Utah Passes Comprehensive Consumer Privacy Legislation

On March 24, 2022, Utah became the fourth U.S. state to adopt consumer data privacy legislation after Utah Gov. Spencer Cox signed the Utah Consumer Privacy Act (“UCPA”).  The UCPA is largely based on the Virginia Consumer Data Protection Act (“VCDPA”). It regulates how a controller (defined by the UCPA as a person doing business in Utah who determines the purposes and means by which personal data are processed) processes personal data concerning consumers residing in Utah. The UCPA will take effect on December 31, 2023.

For businesses that are developing their national privacy strategies on one or more of the three other upcoming comprehensive state privacy law frameworks (California, Virginia or Colorado), the UCPA does not impose additional or significant compliance burdens. But businesses that tailor their privacy compliance to each individual state will need to pay close attention to the specific provisions set forth in the UCPA.

The UCPA is the least onerous of the four state data privacy laws passed to date. While the UCPA includes many of the same obligations as the other state privacy laws, it is unique in that it: (i) has a narrower scope of applicability; (ii) has limited consumer data privacy rights; (iii) has less stringent requirements for data processor agreements; and (iv) lacks a risk assessment requirement for the processing of certain types of data.

UCPA’S SCOPE

The scope of the UCPA is narrower than that of the VCDPA, California Consumer Privacy Act (and as amended, the California Privacy Rights Act) (collectively, the “CCPA/CPRA”), and Colorado Privacy Act (“CPA”). Importantly for small businesses, the UCPA does not apply to controllers that generate less than $25,000,000 in annual revenue, regardless of the amount of consumer personal data processed.

The UCPA applies only to a controller that: (a) conducts business in Utah or offers a product or service that is targeted to consumers who are residents of Utah; (b) has annual revenue of $25,000,000 or more; and (c) satisfies one or more of the following thresholds:

  1. During a calendar year, controls or processes personal data of 100,000 or more consumers; or
  2. Derives over 50% of its gross revenue from the sale of personal data and controls or processes personal data of 25,000 or more consumers.

Like the other state privacy frameworks, the UCPA does not apply to non-profit entities, institutions of higher education or government entities, or to entities that process personal data subject to certain federal privacy laws, including the Gramm-Leach-Bliley Act (“GLBA”); the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”); the Fair Credit Reporting Act (“FCRA”); or the Family Educational Rights and Privacy Act (“FERPA”).

The UCPA also does not apply to personal data of employees or business contacts, de-identified or pseudonymous data, aggregated data or publicly available information.

OBLIGATIONS OF CONTROLLERS AND PROCESSORS

FAMILIAR TRANSPARENCY AND SECURITY REQUIREMENTS

The UCPA requires controllers to provide consumers with a privacy policy that includes disclosures similar to those required under the other state frameworks. However, in contrast to the CCPA/CPRA, VCDPA, and CPA, the UCPA does not require controllers to conduct any formal data processing risk assessments prior to processing certain personal and sensitive data. And unlike the CCPA/CPRA and CPA, the UCPA does not include provisions on “dark patterns.”

But security does feature within the UCPA. The UCPA requires controllers to implement reasonable administrative, technical, and physical data security practices, appropriate to the controller’s size and to the scope, volume and nature of its processing, to protect personal data and to reduce reasonably foreseeable risks of harm to consumers.

A LIGHT TOUCH APPROACH TO DATA PROCESSING AGREEMENTS

The UCPA requires a controller to execute an agreement with a processor, defined as a person who processes personal data on behalf of a controller. Such an agreement must include specific instructions from the controller to the processor regarding the nature and purpose of the processing, the type of data subject, the duration of the processing, and the parties’ rights and obligations. The UCPA also requires a processor to ensure that each person processing personal data on its behalf is subject to a duty of confidentiality, and to engage a subcontractor only pursuant to a written contract that requires the subcontractor to meet the same obligations as the processor. However, unlike the CCPA/CPRA and CPA, the UCPA does not require data processing agreements to include provisions that allow controllers to audit processors, or give controllers the right to object to a processor’s use of a subcontractor.

CONSUMER PRIVACY RIGHTS AND SENSITIVE DATA

The UCPA grants consumers familiar rights to access and delete personal data, but in contrast to the other state privacy laws, it does not offer consumers the right to correct personal data. Additionally, in response to a data deletion request, the UCPA requires controllers only to delete personal data that a consumer provided to the controller. It is likely that personal data a controller derives or infers from a consumer’s personal data, and potentially, any data the controller obtains from a third party, will be exempt from deletion requirements.

Like the VCDPA and CPA, the UCPA requires controllers to provide an opt out for “targeted advertising” and the “sale” of personal data. The definition of targeted advertising aligns with the definitions under the VCDPA and CPA, but there is no provision that allows or requires controllers to fulfill this right by responding to a universal opt out mechanism/global privacy control (as is the case under the CPA and CCPA/CPRA).

The UCPA also relaxes requirements for processing “sensitive data” compared to the VCDPA and CPA. Unlike under those other frameworks, controllers may process sensitive data on an opt out rather than opt in basis. Data concerning children does not appear in the definition of sensitive data under the UCPA, but is subject to similar opt out requirements.

ENFORCEMENT

The Utah Attorney General’s Office and the Utah Division of Consumer Protection are responsible for investigating UCPA violations and enforcing the law. Consumers are required to submit complaints regarding UCPA violations to the Utah Division of Consumer Protection, which will investigate such complaints and refer them to the Attorney General’s Office if there is reasonable cause to believe that a violation has occurred.

In line with the other state privacy laws, the UCPA has a right to cure provision, which allows first-time violators to avoid civil penalties if they cure their violation within 30 days of notice.  After the 30-day cure period, if a controller or processor remains in breach, the Utah Attorney General could seek to recover actual damages to the consumer and up to $7,500 for each violation.

The UCPA does not provide consumers with a private right of action – not even a limited right, as there is under the CCPA/CPRA.

WHAT’S NEXT?

The UCPA takes effect on December 31, 2023.  The passage of the UCPA may influence more states to pass similar data privacy laws. Until a national law is passed, businesses that process personal data of consumers across state lines will have to continue to closely monitor new state law developments and be prepared to build out their privacy practices in compliance with multiple applicable state laws.