Following in the footsteps of California, Virginia and Colorado, Utah has become the fourth state to pass its own comprehensive privacy law. On March 24, 2022, Utah Governor Spencer Cox signed the Utah Consumer Privacy Act (“UCPA”) into law. Of all its predecessors, the UCPA most closely follows the requirements of the Virginia Consumer Data Protection Act (“VCDPA”). The UCPA will come into effect on December 31, 2023.
The UCPA protects consumers’ “personal data”, defined as information that is linked or reasonably linkable to an identified individual or an identifiable individual. The UCPA defines “consumer” as a Utah resident acting in an individual or household context and explicitly excludes individuals acting in an employment or commercial context, mirroring the approach of the VCDPA and the Colorado Privacy Act (“CPA”).
The UCPA applies to entities that (a) conduct business in Utah or produce a product or service targeted to Utah residents; (b) have annual revenues of $25 million or more; and (c) meet one or more of the following thresholds: (i) control or process the personal data of 100,000 or more consumers, or (ii) derive more than 50% of the entity’s gross revenue from the sale of personal data and control or process the personal data of 25,000 or more consumers. Note that, unlike its predecessors, the UCPA requires both the revenue threshold in (b) and one of the data thresholds in (c) to be met.
The UCPA provides exemptions for several types of entities, such as government entities, nonprofit corporations, tribes, institutions of higher education, covered entities and business associates governed by the Health Insurance Portability and Accountability Act (“HIPAA”), and air carriers. Additionally, it exempts information governed by federal laws such as HIPAA, the Fair Credit Reporting Act (“FCRA”), the Gramm-Leach-Bliley Act (“GLBA”), the Driver’s Privacy Protection Act, and the Family Educational Rights and Privacy Act (“FERPA”).
Controllers and processors
Like the VCDPA and the CPA, the UCPA distinguishes between data controllers (i.e., the entity that determines the purposes and means by which personal data is processed) and processors (i.e., the entity that processes personal data on behalf of a controller). Controllers bear most responsibilities under the UCPA, such as responding to requests from consumers exercising their rights under the UCPA and providing consumers with a reasonably accessible and clear privacy notice that discloses the controller’s privacy practices. Unlike the VCDPA and the CPA, the UCPA does not require controllers to conduct data protection assessments.
Processors have a direct obligation to comply with the controller’s instructions on the processing of personal data and to assist the controller in fulfilling its obligations, including obligations related to the security of the processing of personal data and the notification of a breach of system security under the Utah Protection of Personal Information Act.
Like the VCDPA and the CPA, before a processor carries out any processing on behalf of a controller, the controller and the processor must enter into a contract that clearly: (a) sets out the instructions for processing personal data, the nature and purpose of the processing, the type of data being processed, the duration of the processing, and the rights and obligations of the parties; (b) requires the processor to ensure that each person processing personal data is subject to a duty of confidentiality with respect to the personal data; and (c) requires the processor to engage any subcontractor under a written contract that imposes on the subcontractor the same obligations the processor has with respect to the personal data. However, unlike the VCDPA and the CPA, the UCPA does not require processor contracts to include provisions requiring the processor to allow or assist with reasonable audits, or to make available to the controller the information necessary to demonstrate compliance with the UCPA. Processor contracts also do not need to require the processor to delete or return all personal data to the controller at the end of the provision of services.
The UCPA provides the now-standard consumer rights: the rights to access and delete personal data, the right to data portability, and the right to opt out of the processing of personal data for the purpose of targeted advertising and of the sale of personal data. “Sale” under the UCPA is defined as the exchange of personal data for monetary consideration by a controller to a third party. This is much narrower than the expanded definitions of “sale” under the California Consumer Privacy Act, as amended by the California Privacy Rights Act (“CCPA”), and the CPA, both of which also cover exchanges for other valuable consideration. Additionally, the UCPA does not require controllers to recognize global opt-out signals.
Similar to the VCDPA and the CPA, the UCPA requires controllers to respond to a consumer request within 45 days of receiving the request, which may be extended once by an additional 45 days (for a total of 90 days), provided that the extension is reasonably necessary and the controller informs the consumer of the extension, including its duration and the reasons for it. Controllers are not obligated to comply with a consumer request if they cannot authenticate the request using commercially reasonable efforts.
Sensitive data; Consent
Unlike the VCDPA and the CPA, which require opt-in consent for the processing of sensitive personal data, the UCPA only requires controllers to give consumers clear notice and an opportunity to opt out of the processing of sensitive data. Under the UCPA, “sensitive data” is defined as personal data that reveals an individual’s racial or ethnic origin, religious beliefs, sexual orientation, or citizenship or immigration status; information regarding an individual’s medical history, mental or physical health condition, or medical treatment or diagnosis by a health care professional; specific geolocation data; and genetic personal data or biometric data if the processing is for the purpose of identifying a specific individual. The only opt-in consent the UCPA requires is verifiable parental consent, consistent with the Children’s Online Privacy Protection Act, for processing the personal data of children under 13.
Unlike the CCPA and the CPA, the UCPA’s definition of consent does not specifically exclude agreement obtained through dark patterns, i.e., user interfaces designed or manipulated with the substantial effect of subverting or impairing user autonomy, decision-making, or choice.
Unlike the CCPA, the UCPA does not provide a private right of action, and it explicitly prohibits consumers from using a violation of the UCPA to support a claim under other Utah statutes, such as statutes regarding unfair or deceptive acts or practices, which has been a favorite tactic of plaintiffs’ counsel. Instead, the UCPA designates the Division of Consumer Protection (“Division”) to receive consumer complaints regarding an alleged violation of the UCPA by a controller or processor, and the Division has the power to investigate the complaint. If the Division Director has reasonable cause to believe that substantial evidence exists that a controller or processor is violating the UCPA, the Director may refer the matter to the Utah Attorney General, who has exclusive authority to enforce the UCPA. This two-step enforcement process is unique among the comprehensive state privacy laws passed to date. The Division must also provide consultation and assistance to the Attorney General in enforcing the UCPA. The UCPA provides for a cure period of 30 days before the Attorney General may initiate an enforcement action.
Key points to remember
At least 24 states introduced or reintroduced comprehensive privacy legislation during their 2022 sessions. Businesses should expect continued efforts to pass such laws and should continue to closely monitor developments at the state level. Unless and until the federal government passes preemptive legislation, the complex patchwork of state privacy and data security laws will continue to expand and create compliance challenges for domestic businesses.
To develop a data privacy and security compliance program that is flexible and able to evolve with the ever-changing legal landscape, companies should invest in robust data inventories that document the types of personal data the company collects and processes, where the data is stored, the business purposes for the collection, and with whom the data is shared. Such an inventory enables the design and implementation of effective and scalable processes to respond to consumer rights requests, helps prioritize the deployment of safeguards to protect data, and supports accurate and comprehensive consumer notices that comply with the myriad of applicable requirements. Companies should also limit the personal data they collect, use or disclose to the minimum necessary to fulfill the intended purpose of the collection, use or disclosure. Additionally, companies should document their compliance efforts and maintain reasonable security procedures and practices to protect the data they collect and process.