Utah is on the verge of enacting the Utah Consumer Privacy Act (UCPA), thereby becoming (perhaps surprisingly) the fourth state to enact a comprehensive consumer privacy law. Modeled somewhat after Virginia’s Consumer Data Privacy Act (VaCDPA), but having more exceptions and a “slimmer” scope than the Virginia law, UCPA is more business friendly than its predecessor state consumer privacy laws. If signed by the governor, UCPA will become effective on December 31, 2023. 

In brief, the law will grant consumers – defined as Utah residents, with some exceptions – rights of data access, portability, notice/opt-out, and deletion, but does not grant the right to correction of data. The legislation provides a 45-day response period for consumer data requests – with the right of one extension - and a 30-day cure period for violations. It also lacks a private right of action. In addition, UCPA codifies mandatory data security and data processing requirements when contracting with other parties. Here is a brief snapshot of some UCPA highlights:

-- Same threshold as Virginia, no employment or B2B data, and a host of exceptions to its scope.

UCPA shares the same thresholds as VaCDPA. It applies to any controller or processor (a) who conducts business in the state or (b) who produces a product or service that:

• is targeted to Utah residents,
• has annual revenue of $25,000,000 or more, and
• either: (i) during a calendar year, controls or processes personal data of 100,000 or more consumers, or (ii) derives over 50% of the entity’s gross revenue from the sale of personal data and controls or processes personal data of 25,000 or more consumers.

UCA § 13-61-102(1).

Like VaCDPA and Colorado Privacy Act,  UCPA exempts personal data generated within the employment and business-to-business contexts. The Act expressly does not apply to personal data “processed or maintained … in the course of an individual applying to, being employed by, or acting as an agent or independent contractor of a controller, processor, or third party, to the extent the collection and use of the data are related to the individual’s role.” UCA § 13-61-102(2)(o)(i). The definition for consumer also excludes “an individual acting in an employment or commercial context.” Id. at § 13-61-101(10)(b).

UCPA broadly defines “personal data” as “information that is linked or reasonably linked to an identified or identifiable individual.” UCA § 13-61-101(24)(b). It defines “identifiable individual” as “an individual who can be readily identified, directly or indirectly.”  Id. at § 13-61-101(20). “Personal data” does not include deidentified or aggregate data, but does include pseudonymous data. Id. at §§ 13-61-101(24)(b), (28).

Also, like CCPA and the VaCDPA, but unlike the Colorado Privacy Act, UCPA does not apply to non-profits. UCA § 13-61-102(2). However, UCPA also does not apply to a host of other organizations, including institutions of higher education, governmental entities or their contractors, tribal nations, covered entities and business associates under HIPAA, financial institutions or their affiliates governed by GLBA, consumer reporting agencies acting pursuant to FCRA, or to organizations or data governed by FERPA. Id.

-- No private right of action, a 30-day cure period, and statutory penalties.

There is no private right of action. UCA § 13-61-305. Instead, UCPA vests the Utah Office of Attorney General (OAG) with exclusive enforcement rights. Id. at §§ 13-61-401, 402.

Penalties per violation include the actual damages to the consumer and an amount up to $7,500 for each violation, which includes:  (i) the failure to cure a violation after receiving written notice from the attorney general prior to the attorney general’s initiation of an enforcement action, and (ii) the continued violation of chapter 402 after curing a noticed violation and providing a written statement.  UCA § 13-61-402(3). The statute has a 30-day cure period. Id.

-- Grants consumer rights of data access, portability, and deletion; grants the right to opt-out of the sale of personal data, but has a narrower definition of sale; no right to correction.

UCPA defines a “controller” as a person doing business in Utah who “determines the purposes for which and the means by which personal data is processed, regardless of whether the person makes the determination alone or with others.” UCA § 13-61-101(12). It defines a “processor” as an organization “who processes personal data on behalf of a controller.” Id. at § 13-61-101(26). Like under GDPR and other privacy regimes, “processing” means “an operation or set of operations performed on personal data, including collection, use, storage, disclosure, analysis, deletion, or modification of personal data.” Id. at § 13-61-101(25). Determining whether a person is acting as a controller or processor with respect to a specific processing of data “is a fact-based determination” that depends upon the context in which personal data is processed. Id. at § 13-61-301(3).

 The Act grants consumers the right of data access, portability, and deletion. UCA § 13-61-201(1)-(3). There is no right of correction.  Organizations have 45 days to respond to a consumer request, with one available extension for another 45 days. Id. at § 13-61-203(2). A controller has no obligation to reidentify deidentified data or pseudonymous data in order to respond to a request. Id. at § 13-61-303(1). Nor do the rights apply to pseudonymous data if a controller demonstrates that any information necessary to identify a consumer is kept separately and is subject to “appropriate technical and organizational measures” to ensure the personal data are not attributed to an individual. Id. at § 13-61-303(2).

The Act grants the right to opt-out of the processing of their personal data for purposes of targeted advertising or sale. Id. at § 13-61-201(4). The term “sale,” however, is defined more narrowly than in other privacy regimes. The term is defined as “the exchange of personal data for monetary consideration by a controller to a third party.” Id. at § 13-61-101(31)(a). The definition expressly excepts the following from the meaning a controller’s disclosure of personal data to an affiliate, disclosures that are consistent with the consumer’s reasonable expectation, or disclosure to a processor who processes the data on behalf of the controller’s behalf. Id. at § 13-61-101(31)(b). It also excludes disclosures directed by the consumer, performed to provide a product or service to the consumer, or made as part of a proposed or actual merger, an acquisition, or assumption of assets in bankruptcy. Id.

-- Nonwaivable rights of transparency, data security, and non-discrimination.

Transparency. Controllers must post privacy notices that are “reasonably accessible and clear,” and disclose

• the categories of personal data processed by the controller;
• the purposes for which the categories of personal data are processed;
• how consumers may exercise a right;
• the categories of personal data that the controller shares with third parties, if any; and
• the categories of third parties, if any, with whom the controller shares personal data.

UCA § 13-61-302(1)(a). If the controller “sells” personal data to a third party or engages in targeted advertising, the controller must “clearly and conspicuously” disclose how the consumer may exercise the right to opt out. Id. at § 13-61-302(1)(b). In general, a controller may not process “sensitive data collected from a consumer without:

• first presenting the consumer with clear notice and an opportunity to opt out of the processing; or
• for personal data of a known child, processing the data in accordance with the federal Children's Online Privacy Protection Act.

Id. at § 13-61-302(3).

Data security. Controllers must “establish, implement, and maintain reasonable administrative, technical, and physical data security practices” that are designed to (i) protect the confidentiality and integrity of personal data; and (ii) reduce reasonably foreseeable risks of harm to consumers relating to the processing of personal data. UCA § 13-61-302(2)(a). The nature of the data security program is flexible in that it should reflect the “controller’s business size, scope, and type,” as well as “the volume and nature of the personal data at issue.” Id. at § 13-61-302(2)(b).

Non-Discrimination. A controller also may not discriminate against a consumer for exercising his or her rights. UCA § 13-61-302(4).

-- Adherence to instructions, data security and cooperation, required data processing agreements.

Instructions. Under the Act, a processor must comply with the controller’s processing instructions.  UCA § 13-61-301(1)(a).

Data security. In addition, “taking into account the nature of the processing and information available to the processor,” and through the implementation and maintenance of “appropriate technical and organizational measures” that are “reasonably practicable,” processors are required to assist the controller in meeting its privacy obligations, including those relating to data security and data breach notification requirements, if implicated. UCA § 13-61-301(1)(b).  

Data processing agreements. Before a processor processes personal data on the controller’s behalf, the parties must execute a data processing agreement that:

• clearly sets forth instructions for processing personal data, the nature and purpose of the processing, the type of data subject to processing, the duration of the processing, and the parties' rights and obligations;
• requires the processor to ensure each person processing personal data is subject to a duty of confidentiality with respect to the personal data; and
• requires the processor to engage any subcontractor pursuant to a written contract that requires the subcontractor to meet the same obligations as the processor with respect to the personal data.

UCA § 13-61-301(2).