State Privacy Law Update

King & Spalding

Utah is the latest state to enact a comprehensive privacy law after the governor signed the Utah Consumer Privacy Act (“UCPA”) on March 24 of this year. UCPA goes into effect on December 31, 2023. California, Virginia, and Colorado have passed similar laws in the past few years, with the California Consumer Privacy Act (CCPA) already in effect.

UCPA’s core requirements are similar to those in the other state privacy laws, including a requirement to publish a privacy policy and provide certain data subject rights to individuals whose information is collected by an entity that is subject to the law. As with the laws in Colorado and Virginia, UCPA excludes a private right of action. Instead, UCPA is enforced by Utah’s Attorney General with fines up to $7,500 per violation, provided the offending entity has not cured the violation within 30 days of receiving the Attorney General’s written notice. Consumer rights, such as the right to opt out of targeted advertising and sale of personal data, are substantially similar across UCPA and the laws in Colorado and Virginia.

The UCPA’s scope is the narrowest of the state privacy laws. UCPA applies to any for-profit entity that (i) conducts business in Utah or targets residents of Utah, (ii) has annual revenue of $25 million or more, and (iii) either (a) annually controls/processes personal data of 100,000 or more consumers or (b) derives over 50% of its gross revenue from the sale of personal data and controls or processes personal data of 25,000 or more consumers. This scope is narrower than the scope of the CCPA and the Colorado Privacy Act (CPA), which are applicable to entities that meet a revenue threshold regardless of information collection. UCPA’s scope is also narrower than the scope of the Virginia Consumer Data Privacy Act (VCDPA), which applies to entities that control or process a certain amount of personal data regardless of revenue.

Among UCPA’s notable requirements, an entity must provide the consumer with clear notice and an opportunity to opt out of processing of geolocation data or sensitive data more generally. By way of comparison, the laws in Colorado and Virginia require an opt-in consent prior to the processing of sensitive data.

Unlike the laws in Colorado and Virginia, UCPA does not require data protection assessments. Where such assessments are required under the Colorado and Virginia laws, entities must evaluate and document the costs and benefits of some activities, such as targeted advertising or processing sensitive data. Additionally, UCPA does not direct entities to inform consumers of a means to appeal consumer access requests.

One additional notable feature of UCPA is the definition of data “sale,” which is defined as “the exchange of personal data for monetary consideration by a controller to a third party.” This definition offers welcome clarity compared to the CCPA’s definition of a sale, which includes the exchange of personal information for “monetary or other valuable consideration.”

As nearly every state has or is actively considering a comprehensive privacy bill, the latest development in Utah represents a less aggressive model for comprehensive privacy requirements, which noticeably omits a private right of action. While a handful of states, for example New York, Pennsylvania, and Massachusetts, are considering bills with a private right of action, this provision continues to be the most notable sticking point in the legislative process.

As stated above, UCPA is not effective until December 31, 2023. UCPA does not provide for or require any implementing regulations. Likewise, the VCDPA does not require regulations before its effective date of January 1, 2023. Comparatively, the Colorado Attorney General is already seeking informal comment on the CPA, which will go into effect on July 1, 2023.

Relatedly, the California Privacy Protection Agency, which is responsible for promulgating regulations for the California Privacy Rights Act (CPRA), the law amending the CCPA, recently convened pre-rulemaking informational sessions but anticipates final CPRA regulations in the third or fourth quarter of 2022.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© King & Spalding | Attorney Advertising
