Is it time for Utah to take a closer look at how the European Union and state of California are putting control of personal data into the hands of those against whom it’s being used — in an increasingly effective manner — to build the multibillion-dollar corporate behemoths of the tech world?
State lawmakers signed off on a series of new measures in this year’s Utah legislative session aiming to build protections against tech companies and public agencies abusing the troves of personal information gathered, assessed and sold in a practice that’s become the highly profitable backbone of the online world.
The work in Utah on personal privacy protections continues a trend that’s been in play for the past few years and runs somewhat counter to the track record of the state’s Republican-dominated Legislature — one that’s built a national reputation for cultivating a regulatory-light business realm in the Beehive State.
That light-touch approach is one of the tell-tales of Utah’s commercial environment that’s earned accolades for its business friendliness and, no doubt, part of the engine that drives one of the nation’s most diverse and powerful state economies.
But unlike the E.U. and Golden State, Utah leaders have yet to put control into the hands of the individual residents who are ceaselessly targeted with ads and pitches thanks to the mostly unregulated collection, trade and commodification of personal data — some of which can include intimate details of our faith practices, friends, education, incomes and personal histories.
Measures adopted several years ago by the European Union and more recently by California through both the legislation and referenda process, empower individual internet users to grant permission, or not, to share their accumulated data as well as other rights that include having inaccurate personal information promptly corrected, the ability to request what personal data has been gathered and with whom it has been shared, and other items.
An overused maxim about free-to-use social media platforms and other online digital services is, “If you’re not paying for the product, you are the product.” The “you” in this being the sum total of your personal digital minutiae that allows companies to hyper-target you for sales pitches and advertising.
It’s an issue on the minds of anyone who has wondered if their own personal information is a part of data breach revelations that have become a regularly featured news item or how companies have gotten so good — maybe too good — at the highly customized ads that greet them at every turn while connected to the internet.
The 2019 edition of the Utah Legislature made warrants mandatory for law enforcement searches of personal information stored on third-party servers, also commonly referred to as the cloud.
In 2020 lawmakers started talks about putting limits on the use of facial recognition software and access to DNA databases.
The 2021 session finished up as one of the most effective on record when it comes to curbing the use, and abuse of Utah residents’ personal information.
Among the latest efforts, this year’s HB243 creates a new Personal Privacy Oversight Commission that would be charged with watchdogging how government agencies collect and handle personal information. The issue earned a spotlight last year thanks to the missteps of Utah-based high-tech surveillance company, and one-time state contractor, Banjo.
House Majority Leader Rep. Francis Gibson, R-Mapleton, was a vocal critic of Banjo’s services even before the state entered into a $20 million contract with the company and put his concerns into action this session with the mandates of his HB243, which found overwhelming and bipartisan favor with lawmakers and appears likely to earn the signature of Gov. Spencer Cox.
“As it relates to government, how do we maintain privacy?” Gibson asked the members of the House Government Operations Committee during the session. “How do we know that information is being kept private ... and the things we give to government for our benefits are not being abused or taken elsewhere?”
Servers and wires are pictured in Salt Lake City on Thursday, Feb. 18, 2021.
Kristin Murphy, Deseret News
Gibson’s concerns, and questions, apply equally well to the private sector, and the 2021 edition of the state’s 45-day legislative session did dip its toes into the waters of empowering Utah residents with some control over their personal information. While SB200, sponsored by Sen. Kirk Cullimore, R-Draper, would have advanced a few of the mandates of California’s personal privacy regulations to Utahns, including the personal opt-out for data sharing, the effort made it no further than a Senate committee hearing.
Had Cullimore’s bill traveled further through the lawmaking pipeline, it’s likely that lawmakers and the public would have heard more about the costs associated with creating these new rights for digital self-determination and, even with carve-outs designed to protect small businesses, the numbers are staggering.
And those astronomic business costs would likely have proved untenable to Utah lawmakers but perhaps it would have at least begun the conversation about the harder to compute costs of what we collectively give up to the titans of digital commerce.
Research done by Berkeley Economic Advising and Research estimates compliance costs will scale, more or less, to the size of the business beholden to them with $50,000 for companies with 20 or fewer employees and up to $2 million or more for initial compliance for businesses with over 500 employees.
The group estimated the California business community’s cost of initial compliance with the state’s personal privacy regulations in the neighborhood of $55 billion — almost 2% of the state’s gross state product. That 2%, applied to Utah’s 2019 gross state product of almost $165 billion, comes in at around $3.3 billion in costs to businesses.
For context, that’s about 10 times the size of Salt Lake City’s current annual operating budget.
Industry watchers note other states are already testing the waters of their own version of California’s personal privacy regulations and, inevitably, a patchwork of similar regulatory efforts are likely to arise, particularly in lieu of any efforts moving forward at the federal level to ensure individual control of our personal data.
While Utah’s own take on putting the “I” into taking control of personal data sharing stalled on its first attempt this winter, another go is likely in the works.
And the patchwork product that will result of states’ attempts to compensate for personal data privacy protections — the ones so pointedly not being currently championed by Congress — will leave businesses to navigate an incomprehensible, and extremely expensive, operational minefield.
The flip side is, of course, the continued and unbridled monetization of our private, personal information, a scenario that has already transformed us all, as simply internet users, into the weary, and leery, digital products of our time.