Utah Set to Become Fourth State to Pass Comprehensive Consumer Privacy Law

Utah is likely the next in line to pass a comprehensive consumer privacy law, joining the ranks of California, Colorado, and Virginia. Senate Bill 227, the Utah Consumer Privacy Act (UCPA), was passed by the Utah legislature and sent to Governor Spencer Cox’s desk on March 3. Governor Cox has 20 days in which to either sign the bill into law or veto it, and if no action is taken the bill will become law. If enacted in its current form, the UCPA would take effect December 31, 2023.

UCPA Requirements

The bill shares similarities with the Virginia Consumer Data Privacy Act (VCDPA) and the Colorado Privacy Act (Colorado CPA) but is expected to be more business-friendly. The key features of the bill are:

Applicability. Subject to certain exceptions, the UCPA directly applies to both organizations that determine the means and purposes of processing personal data (controllers) as well as other organizations that process personal data on their behalf (processors), and which either do business in Utah or produce a product or service that is targeted to consumers who are Utah residents, have annual revenue of $25M or more, and either (i) control or process personal data of 100,000 or more Utah consumers during a calendar year, or (ii) derive over 50% of the entity’s gross revenue from the sale of personal data and control or process the personal data of 25,000 or more Utah consumers. Unlike the California Consumer Privacy Act (CCPA), the California Privacy Rights Act (CPRA), the VCDPA, and the Colorado CPA, the requirement for a business to meet both a financial threshold as well as a data volume threshold is unique to the UCPA. As a result of these thresholds, combined with the relatively smaller population of Utah, the UCPA is likely to apply to much fewer businesses than those that are, or will be, subject to the CCPA, CPRA, VCDPA, or Colorado CPA.
Exemptions. The bill does not apply to government entities, non-profits, HIPAA-covered entities and business associates, higher educational institutions (public or private) and Family Educational Rights and Privacy Act-protected data, Gramm-Leach-Bliley Act-regulated entities and data, consumer reporting agencies, and employment-related information, including for the purposes of providing benefits, among others.
Personal data and sensitive data. Similar to the laws in California, Virginia, and Colorado, the UCPA defines personal data as information that is linked or reasonably linkable to an individual or an identifiable individual, but does not include deidentified data, aggregated data, or publicly available information (each as defined in the UCPA). Although the UCPA defines sensitive data in a similar manner as the VCDPA and other states’ consumer privacy laws, it explicitly excludes personal data that reveals racial or ethnic origin when processed by a video communication service or health-related information when processed by a person licensed to provide health care under Utah law. Further, consumer consent for processing of sensitive data is not required, unlike the Colorado CPA and VCDPA. Controllers must instead only provide consumers with a clear notice and an opportunity to opt-out of the processing of sensitive data.
Consumers and Consumer Rights. The bill applies to data from consumers, which are individuals who are Utah residents, acting in an individual or household context. Consumers do not include individuals acting in an employment or commercial (business-to-business) context. Under the UCPA, consumers will have the right to access, correct, delete, and receive a copy of their personal data. They will also have the right to opt-out of certain processing, including the sale of personal data and the use of their personal data for targeted advertising. Consumers may only exercise these rights once in a 12 month period, and controllers must respond to requests from consumers to exercise their rights within 45 days after the day that the controller receives the request (this may be extended an additional 45 days if reasonably necessary due to complexity or volume of requests received). Controllers may charge a reasonable fee for excessive requests or if the controller reasonably believes that the primary purpose in submitting the requests was for something other than exercising the consumer’s rights or if the request, individually or as part of an organized effort, harasses, disrupts, or imposes undue burden on the resources of the controller’s business. The ability for a controller to charge a fee for these latter reasons may discourage the types of nuisance requests that many businesses subject to the CCPA or GDPR have received.
Concept of Selling. Unlike the broad definitions of sale under the CCPA, CPRA, and the Colorado CPA, the UCPA defines a sale as the exchange of personal data only for monetary consideration. The UCPA also contains several important exclusions from the definition of a sale, including disclosures of personal data:
1. By a controller to a processor or one of the controller’s affiliates
2. To a third party if the purpose is consistent with a consumer’s reasonable expectations, taking into account the context in which the consumer provided the personal data
3. At the direction of the consumer
4. For the purpose of providing a product or service requested by the consumer (or the parent or legal guardian if the consumer is a minor)
5. That the consumer has intentionally made public and did not restrict to a specific audience
6. As part of a merger, acquisition, bankruptcy, or other transaction of the controller
High-Level Responsibilities of Controllers and Processors. Covered businesses have a number of obligations under the UCPA, including establishing, implementing, and maintaining reasonable security practices and providing privacy notices to consumers. These privacy notices must include the categories of personal data, the purposes for processing the personal data, how consumers may exercise their rights, and who the data is shared with or sold to. Controllers must also present consumers with clear notice of the controller’s processing of sensitive personal data and an opportunity to opt out of such processing. Controllers must enter into an agreement with their processors that:
1. Includes clear instructions for processing the personal data as well as the nature, scope, and duration of the processing by the processor
2. Requires the processor to ensure that each person involved in processing are subject to a duty of confidentiality
3. Requires the processor to require its subprocessors to meet the same obligations
4. Requires the processor to follow the controller’s instructions and to assist the controller in meeting the controller’s obligations, including obligations for security and breach notifications
No Right of Private Action. The bill does not grant a private right of action and explicitly precludes consumers from using a violation of the UCPA to support a claim under other Utah laws, such as laws regarding unfair or deceptive acts or practices.
Enforcement Actions. The UCPA grants exclusive enforcement authority to the Utah attorney general after alleged violations are first investigated by the Utah Division of Consumer Protection. Before the attorney general initiates an enforcement action, however, the attorney general must first provide the business with written notice and 30 days to cure the alleged violation.
Penalties for Non-Compliance. The attorney general may seek penalties of up to $7,500 per violation and recover any actual damages to consumers.

Guidance for Businesses

While the UCPA imposes some significant obligations on organizations that may not have previously been subject to the CCPA, CPRA, VCDPA, Colorado CPA, or the GDPR, organizations that are subject to any of these laws and have worked toward compliance will find significant overlap and have a head start in complying with the UCPA. However, organizations that will be subject to the UCPA and not previously subject to one of these laws may need to expend significant resources in compliance before the effective date of December 31, 2023. Such organizations should prioritize the following activities, many of which may be re-used across other applicable privacy regimes or that have general applicability to a mature privacy program:

Undertake a data mapping to understand the types of data the organization stores, the purposes for which they are used, and whether all data is needed
Update policies and procedures to comply with the new requirements and obligations of the UCPA
Start developing business processes to allow consumers to exercise their new rights
Ensure the organization has a reasonably accessible, clear, and meaningful privacy notice that is compliant with the requirements of the UCPA
Review business relationships with third-party data processors to understand the role of each party and potential requirements
Draft and adopt data privacy addenda with the clauses required under the UCPA for use when contracting with third parties

For more information about the UCPA and its requirements, please contact any of the authors or any of the partner or senior counsel members of Foley’s cybersecurity practice.

Disclaimer

This blog is made available by Foley & Lardner LLP (“Foley” or “the Firm”) for informational purposes only. It is not meant to convey the Firm’s legal position on behalf of any client, nor is it intended to convey specific legal advice. Any opinions expressed in this article do not necessarily reflect the views of Foley & Lardner LLP, its partners, or its clients. Accordingly, do not act upon this information without seeking counsel from a licensed attorney. This blog is not intended to create, and receipt of it does not constitute, an attorney-client relationship. Communicating with Foley through this website by email, blog post, or otherwise, does not create an attorney-client relationship for any legal matter. Therefore, any communication or material you transmit to Foley through this blog, whether by email, blog post or any other manner, will not be treated as confidential or proprietary. The information on this blog is published “AS IS” and is not guaranteed to be complete, accurate, and or up-to-date. Foley makes no representations or warranties of any kind, express or implied, as to the operation or content of the site. Foley expressly disclaims all other guarantees, warranties, conditions and representations of any kind, either express or implied, whether arising under any statute, law, commercial use or otherwise, including implied warranties of merchantability, fitness for a particular purpose, title and non-infringement. In no event shall Foley or any of its partners, officers, employees, agents or affiliates be liable, directly or indirectly, under any theory of law (contract, tort, negligence or otherwise), to you or anyone else, for any claims, losses or damages, direct, indirect special, incidental, punitive or consequential, resulting from or occasioned by the creation, use of or reliance on this site (including information and other content) or any third party websites or the information, resources or material accessed through any such websites. In some jurisdictions, the contents of this blog may be considered Attorney Advertising. If applicable, please note that prior results do not guarantee a similar outcome. Photographs are for dramatization purposes only and may include models. Likenesses do not necessarily imply current client, partnership or employee status.