On March 24, 2022, Utah Governor Spencer Cox signed into law the Utah Consumer Privacy Act (“UCPA”), which was unanimously passed by the state legislature earlier this month. Utah is the fourth U.S. state to pass a comprehensive privacy law, following California, Virginia, and Colorado. The UCPA will go into effect on December 31, 2023.
The Utah law generally resembles the three existing state privacy models, but it most closely tracks the Virginia Consumer Data Protection Act (CDPA) and the Colorado Privacy Act (CPA). This suggests that states are shifting away from California’s more stringent strand of privacy regulation toward a version that balances the spirit of the EU’s General Data Protection Regulation (GDPR), in terms of purpose limitation and consumer protection, against the need to avoid overly burdening companies. In fact, the UCPA is seen by some as more business-friendly than the legislation passed in Virginia and Colorado: Utah’s law does not require businesses to conduct data protection assessments and does not compel companies to provide a mechanism for consumers to appeal denials of requests to exercise personal data rights.
Scope and Applicability
The UCPA applies to any controller or processor that
- Conducts business in Utah or produces a product or service that targets Utah consumers; and
- Has an annual revenue of $25 million or more.
In addition to these two criteria, a controller or processor must also meet one of the following thresholds to fall under the UCPA’s jurisdiction:
- The entity must process or control personal data of 100,000 or more consumers; or
- It must derive over 50 percent of its gross revenue from the sale of personal data and control or process personal data of 25,000 or more consumers.
The UCPA defines “consumer” as any resident of the state acting in an individual or household context. It tracks the Virginia and Colorado laws in defining “consumer” more narrowly than the California Consumer Privacy Act (CCPA) by excluding individuals acting in an employment or commercial capacity.
The UCPA contains several exemptions, including for governmental entities (or certain third parties under contract with a governmental entity), higher education institutions, tribes, non-profit corporations, and covered entities and business associates under HIPAA.
Notably for financial institutions, the UCPA, like the Virginia and Colorado laws, contains an exemption relating to the Gramm-Leach-Bliley Act (GLBA) that covers both financial institutions subject to the GLBA and information collected pursuant to the GLBA. The UCPA also exempts information governed by HIPAA, information subject to the Fair Credit Reporting Act (FCRA), and personal data regulated by the Family Educational Rights and Privacy Act (FERPA).
Controller and Processor Obligations
The UCPA follows the EU’s GDPR and the Virginia and Colorado laws in using the terms “controller” (defined as persons under the scope of the UCPA who are doing business in the state and who, acting jointly or alone, determine the purpose and means of processing) and “processor” (defined as persons under the scope of the UCPA who process personal data on behalf of controllers). In doing so, Utah’s law avoids the CCPA’s confusing “business” and “service provider” designations.
The key requirements for controllers include:
- Providing consumers with a reasonably accessible and clear privacy notice that includes (i) the categories of personal data processed by the controller, (ii) the purposes for which the categories of personal data are processed, (iii) how consumers may exercise a right, (iv) the categories of personal data the controller shares with third parties, and (v) the categories of third parties with whom the controller shares personal data;
- Maintaining reasonable administrative, technical, and physical data security practices to protect the confidentiality and integrity of personal data and help reduce risks of harm to the consumer relating to the processing of personal data; and
- Ensuring that consumers are not discriminated against for exercising a right under the Act.
Additionally, controllers cannot draft contracts with provisions that purport to limit or waive a consumer’s right under the UCPA—such contracts are void.
For their part, processors are required to adhere to the controller’s instructions and to assist the controller in meeting various obligations, including data security requirements, under the UCPA.
The UCPA provides covered consumers with rights of access, deletion, and portability, as well as the right to opt out of the sale of personal data and the processing of personal data if used for targeted advertising. Unlike other state privacy laws, the UCPA does not provide a right of correction or accuracy. Further, the UCPA provides covered consumers with a somewhat narrower right of deletion that applies only to personal data that the consumer provides to the controller.
As referenced above, the UCPA does not provide consumers with a right of appeal if a controller declines a consumer request, which is in line with the CCPA but departs from the Virginia CDPA and the Colorado CPA, which both require a consumer appeals mechanism.
A controller cannot process sensitive data collected from a consumer without first presenting the consumer with clear notice and an opportunity to opt out of such processing. If the data subject is a child, the controller must process the child’s personal data in accordance with the Children’s Online Privacy Protection Act (COPPA).
No Private Right of Action; Enforcement
Like the Virginia and Colorado privacy laws, the UCPA expressly forecloses a private right of action, giving exclusive enforcement authority to the Utah Attorney General. (The CCPA provides a private right of action in the limited case of data breaches.) Violations of the UCPA are enforceable only by the AG, who may recover actual damages to the consumer, up to $7,500 for each violation. The UCPA creates a thirty-day cure period once the Utah AG provides written notice of an alleged violation.
* * *
It is unclear whether another new comprehensive state privacy law—an added layer to the current patchwork of privacy laws in the U.S.—will create any momentum for Congress to pass a federal privacy law, but the activity certainly remains at the state level for now. The UCPA is yet another U.S. adaptation of the European approach to privacy, which is slowly becoming a global standard. While the UCPA shares similarities with the CCPA, which was first passed in 2018 and has since been replaced by the CPRA, which comes into full effect in 2023, it is closer to the Virginia and Colorado laws, which better capture the spirit of the GDPR in terms of incorporating concepts of reasonableness and proportionality.
State legislatures across the country—from Florida to New York to Wisconsin—are considering their own comprehensive privacy bills. Ropes & Gray is closely tracking state privacy and cybersecurity law developments. Subscribe to RopesDataphiles.com for updates.