Description:
Our latest episode features Utah State Senator Kirk Cullimore, author of the Utah Consumer Privacy Act. This discussion focuses on Utah's current consumer privacy and security legislation. The state of Utah is the fourth state to pass a consumer privacy bill into law, following California, Virginia, and Colorado. Sen. Kirk Cullimore discusses the drivers for today's privacy legislation and the future of privacy legislation from the Federal Government.
Speakers
Sen. Kirk Cullimore
Senator
Utah State Senate
Senator Kirk A. Cullimore Jr. has represented District 9 in the Utah State Senate since he was elected in 2018. He received his law degree at the University of Oklahoma and began his law career in Oklahoma primarily in Federal Indian Law including tribal business transactions, gaming law, organization and development of tribal policies and procedures, and administrative law. His practice in Oklahoma also included areas of general business and contract law, property management, fair housing, homeowner association and collections.
Bill Tolson
VP of Global Compliance & eDiscovery
Archive360
Bill is the Vice President of Global Compliance for Archive360. Bill brings more than 29 years of experience with multinational corporations and technology start-ups, including 19-plus years in the archiving, information governance, and eDiscovery markets. Bill is a frequent speaker at legal and information governance industry events and has authored numerous eBooks, articles and blogs.
Transcript:
Bill Tolson:
Welcome to the Information Management 360 podcast. This week's episode is titled The State of Consumer Privacy and Security Legislation, a conversation with Utah state senator Kirk Cullimore. My name is Bill Tolson, and I'm the Vice President of Compliance and eDiscovery at Archive360. As you can infer from the title, joining me today is Utah state Senator Kirk Cullimore, author of the Utah Consumer Privacy Act, which was just signed into law by the Utah governor in March of this year. Senator Cullimore, welcome and thank you for taking the time from your busy schedule to join me today to discuss your new privacy law.
Kirk Cullimore:
Thanks for having me, Bill. Happy to be here.
Bill Tolson:
The state of Utah now becomes the fourth state to pass a consumer privacy bill into law, following California, Virginia, and Colorado, where I happen to be based. This is a fantastic accomplishment, senator, and I wish other states could get to it as well. But I've talked to many state legislators over the last, boy, six months or so, and a lot of bills have been input. In fact, I read a stat from the International Association of Privacy Professionals the other day that said in the first two months of 2022, 27 new privacy bills were introduced in states around the country. I know many state legislatures only run for three, four, five months of the year. So I'm hoping that some of those are going to get through, but obviously you made it through, and that was a huge accomplishment. One interesting thing I'd like to maybe pose is, can you tell me how long you had been working on your privacy bill?
Kirk Cullimore:
Yeah, absolutely. So early in 2020 actually, maybe even late 2019, a constituent of mine who is an attorney called me and asked if I'd consider running some sort of consumer data privacy bill because he represents tech companies and thought that it would be important to establish some bright lines in Utah law to give his clients some guidance on what their responsibilities might be. CCPA was already in effect, and his concern was that consumers may have potential common law claims against business for not abiding by data protection type ideas or using data in ways that were not anticipated by the consumer.
And so as somebody who represents those businesses, he was actually asking for this law so that the businesses would have some comfort in knowing what exactly the bounds of the law might be, and by that same token, he as a consumer also wanted some recourse and the ability to call out these businesses that might potentially be bad actors. And so I actually opened a bill file in the 2020 session. Because I opened it a little bit late, it did not really see much daylight that session. But a bill did come out late in the 2020 session, and my promise to everybody was that, "Hey, let's work on this through the interim and let's see what we can get done." Of course that was the year of COVID.
Bill Tolson:
Yeah.
Kirk Cullimore:
And so things got put on pause for a while. But I think it was later that summer I told everybody, "Hey, anybody who might be interested, we're going to do a Zoom call and start working on this for the upcoming session," and to my surprise, that was the biggest Zoom call I've ever had. I think 60 people from all over the country and all over the state were involved and were expressing interest and concern, and that kind of started off this journey really in earnest. And so I had a number of meetings and input from all sorts of groups and businesses, and we worked on it through that fall into the winter, and then I opened a bill file in 2021 and we got pretty far actually. I got it through the Senate committee and kept making tweaks and changes as I got suggestions. In our process on the Senate floor, we have to vote on bills twice, and so we got through the first vote and it passed I think unanimously.
Bill Tolson:
Wow.
Kirk Cullimore:
And I kept having a whole bunch of various suggestions and tweaks and it just didn't seem like I could get it to a point where I could get some consensus, and so I stopped running it that session. It was getting late in the session anyways and I had other bills that I was dealing with, and so we didn't get it across the finish line, and honestly, at the end of the 2021 session, I was not sure that I really wanted to take this up. I mean, I took on this crusade on behalf of a constituent. This is kind of outside of my wheelhouse, and I'm an attorney, but don't really deal with tech stuff all that often. And so I thought, "Man, this is a big lift." The attorney that I was doing it for had, frankly, lost interest a little bit because he was hoping for a very clean, small bill, and inevitably it just got more and more complex and bigger.
Bill Tolson:
Yeah.
Kirk Cullimore:
And he said, "Well, this is kind of exceeding what my goal was anyways," and so it seemed like I didn't really have a champion anymore for the bill. So I thought, "Well, everybody's just nitpicking this and nobody seems to be really happy. So what am I doing?"
Bill Tolson:
Wow. That's a shame, but it's also really, really interesting. Was there, of that constituent or others, was there any one or two rights that everybody was asking for, or was it just kind of a mixture of to protect my personally identifiable information?
Kirk Cullimore:
Yeah. It was all over. I mean the consumers obviously wanted as much protection as possible. The businesses wanted as many exceptions and were trying to find the right path and they liked this in Virginia and they didn't like that, and they wanted this from Colorado, and so it got... And I think Washington was pretty far along in the process at the time, and so it was just hard trying to get consensus, and because this type of bill seemingly affects almost every type of business these days as everybody collects data-
Bill Tolson:
Yeah.
Kirk Cullimore:
... it just seemed like it was impossible to get everybody on the same page, and because some of the industries that still had problems with it have a pretty loud voice, it didn't seem like it was something we were going to be able to get done, that they'd be able to influence enough legislators that it would not pass.
Bill Tolson:
Right. Yeah.
Kirk Cullimore:
That essentially, it didn't, the bill didn't die by a negative vote. But it essentially killed the bill of just not being able to get it to a point where we could get enough people on board.
Bill Tolson:
I think in the last six months, if not the year, but the last six months, the whole hot topic of data privacy has really cropped up for lots of, even just citizens, much less companies watching these different bills come up and organizations wondering, gee, in two, three, five years when there are 45 to 50 state privacy bills that slightly differ, how are we going to keep track of all these things? Because the definitions might differ, like you say the exemptions, the time to react. Those kinds of things are all potentially going to be different. So I'm sitting here in a private company and I talk to our clients and so forth, and outside law firms and stuff, and they're all really getting nervous about how are we going to be able to respond to all of these laws, not to mention the EU's GDPR, China's privacy law, Brazil's, and all these other ones. How are we going to keep track of all these differentiators and be able to respond?
So I think it's becoming, obviously, and I'm sure you're hearing this too, it's coming to the top of the priority list. You mentioned Washington state and Virginia and Colorado. Did you get a chance to work with, or talk directly with, some of the various legislators in those other states? Washington, by the way, Washington come to... Every state legislator I've talked to, they all said, "Yeah, we talked to Washington and looked at their bill," and for some reason, Washington state, which hasn't actually gotten a bill passed yet, is kind of the example bill that many of them at least start with.
Kirk Cullimore:
Yeah, and I think originally that's what we did as well. We looked a lot to Washington. I think when I was starting this, Virginia hadn't even really come online yet, and so that was the basis. I did not talk to any of the sponsoring legislators I don't believe. But I talked to various groups from the states and some of these national groups that were watching all of this. Virginia I think became law during the time that we were considering the 2021 legislation, and so that became a little bit of an influence, and to your point Bill, I think what the biggest concern was is we don't want a whole bunch of differences across the country, and so one of my goals, for better or worse, was to create a law that did not create any more burdens or was not any more onerous than CCPA for example, so that if you were in compliance with CCPA, that by default you would already be in compliance with the Utah law.
Bill Tolson:
So your thought was, I think it's a great thought, that you could use an existing law like the CCPA, CPRA, as a high watermark. Gee, everybody point at that one. If you meet that one, then you should be good with all of them.
Kirk Cullimore:
Yes. That was the goal, at least in Utah. That still did not appease a lot of the interest groups who said, "Well, we would just as soon not see these laws proliferate around the country." But, but...
Bill Tolson:
Yeah.
Kirk Cullimore:
I think to your point earlier as well, one of the goals is inevitably with the internet and data collection and all of that, we're crossing state lines obviously. This is interstate commerce, and this really is probably something that Congress should take up, and so I think, again, one of the goals in Utah and other states is, "Hey, as more of these bills pop up across the country, that's going to kind of force Congress to have to take a look at this issue hopefully."
Bill Tolson:
Well, and that was going to be one of my other questions, and this comes up a lot, and like I just said, all of these new laws that are close but not exact and all the differentiators that organizations are going to have to follow, what do you think the chances are of a federal government privacy law that supersedes the state laws to make it obviously more straightforward for companies to pass? What do you think the chances are of something like that kind of privacy bill coming into effect in two, four, six years? Because I, last I looked, and this was a month or so ago, I think the Senate and the House at the federal level had a total of about 18 or so privacy related bills. Five or six of them were more specific and like the state bills that have been passing, I think there were two that were very close. One from Senator Gillibrand in New York and one from Kansas, senator... God, I forget his name now. That's embarrassing.
Kirk Cullimore:
No, you're fine.
Bill Tolson:
But what do you think that the chances are, just in your obviously educated opinion, of the feds getting their act together one of these days?
Kirk Cullimore:
Well, I think it's inevitable. But the timing of it is obviously what's the question, and just in my experience, my very limited experience in Utah, I think it's a pretty low likelihood that we see anything happen in the next two to four years because it's just going to take so much input from so many different groups and advocacy groups and businesses, and this will seem a lot more permanent, if you will, than the various state laws, and again, in my experience it's easier to go in and tweak a state law. If there's something in Utah that we think, "Oh, that should be adjusted," well next legislative session we can probably get that done pretty quick.
Bill Tolson:
Yeah.
Kirk Cullimore:
Where that's a much bigger task at the federal level, and so I think whatever gets on the books is going to be subject to a lot of scrutiny and a lot of work, and in Utah, if it took me more than two years to get this little thing done, I think it will take at least that much time to find enough consensus that we get enough votes in the House and Senate on the federal level.
Bill Tolson:
Yeah. By the way, the Kansas senator, which I screwed up, I remember his name and it's Senator Moran, Jerry Moran, in Kansas.
Kirk Cullimore:
Oh, right.
Bill Tolson:
He and Gillibrand have two different bills that are very close going after this. An interesting thing, you may or may not have heard this, but on December 10th of last year, the FTC filed an advance notice of proposed rulemaking with the Office of Management and Budget that basically initiates consideration of them doing a rulemaking process around privacy and artificial intelligence. So it looks like at least the FTC at the federal level is starting to think we need to do this somehow. I think it's a little off that a federal agency is doing it on their own versus it coming out of Congress. But I think enough companies and individuals are looking for something that maybe the FTC finally stood up and said, "Yeah, we'll do something until the Congress gets their act together."
Kirk Cullimore:
Yeah. I hadn't heard that, but I agree with you. One, it's a little off. It concerns me a little bit. We've got this large administrative state that de facto is creating laws anyways, and so it really wouldn't surprise me if that's the path that this started out, and maybe that's the impetus to get this going.
Bill Tolson:
Yeah.
Kirk Cullimore:
But my hope is that it is Congress that takes this up and not the FTC on their own through the rulemaking process.
Bill Tolson:
Well, and the problem with an agency like that putting these laws out means the next administration can come in and void them all, right?
Kirk Cullimore:
Yeah, exactly. So I don't think that's going to provide the structure and the consistency that businesses and consumers are looking for. So yeah, you're exactly right on that.
Bill Tolson:
Right. So your law, your Utah Consumer Privacy Act, includes most, and all the bills are sort of slightly different when it comes to these things, but they all have pretty much I think, or mostly, the same rights: confirm that the company's actually collecting PII and then give the data subject or the citizen the ability to access that PII through what is mostly universally called a data subject access request. Gee, I can send a request to IBM or HP and say, "Hey, have you been collecting data on me, and if you are, what have you been collecting?" That is starting that right, and it, by the way, it's a very good right. But that process of responding to those requests is beginning to be an issue for many companies that I think almost none of them planned on, and some of the key market statistics I saw on this just lately is that the average corporation is receiving 147 data subject access requests per month at an average cost of $1,400 per request, or $200,000 a month, and that's for a couple of reasons.
Number one, that's just based on GDPR and the California privacy act laws, not these other ones that have come up. But it also is a problem with the actual corporations themselves because they have not been really actively managing all of their data, including the personally identifiable information. So they're having to go to 10, 15, 25 different repositories and say, "Well gee, what do we got on Bill? He wants to know what kind of data we have." So I think these bills, these laws, are becoming an impetus for organizations to actually get better control of their digital data and start managing it more effectively so that they can tell somebody like me, "Yeah, we have this data. We don't have any data on you. We don't know who you are. So sorry, go away."
Those DSARs, or data subject access requests, I think we're going to start hearing more and more of. I know in your law, you can access PII and you could say, "What do you have on me?" And then you can request, with the European GDPR they framed it as the right to be forgotten, but basically it's the right to erasure. I know in yours you include the right to delete personally identifiable information that is not subject to other regulatory laws, or maybe it's part of eDiscovery or something like that. But I noticed in the Utah law that it says you could delete PII that the consumer provided to the controller, but not that PII that was collected in the open, basically. Is that true?
Kirk Cullimore:
Yeah. That's how it's written, and right now I think it's to address that concern that you mentioned, that anything that you provide to the controller is within the controller's control. That's what they're liable for, and it doesn't go to that next step now.
Bill Tolson:
Right.
Kirk Cullimore:
Again, because these other states have, like California, have gone to the next step-
Bill Tolson:
Yes.
Kirk Cullimore:
... there's a thought that some of that could be inferred or some of that process would be there. But right now, to address some of the business' concerns we said, "Well, you've got to delete at least the stuff that's within your control, and it doesn't..." Yeah. It's not as expansive, and there is some critique of that. But again, at this point we were trying to get something that we could find some consensus on. So...
Bill Tolson:
Oh yeah. Oh yeah. Yeah. I thought that was interesting because like you say, I look at the Californias and Virginias, and I think some of them don't go to that depth so they infer any information you have on me needs to be deleted, and then I think it was Virginia's that publicly available PII is not subject to the law. But I think that's an interesting differentiator. I don't think it's necessarily an issue one way or another. I think that will probably be one of those things that those privacy advocates will probably center on trying to get tightened up. But other rights that you've included are the right to obtain a portable copy of the data, opt out of targeted advertising and sale of personal data, not to be discriminated against, those kinds of things, and I think you're not the only one, or [inaudible 00:18:18] is not the only one. But some of the bills basically give the right to consumers to correct data that's potentially wrong or incorrect, but I don't think you covered that in the Utah, your Utah law, did you?
Kirk Cullimore:
We didn't, and again I think that's another one where if you have the right to delete, maybe it could be inferred that you have the right to correct. We didn't spell that out. My guess is that most controllers or processors would want to do that because if the alternative is just to delete the data, that there'll probably be a path to just correct it. But we didn't spell that out in our law, not to suggest that businesses shouldn't or ought not to allow that. Just again, it was one of those things where the process and how to get it done, it was just becoming difficult that if we wanted to get a bill to pass this year, that that was something we were going to have to come back to.
Bill Tolson:
Oh sure, and I would assume that like the other states with the existing laws, California did with the CPRA, you'll be slowly amending it over time and adding or subtracting stuff from it. Part of the legislative process, right?
Kirk Cullimore:
Yeah exactly, and that really was part of the goal this year, was this is not the perfect bill. But we got it to a point where hey, we think we can get something passed, and in my estimation it's going to be easier to come in here and change a thing or two than to try to implement a whole new privacy act or work on that from year to year. So...
Bill Tolson:
Yes. Oh sure, and the other states that I've talked to, the other, the authors of bills have said the same thing. We need to do what we need to do just to get the bill on the books, get the law on the books, and then we can slowly change it over time as there's more input from data subjects and from industry and those kinds of things. So the key thing is to get something there that addresses most of the things that people want, and then fine tune it over time, and I think people expect that, and that's obviously a great process. What makes a company subject to the bill I notice, I think you're almost exactly the same as many of the other ones I've read. To be affected, these entities are required to have an annual revenue of at least $25 million and annually control or process personal data, I think in the Utah case, 100,000 or more Utah residents.
And by the way, I like the way that you spelled that out in your law because some of the bills and some of the laws don't say California residents or don't say Virginia residents. They just say residents and people have misconstrued that. But I think in your case, 100,000 Utah residents is about 3% of the Utah population as I remember, and that seems pretty realistic. But one caveat, and I think I know this, but I want to say it anyway so others do, so if a company only controls the personally identifiable information on, for example in your case 45,000 Utah residents so it doesn't reach the 100,000 mark, then they're not subject to your privacy act, right?
Kirk Cullimore:
That's correct. So there is the two thresholds.
Bill Tolson:
Right.
Kirk Cullimore:
Has an annual revenue of 25 million or more, and then the second threshold is either controls or processes personal data of 100,000 consumers, which is Utah residents.
Bill Tolson:
Yeah.
Kirk Cullimore:
Or they derive 50% of their gross revenue from the sale of personal data and controls 25,000 consumers, and so there is the potential that if your business is primarily in the sale of data, that that consumer threshold is quite a bit lower.
Bill Tolson:
Yeah. I was going to say it, it sounds, the way that's worded it sounds like you were really targeting data brokers, which need to be, have more control of them, obviously, and by lowering that number from 100,000 to 25,000 I think it really does do that.
Kirk Cullimore:
Yeah. That was the intent. Obviously, the other intent is, you see in other states, is to not necessarily put all these burdens on new and upcoming businesses. In Utah, we've got a pretty vibrant tech sector that's dubbed Silicon Slopes there as opposed to Silicon Valley, and so we've got a lot of entrepreneurial tech businesses that are, inevitably are going to be in the business of having data, and so we didn't want to stifle that innovation and that entrepreneurship. However, I think what's important to know is that even if you're not necessarily subject to this law, the guidelines and the bright lines are here. And so I would expect that most businesses are going to follow the law in anticipation of either meeting that threshold or just to say if some consumer claims that they're in violation of the law, even if they're not subject to it, they can still make a claim that, well one we're not subject, but even if we were, we're still in compliance with the law, and so that's the intent there. We hope that most businesses will still react to this.
Bill Tolson:
Well, no. I think that most businesses in states, including Utah, including Colorado, they're not in the business of selling personally identifiable information. They're in the business of providing services or manufacturing stuff and things like that, and yes, they want to collect their customer data so that they can send them newsletters or send them emails and say, "Hey, we got a new revision of this out," or, "We got a new product that we think you might like," that kind of stuff, and that kind of data is related to the business that they've done with the company before. So I think the way that these things are worded, the way you've worded yours, really kind of sets a lot of companies' minds at ease: we collect Bill Tolson's email address and general stuff, we're not asking for personal attributes or anything like that.
But they want to do sales and marketing to them because they've done business with them before, and I think that's what most companies looking at this really kind of see, and the way that these laws are worded it does kind of make it obvious unless you're an IBM or a Hewlett-Packard or an AT&T that has millions of customers, you're probably treating your customers pretty well anyway and you don't want to get on their bad side by misusing their data. But the other side of that is that data could be breached. Then all of a sudden they're getting emails from the company saying, "Hey, we've been breached. Your data's out there on the dark web. We're going to give you two years of credit monitoring," all these kinds of things and it obviously hurts the reputation.
So I think many people, the way that a lot of stories are being written about these new privacy bills, I think it freaks businesses out and if they could understand more, that it's not really affecting them that much. All you got to do is act in the best interest of your consumer and you're going to be good. You're going to be fine.
Kirk Cullimore:
Yeah. I think that's exactly right, and the hope is that the compliance with the Utah Consumer Data Privacy Law is not something that they're not already doing, or at least thinking about and working on getting into compliance. So-
Bill Tolson:
Exactly. Exactly. Yeah. One thing I wanted to ask you about, and I've asked all the state senators that I've talked to the same thing, in your law, all the bills use almost exactly the same language when it comes to security and they all, like I said, this is not just Utah, but they all say controllers must establish, implement, and maintain reasonable administrative, technical, and physical security practices, which is pretty broad. Did you keep it at that higher level just to make sure that you were not putting additional, I guess, challenges to companies? Because one other thing that I wonder and I've brought up is, we're to the point now where could a state law say reasonable security practices, including that all personally identifiable information should be encrypted while in transit and while at rest? Does that make sense?
Kirk Cullimore:
It does, and I think as I recall now, it's been more than a year, but earlier versions of the bill had spelled out exactly what those security measures had to be-
Bill Tolson:
Oh, wow. Great.
Kirk Cullimore:
... and what businesses had to do, and, again, legislation is the-
Bill Tolson:
Yeah.
Kirk Cullimore:
... is the practice of what's possible, and that was-
Bill Tolson:
Negotiation.
Kirk Cullimore:
Yep, and that was one of the biggest sticking points is dictating too much of what that security was going to look like or what the process would be, and so that's, again, for better or worse, that's one of the things that had to come out as there was just not any consensus. We were not going to be able to get to a point where we had a bill if we spelled it out too much, and so it is pretty broad still. But that's something that we could definitely look at and still work on.
Bill Tolson:
Yeah. I mean, like I say, I asked the same question of the other states, and I think it was New York, who doesn't yet have a passed bill, and Virginia. They both said, "Yeah, no. We recognize that that's a little too high level," and in future years with amendments... Sorry, I think it was Virginia that basically said, "Yeah, we really plan on tightening that up a little bit." I mean, they all made the point that we don't want to designate specific technologies related to specific brands. That wouldn't be fair, number one, but to say something like... And I got this thought from all the stuff I do around the European GDPR. In the GDPR privacy regulations, it does say in a couple of places, it doesn't say you must encrypt data, but it does say that if your system is breached to where personally identifiable information could have been viewed or looked at, but if that data was encrypted and the encryption keys were kept separately, then in fact for the GDPR there was not a breach, and the breach notification is not triggered.
That's what kind of got me thinking about this as a money saving and a liability saving practice for companies that are sitting on PII. If you encrypt it, and with ransomware, extortionware, or any other kind of cyber attack, companies are just getting opened up all the time now, you would think, and I've actually talked to cyber liability insurance brokers about this and they all say, "Yeah, if you're encrypting your data, your cyber liability insurance rates are going to be much lower," which makes sense.
Kirk Cullimore:
Yeah. No, that's probably great practice, and that's probably something we got to look at with GDPR and see if we can implement some of that to encourage that, at least at the Utah state level.
Bill Tolson:
Oh yeah. Yeah. The enforcement arm for your law is the state AG, right?
Kirk Cullimore:
It is through the Division of Consumer Protection.
Bill Tolson:
Oh, okay.
Kirk Cullimore:
And so we wanted a private right of action, which is not going to fly in Utah. That's-
Bill Tolson:
Well, I was going to bring that up too. But I know in most of the states I've talked to, they all say that was a guarantee that it would not be passed.
Kirk Cullimore:
Yes. That was the same here in Utah. But we still wanted the consumers to have a very viable and reasonable option to make complaints for companies who are not being responsive or potentially not following the law, and going right to the AGs office seemed a little bit cumbersome and maybe not as consumer friendly, and so the Division of Consumer Protection has a procedure where a consumer can just go make a complaint and then they can look into that complaint.
And it seems just a little bit more consumer friendly in that you basically have a case worker assigned to it and you can respond to them and interact with them and if after investigation the division does find in fact that there is a violation of the law, then they would escalate it to the AGs office, and my assumption is they would send it to the AGs office with their file and the findings of their investigation. So it's a little bit more ready to go, and so not only did I feel like that was more beneficial to the consumer, but it was less burdensome and probably less costly on the AG than having the AGs office have to do an investigation for every consumer complaint.
Bill Tolson:
Or staff a whole new agency like California did, right?
Kirk Cullimore:
Exactly, yep.
Bill Tolson:
Yeah. I mean, just another level of bureaucracy, I think, and I was originally born in California, so I'm leery about a lot of the stuff that they do. I noticed that the penalties per violation in the Utah law include, I think in the text it says, actual damages to the consumer and up to a $7,500 penalty per violation. Unlike, I think, California, which may at one point have had the concept of presumed damages, but I don't think it does anymore. But up to that point, if actual damages are figured out, does the data subject, does the citizen actually get any of that, or does it go into the agency for overall budget use?
Kirk Cullimore:
The intent is that the actual damages would go to the data subject, but then that the fines would go to the fund to help with further enforcement and all of that. So-
Bill Tolson:
Well, that makes sense.
Kirk Cullimore:
So if there are actual damages that the consumer can be made whole.
Bill Tolson:
Yeah. I think in California, any fines get paid to the agency and go into the general budget. But if the citizen uses the private right of action, then they obviously can collect what they can collect from the company. So that's, I think that's really interesting. I did notice, I don't know if you've run across this, but the New York privacy bill, which has been introduced every year for the last four or five years, and I think the senator I talked to, who's the co-author, Senator Kevin Thomas, in some of the original introductions of the bill he used a concept referred to as a data fiduciary, which is probably one of the main reasons why it hasn't passed into law.
But that obviously could be an issue for companies, and when I had him on the podcast a couple months ago, I said, "Oh, I noticed in your newest bill that the data fiduciary provision's not in there," and he was silent for about 10 seconds. He said, "Oh no, it's there. I just renamed it." Okay, I think he called it the duty of loyalty and care, which basically is the same thing. That obviously probably wouldn't fly in Utah I assume.
Kirk Cullimore:
I don't think so, and in fact, that's... With my constituent, that was one of the impetuses for getting this bill going, is that if that duty could be inferred, then potentially these businesses have liability and risk associated with that duty, and so by spelling out exactly what their responsibilities are in law, that kind of hedges that risk and that liability, and so that was the whole point of this. It was maybe the opposite of what the New York legislators are trying to accomplish, in that we're saying, "No, let's just establish what precautions and what parameters you need to operate within." That's the extent of your liability.
Bill Tolson:
Yeah. I forgot to ask this of the other states. Did you consider, or do you see a need in the future, in future privacy amendments and such, to limit the transfer of Utah citizens' personally identifiable information outside the country like the EU's GDPR does?
Kirk Cullimore:
That's a good question, and we didn't even really begin to address that. Again, this data and these businesses are not just operating within Utah obviously, and probably in many cases are not just national, but international, and so we did not want to, again, stifle innovation and what businesses might be able to do within the state of Utah, and in fact some of the other bills that I've run this past year deal with blockchain technology.
Bill Tolson:
Oh, yeah.
Kirk Cullimore:
Which can easily expand beyond national boundaries, and so I think we would be hesitant to do anything like that unless we can find the right balance between kind of allowing for this global market to expand and to develop within Utah while still finding the right balance to protect the consumer's data and what their expectation is of how that data might be used. But we didn't really delve into that too much yet.
Bill Tolson:
Well, and that's a good point, because under the GDPR, each country in the EU has their own data protection authority, but they all adhere to the overall GDPR authority. So they could say, "Well gee, you can't move data out of the EU." So you would need that kind of federal positioning as well. One thing I wanted to get on the record, I know the answer and I just want people to hear it, I think, from you, is that the Utah state law can be construed as global, right? A company in Turkey collecting Utah data subject PII is basically under the auspices of following this law, if the state wanted to go after them if they were misusing the data, right?
Kirk Cullimore:
Yeah. That, I mean that's the intent. If they meet the initial thresholds that we talked about, about how much data they're collecting and their revenues and all of that. But yeah, that is the intent, that-
Bill Tolson:
They're in violation of the law and they're not in the United States, they're still subject to the law if the state decided they wanted to make a point and go do that and maybe collect actual damages and things like that. The EU's GDPR started that back in 2018, and it said it doesn't matter if you're in South America or Russia or China or wherever else. If you had collected EU citizen PII and you misuse it or it's breached, then you're subject to the law, and that makes a lot of sense. But I think that point, that's why I wanted to bring it up, is that a lot of people don't understand that all of these worldwide privacy laws are global in nature. So it's not like, "Well gee, I'm in the United States. I'm only going to collect U.S. data," or something like that, "And I'm not going to be subject to the EU." I mean, that's awfully hard to manage anyway. But I just wanted to make sure everybody understood that this is a global law when it comes to protecting Utah citizen PII.
Kirk Cullimore:
Yeah, that's correct, and again, if you're going to take advantage if you will, or solicit business of Utah citizens, then yeah. You're availing yourself of those laws.
Bill Tolson:
Yeah. I think you might have touched on this, but did you work with any specific company or industry that gave you feedback that you could use? I know you talked about the constituent, and then you referred to the other data subjects and companies and such. I know in many of the other states they have asked for, and rightfully so, received help from the big industry players to say what's realistic, what are the kinds of things you're seeing in other states. Is that something you looked at or did do, or was it really much more homegrown?
Kirk Cullimore:
No. It, we definitely solicited input from everybody. I wouldn't say that there was any one business or industry that has more of a fingerprint on this than another. Like I said, the original bill was pretty homegrown. But of course that one didn't fly.
Bill Tolson:
Yeah.
Kirk Cullimore:
And so as we added to that, that's where we started pulling from Washington and Virginia, and then making tweaks here and there based on all sorts of industries and businesses, and [crosstalk 00:37:11].
Bill Tolson:
And I know they've worked with various spitters, industry groups and industries, I know Massachusetts, Connecticut, and others have worked with the obvious names just to get their inputs and things because these bigger guys do business worldwide, and so you got to make sure that you're covering at least their challenges or at least understand them. But the fact that you were really driven originally by a constituent, I mean it's just fantastic, especially a lawyer. I mean boy, they know what they're doing, right?
Kirk Cullimore:
Yeah. Yeah, and like I said, the original bill was really pretty simplistic and his goal was, "Hey, create an easy path for consumers and create big, bright lines that are easy for the business," and in fact he litigates in California on some of this stuff, and so he really wanted to avoid the complexities of that. But yeah, this is the result of two and a half, three years of work, and it's, like we've said, it's imperfect. But it's a good starting point and it's something that we could actually get on the books.
Bill Tolson:
Well, and it's the legislative process and that's the way it works, and that's the way it's supposed to work, right?
Kirk Cullimore:
Exactly.
Bill Tolson:
So like I say, the fact that you're only the fourth state out of 50 that has gotten this done I think is a huge tribute to both you and your state. So I think that's fantastic. So I think that probably wraps it up today on our podcast, the Information Management 360 podcast. I want to thank you for this really insightful, and actually enjoyable, discussion today on the very important subject of data privacy and the steps that you went through in your thinking process. Like I say, I think it's been a great accomplishment for you and your state.
If any of our listeners today have questions on this topic and would like to talk to a subject matter expert, please send an email mentioning this podcast to info, I-N-F-O, at archive360.com, and we'll get back to you just as soon as possible. Also, check back on the Archive360 resource page for new podcasts with leading industry experts on a regular basis. In fact, I do have a podcast recording scheduled with Colorado state senator Paul Lundeen, co-author of the Colorado Privacy Act, that's scheduled in the near future. So check back for that. But again, Senator Cullimore, this has been fantastic and I really appreciate you taking the time to be with us today.
Kirk Cullimore:
Well, thank you, Bill. Thanks for all your work, and appreciate the podcast and the information, and just thanks for what you do.
Bill Tolson:
Great. Thank you.