record keeping software Archives - Zasio

Utah Becomes Newest State to Adopt Consumer Privacy Law

Zasio — Fri, 20 May 2022 19:16:53 +0000

On March 24, 2022, the Utah Consumer Privacy Act (UCPA) was signed into law by Governor Spencer J. Cox, making Utah the fourth state, behind California, Virginia, and Colorado, to pass comprehensive consumer privacy legislation.

The UCPA’s Applicability

The UCPA applies to entities that:

conduct business in Utah or produce products and services that target Utah residents;
have an annual revenue of $25 million or more; and
either controls or processes the personal data of at least 100,000 Utah residents or derives 50% of its revenue from the sale of personal data and controls or processes the data of over 25,000 Utah residents.

There are also a number of exemptions under the UCPA, including, government agencies, institutions of higher education, non-profit corporations, and entities regulated under the Health Insurance Portability and Accountability Act (HIPAA).

What Rights Do Consumer Have Under the UCPA?

Utah residents have the following rights under the UCPA:

Access: Right to confirm whether a controller is processing the consumer’s personal data and access to that data.
Deletion: Right to delete the personal data provided to the controller.
Portability: Right to obtain copies of the personal data provided to the controller in a format that is portable, usable, and transmittable.
Opt-Out: Right to opt-out of the processing of personal data for targeted advertising or sale of personal data.

Responsibilities for Processors and Controllers

The UCPA specifies the following responsibilities for processors and controllers:

Contracts between processors and controllers shall be established before processors begin processing information on behalf of a controller. The contract should provide the instructions for processing personal data, the purpose, type of data being processed, the duration, and the rights and obligations of the parties. The contract should also ensure confidentiality by the processor in relation to the personal data being processed. Any subcontractors must also enter into a contract and abide by the same obligations as the processor.
Controllers shall provide consumers with a privacy notice that includes:
categories of personal data processed by the controller;
purpose of processing the personal data;
how consumers may exercise their rights;
categories of personal data that are shared with third parties;
categories of third parties with whom the controller shares personal data; and
the manner in which consumers may exercise the right to opt-out of the sale of personal data or processing for targeted advertising.
Establish data security practices to protect the confidentiality of personal data and reduce the risk of harm to consumers in relation to the processing of their personal data.
Controllers may not process data collected from a consumer without providing notice and the opportunity to opt-out of the processing.
Controllers may not discriminate against consumers for exercising their rights by denying goods or services, charging different prices to consumers for goods or services, or providing the consumer with a different quality of goods or services.

UCPA Enforcement

The Utah attorney general has the exclusive right to enforce actions under the UCPA (i.e., consumers do not have a private right of action against business for UCPA violations). Violators of the law have a 30-day cure period upon receipt of written notification before the attorney general initiates any actions against the controller or processor. Uncured or continued violations are subject to penalties up to $7,500 per violation and may be responsible for payment of damages to the attorney general to be deposited into the Consumer Privacy Account.

The UCPA’s Effective Date

The UCPA becomes effective on December 31, 2023, giving businesses a grace period to adjust their operations. While this may seem far off, don’t underestimate the amount of time it can take for a business to adjust its practices to be legally compliant. Instead, contact Zasio to find out how you can help bring your business into compliance with this new law, as well as other comprehensive state privacy laws.

Disclaimer: The purpose of this post is to provide general education on Information Governance topics. The statements are informational only and do not constitute legal advice. If you have specific questions regarding the application of the law to your business activities, you should seek the advice of your legal counsel.

Author: Heather Rice

Senior Research Analyst / Certified Paralegal

The post Utah Becomes Newest State to Adopt Consumer Privacy Law appeared first on Zasio.

Do You Ever Feel Like, Somebody’s Watching You? That’s Because They Are

Zasio — Mon, 13 Sep 2021 20:25:14 +0000

With video surveillance becoming less expensive and more widely available, our images are increasingly recorded. But things are not as Orwellian as they seem. Even before drones, dashcams or video doorbells became everyday items, regulators established requirements for video surveillance. How long an entity can retain images depends on several things, including the areas the cameras cover, the type of business capturing the image, and the events captured.

Most international video surveillance requirements are not found in regulations, directives, or statutes. Rather, these requirements are frequently governed by data protection authorities through guidelines, decisions, or standards. But don’t let these titles fool you about their enforceability. Data protection authorities view these guidelines at the very least as best practices, and EU member states reference them when sanctioning and fining an entity for non-compliance.

Video Surveillance Coverage: Areas and Businesses

Generally, businesses using video surveillance are required to inform the public they are under video surveillance, in line with many data protection laws which mandate data subjects be informed their data is being processed. The EU Data Protection Supervisor states these notices “are mandatory because individuals affected by video surveillance must be informed upon its installation about the monitoring, its purpose, and the length of time for which the footage is to be kept and by whom.”[1]

Video surveillance requirements also force businesses to limit surveillance to areas like parking lots, building entrances, or streets. This does not mean surveillance cameras can cover wide swaths of these areas. Businesses are further limited to recording those areas of parking lots or building access or emergency exits that justify the protection of individuals and property.

Certain businesses are required to use video surveillance, such as banks, casinos, ATMs, and other financially-related businesses. Legal requirements also note that certain areas never justify video surveillance, like bathrooms, changing rooms, and pools. These areas are considered inherently private, and legal requirements recognize that data subjects deserve a heightened level of legal protection from video surveillance.

Incident Versus Non-Incident

In the legal realm, there are two main types of surveillance that regulators are looking at: incident and non-incident camera footage. Whether footage captures evidence of an incident will determine the retention period for that section. Most recordkeeping requirements set a minimum amount of time records must be retained. Recordkeeping requirements for video surveillance, however, typically set a maximum amount of time these images can be kept. Incident-capturing footage requirements follow this same method but may allow for slightly longer retention periods. For example, Greece doubles the amount of time businesses may keep video surveillance images following an incident. Generally, where surveillance footage does not contain images of an incident, the maximum amount of time this footage can be retained may be a few months, weeks, days, or hours.[2]

EU member states have some of the strictest requirements when it comes to video surveillance. For example, under Austrian law, images may be retained no longer than 72 hours.[3] In Germany, this period is 48 hours.[4] And in Italy, video surveillance must not be retained longer than 24 hours.[5] Complying with these limitations can prove difficult when an entity does not frequently check its surveillance footage, such as over a weekend or a holiday. Accordingly, regulators acknowledge that these retention periods may require some flexibility. Some regulators also permit for a longer retention period when parties consent through written agreements.[6]

Most legal requirements allow for longer retention when images are necessary for court proceedings or criminal investigations. However, investigating a crime or incident does not give an entity carte blanche to retain images indefinitely.[7] Typically, legal requirements require destruction within a few months, weeks, or days of the conclusion of an investigation or related proceedings.

Legal Requirements Versus System Capabilities

Video surveillance is one area where the law and technology play leapfrog. Sometimes the legal requirements are ahead of their time; sometimes technology is cutting edge. As noted, some European jurisdictions allow video surveillance retention for only hours or days. Not all video surveillance systems are created equal, and some systems do not have the capability to automatically erase footage every 24 hours. When this is the case, entities must be careful to note their surveillance footage retention periods in their notices and policies.

Conclusion

Whether you are a privacy-minded individual concerned about your image being captured through video surveillance or a business concerned about legal repercussions from your video surveillance practices, data protection authorities and regulators have provided guidelines on what your rights are. To learn more about how video surveillance may affect your business, contact Zasio today.

[1] European Data Protection Supervisor, Video Surveillance, “What are the main data protection issues?”

[2] EDPB Guidelines 3/2019 on processing of personal data through video devices (8)(119).

[3] Ordinance of the data protection authority on the exemptions from the data protection impact assessment.

[4] Short Paper on Video surveillance according to the General Data Protection Regulation.

[5] Video Surveillance Decision 2010.

[6] Ordinance of the data protection authority on the exemptions from the data protection impact assessment.

[7] EDPS Guidelines on video-surveillance (7.1.1).

The post Do You Ever Feel Like, Somebody’s Watching You? That’s Because They Are appeared first on Zasio.