Utah enacts data privacy legislation in the mold of California, Colorado, and Virginia, but with less onerous requirements for businesses, in what is expected to be a model for more states going forward.

By Jennifer Archie, Michael Rubin, Joseph Hansen, and Wesley Tiu

On March 24, 2022, Utah Governor Spencer Cox signed the Utah Consumer Privacy Act (UCPA), making Utah the fourth US state to enact comprehensive data privacy legislation. The UCPA was introduced on February 17, 2022, and sped through the state legislature, receiving final passage on March 3, 2022.

The UCPA, which is set to take effect on December 31, 2023, builds off existing and forthcoming privacy legislation in California, Colorado, and Virginia, but lightens some of the compliance burdens on businesses. The UCPA does not impose any new privacy obligations on businesses that are not already required in California, and businesses will be familiar with the UCPA’s requirements — all of which have appeared in existing and forthcoming state data privacy laws. In a welcome change for businesses, however, the UCPA is narrower in certain respects as compared to its analogues in California (CCPA/CPRA), Colorado (CPA), and Virginia (VCDPA). (See, e.g., Virginia Consumer Data Protection Act: Second US State Passes Comprehensive Data Privacy Legislation.)

The UCPA represents the latest in a string of state privacy laws that seek to fill a nationwide gap while Congress continues to debate the merits of a federal data privacy law. The UCPA marks a slightly different variation, as it appears to have been more directly informed by industry groups such as TechNet and the State Privacy Security Coalition. These industry groups are working toward a uniform set of privacy laws in the United States, and Utah could set an example for additional states.

This blog post discusses some of the UCPA’s key provisions.

The proposals would grant consumers increasing rights to require providers to share access to their data directly with chosen third parties.

By Alain Traill and Gail Crawford

The UK government has released a consultation advocating the introduction of sweeping new requirements for service providers to share both consumer data (upon request) and data regarding their own products and services, with third parties. The proposals, released on 11 June 2019 by the Department for Business, Energy and Industrial Strategy (BEIS) in its Smart Data report and consultation, are indicative of a wider drive toward requiring companies to free up access to the data they hold. The drivers behind this include a desire to increase competition, foster the growth of data-driven services, and improve consumer choice.

The proposals follow the introduction of a range of sector-specific initiatives in the UK and is part of a concerted government focus on digital strategy, as evidenced in its recent white paper on Regulation for the Fourth Industrial Revolution, as well as the National Data Strategy introduced last year.

FCA Chair hints that new regulation addressing data ethics in the FinTech space may be on the horizon.

By Nicola Higgs, Fiona Maclean and Terese Saplys

Will societies of the future be ruled by algocracy, in which algorithms decide how humans are governed? Charles Randell, Chair of the Financial Conduct Authority (FCA) and Payment Systems Regulator, addressed how to avoid this hypothetical scenario in a broad-ranging speech on that he delivered on 11 July 2018 in London.

Randell’s Remarks

Contributing Factors to an Algocracy

According to Randell, the following three conditions could collectively give rise to a future algocracy:

  • If a small number of major corporations were to hold the largest datasets for a significant number of individuals (as is currently the case)
  • Continuing vast and rapid improvements in artificial intelligence and machine learning that allows firms to mine Big Data sets with greater ease and speed
  • Further developments in behavioural science allowing firms to target their sales efforts by exploiting consumers’ decision-making biases

August 2 Webcast to Consider Risks and Responses

A recent high-profile enforcement action by the Federal Trade Commission (FTC) provides meaningful context and occasion for examining data security risks in the hospitality industry.

In late June, the FTC filed suit against global hospitality company Wyndham Worldwide Corp. and three of its subsidiaries for alleged data security failures that led to three data breaches at 45 Wyndham properties in less than two years. The action followed an expansive and expensive civil