Utah Next in Line, Enacts Comprehensive Privacy Law
March 25, 2022
On March 24, 2022, Utah Governor Spencer Cox signed the Utah Consumer Privacy Act (“UCPA”), which previously flew through the Utah House of Representatives and Senate, unanimously passing in both chambers. In enacting the UCPA, Utah joins Colorado, Virginia, and California on the list of states to have enacted comprehensive privacy laws. The UCPA will take effect on December 31, 2023, rounding out a notable year in privacy, with the Colorado Privacy Act (“ColoPA”) taking effect on July 1, 2023 and both the Virginia Consumer Data Protection Act (“VA CDPA”) and the California Privacy Rights Act (“CPRA”) taking effect on January 1, 2023. The UCPA is substantially similar to these laws, as well as to existing comprehensive privacy laws, such as the California Consumer Privacy Act of 2018 (“CCPA”) and the EU’s General Data Protection Regulation (“GDPR”). Below is a summary of the key provisions of the UCPA.
The UCPA applies to entities that conduct business or produce products or services that are targeted to Utah residents, have annual revenue of at least $25,000,000, and meet one or both of the following thresholds:
- controls or processes personal data of 100,000 or more consumers per calendar year; or
- derives over 50% of the entity’s gross revenue from the sale of personal data and controls or processes the personal data of at least 25,000 consumers.
The UCPA’s applicability thresholds are essentially a combination of those in the CCPA, the VA CDPA, and ColoPA. Of note, the UCPA does not apply to, among others, (i) personal data governed by certain state and federal laws, such as HIPAA; (ii) governmental entities or third parties acting on their behalf; (iii) personal data maintained for employment records; (iv) financial institutions governed by the Gramm-Leach-Bliley Act (“GLBA”); (v) covered entities or business associates subject to HIPAA and HITECH; (vi) non-profit organizations; and (vii) institutions of higher education. Additionally, like the VA CDPA and ColoPA, the UCPA expressly does not restrict a business’s ability to comply with law, provide a product or service specifically requested by a consumer, perform a contract to which the consumer is a party, or take steps at the request of the consumer prior to entering into a contract.
The UCPA defines “consumer” to mean a natural person who is a Utah resident acting only in an individual or household context in providing personal data, which is analogous to the VA CDPA’s and ColoPA’s definition of consumer. The UCPA’s definition of consumer specifically excludes an individual acting in a commercial or employment context.
Under the UCPA, “personal data” means any information that is linked or reasonably linkable to an identified or identifiable natural person and does not include de-identified data, aggregated data, or publicly available information. Like the GDPR, the CPRA, the VA CDPA, and ColoPA, the UCPA also recognizes a special category of personal data known as “sensitive data”, which it defines as (i) personal data revealing racial or ethnic origin, religious beliefs, sexual orientation, citizenship or immigration status, or information regarding medical history, mental or physical health condition, or medical treatment or diagnosis; (ii) genetic or biometric data processed for the purpose of uniquely identifying a natural person; or (iii) specific geolocation data.
The UCPA narrowly defines “sale” to mean the exchange of personal data for monetary consideration by the controller to a third party, which is the same as the VA CDPA’s definition, but more narrow than the CCPA’s and ColoPA’s definitions of sale. Additionally, under the UCPA, there are broad exceptions to the definition of “sale,” such as disclosure of personal data to a processor who processes the personal data on behalf of a controller, to a third party for the purpose of providing a product or service requested by a consumer, and to a third party consistent with a consumer’s reasonable expectations.
The UCPA is similar to the GDPR, the VA CDPA, and ColoPA in that it divvies up compliance obligations between two main roles: the controller and the processor. The controller is someone doing business in Utah who determines the purposes and means for processing of personal data. On the other hand, the processor is someone who processes personal data on behalf of the controller.
Under the UCPA, controllers must provide consumers with a reasonably accessible and clear privacy notice that must include, among other things, the categories of personal data processed, the purposes for processing that data, how consumers can exercise their rights, the categories of personal data shared with third parties, and the categories of third parties with whom the controller shares that data. Additionally, if the controller sells personal data or engages in targeted advertising, it must clearly and conspicuously disclose how a consumer can opt out of such sale or processing for targeted advertising. Of note, unlike the VA CDPA and ColoPA, the UCPA does not require controllers to perform any data protection assessment of any processing activities.
The UCPA requires processing by a processor to be governed by a contract between the controller and processor setting forth, among other things, the processing instructions for the processor, the nature and purpose of the processing, the type of data subject to processing, confidentiality obligations, and subcontracting requirements.
Consumer Rights and Requests
Like the comprehensive privacy laws that precede it, the UCPA grants consumers certain rights with respect to their personal data. However, the rights under the UCPA do not include the right to correct inaccuracies in their personal data. The consumer rights under the UCPA include the right for consumers to request to (1) opt out of certain types of processing; (2) access their personal data; (3) delete their personal data; and (4) obtain a copy of their personal data in a portable format. The UCPA’s opt-out rights are similar to those in the VA CDPA and ColoPA and allow consumers to opt out of processing of their personal data for purposes of targeted advertising and the sale of personal data. Unlike the CCPA, there is no required method for making consumer requests under the UCPA; rather, the controller has discretion to prescribe the request method. “Targeted advertising” is defined in the UCPA as advertising to a consumer based on personal data obtained from the consumer’s activities across non-affiliated websites or online applications to predict the consumer’s preferences or interests. Targeted advertising does not include, among other things, advertisements based on activities within a controller’s own website or processing personal data solely for measuring or reporting advertising performance, reach, or frequency.
A controller has 45 days to respond to a consumer request, which may be extended once by an additional 45 days when reasonably necessary. Unlike the VA CDPA and ColoPA, the UCPA does not mandate an appeals process for denial of a consumer’s request. Also unlike the VA CDPA and ColoPA, the UCPA broadens the ability for a controller to charge a reasonable fee for consumers making requests, including the ability to charge such a fee if the controller reasonably believes the primary purpose of submitting the request was something other than exercising a right or if the request disrupts or imposes undue burden on the controller’s resources.
Enforcement and Penalties
The Utah Attorney General has exclusive authority to enforce the UCPA. Importantly for businesses, there is no private right of action under the UCPA. Upon receipt of a notice of a violation under the UCPA from the Attorney General, a controller or processor has 30 days to fix the violation. If it does not, the Utah Attorney General may recover actual damages and fines of up to $7,500.00 per violation.
Although its passage was quick, the UCPA’s passage was not a surprise. The UCPA is part of a recent wave of state privacy legislation that is not expected to slow down unless a federal law is enacted to supersede state laws. Businesses that may be subject to the UCPA should review the UCPA and make a plan for compliance, including evaluating options to consolidate compliance efforts among the various comprehensive privacy laws that may apply, such as the CCPA, the CPRA, the GDPR, the VA CDPA, and ColoPA.
If you would like assistance with, or have any questions about, complying with the UCPA and other data privacy laws, or need assistance reviewing your data privacy practices, please contact one of our Cybersecurity & Data Privacy attorneys.