EFF fights for strong data privacy laws in statehouses across the country. That’s why we joined a coalition of privacy advocates in urging Utah's lawmakers to stop the bill. Now we're asking Gov. Spencer J. Cox to veto SB227, which passed quickly through the state’s legislature last week. This bill protects privacy in name only, and lacks real protections or teeth. By setting such a low bar for privacy, and blessing some anti-privacy company tactics, it does not set a strong foundation for future privacy improvements in Utah. It should not become law. If you’re in Utah, please join us in asking Gov. Cox to veto this bill.
Tell Gov. Cox to Veto This Weak Data Privacy Bill
Strong privacy laws should help everyday people protect and manage their privacy. They should cover the companies and practices that pose the most potential for harm. They should be easy for people to use, so protecting our privacy doesn’t become an additional part-time (or full-time) job. They should ensure that people aren’t penalized if they choose to protect their privacy. And they should give people the tools to stand up for themselves if companies trample their privacy rights.
This weak Utah bill does none of those things. It specifically does not, for example, cover companies that profile people based on their data. It’s built on an opt-out structure, meaning people have to figure out which companies have their information and go to each of them, one at a time, to make their privacy requests. It doesn’t even allow for tools that people could use to make this process easier, such as requiring companies to recognize a global privacy signal that would broadcast a user’s intentions to web sites they visit.
This bill also fails on some of EFF’s highest priorities for effective and protective privacy legislation. The Utah bill expressly permits companies to charge people more or give them a lesser service if they ask a company not to sell their information. This makes privacy a luxury for only those who can afford it. It also lacks a private right of action—an individual right to sue, which is standard in many federal and state privacy laws. Even worse, it gives businesses a “right to cure” before any governmental enforcement. That gives businesses a “get out of jail free” card to violate the law, secure in the knowledge that they cannot be punished for privacy invasions that precede government requests that they stop. In short, this bill does nothing to incentivize companies to respect individual privacy.
The Utah bill is a much weaker version of a similar law that passed in Virginia last year. EFF opposed that bill, and has urged other state lawmakers not to follow in Virginia’s footsteps. The race to the bottom is accelerating. Now a version of Utah’s weaker bill has already appeared in the Iowa legislature. Virginia’s privacy law was empty; Utah’s bill is even worse. For example, Utah limits Virginia’s already flawed definition of a “sale” of data, and removes people’s right to appeal when companies refuse to comply with their requests.
State lawmakers must do better. We respectfully urge Gov. Cox to veto this bill and ask the legislature to pass a bill that truly protects the people of Utah.
Tell Gov. Cox to Veto This Weak Data Privacy Bill