The Utah Consumer Privacy Act: Utah Becomes Fourth US State with Comprehensive Privacy Law
10 min read
Continuing efforts at the state level to establish a data privacy framework in the US, a fourth state has passed a comprehensive consumer privacy law. Utah has joined the ranks of Colorado, California and Virginia after Governor Spencer Cox signed the Utah Consumer Privacy Act ("UCPA") on March 24, 2022. The legislation is set to take effect well after other state data privacy laws, on December 31, 2023.
The UCPA shares a number of similarities with the Virginia Consumer Data Protection Act ("VCDPA"), the Colorado Privacy Act and the California Privacy Rights Act ("CPRA"), but is likely to impose a lighter touch approach that businesses may find easier to comply with. A brief summary of the general requirements and obligations on businesses, as well as key distinctions from other state data privacy laws, follows.
Who does the UCPA apply to?1
Subject to exceptions, the UCPA directly applies to both organizations that determine the means and purposes of processing personal data (controllers) as well as other organizations that process personal data on their behalf (processors). These entities must meet certain threshold requirements including:
- Conducting business in Utah or producing a product or service that is targeted to consumers who are Utah residents;
- Have an annual revenue of $25M or more; and either
(a) control or process personal data of 100,000 or more Utah consumers during a calendar year, or
(b) derive more than 50 percent% of the entity's gross revenue from the sale of personal data and control or process the personal data of 25,000 or more Utah consumers.
This requirement for a business to meet both a financial threshold as well as a data volume threshold is unique among state consumer privacy laws. Due to these thresholds, the UCPA is likely to apply to many fewer businesses than those that are, or will be, subject to the California Consumer Privacy Act ("CCPA"), California Privacy Rights Act ("CPRA"), the VCDPA the or Colorado Privacy Act.
Notably, similar to laws in California, Virginia and Colorado, the UCPA provides for a number of exceptions. For example, the UCPA does not apply to government entities, nonprofits, HIPAA-covered entities and business associates, higher educational institutions (public or private) and Family Educational Rights and Privacy Act-protected data, Gramm-Leach-Bliley Act-regulated entities and data, consumer reporting agencies and employment-related information.
What does the Utah Consumer Privacy Act apply to?
The Utah Consumer Privacy Act applies to "Personal Data," which is defined as "information that is linked or reasonably linkable to an identified individual or an identifiable individual."2 Personal Data does not include information that is de-identified or that is publicly available. Similar to the Virginia and Colorado privacy laws, the UCPA's definition of consumer does not include individuals acting in commercial or employment contexts.3
Who Does the Utah Consumer Privacy Act apply to?
The Utah Consumer Privacy Act identifies and imposes obligations on "controllers" and "processors."
A controller is defined as a person that "determines the purposes for which and means by which personal data is processed."4Under the Utah Consumer Privacy Act, controllers are required to:
- Provide consumers with a "reasonably accessible and clear privacy notice," that includes: (i) categories of personal data processed by the controller; (ii) the purposes for processing; (iii) how consumers can exercise the rights granted by the UCPA; (iv) categories of personal data that the controller shares with third parties; and (v) categories of third parties with whom a controller shares personal data5
- Disclose in a clear and conspicuous manner any sale of consumer data or engagement in targeted advertising, and the manner in which a consumer may opt out of the sale of personal data or processing for targeted advertising6
- Implement and maintain reasonable administrative, technical and physical data security practices appropriate for the volume and nature of the data7
- Present consumers with clear notice and opportunity to opt out of the processing of sensitive data.8 This is similar to the California Privacy Rights Act but unlike the laws in Virginia and Colorado, which require controllers to obtain opt-in consent before processing sensitive personal data. Notably, the UCPA limits its definition of sensitive data to exclude personal data that reveals an individual's "racial or ethnic origin, if the personal data is processed by a video communication service"9
A processor is a person that processes personal data on behalf of the controller.10 The Utah Consumer Privacy Act requires processors to adhere to the controller's instructions and assist and cooperate with the controller to comply with its obligations under the act, including its obligations regarding security of data processing and breach notification. The UCPA also requires that all processing be governed by a contract between the controller and processor that outlines relevant consumer privacy provisions.11
Who Does the Utah Consumer Privacy Act Protect?
The Utah Consumer Privacy Act protects Utah residents and grants them certain rights concerning their personal data. Specifically, the UCPA permits consumers to submit authenticated requests to data controllers to: (1) confirm if a controller is processing their personal data and to access that data; (2) delete personal data that the consumer provided to the controller; (3) if technically feasible, to obtain a copy of data that the consumer provided to the controller in a portable manner; and (4) opt-out of the processing of personal data for targeted advertising or sale.12 Notably, unlike the CPRA, and the Virginia and Colorado privacy laws, the UCPA does not provide a right to correct inaccuracies in a consumer's data. However, similar to the California and Virginia privacy laws, data controllers must respond to an authenticated request within 45 days.13 Also similar to the CCPA, and unlike the Virginia and Colorado privacy laws, the Utah Consumer Privacy Act does not require data controllers to establish a process by which consumers may appeal a denial of their request.
Finally, the UCPA provides broader permission for businesses to charge consumers fees when responding to requests.14 Specifically, the UCPA allows controllers to charge a fee for a second request in a 12-month period (similar to Colorado) and for requests that are excessive, repetitive, technically infeasible or manifestly unfounded (similar to Virginia). However, the UCPA also allows controllers to charge fees if the controller reasonably believes the primary purpose for submitting a request is not to exercise a consumer right or if the request is part of an effort to harass, disrupt or impose an undue burden on the controller.
Key aspects of the Utah Consumer Privacy Act
- Opt-Out Right: The UCPA provides for a slightly narrower right to opt out of the processing of personal data than its counterparts in Virginia and Colorado. Specifically, the UCPA only allows consumers to opt out of processing their personal data for: (1) targeted advertising; and (2) the sale of personal data,15 where Virginia's and Colorado's privacy laws also included an opt-out for profiling. The UCPA follows the Virginia Consumer Data Protection Act and defines a sale more narrowly as, "the exchange of personal data for monetary consideration by a controller to a third party."16 Notably, the UCPA does not consider disclosures of personal information to third parties a sale if the purpose is consistent with the consumer's reasonable expectations in the context in which the consumer provided such personal data to the controller.
- Data Protection Impact Assessment: Notably, unlike the CPRA, the VCDPA and the Colorado Privacy Act, the UCPA does not require data controllers to conduct and document data protection impact assessments of each of its processing activities involving personal data.
- Processor/Service Provide Agreements: Like its counterparts in California, Virginia and Colorado, the UCPA requires businesses (data controllers) to enter into contracts with data processors that regulate how processors process data. However, as with other aspects of the law, the UCPA takes a more limited approach to contract requirements. Under the UCPA, contracts between controllers and processors must provide clear instructions for processing data and identify the nature and purpose of processing, the type of personal data to be processed, the duration of processing and the parties' rights and obligations.17 Contracts must also contain a duty of data confidentiality for processors. The UCPA does not require additional provisions on deleting or returning personal data to controllers, as in Virginia and Colorado.
- Enforcement: Also similar to the Virginia and Colorado privacy laws, the UCPA does not provide for a private right of action.18 However, it allows the Division of Consumer protection to accept and investigate consumer complaints regarding the processing of personal data and authorizes the Office of the Attorney General to take enforcement action and impose penalties. The UCPA provides a 30-day cure period of alleged violations.19 The UCPA also provides for a recovery of actual damages to the consumer and the penalty up to $7,50020as imposed in Virginia and California.
Utah Consumer Privacy Act Compliance Checklist
Utah's similarities with the upcoming Colorado, California and Virginia privacy laws will not create any significant unique obligations on businesses in complying with the developing state data privacy framework set to go into effect in 2023. Similar to these other state laws, entities operating in Utah should consider the following framework in assessing compliance obligations under the Utah Consumer Privacy Act:
- Confirm That Your Business is Subject to the Utah Consumer Privacy Act. Entities must determine whether they meet the jurisdictional threshold of the Utah Consumer Privacy Act, which notably includes both a financial threshold and data volume threshold.
- Revise Privacy Policies. Revise privacy policies to reflect personal data processing activities, communicate the new rights available to consumers, and identify the mechanisms implemented for consumers to exercise those rights.
- Implement Reasonable Data Security Practices. Assess cybersecurity policies, practices and controls to ensure they are aligned with industry-recognized standards.
- Enable Consumer Opt-Out of Personal Information Processing (when applicable). Create a mechanism to enable Utah residents to exercise their opt-out rights to the extent the business sells their personal data or uses it for targeted advertising.
- Implement Mechanism for Collecting Sensitive Information. Businesses may not collect sensitive data without first presenting consumers with clear notice and an opportunity to opt out. Businesses should develop appropriate opt-out mechanisms to meet this requirement.
- Facilitate Receipt and Response to Consumer Requests. Develop mechanisms for accepting, tracking, verifying and honoring consumer requests to exercise their access and deletion rights under the Utah Consumer Privacy Act.
As we have explained, certain compliance tasks should be prioritized and started earlier than others in implementing this framework. Nonetheless, given the UCPA's generally narrower scope and requirements, businesses taking steps to comply with statutory requirements in California and Virginia on January 1, 2023 and Colorado on July 1, 2023, will likely be in a relatively strong position to comply with this new privacy regime by December 31, 2023. While Utah is the latest state to pass a comprehensive privacy law, states across the US continue to consider enacting data privacy laws. We will continue to keep you apprised of new developments in this emerging data privacy framework. White & Case LLP has a team of highly experienced, global cybersecurity, data privacy and technology lawyers who can help clients prepare for upcoming compliance obligations under the Utah Consumer Privacy Act. Please reach out to any of the authors of this alert if you have questions about the steps your organization can take in this complex technical and legal environment.
Tika Basnet contributed to this publication.
2 Bill 13-61-101(24)(a).
3 Bill 13-61-101(10)(b).
4 Bill 13-61-101(12).
5 Bill 13-61-302(1)(a).
6 Bill 13-61-302(1)(b).
7 Bill 13-61-302(2)(a)-(b).
8 Bill 13-61-302(3)(a); Sensitive data includes data that reveals racial or ethnic origin, religious beliefs, sexual orientation, citizenship or immigration status, mental or physical health condition, genetic or biometric data, or specific geolocation data. Bill 13-61-101(32).
9 Bill 13-61-101(32)(b)(i).
10 Bill 13-61-101(26).
11 Bill 13-61-301(2).
12 Bill 13-61-201(1)-(4).
13 Bill 13-61-203(2).
14 Bill 13-61-203(4)(a)-(b).
15 Bill 13-61-201(4).
16 Bill 13-61-101(31).
17 Bill 13-61-301(2).
18 Bill 13-61-305.
19 Bill 13-61-402(3)(b)(i).
20 Bill 13-61-402(3)(d).
White & Case means the international legal practice comprising White & Case LLP, a New York State registered limited liability partnership, White & Case LLP, a limited liability partnership incorporated under English law and all other affiliated partnerships, companies and entities.
This article is prepared for the general information of interested persons. It is not, and does not attempt to be, comprehensive in nature. Due to the general nature of its content, it should not be regarded as legal advice.
© 2022 White & Case LLP