Round 4! Utah to Become Fourth State to Pass Comprehensive U.S. Privacy Legislation

With rapid developments out of the Utah Legislature over the past two weeks, Utah is slated to become the fourth state to enact comprehensive privacy legislation in the United States. The Utah House and Senate have both passed the Utah Consumer Privacy Act (UCPA), with the final bill having received the necessary signatures by the Senate President and Speaker of the House on March 3, 2022.

The UCPA will now be sent to Governor Spencer J. Cox, who will have 20 days to sign, take no action, or veto the bill. If the Governor signs or takes no action on the bill, the UCPA will take effect on December 31, 2023.

The good news is that businesses who are currently gearing up for 2023 legislation enforcement under Virginia’s VCDPA, California’s CPRA, and Colorado’s ColoPA will not have to implement significant changes to their readiness plans to comply with the UCPA. With no private right of action and many similarities to the VCDPA, Utah’s new privacy law is not expected to drastically change the landscape of U.S. privacy legislation. Our biggest takeaway is that the UCPA predominantly narrows individuals’ rights as compared to other state privacy legislation, meaning that businesses who are subject to California, Virginia, or Colorado will not be faced with too many challenges when operationalizing compliance. However, businesses who have not met the threshold requirements under other state laws should take a close look at the scope of the UCPA to determine whether the thresholds imposed by the Utah law trigger compliance requirements that may not have been met with California, Virginia, and Colorado legislation.

What is the Scope of the UCPA? Similar to the VCDPA, the legislation includes the concepts and obligations for “controllers” and “processors” of information. The UCPA applies to any controller or processor who:

  1. Conducts business in Utah or produces a product or service that is targeted to Utah consumers;

  2. Has an annual revenue of $25 million or more; and

  3. Either (i) controls or processes the personal data of at least 100,000 Utah residents in a calendar year or (ii) derives over 50% of its gross revenue from the “sale” of personal data and controls or processes personal data of at least 25,000 Utah residents.

Who and What is Exempted from Application under the UCPA? The UCPA exempts several entities and types of data from applicability under the law. Utah’s privacy law does not apply to (i) deidentified, aggregated, or publicly available data and information, (ii) government entities, (iii) tribes, (iv) higher education institutions, (v) nonprofits, (vi) data subject to the Health Insurance Portability and Accountability Act, Gramm-Leach-Bliley Act, Driver’s Privacy Protection Act, the Family Education Rights and Privacy Act, certain activities under the Fair Credit Reporting Act, the Farm Credit Act, (vii) private individuals processing personal data for purely personal or household purposes, and (viii) air carriers. 

What is the Definition of “Sale” Under the UCPA? Utah’s law imposes a narrower definition of “sale” of personal data as compared to Virginia, California and Colorado. While the sale must be for “monetary compensation” as similarly outlined in the VCDPA, the UCPA contains an exception which allows for a controller’s disclosure of consumer personal data to third parties if it is for a purpose consistent with the consumer’s reasonable expectations in the context in which the consumer provided such personal data to the controller.   

What Rights do Consumers Have Under the UCPA? Businesses have 45 days (which can be extended for an additional 45-day period) to respond to an authenticated request from a consumer who is exercising the following rights:

  • The right to confirm whether a business is processing their personal data;

  • The right to access their personal data;

  • The right to request the deletion of the personal data they have provided to the business (see below);

  • The right to obtain a copy of the personal data they have provided to the business, in a format that is feasible, portable, practicable, readily usable, and allows the consumer to transmit the data to another business without issue (see below); and

  • The right to opt out of the use of their information for the purposes of targeted advertising and/or the sale of their personal data.

What Rights and Requirements Have Changed Under the UCPA as Compared to Other States or Should Otherwise be Noted? 

Sensitive Data: While the UCPA defines “sensitive data” similarly to the VCDPA and ColoPA, the new bill does not similarly require an explicit opt-in for the processing of sensitive data. The UCPA instead follows the CPRA, requiring (i) clear notice to the consumer and (ii) an opportunity to opt out of the processing.

Limited Right to Delete and Obtain: A consumer under the UCPA only has the right to obtain a copy and/or request deletion of the personal data they specifically provide to the controller. 

No Private Right of Action: Utah has not incorporated a private right of action under the UCPA.

No Right to Opt-Out of Profiling: While other state laws provide consumers with an opt-out right of automated decision-making technology and/or profiling specifically, the UCPA does not provide this right to consumers. 

No Right to Correct: The UCPA does not follow other privacy legislation in providing consumers a right to correct any inaccuracies in their personal data.

No Data Processing Impact Assessments (DPIA): Unlike other state privacy legislation, DPIAs are not required under the UCPA.

No B2B or Employment Application: The Utah legislature has followed suit with Virginia and Colorado, and the UCPA does not apply to situations where employee data or business-to-business (B2B) data is collected.

How will the UCPA be Enforced? The Utah Division of Consumer Protection has authority under the UCPA to investigate consumer complaints and refer such complaints to the Utah Attorney General. The Attorney General has exclusive authority to enforce the UCPA. 

If a business does not cure a violation under the UCPA within a 30-day period, the Attorney General has authority to seek civil penalties, including actual damages and a maximum fine of $7,500 per violation. 

Final Takeaways

The Utah law closely parallels Virginia’s VCDPA with additional similarities to California and Colorado legislation. At the same time, Utah has narrowed the threshold of applicability and certain rights afforded to consumers under the UCPA. For businesses who are already preparing for 2023 privacy legislation enforcement, compliance under the UCPA may be straightforward. For those businesses who may not have been subject to other state privacy legislation but meet the threshold requirements under the UCPA, it is important to begin compliance preparation well in advance of the December 31, 2023 enforcement date. 

With new comprehensive state privacy legislation continually being brought forth, it will be important to monitor whether additional states continue mirroring existing legislation or whether additional significant consumer rights are on the horizon.