Utah is likely the next in line to pass a comprehensive consumer privacy law, joining the ranks of California, Colorado, and Virginia. Senate Bill 227, the Utah Consumer Privacy Act (UCPA), was passed by the Utah legislature and sent to Governor Spencer Cox’s desk on March 3. Governor Cox has 20 days in which to either sign the bill into law or veto it, and if no action is taken the bill will become law. If enacted in its current form, the UCPA would take effect December 31, 2023.
The bill shares similarities with the Virginia Consumer Data Privacy Act (VCDPA) and the Colorado Privacy Act (Colorado CPA) but is expected to be more business-friendly. The key features of the bill are:
- Applicability. Subject to certain exceptions, the UCPA directly applies to both organizations that determine the means and purposes of processing personal data (controllers) and organizations that process personal data on their behalf (processors), provided they either do business in Utah or produce a product or service that is targeted to consumers who are Utah residents, have annual revenue of $25M or more, and either (i) control or process personal data of 100,000 or more Utah consumers during a calendar year, or (ii) derive over 50% of the entity’s gross revenue from the sale of personal data and control or process the personal data of 25,000 or more Utah consumers. Unlike the California Consumer Privacy Act (CCPA), the California Privacy Rights Act (CPRA), the VCDPA, and the Colorado CPA, the UCPA requires a business to meet both a financial threshold and a data volume threshold. As a result of these thresholds, combined with the relatively smaller population of Utah, the UCPA is likely to apply to far fewer businesses than those that are, or will be, subject to the CCPA, CPRA, VCDPA, or Colorado CPA.
- Exemptions. The bill does not apply to government entities, non-profits, HIPAA-covered entities and business associates, higher educational institutions (public or private) and Family Educational Rights and Privacy Act-protected data, Gramm-Leach-Bliley Act-regulated entities and data, consumer reporting agencies, and employment-related information, including for the purposes of providing benefits, among others.
- Personal data and sensitive data. Similar to the laws in California, Virginia, and Colorado, the UCPA defines personal data as information that is linked or reasonably linkable to an individual or an identifiable individual, but does not include deidentified data, aggregated data, or publicly available information (each as defined in the UCPA). Although the UCPA defines sensitive data in a similar manner as the VCDPA and other states’ consumer privacy laws, it explicitly excludes personal data that reveals racial or ethnic origin when processed by a video communication service, and health-related information when processed by a person licensed to provide health care under Utah law. Further, unlike the Colorado CPA and VCDPA, the UCPA does not require consumer consent for processing of sensitive data. Controllers must instead only provide consumers with clear notice and an opportunity to opt out of the processing of sensitive data.
- Consumers and Consumer Rights. The bill applies to data from consumers, which are individuals who are Utah residents acting in an individual or household context. Consumers do not include individuals acting in an employment or commercial (business-to-business) context. Under the UCPA, consumers will have the right to access, correct, delete, and receive a copy of their personal data. They will also have the right to opt out of certain processing, including the sale of personal data and the use of their personal data for targeted advertising. Consumers may only exercise these rights once in a 12-month period, and controllers must respond to requests from consumers to exercise their rights within 45 days after the day that the controller receives the request (this may be extended an additional 45 days if reasonably necessary due to the complexity or volume of requests received). Controllers may charge a reasonable fee for excessive requests, if the controller reasonably believes that the primary purpose in submitting the requests was something other than exercising the consumer’s rights, or if the request, individually or as part of an organized effort, harasses, disrupts, or imposes an undue burden on the resources of the controller’s business. The ability for a controller to charge a fee for these latter reasons may discourage the types of nuisance requests that many businesses subject to the CCPA or GDPR have received.
- Concept of Selling. Unlike the broad definitions of sale under the CCPA, CPRA, and the Colorado CPA, the UCPA defines a sale as the exchange of personal data only for monetary consideration. The UCPA also contains several important exclusions from the definition of a sale, including disclosures of personal data:
- By a controller to a processor or one of the controller’s affiliates
- To a third party if the purpose is consistent with a consumer’s reasonable expectations, taking into account the context in which the consumer provided the personal data
- At the direction of the consumer
- For the purpose of providing a product or service requested by the consumer (or the parent or legal guardian if the consumer is a minor)
- That the consumer has intentionally made public and did not restrict to a specific audience
- As part of a merger, acquisition, bankruptcy, or other transaction of the controller
- High-Level Responsibilities of Controllers and Processors. Covered businesses have a number of obligations under the UCPA, including establishing, implementing, and maintaining reasonable security practices and providing privacy notices to consumers. These privacy notices must include the categories of personal data, the purposes for processing the personal data, how consumers may exercise their rights, and with whom the data is shared or to whom it is sold. Controllers must also present consumers with clear notice of the controller’s processing of sensitive personal data and an opportunity to opt out of such processing. Controllers must enter into an agreement with their processors that:
- Includes clear instructions for processing the personal data as well as the nature, scope, and duration of the processing by the processor
- Requires the processor to ensure that each person involved in processing is subject to a duty of confidentiality
- Requires the processor to require its subprocessors to meet the same obligations
- Requires the processor to follow the controller’s instructions and to assist the controller in meeting the controller’s obligations, including obligations for security and breach notifications
- No Private Right of Action. The bill does not grant a private right of action and explicitly precludes consumers from using a violation of the UCPA to support a claim under other Utah laws, such as laws regarding unfair or deceptive acts or practices.
- Enforcement Actions. The UCPA grants exclusive enforcement authority to the Utah attorney general after alleged violations are first investigated by the Utah Division of Consumer Protection. Before the attorney general initiates an enforcement action, however, the attorney general must first provide the business with written notice and 30 days to cure the alleged violation.
- Penalties for Non-Compliance. The attorney general may seek penalties of up to $7,500 per violation and recover any actual damages to consumers.
Guidance for Businesses
While the UCPA imposes some significant obligations on organizations that may not have previously been subject to the CCPA, CPRA, VCDPA, Colorado CPA, or the GDPR, organizations that are subject to any of these laws and have worked toward compliance will find significant overlap and have a head start in complying with the UCPA. However, organizations that will be subject to the UCPA and were not previously subject to one of these laws may need to expend significant resources on compliance before the effective date of December 31, 2023. Such organizations should prioritize the following activities, many of which may be re-used across other applicable privacy regimes or have general applicability to a mature privacy program:
- Undertake a data mapping exercise to understand the types of data the organization stores, the purposes for which that data is used, and whether all of it is needed
- Update policies and procedures to comply with the new requirements and obligations of the UCPA
- Start developing business processes to allow consumers to exercise their new rights
- Ensure the organization has a reasonably accessible, clear, and meaningful privacy notice that is compliant with the requirements of the UCPA
- Review business relationships with third-party data processors to understand the role of each party and potential requirements
- Draft and adopt data privacy addenda with the clauses required under the UCPA for use when contracting with third parties
For more information about the UCPA and its requirements, please contact any of the authors or any of the partner or senior counsel members of Foley’s cybersecurity practice.