Passing a comprehensive state privacy law has proven to be no small task. Doing it in a week's span is arguably impossible. Yet after just five working days, the Utah Legislature has settled on a law.
Senate Bill 227, the Utah Consumer Privacy Act, cleared the Senate Feb. 25 on a 28-0 vote and the House followed suit with 71-0 approval March 2. There are a few formalities left in the legislative process. The bill will require concurrence with the Senate and signatures from leaders of both legislative chambers prior to 2022 session adjournment March 4. The bill will then head to Gov. Spencer Cox, R-Utah, who can sign the bill within 20 days after receipt, let it become law at the end of 20 days with no signature or veto the bill.
The UCPA's thresholds and provisions track closely with the Virginia Consumer Data Privacy Act. The primary threshold for a covered business is whether a company makes more than $25 million in annual revenue, but those companies also have to hold personal data on 100,000 Utah consumers or derive 50% of revenue from selling the data of more than 25,000 consumers. The UCPA carries standard consumer rights, several exemptions, 45-day request response periods, a 30-day cure period and unique attorney general enforcement provisions that all take effect Dec. 31, 2023. The law does not include a private right of action, provisions on "dark patterns" or the Global Privacy Control, or required data protection assessments.
"This is where the rub is. The bill does not impose onerous regulations, but significantly pares back the more burdensome and confusing provisions found in similar state privacy legislation," Sen. Kirk Cullimore, R-Utah, said in the bill's final House committee hearing March 1. Cullimore has been the UCPA's sponsor the last two-and-a-half years. "The bill accomplishes a balancing act by focusing directly on Utah consumers and their guaranteed rights, not the red tape that confuses businesses and consumers alike. … It creates a workable standard for businesses and clarity for Utah consumers."
Implications near and far
Given there are no groundbreaking provisions that haven't been seen in California, Colorado or Virginia's privacy laws and the UCPA thresholds are comparable to those laws, many covered organizations aren't expected to feel the weight of compliance like a newly-regulated business might. Foley & Lardner Partner Jared Braithwaite, CIPP/US, CIPT, opined that the most difficult compliance challenge lies with trying to identify if a company is covered under the UCPA.
"The Utah bill does not make the life of a business or privacy professional a lot more difficult in trying to comply with multiple bills across states," Braithwaite said. "I don't think there's anything in this bill that makes it an outlier or something that requires special consideration."
Cullimore was candid about the box the bill was in during his final committee debate. He noted the considerable amount of stakeholder input from the end of the 2021 session, where the bill was unable to move out of the Utah Senate, and the leveling it took to accommodate the support of business and consumer advocates alike.
"We have a very delicate and fragile coalition. Any change at this point would probably lose a mass of support," Cullimore said. "That's not to say this is a perfect bill, but it's a good starting point everybody can live with. We will certainly look to tweak it as years go, I'm sure."
In addition to future changes the UCPA could undergo by way of the state legislature, the Utah attorney general's office has an opportunity to propose change via a first-of-its-kind enforcement assessment that will be due July 1, 2025.
"This gives us an unusual opportunity to study how the law works and give feedback on what this law got right, and what we may need to fix," Utah Deputy Attorney General & Division on Antitrust Director David Sonnenreich, CIPP/US, said. "Maybe by that time we will see evidence that the long (response) deadlines are discouraging consumers from filing requests and we need to propose a change to improve consumer confidence. Or maybe we will determine that there are no problems related to those deadlines to report."
Cullimore's remarks on the current form of the UCPA setting a foundation have been a common refrain used by lawmakers in other states that are proposing bills that mirror what came out of Virginia last year. Many states tried to copy the California Consumer Privacy Act when it first arrived on the scene. UCPA's pending passage simply cements the new Virginia trend that's been proliferating across legislatures in 2022.
"The Virginia model may not make anyone very happy and that’s typically a sign of a good compromise," Loeb & Loeb Partner Jessica Lee, CIPP/E, CIPP/US, CIPM, said. "I think the Virginia law encompasses some of the broad privacy principles that were missing from the CCPA, has a broader scope of consumer rights, includes the specific opt-out of targeted advertising and sale that many are focused on, and requires transparency and safeguards for consumer data. These are the broad concepts that most seem to agree on."
On the other hand, Virginia's model has been deemed too business-friendly with a perceived lack of stringency and, more notably, the omission of a private right of action. With UCPA, consumer advocates are left disappointed once again.
"The Utah legislature appears poised to advance a privacy bill that falls short of protecting the privacy rights of its citizens," Consumer Reports Senior Policy Analyst Maureen Mahoney said. "The bill lacks key elements that would make it workable for consumers, like a global opt out, and its provisions likely wouldn’t rein in tech giants like Google and Facebook from their current privacy practices. Nor is there an opportunity for meaningful enforcement. If the bill fully clears the legislature, we urge the Governor to return it for further work."
Education by enforcement
The enforcement process for the UCPA is one of the few unique concepts presented in the law. Utah consumers wishing to file claims over alleged violations will face a bifurcated scheme that involves the Utah Department of Commerce's Division of Consumer Protection and the Utah attorney general's office.
Claims will first go to the consumer protection office for consideration and investigation. If a claim is deemed legitimate, it'll move to the attorney general, which will either concur with the prior findings or reject the claim.
"This all means you have a couple of safeguards for businesses," Sonnenreich said. "First is that the Division of Consumer Protection needs to investigate and believe there's something to correct and then if they send the claim to the Attorney General’s Office we're left to decide if it's an enforcement-worthy violation. And if we do find it worthy, we still give the company 30 days for them to cure the violation and notify us they intend to stay cured. So it really would require a company challenging the merits of a finding by two separate agencies or being obstinate in some way for a lawsuit to actually get filed against them."
The multi-layered enforcement scheme is likely to yield few to no actions from the attorney general, which Braithwaite viewed as the ideal outcome for the enforcement office and businesses.
"They don't want to see a whole bunch of actions, but a focus on where the most potential harm lies," Braithwaite said. "It's almost as if the state has done a data protection assessment and said they're just interested in going after the abusers most likely to cause harm based on their size and number of records they have. They don't want technical violations to clog up a system."
Those frowning at perceived toothless enforcement are likely to base judgment on the lack of fines that will be produced. Lee urged fewer considerations for strength based on the sum of a penalty alone.
"The fines make headlines, but what is unseen and unreported are the resources and efforts that are devoted to complying with these laws internally," Lee said. "I think a law is seen as a failure if no one gets a huge fine, but compliance, not fines, should be the goal."
For businesses fortunate to be onlookers to this law, Sonnenreich hopes they'll carefully watch and learn the compliance activities in anticipation of potential future regulation over their data activities.
"What I anticipate here is education, outreach and awareness," Sonnenreich said, noting he and his staff have made the rounds at various conferences over the years to outline best practices for protecting consumer data. "Most businesses want to do the right thing from what I've seen, but they are very confused about what that is in this space. They certainly don't want to wipe out their economic investment in data they've collected."
Sonnenreich added being attentive will help companies "get used to the environment in which you're living because the world is changing," noting the chance to "move forward with your customer base" under the realization the UCPA and other such laws "reflect customers' expectation" moving forward.
Editor's note: The comments of Deputy Utah Attorney General Sonnenreich are his own and do not necessarily reflect the views of Attorney General Sean Reyes or the Utah Attorney General’s Office.
Photo by Brent Pace on Unsplash