-level domain if, for example, the website is only for internal use or is temporary.
Clifford noted that "SB 127 increases the situations in which reporting of cybersecurity breaches is required. It also created the Utah Cyber Center to help Utah governmental entities ensure best practices regarding cybersecurity."
Senate Bill 226 for the Electronic Information or Data Privacy Act Amendments
Senate Bill 226 for the Electronic Information or Data Privacy Act Amendments (SB 226) was signed into law by the Governor of Utah on March 23, 2023, and entered into effect on May 3, 2023. SB 226 strengthens privacy protections by ensuring that law enforcement agencies follow proper legal procedures by requiring search warrants to access electronic information or data related to criminal investigations.
Main provisions
Warrant requirement: SB 226 mandates that, except under specific circumstances, a law enforcement agency cannot access location information, stored data, or transmitted data of electronic devices without a search warrant issued by a court upon probable cause.
On this, Clifford added that "the law enforcement agencies must show probable cause to obtain the warrant. Importantly, criminals who have taken possession of someone else's device cannot benefit from the protections of SB 226."
Data handling restrictions: A law enforcement agency may not use, copy, or disclose the location information, stored data, or transmitted data of an electronic device or data not covered by the warrant. Certain exceptions apply, such as when the law enforcement agency reasonably believes that the transmitted data is necessary to achieve the objective of the warrant.
Data destruction: Any electronic information or data not covered by the warrant shall be destroyed in an unrecoverable manner by the law enforcement agency as soon as possible after being collected.
Exceptions: SB 226 outlines specific situations where law enforcement agencies can obtain location information without a warrant, including emergencies, stolen devices, or with the owner's or user's informed consent.
Provider liabilities protections: SB 226 protects providers of electronic communications services or remote computing services from liability for providing information in good faith reliance on a warrant.
Regarding its interaction with privacy concerns, Clifford observes that "the judicial check provided by this bill creates greater privacy protections amid the larger discussions between the EU and the US about U.S. intelligence activities. SB 226 brings Utah in closer alignment with global privacy trends and provides appropriate protections while allowing for exceptions when enforcement agencies are faced with exigent circumstances. While it is yet to be seen, it may be that these additional requirements on law enforcement create an additional burden on courts that must approve warrants and therefore may reduce law enforcement access to these sources of information."
Senate Bill 149 for the Artificial Intelligence Policy Act
Senate Bill 149 for the Artificial Intelligence Policy Act (the AI Policy Act) establishes administrative controls and policies for artificial intelligence (AI), and enters into effect on May 1, 2024.
Main provisions
The AI Policy Act starts by defining terms related to AI, such as, 'generative artificial intelligence,' 'artificial intelligence technology,' 'learning laboratory,' and 'regulatory mitigation.'
Specifically, the AI policy Act creates the Office of Artificial Intelligence Policy, which is tasked with managing the Artificial Intelligence Learning Laboratory Program (the Program), which aims to analyze and research the risks and benefits of AI technologies.
Clifford pointed out that "The Learning Laboratory is intended to help understand the risks and benefits of AI and encourage its development in the State of Utah. To do so, the Learning Laboratory can mitigate regulatory burdens for AI-oriented businesses that partner with the Learning Laboratory. This partnership allows the AI Learning Laboratory to learn more about the different applications of AI, their risks, and benefits and propose legislative measures that take this learning into account."
According to the AI Policy Act, individuals using or intending to use AI in Utah can apply for regulatory mitigation agreements, outlining limitations and safeguards. The eligibility criteria for participants include demonstrating technical expertise, financial capability, potential consumer benefits, effective risk management plans, and appropriately limited testing. For participation in the Program, participants are required to furnish information, report incidents promptly, and comply with cybersecurity auditing procedures.
Clifford summarized that "the bill's sponsors identified existing consumer protection provisions in the state code and clarified that those provisions would also apply to AI. Similar to the EU's AI legislation, Utah is regulating AI at touch points with consumers, which is where AI creates the greatest risks."
Cristina Die González Editor
[email protected]
With comments provided by:
Clifford Blair Shareholder
[email protected]
Robert Snyder Associate
[email protected]
Kirton McConkie, Utah