Utah Governor Signs Online Privacy Law

Utah Governor Spencer Cox on Thursday signed into law a new privacy bill that gives state residents the right to opt out of some forms of behavioral ad targeting.  

The Consumer Privacy Act (SB 227) broadly requires companies to allow consumers to access and delete some personal data, and to opt out of its sale. The measure has a specific provision allowing consumers to opt out of targeted advertising.

As with recent laws in California, Colorado and Virginia, Utah's bill doesn't allow consumers to sue over online privacy violations.

The tech industry trade group State Privacy and Security Coalition backed the Utah bill, while consumer advocates including Consumer Reports and the Electronic Frontier Foundation argued that the measure was too weak.

Among other objections to the Utah bill, advocates argued that it should have included a provision requiring companies to honor global opt-out signals, such as “do-not-sell” commands that consumers can send through their browsers.



Two other states -- Colorado and California -- have taken a global opt-out approach.

The privacy groups also said the bill has an ambiguity that could allow companies to continue to serve certain forms of targeted ads, even when consumers attempt to opt out of behavioral targeting.

That potential loophole centers on the bill's definition of “targeted advertising,”

The measure says targeted advertising means ads based on data about people's activities across nonaffiliated websites or apps; the definition also specifically excludes ads based on a company's own data about consumers.

That exemption for first-party data could allow large companies with a vast trove of first-party data to serve ads to consumers on outside sites, the advocacy groups said. For that reason, Consumer Reports senior policy analyst Maureen Mahoney called the bill “a gift” to large companies, stating they “won’t have to change anything in order to comply with this law.”

She added that the bill “won’t protect consumers from invasive data practices” and “could harm consumers by causing them to think that their data is adequately protected after opting out.”

Next story loading loading..