Utah recently became the fourth state in the United States, after California, Virginia and Colorado, to pass comprehensive privacy legislation. The Utah Consumer Privacy Act (the “UCPA”) was passed by the Utah legislature as Senate Bill 227 and signed by Governor Spencer Cox on March 24, 2022.
The provisions of the UCPA are generally comparable to the California Consumer Privacy Act (the “CCPA”), Virginia’s Consumer Data Protection Act (the “VCDPA”), and Colorado’s Privacy Act (the “CPA”). One deviation is the narrower applicability of the UCPA: the statute does not apply to a business unless it meets both the revenue requirement and the processing requirement. Specifically, the UCPA applies to controllers and processors that conduct business in Utah or target Utah consumers, meet an annual revenue threshold of $25 million, and either (i) process or control the personal data of 100,000 or more Utah residents or (ii) process or control the personal data of at least 25,000 Utah residents and derive 50% or more of their profits from the processing or controlling of that data.
Employee, B2B and Other Exemptions.
Importantly, the UCPA exempts data collected in employee and business-to-business relationships. Other exemptions include non-profit businesses, entities and information covered under the Health Insurance Portability and Accountability Act of 1996 (HIPAA), the Fair Credit Reporting Act (FCRA), the Driver’s Privacy Protection Act of 1994 (DPPA), the Family Educational Rights and Privacy Act (FERPA), and financial institutions and information covered under the Gramm-Leach-Bliley Act (GLBA).
Enforcement. No Private Right of Action.
Like the VCDPA and the CPA, the UCPA does not contain a private right of action, but the Utah attorney general may seek statutory damages of up to $7,500 per violation plus actual damages to the consumer. Unique to the Utah legislation is its bifurcated enforcement approach, which requires consumers to first file claims for alleged violations with the Utah Department of Commerce’s Division of Consumer Protection for consideration and investigation. If the claim is deemed legitimate, it moves to the Utah attorney general’s office, which will either concur with the Division of Consumer Protection’s conclusions or reject the claim. If the Utah attorney general’s office decides the claim is valid, the business has 30 days to cure the violation and to notify the attorney general that it intends to remain in compliance. The Utah legislation also requires the Utah attorney general’s office to compile an assessment report and propose changes to the legislation, due July 1, 2025.
The consumer rights provided to Utah residents under the UCPA are similar to those in existing state comprehensive privacy laws. The UCPA gives consumers the right to know, access and delete their personal data, to opt out of processing for the purposes of targeted advertising or the sale of personal data, and to obtain a portable copy of their personal data. Notably missing from the UCPA are the consumer right to opt out of profiling and the consumer right to correct their personal data. Unlike the CPA and the VCDPA, which require opt-in consent, the UCPA does not require opt-in consent to process sensitive data unless the data relates to a known child. Instead, the UCPA requires controllers to present the consumer with clear notice and an opportunity to opt out of sensitive data processing.
The UCPA also does not require the appointment of a data protection officer, a data protection assessment, or the maintenance of records. However, the controller does carry specific burdens of proof (for example, showing that processing was done under an enumerated exception to the UCPA), so maintaining records will be important even without a statutory mandate.
The responsibilities of processors are also less onerous under the UCPA. The UCPA does require controllers to have a binding contract with each of their processors that sets forth the applicable instructions for processing personal data, imposes confidentiality obligations on individuals processing personal data, and requires the processor to enter into contracts with subcontractors that meet the same obligations as the processor. It does not, however, require the contract to provide that the processor will delete and return the personal data to the controller at the end of the services, or that the processor give prior notice and an opportunity to object before using subcontractors. The UCPA does obligate processors to assist the controller in meeting its obligations under the UCPA, including taking appropriate technical and organizational measures to help the controller respond to individual rights requests and to meet the controller’s obligations related to the security of processing personal data and to security breaches. The UCPA does not require the processor to provide information to the controller for a data protection assessment or to contribute to audits and inspections by the controller.
The UCPA will become effective December 31, 2023.
About Data Points: Privacy & Data Security Blog