Let's get some things straight on Utah's new electronic privacy bill, signed into law last week, because I anticipate confusion:

First, the statute isn't a comprehensive privacy law. Sure, it's titled the "Electronic Information or Data Privacy Act." (The presence of the conjunction "or" evokes Rocky and Bullwinkle cartoons, which usually presented two alternative titles for each episode. But I doubt this was the intent. Anyway, back to my point:) You might infer that Utah is following in California's footsteps in enacting its own mini-GDPR. Lousy inference. Rather, the Utah law's scope is limited: restricting the access of state law enforcement to electronic records. In fact, it strikes me as focused on two points: First, it provides that electronic records are entitled to protections similar to protections afforded physical objects under search and seizure law. As the bill's sponsor explained: "Traditionally, we have pretty good protection with case law and statutes that protect our physical stuff if law enforcement wants to search any of our belongings such as our homes, cars, or hard drives.” But courts haven't been consistent in affording protections to intangible things like electronic information. This law aims to change that. Second, it extends protections to electronic records even if you house them with someone else, such as a cloud provider. Here, Utah seems to be departing from the "third party doctrine" under federal Fourth Amendment law. The theory goes like this: If you entrust a widget to a third-party, then you can't really have a "reasonable expectation of privacy" in that widget; without a reasonable expectation of privacy, you aren't entitled to the protections of search-and-seizure law. At least some courts have invoked the doctrine to deny search-and-seizure protection to electronic records that a person has entrusted to an email service or other service provider. Again, the law aims to change that.

Your second mistake would be to conclude that the statute regulates the market for cloud computing. After all, the law purports to "provide[] for transmission of electronic information or data to a remote computing service." You'll find this assertion in the preface to the bill, titled "Highlighted Provisions." But look through the rest of the bill. You won't find anything else on the topic. Besides, the transmission of electronic information to remote computing services has existed for decades. Hard to see how a state legislature could "provide for" something that's already ubiquitous.

Finally, you might think that the law "provides that the individual who transmits electronic information or data is the presumed owner of the electronic information or data." Once again, the law's preface says so! And lots of people have been calling for individuals to be given an ownership interest in their own personal data. Finally, a legislature has done it! Sorry to burst bubbles, but search through the rest of the bill for the words "own" and "owner." The rest of the law doesn't actually say anything of the sort. The law doesn't even say that a person who transmits data is the presumed owner. To the contrary, the law seems to protect "electronic information or data transmitted by the owner of the electronic information or data". On its face, that text excludes protection for information or data transmitted by someone other than the owner. In other words, your mere transmission of information isn't enough to create a presumption that you own it.

I do have one question. Although the law generally requires law enforcement to get a warrant before searching a person's electronic information, it contains an exception for searches "in accordance with a judicially recognized exception to warrant requirements." Is the third-party doctrine one of those exceptions? As noted above, plenty of courts have relied on this doctrine to allow warrantless searches of electronic information entrusted to third parties.

I think the answer to my question is almost certainly "no." First, applying the third-party doctrine would swallow the rule. The whole point of the law is to protect electronic data held by internet service providers, cloud providers, and other third-parties--in other words, to overrule the third-party doctrine by statute. Second, I don't think the third-party doctrine is fairly characterized as an "exception to warrant requirements." The third-party doctrine is better understood as part of the threshold question about whether a particular government action is a "search" that's subject to the protections of search-and-seizure law. By contrast, exceptions to the warrant requirement address a question that arises later in the search-and-seizure inquiry: once you've decided that a government action constitutes a "search", is it one of those searches that requires a warrant, or one of those searches that doesn't? When the Utah law refers to "judicially recognized exception[s] to warrant requirements," I suspect it is referring only to doctrines addressing this latter question.