Actions: [4] HCEDC/HJC-HCEDC
Scheduled: Not Scheduled
House Bill 307 (HB 307) enacts the Internet Privacy and Safety Act; establishes requirements for service providers; prohibits certain uses of consumer data; provides rights to consumers; establishes limitations on processing of consumer data; prohibits waivers of rights and retaliatory denials of service; provides for injunctive relief and civil penalties; and provides for rulemaking.
Legislation Overview:
House Bill 307 (HB 307) enacts the Internet Privacy and Safety Act (IPSA). Definitions are provided for terms such as “actual knowledge," "biometric data," "brokerage of personal data," “consumer," "dark pattern," "derived data," "first-party advertising," "profiling," "sensitive personal data," and more. Except as otherwise provided, a service provider must: (1) configure all default privacy settings on the covered entity's online platforms offering features, products or services to settings that offer the highest level of privacy; (2) publicly provide privacy information, terms of service, policies and community standards in a prominent, precise manner and use clear, easily understood language; (3) publicly provide prominent, accessible and responsive tools to help a consumer exercise the consumer's privacy rights and report concerns; and (4) establish, implement and maintain reasonable administrative, technical and physical data security practices to protect the confidentiality, integrity and accessibility of personal data appropriate to the volume and nature of the personal data at issue. When a service provider does not have actual knowledge that a consumer using the covered entity's online platform to access a feature, product or service is a minor, the provider must establish settings on that online platform that: (1) permit a consumer to disable notifications or disable notifications during specific periods of time; (2) permit a consumer to choose between a privacy-protective feed and a profile-based feed; and (3) permit a consumer to disable contact by unknown individuals unless the consumer first initiates the contact or provide a mechanism to screen contact by individuals with whom the consumer does not have a relationship. 
When a service provider has actual knowledge that a consumer using its online platform is a minor, it must establish default settings on the platform: (1) that disable contact by unknown users unless the consumer first initiates the contact; (2) that disable notifications between the hours of 10:00 p.m. and 6:00 a.m. mountain time according to federal law; and (3) that use a privacy-protective feed. A service provider that provides an online feature, product or service that involves the processing of personal data may not: A. profile a consumer by default, unless profiling is necessary to provide the online feature, product or service requested, and only with respect to the aspects of the online feature, product or service with which the consumer is actively and knowingly engaged; B. process the personal data of a consumer except as necessary to provide: (1) the specific online feature, product or service with which the consumer is actively and knowingly engaged, including any routine administrative, operational or account-servicing activity, such as billing, shipping, delivery, storage, accounting, security or fraud detection; or (2) a communication, that is not an advertisement, by the service provider to the consumer that is reasonably anticipated within the context of the relationship between the covered entity and the consumer; C. process personal data for any reason other than a reason for which the personal data is collected; D. process a consumer's sensitive personal data unless the collection of that data is strictly necessary for the covered entity to provide the online feature, product or service requested, and then only for the limited time that the collection of data is necessary to provide the online feature, product or service; E. process a consumer's precise geolocation information without providing an obvious signal to the consumer, for the duration of that collection, that precise geolocation information is being collected; F. use dark patterns to cause a consumer to provide personal data beyond what is reasonably expected to provide the online feature, product or service, or to forego privacy protections; G. allow a person to monitor a consumer's online activity or precise geolocation without providing an obvious signal to the consumer that the consumer is being monitored or tracked; H. process or transfer personal data in a manner that discriminates in or otherwise makes unavailable the equal enjoyment of goods or services on the basis of childbirth or a condition related to pregnancy or childbirth, color, disability, gender, gender identity, mental health, national origin, physical health condition or diagnosis, race, religion, sex life or sexual orientation; I. process personal data for purposes of targeted advertising, first-party advertising or the brokerage of personal data without the consumer first opting in to those purposes by clear and conspicuous means and not through the use of dark patterns; or J. process sensitive personal data for purposes of targeted advertising, first-party advertising or the brokerage of personal data.
Service providers must provide a consumer the right to: (1) access all the consumer's personal data that was processed by the service provider; (2) access all the information pertaining to the collection and processing of the consumer's personal information, including: (a) where or from whom the covered entity obtained personal data, such as whether the information was obtained from the consumer or a third party or from an online or offline source; (b) the types of third parties to which the covered entity has disclosed or will disclose personal data; (c) the purposes of the processing; (d) the categories of personal data concerned; (e) the names of third parties to which the covered entity has disclosed the personal data and a log showing when each disclosure happened; and (f) the period of retention of the personal data; (3) obtain the consumer's personal data processed by a service provider in a structured, readily usable, portable and machine-readable format; (4) transmit or cause the covered entity to transmit the consumer's personal data to another service provider, where technically feasible; (5) request that a service provider stop collecting and processing the consumer's personal data; (6) correct inaccurate personal data stored by covered entities; and (7) delete the consumer's personal data that is stored by service providers, including from nonpublic profiles. A service provider must provide a consumer with a reasonable means to exercise the consumer's rights, and must comply with a consumer's exercise of those rights. A service provider may not retaliate against a consumer for exercising a right guaranteed by the IPSA or a rule established under that act.
A service provider that violates the IPSA or rules adopted under it is: (1) subject to injunctive relief to cease or correct the violation; (2) liable for a civil penalty of not more than two thousand five hundred dollars ($2,500) per affected consumer for each negligent violation; and (3) liable for a civil penalty of not more than seven thousand five hundred dollars ($7,500) per affected consumer for each intentional violation. A consumer who claims to have suffered a deprivation of the rights secured under the IPSA may maintain an action in district court to establish liability and recover damages or equitable or injunctive relief. A service provider that is in compliance with federal privacy laws is deemed to be in compliance with the requirements of the IPSA solely and exclusively with respect to data subject to the requirements of federal law. An online feature, product or service that is regulated by federal information security law is likewise deemed to be in compliance with the requirements of the IPSA solely and exclusively with respect to data subject to the requirements of federal law. The IPSA does not apply to the delivery or use of a physical product to the extent the product is not an online feature, product or service. Nothing in the IPSA may be interpreted or construed to: A. impose liability in a manner that is inconsistent with federal law; B. apply to information processed by local, state or federal government or municipal corporations; or C. restrict a covered entity's or service provider's ability to comply with law or legal actions, or other protected actions. On or before April 1, 2026, the State Department of Justice (DOJ) must promulgate rules for the implementation of the IPSA. On or before November 30, 2026, and on or before November 30 in each subsequent year, the DOJ must provide a report to the interim legislative committee that is tasked with examining internet-related issues. Requirements of the report are detailed.
Current Law:
Apart from the Privacy Protection Act and Data Breach Notification law, there is currently no specific law related to internet privacy and safety.