On March 24, Gov. Spencer Cox, R-Utah, signed the Utah Consumer Privacy Act into law, making Utah the fourth state to enact comprehensive consumer privacy legislation. The law goes into effect Dec. 31, 2023.
The UCPA is both similar to and different from the consumer privacy laws of California, Virginia and Colorado. Namely, it draws heavily from the Virginia Consumer Data Protection Act and several of its VCDPA-like components are also contained in the Colorado Privacy Act. At first glance, certain aspects of the law bear resemblance to the California Consumer Privacy Act. In practice, however, the substance of the UCPA takes a lighter, more business-friendly approach to consumer privacy than all three of its predecessors.
Closely resembling the scope of the VCDPA, the UCPA “applies to any controller or processor who:
- conducts business in the state or produces a product or service that is targeted to consumers who are residents of the state;
- has annual revenue of $25,000,000 or more; and
- satisfies one or more of the following thresholds:
- during a calendar year, controls or processes personal data of 100,000 or more consumers; or
- derives over 50% of the entity’s gross revenue from the sale of personal data and controls or processes personal data of 25,000 or more consumers.”
But unlike the VCDPA, which lacks an annual revenue threshold, only entities making $25 million or more in annual revenue that also satisfy at least one of the additional thresholds listed above will be subject to the UCPA. By including multiple threshold requirements, the scope of the UCPA is narrower compared to other state privacy laws on the books. The annual revenue threshold requirement means smaller entities, even if they satisfy the other thresholds, will not be subject to the UCPA. Likewise, larger entities that meet the annual revenue threshold will not fall under the law unless they also meet an additional threshold.
Some key definitions also factor into determining the scope of the law. Under the UCPA, a “consumer” is defined as “an individual who is a resident of the state acting in an individual or household context.” However, like the VCDPA and CPA, the UCPA explicitly excludes individuals “acting in an employment or commercial context.” Therefore, entities need not include the personal data of such individuals when considering whether they fall within the law’s scope.
The UCPA contains a VCDPA-like definition of “sale,” which is defined as “the exchange of personal data for monetary consideration by a controller to a third party.” Instead of drawing from the CCPA and CPA — where personal data exchanged for “monetary or other valuable consideration” constitutes a sale — an exchange of personal data under the UCPA will qualify as a sale only if the consideration is monetary. The law explicitly excludes certain types of disclosures from the definition of sale, most of which are almost identical to the exclusions contained in the VCDPA and CPA. For example, disclosures to processors and a controller’s affiliate are excluded, as are disclosures to a third party to provide a product or service requested by the consumer. However, the UCPA’s definition of sale also explicitly excludes “a controller’s disclosure of personal data to a third party if the purpose is consistent with a consumer’s reasonable expectations.”
Like the VCDPA and CPA, the UCPA explicitly excludes deidentified data and publicly available information from its definition of “personal data.” But the UCPA goes further by also excluding “aggregated data,” which is defined as “information that relates to a group or category of consumers: (a) from which individual consumer identities have been removed; and (b) that is not linked or reasonably linkable to any consumer.”
The key takeaway is that the UCPA’s scope is narrower than the CCPA, VCDPA and CPA: It applies to a smaller set of entities and more categories of data fall outside the law’s reach.
In addition to its relatively narrow scope, the UCPA also contains broad exemptions. As with the VCDPA and CPA, the UCPA includes both entity- and data-level exemptions.
Controllers and processors that fall under an entity-level exemption need not comply with the UCPA, even if the personal data would otherwise fall within the scope of the law. Notably, the UCPA exempts institutions of higher education and nonprofits, as well as covered entities and business associates pursuant to the Health Insurance Portability and Accountability Act and financial institutions governed by the Gramm-Leach-Bliley Act. Government entities and contractors are also exempt from the law, as are tribes and air carriers.
As for the data-level exemptions, the UCPA does not apply to information subject to HIPAA, GLBA, the Fair Credit Reporting Act, the Driver’s Privacy Protection Act, the Family Educational Rights and Privacy Act, and the Farm Credit Act. Data processed or maintained in the course of employment, including job applicant data, is also exempt.
Consumers are provided four main rights under the UCPA.
Right to access. Consumers have “the right to:
- confirm whether a controller is processing the consumer’s personal data; and
- access the consumer’s personal data.”
Right to delete. Consumers have “the right to delete the consumer’s personal data that the consumer provided to the controller.” Importantly, the UCPA does not afford consumers the right to delete all personal data that a controller has about them. Under the UCPA, a consumer only has the right to delete the personal data they provided to the controller.
Right to data portability. Consumers have “the right to obtain a copy of the consumer’s personal data, that the consumer previously provided to the controller, in a format that:
- to the extent technically feasible, is portable;
- to the extent practicable, is readily usable; and
- allows the consumer to transmit the data to another controller without impediment, where the processing is carried out by automated means.”
Right to opt out of certain processing. Consumers have “the right to opt out of the processing of the consumer’s personal data for the purposes of targeted advertising; or the sale of personal data.”
Unlike the VCDPA and CPA, the right to opt out of profiling is absent from the UCPA. And unlike the CPA, controllers subject to the UCPA are not required to recognize universal opt-out signals as a method for consumers to exercise their opt-out rights.
Notably absent from the UCPA is the right to correct. Unlike its counterparts in California, Virginia and Colorado, the law does not grant Utah consumers the right to correct inaccuracies in their personal data.
To exercise any of the above rights, the UCPA, like the VCDPA and CPA, states that controllers are to specify the means for consumers to submit a request. Unlike the VCDPA and CPA, however, the law has no additional requirements for controllers to consider when prescribing these means, such as reliability or taking into account the ways in which consumers normally interact with the controller.
Transparency. Like most consumer privacy laws, the UCPA requires a controller to provide consumers with a “reasonably accessible and clear privacy notice.” Privacy notices must include:
- The categories of personal data processed by the controller.
- The purposes for processing the data.
- How consumers may exercise their rights.
- The categories of personal data the controller shares with third parties, if any.
- The categories of third parties, if any, with whom the controller shares personal data.
If personal data is sold to a third party or used for targeted advertising, the controller must “clearly and conspicuously disclose” the means for consumers to exercise their opt-out rights.
Consent to process children’s personal data. Controllers processing the personal data of consumers known to be under the age of 13 are required to obtain verifiable parental consent and process such data in accordance with the Children’s Online Privacy Protection Act.
Under the UCPA, processing children’s data is the only activity that requires affirmative consent. Unlike the VCDPA and CPA, the UCPA does not require consent to process a consumer’s sensitive data. The law merely requires controllers to provide consumers “clear notice and an opportunity to opt out” before processing their sensitive data.
Security. As with the CCPA, VCDPA and CPA, controllers must “establish, implement, and maintain reasonable administrative, technical, and physical data security practices designed to protect the confidentiality and integrity of personal data.”
Nondiscrimination. Controllers are prohibited from “discriminat(ing) against a consumer for exercising a right by:
- denying a good or service to the consumer;
- charging the consumer a different price or rate for a good or service; or
- providing the consumer a different level of quality of a good or service.”
Controllers may, however, offer “a different price, rate, level, quality, or selection of a good or service to a consumer” if the consumer opted out of targeted advertising or if the offer relates to the consumer’s voluntary participation in a bona fide loyalty program.
Responding to consumer requests. Unless an exception applies, controllers are obligated to respond to a consumer’s request within 45 days. When reasonably necessary, a controller may extend the response period by an additional 45 days, provided they “inform the consumer of the extension, including the length of the extension (and reasons for it),” within the initial 45-day response period. Controllers must also notify consumers of any action — or inaction — taken regarding a request before the response period expires.
The UCPA prohibits controllers from charging a fee for responding to a request. A controller may, however, charge a reasonable fee if:
- The request is a consumer’s “second or subsequent request during the same 12-month period.”
- The request is “excessive, repetitive, technically infeasible, or manifestly unfounded.”
- The controller “reasonably believes the primary purpose in submitting the request was something other than exercising a right.”
- The request “harasses, disrupts, or imposes undue burden on the resources of the controller’s business.”
Although the VCDPA and CPA require controllers provide an appeal process for consumers whose requests have been denied, this obligation is not included in the UCPA.
Data processing contracts. As is the case under the VCDPA and CPA, processing activities performed by a processor on behalf of a controller must be governed by contract. While the enumerated terms that must be included in a data processing contract are similar to those found in the VCDPA and CPA, the UCPA imposes fewer requirements. For instance, a data processing contract under the UCPA need not include a provision requiring a processor to comply with reasonable audits by a controller.
Unlike the VCDPA and CPA, the UCPA does not require controllers to conduct data protection assessments to evaluate the risks associated with data processing activities.
The UCPA does not provide for a private right of action, nor does it allow a consumer to use a violation of the law to support a claim under other Utah laws.
As with the VCDPA, the attorney general has exclusive enforcement authority. The enforcement process itself, however, takes a novel, multi-layered approach. The UCPA tasks the Division of Consumer Protection with “administer(ing) a system to receive consumer complaints” and empowers the division to investigate whether an alleged violation has merit. Referral to the attorney general is required if the director of the division has “reasonable cause to believe that substantial evidence (of a violation) exists.” If the attorney general decides to take action on a referred matter, the office must first provide written notice to the controller or processor. Controllers and processors then have 30 days to cure the violation and provide the attorney general with an “express written statement that the violation has been cured and no further violation of the cured violation will occur.” The attorney general may initiate an enforcement action and impose penalties — actual damages and fines up to $7,500 per violation — if a controller or processor fails to cure the violation or continues to violate the law after providing a written statement otherwise.
Although the UCPA extends VCDPA-like rights and obligations specifically for Utah consumers and businesses, the law is not likely to add special considerations to an entity’s existing privacy compliance obligations. Facially, the law is narrower and more lenient than its counterparts in California, Virginia and Colorado. Understanding the UCPA as passed, however, is only the beginning. As indicated by its sponsor, Sen. Kirk Cullimore, R-Utah, the UCPA’s current form is intended as a starting point. Depending on how the law works in practice, future amendments are a possibility, especially since the UCPA requires the Utah attorney general and the Division of Consumer Protection to submit a report evaluating its effectiveness by July 1, 2025. The IAPP will continue to monitor any developments and update you accordingly.
Photo by Brent Pace on Unsplash
The IAPP Westin Research Center compiled this updating tracker of proposed and enacted comprehensive privacy bills from across the country to aid our members’ efforts to stay abreast of the changing state-privacy landscape.
The IAPP created a chart comparing the comprehensive data privacy laws in California, Virginia and Colorado. It provides an overview of each law’s requirements, highlighting their similarities and differences, to assist businesses looking ahead to a January 2023 operative date for Virginia’s Consumer Data Protection Act and the majority of the provisions in the California Privacy Rights Act and a July 2023 effective date for the Colorado Privacy Act.
If you want to comment on this post, you need to login.