Government officials have claimed with increasing urgency they need the power to collect information about individualls to stop crimes and protect the public. Utah is on the brink of setting limits on what kind of personal data the government can collect.
The sheer number of data breaches and privacy overreaches have highlighted just how little control individuals have over information about themselves. They are frequently unaware of what information an organization has collected, how the data pieces are being used, or who those pieces are shared with. They also assume the organizations sitting on the data hoard are taking necessary steps to prevent theft or fraudulent use—but there isn’t a lot of regulation spelling out what those necessary steps are.
Data collection is out of control, and in the absence of any federal action, states have moved forward with their own laws. California is leading the way with strong privacy legislation that protects consumers from aggressive data collection by private enterprises, and New York’s cybersecurity regulations outline what financial services organizations such as insurance companies and banks have to do to safeguard consumer personal data. Earlier this month, Utah legislature passed the privacy bill 5HB 57, which requires law enforcement to obtain a warrant in order to get third-party providers to hand over user data. The bill is headed to Gov. Gary Herbert’s desk for signature.
“Utah legislators passed this latest privacy law, which requires law enforcement to obtain a warrant with probable cause in order to access any electronic data held by a third party, at least in most cases,” Molly Davis, a policy analyst at Libertas Institute, wrote for Wired.
5HB 57 prevents, at least for Utah residents, law enforcement officials from obtaining user data from third-party providers such as Google and Facebook just by asking. Currently, email and cloud service providers, social media companies, and other online entities can’t refuse to hand over the data or place restrictions on what the government can do with the information. This includes information on mobile devices such as photographs, email and text messages, and app-related data. Investigators have asked online services for account information such as usernames, IP addresses and login times as well as content provided by the users, such as emails, images, and documents.
“They [government] can access a person’s information so long as the company is willing to share—a loose practice that could easily be abused,” Davis said.
The Supreme Court originally ruled that consumers have no expectation of privacy when they give their information to third party providers, and narrowed that scope recently by excluding cell phone location data collected by mobile carriers from this category. The Supreme Court also encouraged legislators to pass laws defining what kind of data required a warrant and what didn’t.
With Utah’s privacy law, both state and federal law enforcement officials interested in information about Utah residents would first need to provide a judge with reasons for why they need the information and get a warrant before they can go to the providers for user data. They would need to show how the desired information was necessary for an ongoing investigation.
“If there is a legitimate safety concern requiring access to a person's data, law enforcement will still be able to obtain a warrant,” Davis said. “Without that warrant requirement in place, private data is left vulnerable to fishing expeditions that are rife for abuse.”
There are exceptions to the bill—the warrant requirement can be skipped in case of an emergency, or if the data invollved will be used to committ a felony or misdemeanours involving physical violance, sexual abuse, or dishonesty.
Model for Others
While this law covers only Utah, it can act as a template for other states considering how to protect user privacy from government overreach. Congress continues to deliberate on how to draft the federal consumer data privacy law, while states are already hard at work with their own versions—including restricting what companies can do with user data, defining how companies handle user consent, securing the data companies are allowed to have, and what companies have to do in case something goes wrong.
Much of the focus in 2017 and 2018 was on how companies would comply with the European Union’s data protection law. That’s just one law. In the United States, businesses have to deal with a patchwork of state and federals laws and sector-specific regulations.
Every state has its own breach notification law—when and how consumers are notified in the event of an information breach—but many of them are patterned after California’s law, which is considered the most comprehensive. Many of these laws have evolved over the years to add on new data security and privacy requirements, such as Colorado’s new HB18-1128, which increased oversight of third-parties and required businesses to establish formal information security policies. Vermont legislature passed a law to regulate data brokers. North Carolina legislators are considering a proposal to redefine breaches to include ransomware and to require businesses to undertake “reasonable security procedures and practices” to protect user data.
Oregon’s Health Information Property Act expands HIPAA’s protections to give users greater control over the use of their personal medical information. Virginia’s HB 2793 focuses on how businesses would care for, and dispose of, customer records. Under the proposed law, the business will have make sure customer information is shredded, erased, or otherwise modified when they are no longer needed to “make it unreadable or undecipherable through any means.”.
California is setting the tone again for data privacy legislation protecting consumers from aggressive data collection, mining, and sharing by private companies. Washington is considering Senate Bill 5376 which borrows elements from GDPR and California’s law. If passed, Washington-based consumers will have the right to access personal data being held, demand its deletion, and prevent information from being sold to third-parties. New York’s Right to Know of 2019 would require businesses to provide users with details about what kind of personal information they have collected on the users. New York is defining personal data widely, going beyond names, addresses, and Social Security numbers to include Internet activity, user-generated content, physical and sexual characteristics, racial, religious, political, professional, educational, and commercial information. Like California’s law, both Washington and New York are focusing on any entities that have business within the state, regardless of physical location.
When Utah legislator Craig Hall introduced HB 57, he said the bill would designate the creator of digital content as the owner, not the companies that operate the infrastructure holding the content.
"I want to make clear that the protections that we now have in the paper world are also in place for the electronic world," Hall said at the time.