Utah, the fourth state to pass a consumer data privacy law in the U.S., took only 35 days to move the Utah Consumer Privacy Act (UCPA) from introduction to signature. Officially signed on March 24, 2022, the UCPA joins California, Virginia, and Colorado in the growing patchwork of state privacy laws. The UCPA shares many similarities with the California Privacy Rights Act (CPRA), Virginia's Consumer Data Protection Act (CDPA), the Colorado Privacy Act (CPA), and Connecticut's recently passed Data Privacy Act (CTDPA), but it also differs in a number of areas, which will require businesses in Utah to reassess how they collect and use consumer personal information in order to comply with the new law.
Below, we take a closer look at some of the key provisions of the UCPA and how the new law compares to the CPRA, CDPA, and CPA.
Background of the UCPA
On February 17, 2022, Senate Bill 227 (now known as the UCPA) was introduced in the Utah Legislature. Less than two weeks later, the UCPA cleared the Senate on February 28, 2022, in a 28-0 vote. The House followed suit with a 71-0 approval vote on March 2, 2022, two days before Utah's legislative session was set to end. When the bill reached Governor Spencer Cox on March 15, 2022, he had 20 days to either sign the bill, veto the bill, or take no action and let it become law without a signature. On March 24, 2022, just nine days later, the governor signed the UCPA into law, making Utah the fourth state to enact a consumer data privacy law.
The UCPA will take effect on December 31, 2023, the last of the five recently passed state privacy laws (including the Connecticut Data Privacy Act) to go into effect.
Key Provisions of the UCPA
Although Utah is only the fourth state in the U.S. to pass a consumer data privacy law, the UCPA is considered the most business-friendly privacy law so far. The new law's requirements are narrower and more lenient than its counterparts in other states, and it closely follows the privacy principles found in Virginia's CDPA. While the UCPA also shares many provisions with the CCPA, CPRA, and CPA, such as its exemption for employee data and its inclusion of sensitive personal information, there are a few key differences, including the UCPA's definition of "sale."
Here’s a breakdown of the UCPA and how its requirements compare to the privacy laws in California, Virginia, and Colorado.
The UCPA applies to controllers and processors that conduct business in Utah or produce products or services that are targeted at Utah residents. Organizations fall under the scope of the UCPA if they have an annual revenue of over $25 million and meet one of the following threshold requirements:
- Annually control or process the personal data of 100,000 or more consumers; or
- Derive over 50% of their gross revenue from the “sale” of personal data and control or process the personal data of 25,000 or more consumers.
The scope of the UCPA closely resembles the thresholds of the CPRA and has only minimal differences from the CDPA and CPA. For example, both the CDPA and CPA lack the $25 million gross revenue threshold, and the CPA does not include the requirement that businesses deriving over 50% of their gross revenue from the sale of personal data must also comply.
Personal data under the UCPA is defined as "information that is linked or reasonably linkable to an identified or identifiable individual." Unlike the CDPA and CPA, the UCPA expressly excludes deidentified, aggregated, or publicly available information from its definition of personal data. Organizations that process the personal data of consumers must safeguard that data and provide clear information about how that data is being used.
Sale of Personal Data
Under the UCPA, a sale of personal data occurs when a controller exchanges personal data with a third party for monetary consideration. The CDPA shares the same definition, whereas under the CCPA, CPRA, and CPA, a sale occurs when personal data or information is exchanged for monetary or "other valuable consideration." The UCPA excludes certain types of disclosures from the definition of sale, which are almost identical to those found in the CDPA and CPA, including disclosures to processors and to a controller's affiliates, and disclosures to a third party for the purpose of providing products or services requested by the consumer. In addition, a sale does not occur if the disclosure to a third party is for a purpose consistent with a consumer's reasonable expectations.
As in other state laws, the UCPA grants consumers certain rights to their personal data.
Right to Access.
Consumers have the right to confirm if a controller is processing their personal data and access the personal data that a controller is processing about them.
Right to Delete.
Consumers have the right to delete the personal data they have provided to a controller. Under the UCPA, consumers can only request the deletion of personal data that they have directly provided to the organization, rather than all the personal data a controller has about them.
Right to Data Portability.
Consumers have the right to obtain a copy of their personal data from the controller in a portable and readily usable format that allows them to transfer the data to another entity or platform.
Right to Opt-Out.
Consumers have the right to opt out of the "sale" of their personal data and of the processing of their personal data for targeted advertising. This differs slightly from the CDPA and CPA, which also allow consumers to opt out of profiling.
Unlike the laws in California, Virginia, and Colorado, the UCPA does not grant consumers a right to correct inaccuracies in their personal data. Utah consumers also do not have a right to opt out of automated decision-making, as consumers in Colorado and Virginia do.
For each consumer request, controllers have 45 days to respond, with an additional 45-day extension available if reasonably necessary for the business to comply, a process identical to the CDPA's. Although the first consumer rights request is free, controllers can charge a fee for subsequent requests within a 12-month period, or if a consumer request places an excessive burden on business resources. In certain cases, such as when a controller cannot authenticate a consumer's identity, the controller can decline to comply with the request.
Sensitive Data and Consent
Sensitive data under the UCPA refers to personal data regarding racial or ethnic origin, religious beliefs, sexual orientation, citizenship or immigration status, health and medical treatment or conditions, biometric or genetic data used to identify an individual, and specific geolocation data. Unlike the CDPA and CPA, the UCPA carves out two categories from its definition of sensitive data: personal data that reveals an individual's racial or ethnic origin when it is processed by a video communication service (a term the statute does not define), and certain data when processed by certain healthcare workers.
One of the unique provisions of the UCPA is its treatment of sensitive data. Unlike the CDPA and CPA, the UCPA does not require controllers to obtain consent from consumers before processing sensitive personal data. Controllers only need to provide consumers with clear notice and an opportunity to opt out prior to processing a consumer's sensitive data, an approach similar to the CPRA's. Consent is required only when processing the sensitive personal data of children under 13, and that consent must be obtained in accordance with the Children's Online Privacy Protection Act (COPPA).
Processing Obligations for Controllers
The processing obligations for controllers under the UCPA closely resemble those found in the CDPA and CPA, with a few minor differences.
- Transparency: Controllers must provide consumers with a reasonably accessible privacy notice that covers: 1) The categories of personal data processed by the controller; 2) The purposes for processing; 3) How consumers can exercise the rights granted by the UCPA; 4) The categories of personal data that the controller shares with third parties; 5) The categories of third parties with whom a controller shares personal data.
- Security: Controllers must establish and maintain reasonable administrative, technical, and physical data security practices. These practices must safeguard the confidentiality and integrity of a consumer’s personal data and reduce reasonably foreseeable risks relating to that processing.
- Nondiscrimination: A controller cannot deny a good or service, charge a different price, or provide a different level of quality to a consumer who exercises their rights under the UCPA. However, controllers can offer different prices, quality, or selection of a good or service if a consumer has opted out of targeted advertising, or if the offer is related to the consumer's participation in a loyalty, rewards, or discount program. Nor is a controller required to provide a product, service, or functionality to a consumer if the consumer's personal data is reasonably necessary for the controller to provide that product, service, or functionality, and the consumer did not provide the personal data or did not allow the controller to process it.
Processing Obligations for Processors
Under the UCPA, processors are required to adhere to the controller's instructions and to use appropriate technical and organizational measures to assist the controller in meeting its obligations, comparable to other state privacy laws. All processing must be governed by a contract between the controller and processor that sets out the relevant processing instructions and obligations. Unlike the CDPA and CPA, there is no requirement that processors allow audits or inspections by controllers or by auditors designated by controllers.
Like the CDPA, the UCPA does not provide a private right of action. Instead, enforcement of the UCPA rests with the Utah Attorney General. However, before any claim reaches the attorney general, it must first be deemed valid by the Utah Department of Commerce's Division of Consumer Protection.
The Division of Consumer Protection will first investigate and review consumer complaints to decide whether a claim is legitimate and whether the alleged violation warrants enforcement. If there is substantial evidence that a violation exists, the claim is referred to the attorney general, who may either decline to pursue it or bring an enforcement action. Controllers and processors found to have violated the UCPA then have a 30-day cure period to fix the violation, the same length of time provided by the CDPA and CCPA. The UCPA's cure period is not expected to sunset, unlike that of the CPA, which will do so two years after the CPA's effective date. The controller or processor must also provide the attorney general with a written statement declaring that the violation has been cured and that no further violations will occur.
If the issue is not resolved, or if additional violations occur after the written statement is provided, organizations can be liable for actual damages to consumers and civil penalties of up to $7,500 per violation. Money collected from these penalties will be deposited into a Consumer Privacy Account to fund future administrative and investigation costs.
This novel, multi-layered approach provides several safeguards for businesses. Because two separate agencies (the Division of Consumer Protection and the attorney general) must each find reasonable evidence of a violation, there will likely be fewer actions taken against companies. Compliance, not penalties, is the stated goal of the agencies enforcing the UCPA, so they will likely focus on the violations that cause the most harm, judged by the size of the affected population and the number of records involved, rather than pursue technical violations.
The UCPA exempts a number of entities and categories of data from its scope, much like the CDPA and CPA. These include publicly available data, de-identified data, and data regulated by the Health Insurance Portability and Accountability Act (HIPAA), the Driver's Privacy Protection Act, and the Family Educational Rights and Privacy Act (FERPA). The UCPA also includes broad exemptions for entities and businesses covered by the Fair Credit Reporting Act (FCRA) and the Gramm-Leach-Bliley Act (GLBA). Much like the CDPA, the UCPA does not apply to non-profit organizations or institutions of higher education, and it also exempts tribes, air carriers, and government bodies.
Since its approval, Utah lawmakers have been clear that the UCPA's current version is only a starting point and that future amendments and revisions are a real possibility. This is underscored by the fact that the UCPA requires the attorney general and the Division of Consumer Protection to submit a report by July 1, 2025, evaluating the law's liability and enforcement provisions. The report must also assess the effectiveness of the attorney general's and the division's enforcement efforts and summarize the data protected and not protected by the law.
As the last of the five currently passed state privacy laws to take effect (the CPRA and CDPA in January 2023, and the CPA and CTDPA in July 2023), organizations that have prepared for those laws should be in a relatively strong position to comply with the UCPA's requirements by December 31, 2023. However, because the UCPA contains provisions not found in the other laws, waiting to prepare for compliance will leave organizations scrambling to meet the deadline.