Utah Joins the Comprehensive State Privacy Law Club

by Avi GesserJohanna N. Skrzypczyk, Michael R. Roberts, and Alessandra G. Masciandaro

On March 24, 2022, Utah enacted a comprehensive consumer privacy law, the Utah Consumer Privacy Act (“UCPA”). The UCPA, effective on December 31, 2023, is largely consistent with other comprehensive state privacy laws, but includes several key differences. The UCPA is set to be reviewed by the attorney general who must submit a report to the legislature by July 1, 2025.

In prior posts, we have written about the evolving state privacy law landscape, including how to prepare for state privacy laws coming into effect in 2023 here; various aspects of the CCPA and CPRA, including here and here; and the Virginia Consumer Data Protection Act (“VCDPA”) here. For purposes of this post, we refer collectively to the CCPA/CPRA, VCDPA, and ColoPA as the “State Privacy Laws.”

While the UCPA appears to be business-friendlier than its predecessors, companies will need to consider the Utah law as they work to comply with state privacy laws coming into effect in 2023. This post reviews the UCPA with an eye toward identifying key differences in scope and net-new or different requirements so companies can focus their efforts to comply with the UCPA’s December 31, 2023, effective date. 

Narrower Applicability

The UCPA has a narrower applicability than the State Privacy Laws. The UCPA applies to data controllers or processors who conduct business in Utah or produce a product or service that is targeted to Utah residents.  In order for the UCPA to apply to a data controller or processor, such business must have annual revenue of $25 million or more, and satisfy at least one of the following thresholds: (i) during a calendar year, control or process personal data of 100,000 or more consumers resident in Utah; or (ii) derive over 50% of its gross revenue from the sale of personal data and control or processes personal data of 25,000 or more consumers resident in Utah. UCPA § 13-61-102. While the State Privacy Laws consider either a minimum annual revenue (CCPA) or a data processing threshold (VCDPA; ColoPA), the UCPA incorporates both criteria. The UCPA also provides certain data-based and entity-based exemptions. The UCPA provides entity-based exemptions for the following: institutions of higher education, nonprofit corporations, covered entities and business associates under HIPAA, GLBA-covered financial institutions, government entities and contractors, tribes, and air carriers. Additionally, the UCPA does not apply to data subject to HIPAA, GLBA, the FCRA, the Driver’s Privacy Protection Act, the FERPA, and the Farm Credit Act.

Bottom Line: While the applicability threshold requires a fact-specific analysis, some companies subject to other State Privacy Laws may be exempt from the UCPA based on their more limited footprint in Utah.

More Limited Consumer Rights

The UCPA gives consumers rights to access, to data portability, and to deletion. However, the UCPA does not include the right to correct that is found in the State Privacy Laws. And unlike the CCPA/CPRA and ColoPA, the UCPA’s right to data portability does not contain a twice per year restriction. Under the UCPA, like the ColoPA, however, businesses may charge a reasonable fee for consumer requests that occur more than once per year.

The UCPA’s rights to access and deletion are also more limited than the corollary rights in the State Privacy Laws. The UCPA requires entities to provide a copy of and delete only the data that consumers provided to the business—and does not cover, for example, data purchased from data brokers. The rights to access and deletion are different under the VCDPA and ColoPA. Under the VCDPA the right to access is limited to personal data previously provided to the controller, and the right to deletion extends to the consumer’s data generally, and under ColoPA the rights to access and deletion cover personal data concerning the consumer.

The UCPA does not require controllers to provide mechanisms to appeal decisions regarding consumer rights requests. Unlike the UCPA, the VCDPA and ColoPA require controllers to provide consumers with a right to appeal, and under the CCPA/CPRA “[i]f the business does not take action on the request of the consumer . . . the business shall inform the consumer … [of] any rights the consumer may have to appeal the decision.”

Bottom Line: While the narrower scope of consumer rights under the UCPA may ease compliance burdens, companies will need to determine whether they will be able to take a standardized approach for offering consumer rights under the UCPA and State Privacy Laws, or whether they will need to address rights on a state-by-state basis.    

Opt-Out Requirements for Targeted Advertising or Sales

Like the State Privacy Laws, the UCPA provides opt-out rights for targeting advertising or sales of personal data. Nonetheless, these UCPA opt-out rights are narrower than the State Privacy Laws. 

The UCPA defines “sales” more narrowly than the CCPA/CPRA and ColoPA and consistent with the VCDPA. The UCPA defines a “sale” of personal data as “the exchange of personal data for monetary consideration by a controller to a third party.” UCPA § 13-61-101(31)(a). The UCPA also provides a net-new exemption to “sales,” permitting “a controller’s disclosure of personal data to a third party if the purpose is consistent with a consumer’s reasonable expectations.” UCPA§ 13-61-103(31)(b)(iii). Unlike the State Privacy Laws, the UCPA does not provide an opt-out right for data used for profiling.

Bottom Line: The UCPA’s definition of “sale” is more limited than the definition under CCPA/CPRA and ColoPA. These differences may require companies to assess the operational benefit of providing different consumer rights under State Privacy Laws.    

Sensitive Data

The UCPA also provides an opt-out right for the processing of “sensitive data,” which is defined similarly to sensitive data under ColoPA and VCDPA and includes data that reveals an individual’s race, ethnic origins, religious beliefs, genetic and biometric data, and specific geolocation data.  The UCDPA right differs from the opt-in right under the VCDPA and ColoPA. To comply with the UCPA, businesses must “present[] the consumer with clear notice and an opportunity to opt out of the processing,” or comply with the Children’s Online Privacy Protection Act before processing sensitive data from a “known child.” UCPA § 13-61-302(3).

Bottom LineCompanies complying with the other State Privacy Laws may more easily comply with the UCPA, although companies will need to assess the risks and benefits of applying a common, across-the-board approach to sensitive data.   

No Requirement to Conduct Risk Assessments or Data Protection Impact Assessments

Under the UCPA, businesses are not required to conduct risk assessments related to their processing or control of personal data. This contrasts with the VCDPA and ColoPA, which both require businesses to conduct a data protection impact assessment in certain situations, such as when data processing presents a heightened risk of harm to consumers. The UCPA also contrasts with the CCPA/CPRA, which will require risk assessments with respect to businesses processing of personal information and a specific analysis of the benefits and risks of such processing.

Additional Grounds for Recovering Fees from Consumers

The UCPA permits businesses to charge consumers a reasonable fee for complying with access requests. Under the UCPA, businesses may charge such fees (i) if requests are excessive, repetitive, technically infeasible, or manifestly unfounded; (ii) if more than one request is made within a 12-month period; (iii) if the business reasonably believes the primary purpose in submitting the request was something other than exercising a right; or (iv) if the request harasses, disrupts or creates an undue burden on the business. UCPA § 13-61-203(4).

Privacy Notice 

The UCPA requires controllers to provide a “reasonably accessible and clear” privacy notice that includes: (i) the categories of personal data processed by the controller; (ii) the purposes for which the categories of personal data are processed; (iii) how consumers may exercise a right; (iv) the categories of personal data that the consumer controller shares with third parties; and (v) the categories of third parties with whom the controller shares data.

Bottom Line: While the UCPA’s privacy notice requirements are similar to the State Privacy Laws, companies should carefully review their privacy policies and notices to ensure they are complying with each state’s requirements and, where appropriate, providing sections dedicated to specific state laws and consumer rights.

Contracting Requirements for Processors and for Subcontractors

The UCPA requires that when a processor performs data processing on behalf of a controller, the parties enter a contract that (a) clearly sets forth instructions for processing personal data, the nature and purpose processing, the type of data subject to processing, the duration of the processing, and the parties’ rights and obligations; (b) requires the processor to ensure each person processing personal data is subject to a duty of confidentiality with respect to the personal data; and(c) requires the processor to engage any subcontractor pursuant to a written contract that requires the subcontractor to meet the same obligations as the processor with respect to personal data. UCPA § 13-61-301(2). The VCDPA and ColoPA require contractual provisions similar to the UCPA and include several additional requirements. Businesses that comply with VCDPA and ColoPA may more easily comply with the UCPA’s contractual requirements.

Enforcement Authority

The UCPA delegates enforcement authority to the Utah Attorney General (“UAG”). The UCPA does not include a private right of action, but does establish the Division of Consumer Protection (the “Division”) within the Utah Department of Commerce. The Division has the authority to investigate consumer complaints to determine whether a controller or processor has violated the UCPA. The UCPA requires the director of the Division to refer a matter to the UAG if the director has reasonable cause to believe a person is in violation of the UCPA. The UCPA also requires that the Division, upon request, provide consultation and assistance to the UAG in enforcing the UCPA. 

Similar to the current CCPA, the UCPA includes a 30-day right to cure for businesses that receive a notice of a UCPA violation from the UAG. If the UAG successfully brings an action under the UCPA, the UAG may recover actual damages to consumer(s) and up to $7,500 per violation. Any money recovered by the UAG will be deposited into a Consumer Privacy Account. UCPA § 13-61-402.

***

States continue to consider and adopt comprehensive privacy laws with different requirements and burdens, which means that companies need to analyze their privacy obligations on a law-by-law basis.  This has led some companies to renew their call for federal legislation, but that path is by no means clear. 

Avi Gesser is a partner, Johanna Skrzypczyk is counsel, and Michael R. Roberts and Alessandra G. Masciandaro are associates, at Debevoise & Plimpton. This post originally appeared on Debevoise’s Data Blog.

Disclaimer

The views, opinions and positions expressed within all posts are those of the authors alone and do not represent those of the Program on Corporate Compliance and Enforcement or of New York University School of Law.  The accuracy, completeness and validity of any statements made within this article are not guaranteed.  We accept no liability for any errors, omissions or representations. The copyright of this content belongs to the authors and any liability with regards to infringement of intellectual property rights remains with them.