Update March 31, 2022: Utah Governor Spencer Cox signed the bill on March 24, 2022.
With the passage of the Utah Consumer Privacy Act (UCPA), Utah will become the fourth state to enact omnibus consumer privacy legislation, after California, Virginia and Colorado, once Utah Governor Spencer Cox signs the bill into law. Governor Cox has 20 days to sign the bill, take no action (after which it becomes law), or veto it. The UCPA shares many similarities with other state laws, particularly the Virginia Consumer Data Protection Act (VCDPA), and businesses operating in Utah or serving Utah consumers will need to build toward compliance by the December 31, 2023 effective date.
The UCPA applies to for-profit entities (“controllers” or “processors”) that (1) conduct business in Utah or target products and services to consumers who reside in the state, (2) have annual revenues of at least $25 million, and (3) meet one of two minimum requirements:
- Control or process the personal data of 100,000 or more Utah residents (“consumers”) each year; or
- Derive more than 50% of their gross revenue from the “sale” of personal data and control or process the personal data of 25,000 or more consumers.
The law exempts certain types of data and entities, including publicly available data, de-identified data, and data subject to the Health Insurance Portability and Accountability Act, the Driver’s Privacy Protection Act and the Family Educational Rights and Privacy Act. The UCPA also includes broad entity-based exemptions for entities and businesses covered by the Fair Credit Reporting Act and the Gramm-Leach-Bliley Act, as well as nonprofit entities, institutions of higher education, tribes and government agencies.
The UCPA mirrors the definitions of “personal data” in the Virginia and Colorado (Colorado Privacy Act, or CPA) laws, defining the term broadly as any data that is “linked or reasonably linkable” to an individual. Unlike the California Privacy Rights Act, which amends the CCPA and takes effect next January, the UCPA applies only to consumer data and expressly excludes personal data collected in an employment or business-to-business context.
As in other state laws, the UCPA provides consumers with certain rights over their personal data. Specifically, consumers can ask to:
- Access the personal data that a data controller processes about them;
- Delete the personal data that the consumer has provided to the controller;
- Obtain a copy of the personal data, in a “portable” format, that the consumer has provided to the data controller; and
- Opt out of the “sale” of personal data (defined as disclosure by a controller to a third party for monetary consideration) or of the processing of personal data for targeted advertising.
Controllers have 45 days to respond to a request, with a further 45-day extension if reasonably necessary. Although controllers must generally process requests free of charge, they may charge a fee for a second or subsequent request within a 12-month period, or if certain other circumstances apply (for example, the request places an excessive burden on company resources). Controllers may refuse a request if they cannot authenticate it or if the personal data is pseudonymized.
Obligations of controllers and processors
The UCPA adopts the “controller” and “processor” framework used in the EU General Data Protection Regulation (GDPR) and the privacy laws of Virginia and Colorado. Controllers determine why and how personal data is processed, while processors process personal data on behalf of a controller.
Controllers and processors must enter into a written contract that sets out the details of the processing, such as the personal data to be processed, the purpose of the processing and the rights and obligations of the parties. Processors must follow the controller’s instructions when processing personal data, and they must engage sub-processors under a written agreement that binds the sub-processor to the processor’s obligations.
Controllers must post a privacy notice containing information about their personal data practices similar to what other state laws require, such as the categories of personal data processed, the purposes of the processing, the categories of disclosures to third parties and how consumers can exercise their rights.
Unlike in Virginia and Colorado, controllers need only provide notice and an opportunity to opt out before processing sensitive consumer data (or comply with the Children’s Online Privacy Protection Act (COPPA) for the sensitive data of children under 13), rather than obtaining opt-in consent to the collection and processing of such data. Sensitive data includes information about racial or ethnic origin, religious beliefs, sexual orientation, citizenship or immigration status, health and medical treatments or conditions, biometric or genetic data used to identify individuals, and geolocation data.
The UCPA, however, provides exemptions not found in the Virginia or Colorado laws. In particular, the UCPA’s “sensitive data” provisions do not apply to information revealing racial or ethnic origin when it is processed by a video communications service, which the UCPA does not define, or by certain health care workers.
In addition, controllers must implement reasonable security safeguards and must not discriminate against consumers who exercise their rights under the law. Controllers may, however, offer bona fide loyalty, rewards and discount programs, and may offer a different price or quality of product or service if a consumer opts out of targeted advertising.
Limitations and application
The UCPA contains important substantive exemptions that mirror those in the Virginia and Colorado laws. Among other things, nothing in the law restricts the ability of a controller or processor to comply with the law or legal process; provide a product or service requested by the consumer; perform a contract with the consumer; repair technical errors or protect security; conduct internal analysis or other research to develop, improve or fix a product, service or technology; or perform an internal operation reasonably aligned with consumer expectations or consistent with processing to provide a product or service.
The Utah Division of Consumer Protection may investigate consumer complaints under the UCPA and refer them to the Attorney General. The Attorney General has sole enforcement authority and must give entities written notice of an alleged violation and a 30-day opportunity to cure it. The Attorney General may sue for uncured violations and recover actual damages to the consumer plus civil penalties of up to $7,500 per violation. There is no private right of action, and the law expressly preempts local privacy laws within the state.
The Attorney General and the Division of Consumer Protection must report on the effectiveness of the law’s enforcement provisions and on the data that is and is not protected under the law, but they have no explicit rulemaking authority.
Differences from privacy laws in other states
Longtime readers will recognize the close kinship between the UCPA and the privacy laws of Virginia and Colorado. Although we noted at the outset that the UCPA most closely resembles the VCDPA, there are subtle differences between them, including:
- $25 million threshold: The UCPA applies only to entities with annual revenues of $25 million or more (that also meet one other threshold requirement), whereas the VCDPA contains no revenue-based requirement. California law treats $25 million in annual revenue as one possible threshold, not as a requirement for all entities.
- Narrow right to delete: Unlike the VCDPA (but like the CCPA), the UCPA limits a consumer’s right to delete personal data to the data that the consumer has provided to the controller.
- Sale exception: The UCPA provides an additional exception to “sale”: a sale does not occur if the disclosure to a third party is made for a purpose consistent with a consumer’s reasonable expectation given the context.
- No right of appeal: Unlike the VCDPA, the UCPA does not give consumers the right to appeal denials of requests to exercise their rights.
- No obligation to carry out data protection assessments: Unlike the VCDPA, the UCPA does not require controllers to perform data protection assessments of certain processing activities.
- No profiling opt-out: The UCPA contains no concept of “profiling” and therefore, unlike the VCDPA, does not give consumers the right to opt out of profiling.
- Sensitive data: While the VCDPA and the Colorado law require consumers to affirmatively consent to the processing of their sensitive data, the UCPA contains a CCPA-like requirement that controllers give the consumer notice and an opportunity to opt out before processing their sensitive data or, for children’s data, comply with COPPA. In addition, as noted above, the UCPA includes an important exception for personal data processed by a “video communications service” (undefined) and certain health care workers.
Companies subject to the UCPA will generally find that their compliance efforts under other state privacy laws provide a solid foundation for implementing the UCPA as they prepare for its December 31, 2023 effective date.