Utah Becomes The Fourth State To Enact Comprehensive Consumer Privacy Legislation

As an update to our earlier alert, Utah became the fourth state to enact comprehensive privacy legislation when, on March 24, Utah Governor Spencer Cox signed the Utah Consumer Privacy Act (UCPA) into law. The UCPA is most similar to the Virginia Consumer Data Protection Act (VCDPA) and the Colorado Privacy Act (CPA), following a trend towards enacting more business-friendly privacy laws, especially in comparison to the California Consumer Privacy Act (CCPA). Here are some important points to keep in mind before the UCPA goes into effect on December 31, 2023.

To Whom Does It Apply?

The UCPA applies to businesses with annual revenue of $25,000,000 or more that conduct business in Utah or produce products or services that target Utah residents and that:

  • Control or process personal data of 100,000 or more consumers; or
  • Derive over 50% of gross revenue from the sale of personal data of more than 25,000 consumers.

Notably, the UCPA does not apply to, among others:

  • Government entities;
  • Higher education institutions;
  • Non-profits;
  • Businesses that are covered entities pursuant to HIPAA; and
  • Information subject to HIPAA, the Gramm-Leach-Bliley Act, the Fair Credit Reporting Act, or the Driver’s Privacy Protection Act.

Scope

The UCPA defines personal data as “information that is linked or reasonably linked to an identified individual or an identifiable individual.” The UCPA specifies that deidentified data, aggregated data, or publicly available information does not constitute personal data. Under the UCPA, publicly available information is “information that a person (a) lawfully obtains from a record of a governmental entity, (b) reasonably believes a consumer or widely distributed media has lawfully made available to the general public, or (c) if the consumer has not restricted the information to a specific audience, obtains from a person to whom the consumer disclosed the information.” In addition, the UCPA, like the VCDPA, defines sale as the “exchange of personal data for monetary consideration by a controller or a third party.”

Consumer Rights

Similar to the VCDPA, the UCPA provides consumers with several rights, including:

  • Right to confirm whether a controller is processing the consumer’s personal data;
  • Right to obtain a copy of the consumer’s personal data that the consumer previously provided to the controller;
  • Right to opt out of the processing of personal data for purposes of targeted advertising or the sale of personal data; and
  • Right to data deletion.

Exercising Consumer Rights

A consumer may exercise a right by submitting a request to a controller, specifying which right the consumer intends to protect. Once a consumer submits a request, the controller has 45 days to:

  • Take action on the consumer’s request and inform the consumer of any action taken; or
  • Inform the consumer of any reasons the controller is not taking action in response to the consumer’s request; or
  • Extend the initial 45-day period by an additional 45 days if reasonably necessary due to the complexity or volume of the consumer’s request and inform the consumer of the reason and length of the extension.

A controller may not charge the consumer a fee in response to the request unless it is the consumer’s second request in a 12-month period. A controller may, however, charge a “reasonable fee to cover the administrative costs of complying with the request.”

Data Controller Obligations

Similar to the European General Data Protection Regulation, the UCPA establishes “controller” and “processor” roles, which differentiate how entities handle personal data. Controllers are those who determine the purposes and means of processing personal data, while processors are entities that process personal data on behalf of a controller and at the controller’s direction. The law assigns different obligations based on an entity’s status as a controller or processor. The UCPA imposes several obligations on controllers, including:

  • Providing consumers with privacy notices;
  • Establishing, implementing, and maintaining reasonable administrative, technical, and physical data security practices to protect confidentiality, integrity, and accessibility of personal data; and
  • Outlining contractual requirements in engaging data processors.

Sensitive Data

Under the UCPA, controllers are prohibited from processing “sensitive data” without first giving the consumer explicit notice and an opportunity to opt out of the processing. Sensitive data includes:

  • Racial or ethnic origins;
  • Religious beliefs;
  • Sexual orientation;
  • Citizenship/immigration status;
  • Biometric information; and
  • Health information.

Enforcement

Similar to the VCDPA, the UCPA does not provide for a private right of action. However, unlike the VCDPA, which grants enforcement authority solely to the Attorney General, the UCPA provides for a bifurcated enforcement scheme. First, a division of the Utah Department of Commerce investigates companies based on consumer complaints and then refers the cases it deems legitimate to the Attorney General’s office. Before initiating an enforcement action, the Attorney General must first provide the business with (1) written notice at least 30 days in advance and (2) an opportunity to cure within 30 days of receipt of the notice.

Looking Ahead

The UCPA extends VCDPA-like rights and obligations for Utah consumers and businesses. Companies covered by this law or the VCDPA and CPA (set to be effective January 1, 2023 and July 1, 2023 respectively) should begin to assess their compliance to-do list. While there is significant overlap between the different privacy regimes, nuanced differences do exist and will require a careful review to ensure compliance with all applicable privacy rules. We will continue to monitor the evolution of privacy laws across the country, and we are available to assist in developing compliant privacy programs that proactively account for the dynamism of U.S. privacy law.

The views expressed in this article are those of the authors and not necessarily those of Redgrave LLP or its clients.