
The Utah Consumer Privacy Act: The Fourth Comprehensive State Privacy Law Following California, Virginia, and Colorado

On March 24th, Utah Governor Spencer Cox signed Senate Bill 227, the Utah Consumer Privacy Act (“UCPA”), into law. Utah is the fourth state to enact a comprehensive privacy law, following California, Virginia, and Colorado. In this blog post, we cover some of the most important things that businesses should know about this new state privacy law before its effective date of December 31, 2023:

Who does the UCPA apply to?

The UCPA applies to any controller or processor that (1) conducts business in Utah or produces a product or service that is targeted to consumers residing in Utah, (2) has annual revenue of $25,000,000 or more, and (3) satisfies one or more of the following thresholds:

  • during a calendar year, controls or processes personal data of 100,000 or more consumers; or
  • derives over 50% of the entity’s gross revenue from the sale of personal data and controls or processes personal data of 25,000 or more consumers.

Governmental entities, third parties under contract with a governmental entity when those third parties are acting on behalf of the governmental entity, tribes, institutions of higher education, nonprofit corporations, “covered entities”, “business associates”, and financial institutions covered under the GLBA are exempted from the scope of the UCPA. The UCPA is unique in the sense that it explicitly exempts tribes and third parties under contract with the government. The UCPA also exempts certain types of data that are already covered under other federal laws, such as protected health information regulated by HIPAA, personal data regulated by the Driver’s Privacy Protection Act, and personal data regulated by FERPA.

What is “sensitive data” under the UCPA?

The UCPA defines “sensitive data” as personal data that reveals an individual’s racial or ethnic origin, religious beliefs, sexual orientation, or citizenship or immigration status. Information regarding an individual’s medical history, mental or physical health condition, or medical treatment or diagnosis by a health care professional is also considered “sensitive data.”

However, personal data that reveals an individual’s racial or ethnic origin – if processed by a video communication service – does not fall under the definition of “sensitive data.” Personal data processed under either the Health Care Facility Licensing and Inspection Act or Title 58 (Occupations and Professions) is also not considered “sensitive data.”

Does the UCPA provide any consumer privacy rights?

Yes. Under the UCPA, consumers have access, deletion, and portability rights, as well as the right to opt-out of the processing of personal data for purposes of targeted advertising and/or sale.

What is required of controllers and processors?

Under the UCPA, controllers are required to provide consumers with a reasonably accessible and clear privacy notice and to establish, implement, and maintain reasonable administrative, technical, and physical data security practices. Controllers will not be able to process sensitive data without first providing clear notice with an opportunity to opt out.

Processors must adhere to the controller’s instructions and, taking into account the nature of the processing and the information available to the processor, use appropriate technical and organizational measures, as reasonably practicable. Before a processor performs processing on behalf of a controller, the processor and controller must enter into a contract that sets forth several obligations concerning the handling of personal data.

What are the enforcement mechanisms?

Utah’s Division of Consumer Protection will have the ability to investigate consumer complaints regarding alleged violations of the UCPA by controllers and processors.

Before initiating an enforcement action, the attorney general must provide written notice to the entity in question outlining the provisions of the UCPA that have been, or are alleged to have been, violated, as well as an explanation of the basis for each allegation.

There is no private right of action.

When will the UCPA become effective?

The UCPA will become effective on December 31, 2023.

Key Takeaways

With four state privacy laws in the mix now and potentially more to come, businesses should prioritize developing a robust, scalable data privacy program. Our dedicated data privacy attorneys routinely provide guidance on various consumer data privacy regulatory regimes and are experienced in helping businesses adapt to the constantly evolving legal landscape.

*Attorney Advertising: prior results do not guarantee similar outcomes.

Data Privacy Day: 5 Privacy Considerations for Businesses in 2022

January 28th is Data Privacy Day – an annual, international event to promote privacy and data protection best practices for both consumers and businesses.

Here at Octillo, every day is Data Privacy Day. Our premier team of highly skilled attorneys and technologists works with businesses day in and day out on all things data privacy. With our unique experience and expertise, we assist clients in building out privacy and data security compliance programs from the ground up, responding to headline-making national and international data breaches and cyber incidents, navigating the wide range of state, federal, and international regulatory regimes, and so much more.

For this year’s Data Privacy Day, we put together a list of the top five things that businesses can start thinking about when addressing privacy in 2022:

1. Data Rights and What They Mean for Your Data Management

The European Union’s General Data Protection Regulation (GDPR) comes with, amongst many other things, a number of data subject rights, including the rights to access, rectification, erasure (otherwise referred to as the “right to be forgotten”), restriction of processing, data portability, object, and not be subject to a decision based solely on automated processing. At the domestic level, the California Consumer Privacy Act (CCPA) also includes its own set of data subject rights, including the rights to access, opt-out of the sale of personal information, and deletion. The upcoming California Privacy Rights Act (CPRA), which amends and expands on portions of the original CCPA, adds the right for consumers to limit the use and disclosure of sensitive personal information. Both Virginia and Colorado enacted their own comprehensive privacy laws set to go into effect in the next 18 months – each with their own sets of data subject rights.

As 2022 progresses and as 2023 approaches, businesses should stay up to date with upcoming privacy laws and their respective data subject rights. In addition to data rights included in the aforementioned regulations, consumers in 2022 are increasingly invested in what companies are doing with their data. Developing and implementing data access request procedures is both a step towards compliance with privacy regulations and a way to demonstrate that your organization values consumer privacy.

2. Data Mapping

From a regulatory compliance standpoint, obtaining a complete and accurate picture of your organizational data landscape is essential. Part and parcel of compliance with major, comprehensive privacy laws, such as the GDPR and the CCPA/CPRA, includes determining the scope and flow of data into and within your organization. For example, from whom is personal data being collected? And to whom is that personal data going? What categories of personal data are being collected? When is it being collected? For what purposes is that personal data being collected? And where does it sit within the organizational infrastructure?

Data mapping is an extremely useful exercise for a business to understand its own data flows. In 2022, as privacy law continues to develop on both a national as well as an international scale, businesses should take the critical step to develop a data inventory and a data map.

3. Governing Your Privacy

Developing a privacy compliance program is important, and so is implementing those privacy policies and procedures into your daily operations. What does it mean to “govern your privacy”? After understanding data rights and mapping your data, the next step in the process is taking proactive measures to understand your privacy requirements and implementing data governance principles to comply with applicable laws and regulations. Data governance refers to an organization’s ability to understand its data flows and stakeholders, to handle data effectively and properly at all points of the information lifecycle, and to develop access privilege controls and accountability measures. In 2022, consider data governance principles when assessing how to protect and handle your data to comply with the major, comprehensive privacy laws.

4. The Good, Bad, and Ugly of Cookies

Another key consideration for businesses is their website’s cookie consent banner. For example, in the first week of January, France’s data protection authority (the CNIL) announced fines against Google and Facebook for €150 million and €60 million, respectively, for failures to make the rejection of cookies as easy to do as the acceptance of cookies. These fines follow on the heels of the CNIL’s November 2021 guidance, in which it reminded businesses that users must be able to “choose freely and in an informed manner to be the object of a tracking not strictly necessary for the provision of the requested service” and “to refuse such tracking.” Businesses should anticipate cookies and online data tracking to continue to be an area of focus for regulatory authorities and should take care to ensure that cookie consent banners are compliant with the varying applicable laws.

5. Annual Review of External Website Disclosure Policies and Notices

Businesses that are subject to the CCPA are required to update their privacy policies “at least once every 12 months.” Not only is an annual review of external website disclosure policies and notices required, but such a review presents an opportunity for a business to take stock of its data collection and processing practices and to ensure that any policies or notices reflect current activities. Furthermore, the privacy landscape is constantly evolving. New laws and regulations enter the playing field, while updates are made to existing ones. The four above-mentioned considerations can help businesses prepare for an annual review of privacy policies, and the review itself can help businesses stay up to date with current data practices and legal developments.

Conclusion – Data Privacy Day

In the spirit of Data Privacy Day, we hope that you take the time to think about how privacy impacts your business and about the key data privacy and security considerations for 2022. Given that privacy compliance is a constantly evolving and long-term endeavor, we hope that you continue to engage with data privacy beyond Data Privacy Day. Octillo attorneys are committed to providing updates on relevant legislation, current threats, and proactive data security steps.

Be at the forefront of data privacy and security by following us on LinkedIn, reading our blog, and subscribing to our newsletter.

*Attorney advertising – prior results do not guarantee future outcomes.



Year in Review: 2021’s Top Privacy and Cybersecurity Trends

Despite the ongoing COVID-19 pandemic, 2021 proved to be another incredibly busy year for consumer privacy and cybersecurity. In this blog post, we revisit some of the most important domestic and international privacy and cybersecurity trends of the past year. 


New State Consumer Privacy Laws 

On the heels of the California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA), Virginia and Colorado became the next two states to enact comprehensive consumer privacy laws. Signed into law by Governor Ralph Northam back in March, the Virginia Consumer Data Protection Act (VCDPA) becomes effective on January 1, 2023 and applies to all companies that operate a business or produce products or services that are targeted to residents of Virginia and meet certain thresholds. Months later in July, Governor Jared Polis signed the Colorado Privacy Act (CPA) into law. Set to go into effect on July 1, 2023, the CPA applies to controllers that conduct business in Colorado or produce or deliver commercial products or services that are intentionally targeted to residents of Colorado and meet certain thresholds. Both the VCDPA and the CPA carve out several exemptions for entities that are already covered under the privacy and security requirements of other federal laws. Unlike the CCPA and the VCDPA, however, the CPA does not provide an exemption for non-profit organizations. Furthermore, neither the VCDPA nor the CPA offers a private right of action.

Other notable state privacy developments include New York’s new rules on employee electronic monitoring as well as Nevada’s SB260 amendment, which expanded the right to opt-out of sales and created new requirements for “data brokers”. 

As we head into 2022, we anticipate that the patchwork of state consumer privacy laws will continue to grow. Octillo recommends that businesses take proactive steps to first evaluate what laws and regulations apply to their business and then develop a comprehensive roadmap and plan to mature their data privacy and security posture both internally and externally.   


Continued Focus on Cybersecurity 

Threat actors in 2021 continued to launch increasingly sophisticated ransomware and cyberattacks against businesses of all sizes and in all industries. In the wake of highly disruptive attacks such as SolarWinds and the Colonial Pipeline ransomware attack, both the federal government and state governments sought to increase their focus on cybersecurity standards. For example, the New York State Department of Financial Services (NYDFS) issued guidance to cyber insurers in the form of the Cyber Insurance Risk Framework. The Cybersecurity and Infrastructure Security Agency (CISA) also regularly issued advisories informing businesses of vulnerabilities. In an effort to secure critical infrastructure, President Biden signed an Executive Order on “Improving the Nation’s Cybersecurity” in May. The new Civil Cyber-Fraud Initiative announced by the Department of Justice back in October further indicates the increasing importance of developing and maintaining resilient cybersecurity protocols.

The federal government’s response to this year’s exponential increase in ransomware attacks has led several high-profile threat actors – such as DarkSide, REvil, and BlackMatter – to take their dark web platforms offline. At the same time, however, new variants of ransomware are constantly emerging, and there is significant evidence that experienced cyber criminals are rebranding to evade law enforcement rather than shutting down their operations.

In this complex threat landscape, companies across industries are wisely seeking to secure or renew cyber liability coverage in an increasingly competitive market. Insurers are asking meaningful questions about applicants’ security programs and expecting strong safeguards to be in place. For organizations of all sizes, the past year has shown that cybersecurity incidents are now a question of when rather than if.

Octillo’s Incident Response Team urges businesses to develop plans and procedures to mitigate cyber and legal risk. Octillo recommends businesses continue to dedicate internal resources to refining compliance programs and testing incident response plans through tabletop training exercises. 


Health Privacy and Compliance Challenges 

Our lives have become increasingly digitized, and 2021 was no different – especially with the COVID-19 pandemic. The proliferation of apps and technologies handling personal health data led the FTC to confirm back in September that the requirements contained in the agency’s Health Breach Notification Rule extend to health apps and connected device companies. And as the world continued to operate under the shadow of the COVID-19 pandemic, businesses faced – and will continue to face – uncertainty regarding new federal vaccination and testing policies. Octillo’s Data Security and Privacy Compliance and Health Law Teams recommend businesses take stock of their employee data collection practices in their efforts to prevent the spread of COVID-19. 


Biometrics Class Actions, BIPA Claims Accrual, and Statute of Limitations 

In 2021, litigation under Illinois’ Biometric Information Privacy Act (BIPA) remained at the forefront of the data privacy landscape. As we noted back in January, March, and April, BIPA’s private right of action has contributed in part to an increase in the number of class actions. In September, the First District of the Illinois Appellate Court found that the statute of limitations period could range from one year to as much as five years depending on the nature of the alleged violation. But as the year closed out, Illinois courts continued to wrestle with the issues of BIPA claims accrual and statute of limitations. As this blog post goes to press, the U.S. Court of Appeals for the Seventh Circuit had just issued its decision in Cothron v. White Castle, certifying the issue of BIPA claims accrual to the Illinois Supreme Court.


Website Accessibility Litigation and What Counts as a Place of Public Accommodation 

The Octillo Accessibility Team continues to see a drastic increase in litigation filed under Title III of the Americans with Disabilities Act (ADA) as well as rapidly evolving caselaw surrounding website accessibility claims. 2021 is set to be a record-breaking year, with approximately 4,000 new lawsuits filed this year alone, most of them against small to medium sized businesses. The issue of whether websites qualify as places of public accommodation under the ADA continued to take shape in 2021. For example, in May the Eleventh Circuit Court of Appeals held in Gil v. Winn-Dixie Stores that a website is not a “place of public accommodation” under Title III of the ADA, creating a clear conflict with Ninth Circuit authority holding that a website is a place of public accommodation if there is a nexus to a brick-and-mortar location. In September, the United States District Court for the Eastern District of New York issued a decision in Winegard v. Newsday LLC, which also concluded that a website is not a “place of public accommodation” under Title III of the ADA. Given this unsettled landscape, we anticipate more litigation to come around the specific statutory definition of what constitutes a “public accommodation.”

Nevertheless, there is no end in sight for companies facing lawsuits under the ADA. Accordingly, Octillo recommends that businesses with any online presence or mobile application take proactive steps and prioritize accessibility internally. Minimizing legal risk through a digital accessibility compliance buildout that includes both a full-scale audit of digital assets and internal and external policy development is recommended for all businesses looking ahead into 2022.


Telephone Consumer Protection Act (TCPA) 

TCPA class actions are numerous. Octillo’s TCPA team has charted the complex legal landscape surrounding text message marketing and telemarketing throughout the course of 2021. In April, we covered the decision by the Supreme Court of the United States in Facebook v. Duguid et al., which narrowed the scope of the TCPA to systems that utilize random number generators. In November, we covered Florida’s new telemarketer requirements. As we head into 2022, TCPA compliance will continue to be an important area of focus for businesses. Businesses that leverage text message marketing as part of their consumer outreach should evaluate compliance initiatives and stay up to date on this fast-moving area of the law.


More Global Privacy and Cybersecurity Developments 

Privacy and cybersecurity continued to be areas of significant focus on an international scale. For example, China’s new Data Security Law (DSL) and new Personal Information Protection Law (PIPL) became effective on September 1 and November 1, respectively. Along with the Cybersecurity Law (CSL) of 2017, these two new laws have added a set of new cross-border requirements for international companies seeking to do business in China. Furthermore, following the Schrems II decision, which invalidated the EU-US Privacy Shield, the EU Commission released new standard contractual clauses (SCCs) intended to provide more flexibility and options for cross-border data exchange. The new SCCs are applicable for all new contracts entered into as of September 27, and businesses have until December 27, 2022 to transition all contracts using the older SCCs to ones with the new SCCs. Additionally, Québec’s Bill 64, which received royal assent a few months ago, has a series of new requirements coming into effect within the next couple of years for businesses both within and outside the province. 

On the global data privacy class action front, the UK Supreme Court’s recent decision in Lloyd v. Google suggests that opt-out class action cases for data privacy claims will be very difficult to bring. 


Conclusion and Key Takeaways 

In the midst of the ongoing COVID-19 pandemic and a rise in sophisticated cyberattacks, 2021 saw many privacy and cybersecurity trends and developments. There were new laws and regulations on both a domestic and an international scale. Case law in relevant areas developed rapidly, with some issues still unresolved as we embark on 2022. Things do not seem to be slowing down at all in the realm of privacy and cybersecurity. Octillo’s team of attorneys and technologists works with businesses of all sizes and industries to develop comprehensive, scalable data security and privacy infrastructures to navigate this fast-moving area.

*Attorney Advertising. Prior results do not guarantee similar outcomes. 



UK Decision Further Restricts Potential Class Privacy Actions and Sheds Light on Required Damages for Data Protection Claims

On November 10, 2021, a unanimous decision by the UK’s Supreme Court in Lloyd v. Google in favor of Google rejected an attempt to bring opt-out class action cases for data privacy claims in the UK.

In the UK, a robust class action regime for the field of data protection does not currently exist, and the Lloyd decision reflects a rejection of class action or representative actions in the data privacy realm. Unlike the UK, the US has long had a class action regime that allows for mass claims (including opt-out cases). Further, class action claims in the US have extended beyond traditional privacy tort claims to other claims related to data privacy (e.g., for violations of consumer protection laws and recently enacted data privacy laws such as the CCPA).

Background of Lloyd v. Google LLC  

Plaintiff Richard Lloyd filed an opt-out mass privacy action in the English courts against Google, relying on an old rule, Civil Procedure Rule 19.6, which permits representative actions. Lloyd sought to bring the mass privacy action on behalf of 4.4 million allegedly affected iPhone users as a representative action for breach of Section 4(4) of the Data Protection Act 1998 (“DPA”).

Lloyd alleged that Google had breached its duties as a data controller under Section 4(4) of the DPA. Google allegedly used a workaround to capture user browser data from iPhone users when visiting a site with Google content after Apple enabled the automatic blocking of third-party cookies in its Safari browser. Lloyd alleged that the use of Google’s Safari workaround secretly tracked and captured data from millions of Apple iPhone users (between late 2011 and early 2012) without the users’ knowledge or consent.

Further, Lloyd argued that an individual is entitled to compensation under Section 13 of the DPA whenever a data controller fails to comply with any of the requirements of the DPA in relation to that individual’s personal data, without proof of damages, provided that the breach is not trivial or de minimis. Lloyd sought a uniform amount of damages for all individuals, without proving damage for each, on the basis of “loss of control” (or “user”) damages, a lowest common denominator of loss suffered by every individual by reason of the breach. Lloyd argued that because the loss of control of data has value, the users were entitled to compensation for the value of that loss.

In the High Court, Lloyd had to show a reasonable prospect of success in order to serve Google out of the jurisdiction and move the case forward. Google contested Lloyd’s claim on two grounds:

  • damages cannot be awarded under the DPA for “loss of control” of data without proof that it caused financial damage or distress; and
  • the claim, in any event, is not suitable to proceed as a representative action.

The High Court held in favor of Google on both issues and refused permission to serve Google.

Lloyd then appealed, and the Court of Appeal allowed the appeal, reversed the High Court’s decision, and granted permission to serve Google.

Finally, Google appealed to the Supreme Court, where the case captured more attention and attracted various intervening parties, including the UK’s Information Commissioner’s Office (ICO).

UK Supreme Court Decision

The issue before the Supreme Court, whether Lloyd should have been refused permission, turned on three key questions:

  • Did the class members suffer damage within the meaning of Section 13 of the DPA 1998?
  • Did the class share the “same interest,” as required for a representative action to proceed?
  • Should the court exercise its discretion to disallow the representative action?

1. Damages for Loss of Control

The Supreme Court rejected Lloyd’s argument that “loss of control” damages without proof fell within the meaning of the DPA.

Meaning of Damages

The Supreme Court held that to recover compensation under the DPA, proof of material damage or distress is required: “to recover compensation [under the DPA] for any given individual, it would be necessary to show both that Google made some unlawful use of personal information relating to that individual and the individual suffered some damage as a result.”

The Supreme Court considered the wording of Section 13 of the DPA, which states that a person who suffers damage from contravention by a data controller of any requirement of the Act (or who suffers distress meeting the specific conditions of Section 13) is entitled to compensation for that damage or distress. It also noted that the intent behind the wording of Section 13 of the DPA was to implement Article 23 of the GDPR, which provided compensation from a controller for damages suffered, i.e., material damage.

Thus, requiring only proof of breach would be inconsistent with the DPA.

Loss of Control Damages for Data Protection Violation

Lloyd argued that the same rule for “loss of control” or “user” damages without proof of damages, permitted for claims for the tort of misuse of private information, should apply to the claim for violation of the DPA. Lloyd claimed this was appropriate because both are based on the same right to privacy. In the tort cases, loss of control compensation was available for wrongful use of property, even without financial or physical damage.

The Supreme Court rejected Lloyd’s argument that the same rules for loss of control or user damages should apply. It emphasized the distinctions between the common law tort claim of violation of privacy for misuse of private information and a claim for violation of a data protection law (e.g., the tort claim requires a reasonable expectation of privacy). Further, the court noted that Lloyd did not bring a claim for misuse of the data collected by Google but rather a claim for violation of the DPA.

Thus, loss of control damages without proof did not apply.

2. Representative Action

Most critically, the Supreme Court found that a representative action, in this case, would fail.

The Supreme Court held that recovery under the DPA requires proof of unlawful use and material damage or distress suffered as a result. The Supreme Court said that Lloyd had to show that each of the individuals of the class had both suffered a breach and suffered damages as a result of that breach. Thus, the use of a representative action as a method for recovery without proving either will fail.

In the decision, the Supreme Court rejected the argument for a representative action for breach of the DPA. Further, the Supreme Court determined that a representative action for damages without an individualized assessment for damages would fail.

Representative Action for Breach – Same Interest Test

The Supreme Court evaluated the representative action to establish breach of the DPA and entitlement to compensation based on that breach. CPR 19.6 permits claims to seek recovery on behalf of a group of individuals where all individuals have “the same interest” in the claim. The court noted that CPR 19.6(1) requires proof that all individuals have the “same interest” in the claim as the representative, and this test was not met.

However, the court noted that Lloyd could have framed the claim differently and adopted a bifurcated process for the representative action under the Act and individual claims for damages separately. As Lloyd did not seek a bifurcated action, the Supreme Court stated that the only other option for Lloyd was a representative action for damages.

Representative Action for Damages – Uniform v. Individual

The Supreme Court evaluated a representative action for damages and Lloyd’s claim for damages for each class member on a “uniform per capita basis.” The court stated that this option fails because the effect of the Safari workaround was not uniform across the class and likely varied by type of user (i.e., super/heavy users v. limited users) and by the type and amount of affected data. Thus, an individualized assessment of damages would be required for all class members.

Lloyd argued that no such assessment was required, relying on the proposition that the class was entitled to compensation for any (non-trivial) contravention of the DPA without the need to prove individual damages. Lloyd argued that all members suffered a loss (damage or distress under the Act) based either on general damages on a uniform per capita basis, or on the amount that could reasonably be charged for releasing Google from its duties. The Supreme Court rejected both arguments.

Key Takeaways

The Supreme Court unanimously allowed Google’s appeal and restored the dismissal of the case by the High Court.

This decision provides some key takeaways:

  • Claims for Violations of the DPA:
    • Proof of material damage or distress is required for claims for violation of the DPA brought by individuals and groups
    • Representative actions are not suitable for claims for violation of the DPA without evidence of misuse or material damages/distress
  • Other Mass Privacy Claims:
    • Opt-out representative action for damages requires an individualized assessment of damages

Further, the Supreme Court’s decision to reject Lloyd’s attempt to bring an opt-out case against Google shows that opt-out representative actions are likely not possible (or at least very difficult) for data protection actions.

How will this impact future data privacy claims in the UK?

This much anticipated and landmark decision will drastically reduce the number of mass privacy claims brought in the UK due to the heightened evidentiary burden, and deter cases where only minimal evidence of harm resulting from a breach exists.

For plaintiffs/claimants, this decision makes it even more difficult for individuals and class counsel to bring mass privacy claims in the UK without obtaining proof of damages for all potential class members. This could be costly and will likely deter many cases, but it does not completely prevent these types of cases where individuals have suffered actual damages.

For businesses, this decision provides some relief from potential frivolous claims or claims lacking evidentiary support for businesses processing personal information in or about individuals in the UK.

Other pending potential representative actions (awaiting this decision) will likely be prevented from moving forward in UK courts. Note, however, that the Lloyd decision focused on the DPA as applied during the claim period (2011 to 2012) and not on recent developments in the data privacy framework in the UK (i.e., updates to the DPA and the UK GDPR).

Even in light of the Lloyd decision, the international data privacy landscape remains complex. Octillo works with its clients on developing international privacy compliance strategies and programs to implement proactive measures to protect personal data and thus reduce the risk of litigation. Our team of experienced attorneys, who are also devoted technologists, are specially equipped with the skills and experience necessary to provide guidance to navigate the complexities of international privacy frameworks and handle any resulting enforcement actions or litigation matters.


*Attorney Advertising; prior results do not guarantee similar outcomes. 


New Federal COVID-19 Vaccination Policies Trigger Data Privacy Considerations

UPDATE: On November 6th, the U.S. Court of Appeals for the Fifth Circuit issued a temporary stay of OSHA’s latest vaccine rules in BST Holdings, L.L.C., et al. v. OSHA, noting that “there are grave statutory and constitutional issues with the Mandate.” On November 12th, the Fifth Circuit issued an order in continuance of its November 6th stay, stating that enforcement of OSHA’s latest vaccine rules “remains STAYED pending adequate judicial review of the petitioners’ underlying motions for a permanent injunction.” The Fifth Circuit further ordered “that OSHA take no steps to implement or enforce the Mandate until further court order.”

However, with several other similar lawsuits pending in other federal circuits, the Judicial Panel on Multidistrict Litigation has selected, by lottery on November 16th, the U.S. Court of Appeals for the Sixth Circuit to be the tribunal to hear the consolidated cases. The Sixth Circuit will thus have the authority to issue the controlling opinion on OSHA’s latest vaccine rules, though many expect litigation to continue up to the Supreme Court of the United States for a final decision.

Businesses should stay up to date with current developments regarding OSHA’s latest vaccine rules and related lawsuits and should understand existing and intended data collection practices within their organizations. Evaluating what is being collected, how it is being retained, and how this information can be accessed and by whom remains a very important part of an organization’s data security and privacy infrastructure in light of this climate. The Compliance Team at Octillo is experienced in navigating such changes and can assist businesses with their data security and privacy programs as the landscape continues to evolve within the next couple of months.

Email Octillo Privacy Compliance Team Lead Kara L. Hilburger, Esq., (CIPP/US) at khilburger@octillolaw.com or call 716.898.2102 for assistance in analyzing this and other regulatory and legislative matters in this space.

Continue reading the initial post regarding the OSHA Rule below.


On Thursday, November 4, 2021, the Occupational Safety and Health Administration (OSHA) published an Interim Final Rule (OSHA Rule) requiring employers with 100 or more employees to implement plans to confirm employees are vaccinated and, if not, to test their employees weekly and require face masks. The OSHA Rule, published in the Federal Register on November 5, 2021, requires employers subject to the OSHA Rule to implement testing protocols for unvaccinated employees starting January 5, 2022.

Although the Fifth Circuit Federal Court of Appeals temporarily blocked the OSHA Rule on November 6, 2021, employers should still prepare a plan in the event the OSHA Rule is not permanently blocked given the pending compliance deadlines. This may require employers to revise existing procedures or create new policies and procedures. As employers develop and implement these policies, it’s important to carefully consider data privacy and security implications of maintaining this sensitive information about employees.

Below are just a few questions employers should ask as they develop these new policies.

Does the OSHA rule apply to me?

The answer depends on your company’s size, operation, and industry. Importantly, the new OSHA Rule does not apply to health care providers, which have even more stringent rules announced by the Centers for Medicare and Medicaid (CMS) on the same day. The OSHA Rule applies to businesses with 100 or more employees. To determine whether an employer meets this 100-person threshold, companies should count all full- and part-time employees at all locations and worksites. Employers do not have to count employees who are contractors, employees from a staffing agency, or franchisee employees if the employer is the franchisor.

What does the OSHA Rule require?

Employers that are subject to the OSHA Rule must:

  • Determine vaccination status. Determine the vaccination status of each employee, accept proof of vaccination, and maintain records of each employee’s vaccination status. The OSHA Rule outlines forms of acceptable proof of vaccination, which includes COVID-19 Vaccination Record Cards, a copy of medical records documenting vaccination, and employee attestations in limited circumstances.
  • Test unvaccinated employees and require masks. If an employer elects to not mandate COVID-19 vaccinations, the company must test each employee who is not fully vaccinated at least once every 7 days. If an employee has not been tested within a 7-day period, the employee must telework for two weeks before reporting back to a location with other employees and be tested within 7 or fewer days before returning. Employees will have to provide documentation of their test results and employers must maintain these test result records. Unvaccinated employees must wear face masks at the workplace.
  • Require employees to notify the employer of a positive COVID test or diagnosis. Companies must require employees to provide prompt notice of positive COVID-19 tests and diagnoses and take steps to remove them from the workplace until they meet the criteria for returning.

Are there any exceptions?

Yes. The OSHA Rule does recognize certain exceptions and exemptions to these requirements.

  • Employees who work exclusively remotely or at outside locations are not subject to the requirements.
  • The OSHA Rule also does not apply to workplaces covered by the Safer Federal Workforce Task Force COVID-19 Workplace Safety: Guidance for Federal Contractors and Subcontractors.
  • The OSHA Rule does not apply to health care providers, which are covered by the CMS interim final rule.
  • The OSHA Rule has exceptions for employees who cannot receive the vaccine for medical reasons, or who are legally entitled to a reasonable accommodation under federal civil rights laws because of disability or sincerely held religious beliefs that conflict with the vaccination requirement.

Do I need to provide paid leave for vaccinations?

Yes. Companies subject to this rule must provide employees with up to four hours of paid time to receive their vaccination. They must also allow for reasonable time and paid sick leave for the employee to recover from vaccine side effects.

Do I need to pay for the cost of testing if an employee isn’t vaccinated?

No, the OSHA Rule does not require covered employers to cover the costs of testing. However, other laws, regulations, collective bargaining agreements, or collective negotiation agreements may require the employer to pay for testing.

How does the OSHA rule impact state vaccination and testing laws?

The OSHA Rule pre-empts any state law that has less restrictive standards regarding vaccination and testing for COVID-19 in the workplace. States can impose greater vaccination requirements; for example, some employers may be subject to state laws that do not include medical or religious exceptions.

What needs to be addressed in the vaccination policy?

Companies must develop, implement, and enforce mandatory policies that address COVID-19 vaccination procedures, or mandatory testing if the company does not mandate vaccinations. These policies must be provided to employees in a language and at a literacy level that employees understand.

Are there any additional documentation and reporting requirements?

Yes. Companies must provide employees and their designated representatives with their vaccination and testing records by the end of the next business day following the request for such records. Companies must also be able to provide policies and procedures to OSHA within four business hours and must provide an aggregate number of total vaccinated employees upon request by the next business day. Finally, companies must report work-related COVID-19 fatalities to OSHA within 8 hours of learning about them. Covered employers must report a COVID-19 related in-patient hospitalization within 24 hours of learning about it.

Are there penalties for non-compliance?

OSHA officials have stated they will use OSHA’s authority to inspect workplaces and investigate complaints received from employees. Failure to comply with OSHA regulations can lead to a $13,653 penalty per violation for serious or failure-to-abate violations and a $13,532 penalty per violation for willful or repeated violations.

How should companies prepare?

Companies subject to the OSHA Rule should review the new requirements and develop a strategy on how to document and implement the mandatory procedures most effectively and efficiently. The new rule requires employers to collect and maintain sensitive employee data. Policies and procedures addressing how these records will be maintained and protected will be necessary, and in tandem with developing procedures, companies may want to evaluate whether they need to update record retention procedures and determine whether existing data security and privacy protocols are sufficient. It is also recommended that companies work with legal counsel to review whether and how state laws interplay with the new OSHA requirements. Many states have statutes and regulations requiring companies to safeguard medical information held on behalf of clients and employees. This is particularly important for employers that have not previously held sensitive employee information such as health records and may not have proper procedures in place for safeguarding such records.

Octillo continues to monitor this evolving landscape and provide updates on important topics that impact data privacy and security, which have a very real impact on business operations. Regardless of the legislative landscape, a robust data security and privacy program that can stand the test of time is a wise investment. Our team is available to assist your team in the evaluation of legal implications of current requirements and legislative changes in the data privacy field.

Email Octillo Compliance Team Leads Kara L. Hilburger, Esq., at khilburger@octillolaw.com or Jordan L. Fischer, Esq., at jfischer@octillolaw.com, or call 716.898.2102 for assistance in analyzing this and other regulatory and legislative matters in the Health Law space.

*Attorney advertising: prior results do not guarantee similar outcomes.
