The Utah Consumer Privacy Act (UCPA) is on the verge of becoming law after recently passing both chambers of the Utah legislature with no dissenting votes. Unless Utah’s governor vetoes the bill, Utah will become the fourth state in the nation with a comprehensive consumer privacy law, following the California Consumer Privacy Act of 2018 (CCPA) and California Privacy Rights Act (CPRA) in California, the Virginia Consumer Data Protection Act (CDPA), and the Colorado Privacy Act (CPA).
The good news for businesses is that the UCPA is a somewhat less onerous version of the CPDA and CPA with a business-friendly approach that is in line with the state’s prominent display of the word “industry” on its state flag. The UCPA’s core requirements are aligned with the CDPA and CPA (with some helpful paring back) and importantly do not introduce any new or additional requirements as compared to those laws.
This post summarizes several key takeaways from the UCPA.
Application and scope is aligned with the Virginia and Colorado statutes.
The UCPA applies to controllers and processors that:
(a) conduct business in Utah or otherwise produce products or services targeted at Utah residents,
(b) have annual revenue of $25,000,000 or more, and
(c) either (i) in a calendar year controls or processes personal data of 100,000 or more Utah residents or (ii) control or process personal data of 25,000 or more Utah residents and derive over 50% of gross revenue from the sale of Utah residents’ personal data.
The law also includes broad entity-level exceptions for financial institutions subject to Title V of the Gramm-Leach-Bliley Act, covered entities and business associates governed by HIPAA, nonprofit organizations, and institutions of higher education.
Like the CDPA and CPA, the UCPA also personal data as “information that is linked or reasonably linkable to an identified individual or an identifiable individual,” with similar exclusions for deidentified and publicly-available information.
UCPA requirements for consumer rights, notices, and processor contracts are aligned to, but somewhat less onerous than, the Virginia and Colorado statutes.
The UCPA provides Utah residents (1) rights to access, amend, or delete personal data, (2) a data portability right, and (3) opt-out rights for targeted advertising and sales of personal data. The law notably does not include the rights to correction or to opt out of “profiling” included in the Virginia and Colorado laws, which allows residents of those states to opt-out out of certain automated processing performed on personal data to evaluate, analyze, or predict personal aspects related to the consumer. The Utah statute also provides more bases for charging fees for responses for requests than the CDPA or the CPA.
The UCPA’s consumer notice requirements generally track those of Virginia and Colorado. Controllers are required to make disclosures about the categories of personal data processed and disclosed to third parties, personal data processing purposes, how consumers can exercise their rights, including clear and conspicuous opt-outs for sales and targeted advertising processing, and the categories of third parties who receive personal data. But the UCPA only requires an opt-out for sensitive data processing, unlike the Virginia and Colorado laws, which require opt-in consent for such processing.
Like the Virginia and Colorado laws, the UCPA also requires that processor contracts contain GDPR-style processing details, and provide that the processor will ensure each person processing personal data is subject to a duty of confidentiality and flow the same written contractual obligations regarding personal data down to its subcontractors.
But unlike the Virginia and Colorado statutes, processors need not agree to return and delete all personal data, provide information requested by controllers to demonstrate the processor’s legal compliance, or allow for and cooperate with assessments by controllers.
The UCPA does not require data protection assessments.
The UCPA does not require data protection assessments for any personal data processing activities. That is a noticeable deviation from Virginia and Colorado, which require data protection assessments for various activities such as targeted advertising, personal data sales, sensitive data processing, and processing that presents a heightened risk of harm to consumers.
The UCPA tracks Virginia’s narrow definition of “sales” of personal data.
The UCPA and CDPA both define “sales” as “the exchange of personal data for monetary consideration by a controller to a third party.” That’s in contrast to the Colorado and California laws, which also include exchanges for “other valuable consideration” within the definition of “sale.”
A unique UCPA feature is an enforcement process requiring review by two separate regulators, with no private right of action.
The UCPA requires the Utah Department of Commerce’s Division of Consumer Protection to create a process through which it will receive and investigate complaints about violations of the law. If that division has “reasonable cause to believe that substantial evidence exists” of a UCPA violation, it must refer the matter to the Utah Attorney General, who has exclusive enforcement authority. The Attorney General may initiate an enforcement action based on the referral.
Any enforcement by the Utah Attorney General, however, is still subject to a 30-day notice-and-cure period. If a controller or processor does not cure the violation or continues to violate the UCPA following the cure period, the Utah attorney general can pursue an enforcement action for actual damages and statutory damages up to $7,500.
The statute also expressly provides that it does not create a private right of action.
Effective on December 31, 2023.
Organizations will have a little over a year and a half to address the requirements of the UCPA, which becomes effective on December 31, 2023.
***
While somewhat less onerous and more business-friendly than other general state privacy laws, the UCPA nonetheless represents another entry in the rapidly-expanding patchwork of US privacy legal requirements for companies and their lawyers to address.
