Utah Governor Gary Herbert is expected to sign a new privacy law in the coming weeks that will make his state the first to protect private electronic data stored with third-party providers from government access without a warrant.

Under the legislation passed unanimously by the Utah Legislature earlier this month, law enforcement agencies need a warrant to obtain information about an individual from wireless communications providers, email platforms, search engine providers, or social media companies.

While much of the focus over the past two years has been on laws to protect consumer privacy rights, protecting private information from disclosure to law enforcement has also generated attention. Traditionally, the general rule followed, on both the federal and state levels, has been that law enforcement agencies can access information through third-party providers because individuals have no reasonable expectation of privacy when they share their personal information with third parties.

The U.S. Supreme Court curbed that traditional rule in last year’s 5-4 opinion in Carpenter v. United States, in which the majority held that the government’s search of personal cell phone location information held by a wireless communications provider constitutes a Fourth Amendment search, and therefore requires a warrant. However, the opinion did not extend beyond location information, and the dissenting justices urged that legislation was needed to govern this body of law in a new age of technology.

Utah’s new law addresses the issue head-on by specifically providing that “a law enforcement agency may not obtain, without a search warrant issued by a court upon probable cause,” the location information from an electronic device or “electronic information or data transmitted by the owner of the electronic information or data to a remote computing service provider.” “Electronic information or data” is defined broadly to include “a sign, signal, writing, image, sound, or intelligence of any nature transmitted or stored in whole or in part by a wire, radio, electromagnetic, photoelectronic, or photooptical system.” In other words, law enforcement agencies cannot obtain information about an individual from third-party service providers without obtaining a warrant. Notably, there are specific exceptions, such as when the third-party provider believes an emergency exists with risk of death, serious physical injury, or sexual abuse.

Assuming Gov. Herbert signs the bill, Utah likely will not be the last state to venture into this area of law. Companies should therefore keep in mind that on top of the growing patchwork of consumer privacy laws and regulations, they may face new laws and regulations that change longstanding practices in how they respond to requests from governmental agencies.

Ballard Spahr's Privacy and Data Security Group provides a full range of counseling, transactional, regulatory compliance, investigative, and litigation services across industry sectors. The Group assists in drafting privacy policies, third-party vendor agreements, and information security policies and procedures.


Copyright © 2019 by Ballard Spahr LLP.
www.ballardspahr.com
(No claim to original U.S. government material.)

All rights reserved. No part of this publication may be reproduced, stored in a retrieval system, or transmitted in any form or by any means, including electronic, mechanical, photocopying, recording, or otherwise, without prior written permission of the author and publisher.

This alert is a periodic publication of Ballard Spahr LLP and is intended to notify recipients of new developments in the law. It should not be construed as legal advice or legal opinion on any specific facts or circumstances. The contents are intended for general informational purposes only, and you are urged to consult your own attorney concerning your situation and specific legal questions you have.