Update March 31, 2022: Utah Governor Spencer Cox signed the bill into law March 24, 2022.
With passage of the Utah Consumer Privacy Act (UCPA), Utah will become the fourth state to adopt omnibus consumer privacy legislation—following California, Virginia, and Colorado—when Utah Governor Spencer Cox signs the bill. Governor Cox has 20 days to sign the bill, veto it, or take no action, in which case it becomes law. The UCPA shares many similarities with other state laws, particularly the Virginia Consumer Data Privacy Act (VCDPA), and businesses operating in or serving consumers in Utah will need to build for compliance by the December 31, 2023, effective date.
The UCPA applies to for-profit entities ("controllers" or "processors") that (1) conduct business in Utah or target products and services to consumers who are residents of the state, (2) have annual revenues of at least $25 million, and (3) meet one of two threshold requirements:
- Annually control or process the personal data of 100,000 or more Utah residents ("consumers"); or
- Derive over 50 percent of gross revenue from the "sale" of personal data and control or process personal data of 25,000 or more consumers.
The law exempts certain types of data and entities, including publicly available data, de-identified data, and data subject to the Health Insurance Portability and Accountability Act, the Driver's Privacy Protection Act, and the Family Education Rights and Privacy Act. The UCPA also includes broad entity-based exemptions for entities and businesses covered by the Fair Credit Reporting Act and the Gramm-Leach-Bliley Act, as well as non-profit entities, higher education institutions, tribes, and government bodies.
The UCPA mirrors the Virginia and Colorado (CPA) definitions of "personal data," defining the term to broadly apply to any data that is "linked or reasonably linkable" to an individual. Unlike the California Privacy Rights Act, which amends the CCPA and becomes effective next January, the UCPA applies only to consumer data and expressly excludes personal data collected in an employment or business-to-business context.
As in other state laws, the UCPA grants consumers certain rights to their personal data. Specifically, consumers may request to:
- Access the personal data that a controller processes about them;
- Delete personal data that the consumer provided to the controller;
- Obtain a copy of the personal data, in a "portable" format, that the consumer provided to the controller; and
- Opt out of the "sale" of personal data (defined as disclosure by a controller to a third party for monetary consideration) or processing of personal data for targeted advertising.
Controllers have 45 days to respond to a request, with a 45-day extension if reasonably necessary. While controllers must handle requests free of charge, they may charge a fee for second or subsequent requests in a 12-month period, or if certain other circumstances apply (e.g., the request poses an undue burden on the business's resources). Controllers may deny a request if they cannot authenticate the request or if the personal data is pseudonymized.
Obligations of Controllers and Processors
The UCPA adopts the "controller" and "processor" framework used in the EU's General Data Protection Regulation (GDPR) and in Virginia's and Colorado's privacy laws. Controllers determine why and how personal data is processed, while processors process personal data on behalf of a controller.
Controllers and processors must enter into a written contract that sets out the details of processing, such as the personal data to be processed, the purpose of processing, and the parties' rights and obligations. Processors must follow controllers' instructions when processing personal data, and they must engage subprocessors via a written agreement that flows down the processor's obligations.
Controllers must post a privacy notice that contains similar disclosures about their personal data practices to those under other state laws, such as the categories of personal data processed, purposes of processing, categories of disclosures to third parties, and how consumers may exercise their rights.
Unlike Virginia and Colorado, controllers must only provide notice and an opportunity to opt out prior to processing a consumer's sensitive data (or comply with the Children's Online Privacy Protection Act (COPPA) for the sensitive data of children under 13), as opposed to obtaining opt-in consent to collect and process such data. Sensitive data includes information about racial or ethnic origin, religious beliefs, sexual orientation, citizenship or immigration status, health and medical treatment or conditions, biometric or genetic data used to identify individuals, and geolocation data.
The UCPA provides exemptions not found in the Virginia or Colorado laws, however. Specifically, the UCPA's provisions regarding "sensitive data" will not apply to information that reveals racial or ethnic origin when processed by a video communication service, which the UCPA does not define, or by certain health care workers.
In addition, controllers must implement appropriate security mechanisms, and may not discriminate against consumers who exercise their rights under the law. However, controllers may offer bona fide loyalty, rewards, and discount programs and offer a different price or quality of product or service if a consumer opts out of targeted advertising.
Limitations and Enforcement
The UCPA contains significant substantive exemptions that mirror those under Virginia and Colorado law, including that nothing in the law will restrict, among other things, a controller's or processor's ability to comply with law or legal process; provide a product or service requested by the consumer; perform a contract with the consumer; repair technical errors or protect security; conduct internal analytics or other research to develop, improve, or repair a product, service or technology; or perform an internal operation that is reasonably aligned with consumer expectations or compatible with processing to provide a product or service.
The Utah Division of Consumer Protection may investigate consumer complaints under the UCPA and refer complaints to the attorney general. The attorney general holds exclusive enforcement authority and must provide entities with written notice of an alleged violation and a 30-day opportunity to cure. The attorney general may bring an action for uncured violations and recover actual damages to the consumer and $7,500 per violation in civil penalties. There is no private right of action, and the law expressly preempts state and local privacy laws.
The attorney general and the Division of Consumer Protection must report on the effectiveness of the enforcement provisions and the data protected and not protected by the law, but do not have explicit rulemaking authority.
Differences From Other State Privacy Laws
Longtime readers will recognize the close kinship between the UCPA and Virginia's and Colorado's privacy laws. While we noted at the outset that the UCPA most closely resembles the VCDPA, there are subtle differences between them. These differences include:
- $25 million threshold: Whereas the UCPA applies only to entities that have annual revenues of $25 million or more (and that meet another threshold requirement), the VCDPA does not contain a revenue-based requirement. California's law establishes $25 million in annual revenues as one possible threshold, not as a requirement for all entities.
- Narrow right to delete: Unlike the VCDPA (but like the CCPA), the UCPA limits a consumer's right to delete personal data to any data that the consumer has provided to the controller.
- Exception to sale: The UCPA includes an additional exception to "sale": a sale does not occur if the disclosure to a third party is for a purpose consistent with a consumer's reasonable expectations given the context.
- No right to appeal: Unlike the VCDPA, the UCPA does not give consumers the right to appeal denials of requests to exercise their rights.
- No requirement to conduct data protection assessments: Also unlike the VCDPA, the UCPA does not require controllers to conduct data protection assessments of certain processing activities.
- Opt out of profiling: The UCPA does not contain a concept of "profiling" and therefore, unlike the VCDPA, does not give consumers a right to opt out of profiling.
- Sensitive data: While the VCDPA and Colorado require that consumers affirmatively opt in to the processing of their sensitive data, the UCPA contains a CCPA-like requirement that controllers present a consumer with notice and an opportunity to opt out prior to processing their sensitive data or, with respect to children's data, comply with COPPA. In addition, as noted above, the UCPA includes a significant carve-out for personal data processed by a "video communication service" (undefined) and certain health care workers.
Businesses subject to the UCPA will generally find that their compliance efforts for other state privacy laws offer a significant foundation for UCPA implementation as they build for its December 31, 2023, effective date.