On March 4, 2022, Utah’s legislature passed the Utah Consumer Privacy Act, or “UCPA”. Upon receiving Governor Cox’s signature, which is expected, Utah will become the fourth state to have passed a comprehensive consumer data privacy law. The law will go into effect on December 31, 2023, giving covered businesses just under two years to make sure they are in compliance. The bill is generally modeled on the Virginia Consumer Data Protection Act (VCDPA), though with some more business-friendly aspects.
Controllers and Processors
The UCPA, like the European Union’s General Data Protection Regulation (GDPR) and the Virginia and Colorado privacy laws, sorts covered businesses into “controllers” and “processors”:
- A controller is a business that decides the purposes or means of processing personal data.
- A processor is a business that processes personal data on behalf of and at the direction of a controller.
The UCPA applies to a controller or processor that meets all three of the following conditions:
- conducts business in Utah or produces a product or service targeted to consumers who are Utah residents
- has annual revenue of $25 million or more
- either (1) controls or processes the personal data of 100,000 or more consumers during a calendar year, or (2) derives over 50% of its gross revenue from the sale of personal data and controls or processes the personal data of 25,000 or more consumers.
As in the existing Colorado and Virginia privacy laws, the term “consumer” means a Utah resident. The definition does not include an individual acting in an employment or commercial context, so data collected in those contexts is not protected by the UCPA.
Under the UCPA, there are exemptions for certain specified businesses and organizations. Personal data regulated by federal laws such as HIPAA and the Fair Credit Reporting Act is not subject to the UCPA. The law also exempts state institutions of higher education, tribes, non-profit organizations, personal data regulated by the Children’s Online Privacy Protection Rule, and financial institutions governed by the Gramm-Leach-Bliley Act.
In addition to the long list of exemptions, the UCPA also lists some business practices that the law is not intended to restrict. Some are simple and straightforward, like complying with other state and federal laws. Others could be quite broad, depending on how the state chooses to interpret them. For example, the definition of the “sale” of personal data contains an exception unique to the Utah law: a sale does not occur if the disclosure to a third party is for a purpose consistent with a consumer’s reasonable expectations given the context in which the data was collected. This exception is not found in the California, Colorado or Virginia laws; how “reasonable expectations” will be interpreted under Utah’s law remains to be seen.
A controller that believes an exemption applies to it should consult a privacy expert to confirm that it actually qualifies for one of the many exemptions the UCPA provides.
Like other comprehensive consumer privacy laws, the UCPA grants consumers certain rights to their personal data. Consumers may request to:
- access the personal data that a controller processes about them
- delete personal data that the consumer provided to the controller
- obtain a copy of the personal data in a portable format that the consumer provided to the controller
- opt out of the sale of personal data (defined as disclosure by a controller to a third party for monetary consideration) or processing of personal data for targeted advertising.
Of note is that under the UCPA, a consumer does not have to make the request themselves. Instead they can authorize another person to act on their behalf to make the request.
When a controller receives a request to exercise one of these rights, it must respond to the consumer within 45 days, and it may extend that period by another 45 days if reasonably necessary. Like the VCDPA, the UCPA does not require a controller to respond to a request it cannot authenticate, or to a request concerning pseudonymous data. If a controller cannot authenticate a request, it may ask the consumer for additional information in order to do so.
Responsibilities of Businesses
The law requires controllers to provide consumers with a reasonably accessible and clear privacy notice that tells them the:
- categories of personal data collected
- purposes for collecting
- consumers’ rights and how to exercise them
- categories of personal data shared with third parties, and the categories of third parties it is shared with.
Controllers are responsible for protecting the confidentiality of personal data, reducing the risk of harm to consumers, and maintaining reasonable data security practices. Processors must help controllers meet their obligations under the new law, including by implementing appropriate security measures and notifying the controller of any security breach.
To make it clear how the controller and processor divide their responsibilities, the UCPA requires that the relationship between them be governed by a contract. The contract must include provisions that address the:
- processor’s processing instructions
- nature of the processing
- purpose of the processing
- type of data being processed
- duration of processing
- confidentiality of data
- engagement of subprocessors
Neither party can contract out of any obligation the UCPA imposes on it.
As defined by the UCPA, sensitive data includes information about racial or ethnic origin, religious beliefs, sexual orientation, citizenship or immigration status, health and medical treatment or conditions, biometric or genetic data used to identify an individual, and geolocation data. Unlike Virginia and Colorado, Utah does not require controllers to obtain opt-in consent to collect and process such data. They need only provide notice and an opportunity to opt out before processing a consumer’s sensitive data.
Unlike Virginia, Colorado, and (starting in 2023) California, Utah does not require data protection impact assessments for processing activities that could be considered “high-risk,” such as using sensitive data, conducting targeted advertising, or profiling.
Utah also does not give the attorney general rule-making power under the UCPA, so there will be no regulations spelling out businesses’ obligations in more detail than the text of the law itself. As with Virginia’s law, which also does not provide for regulations, Utah does require the attorney general to compile a report evaluating the effectiveness of the law. This report must be submitted to the legislature by July 1, 2025.
The UCPA gives the Utah attorney general the exclusive authority to enforce the law; there is no private right of action allowing individuals to sue businesses for violations of the UCPA. However, in a provision that is unique to Utah, the attorney general cannot initiate an enforcement action directly. Instead, the Utah Department of Commerce’s Division of Consumer Protection must first investigate a potential violation of the UCPA and, if it finds “reasonable cause to believe that substantial evidence [of a violation] exists,” refer it to the attorney general for enforcement. This two-tiered system could reduce the number of enforcement actions as compared to other states with comprehensive consumer privacy laws.
The attorney general must give notice of an alleged violation to a business with a 30-day cure period. Only after that time has elapsed and a company is still not in compliance with the law may the attorney general take enforcement measures. The attorney general can recover actual damages to consumers and up to $7,500 for each violation.
SixFifty’s Privacy toolset can help you determine how to best handle your organization’s data. We are continuously monitoring this dynamic area of the law and updating our tools with changes in real time.
The UCPA has many aspects in common with other privacy laws, so businesses already in compliance with those laws will recognize many of these requirements. However, there are enough differences, particularly in the exemptions and the compliance obligations, that consulting a data privacy expert is highly recommended for companies conducting business in Utah. SixFifty will soon release a data privacy tool to help businesses assess whether the law applies to them and to what extent, and will provide the tools companies need to comply well before the law’s effective date of December 31, 2023.
Working with SixFifty is like having top-tier privacy lawyers by your side as you work through the best way to comply with your privacy law obligations.
If you are ready to get started or have any questions, schedule a demo with SixFifty today!