SALT LAKE CITY — A handful of personal privacy bills are finding broad support from Utah lawmakers this legislative session, but a few of the bills still have a ways to travel as the final five days of the 2021 edition fast approach.
New protections for personal information in the cloud
A proposal that would extend Fourth Amendment protections to personal information and documents stored in remote computer servers, commonly referred to as "the cloud," was left to die on the vine at the end of last year's session.
But a failure that was more about timing than lack of support — the bill earned unanimous House passage in the waning days of the 2020 legislative conclave but never made it to Senate consideration — looks likely to find a more successful outcome this time around.
HB87 establishes new definitions that stipulate what digital information can be accessed via a subpoena versus information, if sought by law enforcement, that will require a warrant.
The proposal found unanimous approval at every step of the process and is headed for the desk of Utah Gov. Spencer Cox.
Under the proposal, subscriber information held by a third-party provider — like a person's name, how long they've had an account and other basic user data — could be accessed through the direction of a subpoena. But access to transactional data, documents, etc. would require the higher bar of a warrant.
According to an assessment performed last session by the American Civil Liberties Union of Utah, the bill "establishes that a person who transmits data to a third-party (like a cellphone provider or cloud-based server) maintains ownership of their data and is entitled to a reasonable expectation of privacy."
New commission to oversee how government handles your personal data
A new law enforcement tool from a Utah-based company called Banjo — that relied on surveillance cameras, location tracking and mining social media sites for information to accomplish its goals — traveled an incredibly short journey from promise to peril but not until after it earned a multimillion-dollar state contract.
Last spring, the Utah Attorney General's Office announced the state had suspended use of the technology services of Park City-based Banjo after it was revealed company founder Damien Patton had past connections with a white supremacist group and was involved in a shooting at a Jewish synagogue in the early 1990s. The $21 million contract had also opened the door for dozens of local Utah law enforcement agencies to use Banjo's services under existing preferred provider agreements.
But even before the revelations of Patton's past became public, privacy watchdogs questioned the methods by which Banjo gathered information, whether the data was being appropriately scrubbed of personally identifying characteristics and the veracity of security measures in place to ensure access was limited to appropriate agencies and, even then, used only in specific and justified circumstances.
Sponsored by House Majority Leader Rep. Francis Gibson, R-Mapleton, HB243 would create a permanent committee, housed within the state auditor's office, that would include topic experts from the realms of internet technology, cybersecurity, law enforcement, data privacy law, data privacy technology and civil liberties law.
The collected experts would be responsible for reviewing technology products and services for how they collect, assess and store personal data and information for state agencies as well as those of Utah municipal and county government operations as well as school districts. Overseeing that work would be two new state data privacy officers, one of whom would also be a part of the auditor's staff and another in the governor's office.
HB243 passed the full House on a unanimous vote Friday and is headed for the Senate.
How easily should police be able to track your location? See your internet searches?
A new tool in wide use by law enforcement agencies across the country can draw a circle on any map and seek out, through chilling data search techniques, who was in or near that area at any specific time.
That's all thanks to the signals your cellphone is constantly receiving and emitting, whether you're using it or not.
So if you happened to be walking your dog through that search zone at the same time a crime was committed, you could end up as part of an investigation based on nothing more substantial than easily obtainable records showing everywhere you've been with that cellphone in your pocket.
Now, a bill that could have created landmark restrictions on these type of dragnet-style law enforcement searches, ones that can access databases showing not only where you've been but what searches you've conducted on your browser — even if you're not a suspect — has been toned down by Utah lawmakers but could still lead to some new privacy protections for residents.
In its initial form, Rep. Ryan Wilcox's HB251 would have created an outright ban on law enforcement access to that stored data without a much more specific and narrow warrant from the outset. But the Ogden Republican's revised version, which found unanimous approval from a Utah legislative committee this week, has dropped the attempt at a ban and removed any new stipulations on reverse keyboard searches.
But Wilcox says he still has hope to address both types of data gathering, and even in its current form, HB251 would create some new law enforcement boundaries where none previously existed when it comes to the scope of location data searches.
The revised version includes stipulations that reverse location search warrants include a requirement that the accessed data be anonymized, or scrubbed of any personally identifying information, that the areas to be "searched" for location data be appropriately minimized, and that the number of "targets" be limited in scope.
At the end of Friday's House session, HB251 was awaiting a final vote from the full body.
New opt-out rights for Utah consumers
A proposal aiming to require internet-based companies to get permission from users before they can share gathered personal digital data, as well as extending other rights to help individuals assert some control over their personal information, found support from the Senate Transportation, Public Utilities, Energy, and Technology Committee on Tuesday.
Sen. Kirk Cullimore, R-Draper, said his SB200 would, in addition to creating a permission requirement for sharing data, allow consumers to access, correct and delete certain personal data and get reports, on demand, showing what information about them has been shared and with whom.
The proposal has some similarity to consumer privacy legislation adopted by the European Commission several years ago and, more recently by California via the California Consumer Privacy Act and California Privacy Rights Act.
Business leaders are raising some concerns about the potential cost, and complexity of complying with the new rules, but the proposal earned a unanimous vote from committee lawmakers and is now awaiting a vote from the full Senate.
Default porn filtering on cellphones moving forward
A proposal aiming to require manufacturers of cellphones and tablets to have porn filtering software installed and switched on for all sales to Utah customers advanced to the full Senate on Tuesday after advancing through the Senate Transportation, Public Utilities, Energy and Technology Committee.
Supporters of HB72 point to the myriad problems early exposure to explicit content can create for children and believe the bill represents a new tool to help parents keep minors safe.
Opponents of the bill, which include representatives of retailer and manufacturer groups, roundly agree about the harms inherent in children being exposed to adult internet content, but argue Pulsipher's legislation is the wrong way to address the issue.
And civil rights groups believe the mandates would lead to infringement on First Amendment protections.
HB72, sponsored by Rep. Susan Pulsipher, R-South Jordan, has already completed its journey through the House and was on the Senate's second reading calendar at the end of Friday's floor session.