Utah Becomes Fourth US State to Enact Broad Consumer Data Privacy Law
On March 24, 2022, Utah Governor Spencer Cox signed into law the Utah Consumer Privacy Act (the UCPA or the Act), making Utah the fourth state in the US to enact major comprehensive data privacy legislation. Although the UCPA will not take effect until December 31, 2023, businesses should begin now to assess how the Act applies and map out a plan for compliance. Much like the California Consumer Privacy Act (CCPA), Virginia’s Consumer Data Protection Act (VCDPA) and the Colorado Privacy Act (CPA), the UCPA will obligate businesses engaging in commerce in Utah to provide state residents with notices about the collection, use and disclosure of personal information as well as the right to opt out of such collection, use and disclosure. The Act is most similar to—albeit narrower than—the VCDPA, which is broadly more favorable to businesses than the CCPA and CPA. Notably, the UCPA is the first comprehensive privacy law to pass both chambers of a Republican-controlled state.
The UCPA is enforceable by Utah’s attorney general and, like the VCDPA and CPA, does not grant Consumers (as defined below) a private right of action. The Act additionally affords controllers and processors a 30-day cure period following notice of an alleged violation before the attorney general may initiate an enforcement action. For comparison, the VCDPA also provides for a 30-day cure period while the CPA’s cure period is 60 days.
Who is Subject to the UCPA?
As under Europe’s General Data Protection Regulation (GDPR), VCDPA and CPA, the UCPA applies to “controllers” and “processors” of “personal data.” Controllers are persons doing business in Utah who determine the purposes for which and the means by which Consumers’ personal data are processed, while processors are those who process such personal data on a controller’s behalf. These terms roughly correspond to the CCPA’s definitions of “businesses” and “service providers.” Controllers and processors that are regulated under the Act are those that (1) either conduct business in Utah or target Consumers in the state, (2) have $25 million or more in annual revenue and either (A) process or control personal data of 100,000 or more Consumers during a calendar year or (B) derive more than 50 percent of the entity’s gross revenue from the sale of personal data and control or process the personal data of 25,000 or more Consumers.
The scope of application tracks closely to, but more narrowly than, all three of the other similar state laws. Under the VCDPA, an entity may be a “controller” regardless of its annual revenue. Under the UCPA, a controller includes an entity that controls or processes personal data of at least 25,000 consumers and derives any gross revenue from the sale of personal data. And the CCPA (subject to statutory exemptions) is even more expansive, regulating any business that annually has gross revenue of $25 million in the preceding calendar year regardless of the number of consumers whose personal data is processed. Like the CCPA and VCDPA, the UCPA exempts nonprofit organizations from its scope.
A “Consumer” under the UCPA means a resident of Utah, but only in the context of their role as an individual or household, expressly excluding an individual acting in an employment or commercial context. In this respect, an individual who represents a company in a business-to-business context, or an individual employed by or seeking a job from a company, is not a Consumer who would be included in any company’s calculation of the number of Consumers whose personal information it processes for purposes of determining whether that company is subject to the UCPA.
What Information is Covered?
The UCPA employs the same definition of “personal data” used in the CPA and VCDPA (which is similar to corresponding terms in the CCPA and GDPR): “[I]nformation that is linked or reasonably linkable to an identified individual or an identifiable individual” excluding de-identified data, aggregated data or publicly available information.
“Aggregated data” includes information relating to a group or category of Consumers “from which individual Consumer identities have been removed” and “that is not linked or reasonably linkable to any Consumer.” The CCPA similarly expressly provides that businesses may collect, use and disclose aggregate consumer information (in addition to de-identified information).
While “aggregated data” relates to groups of Consumers, “de-identified data” concerns individual records, which are defined as “data that (a) cannot reasonably be linked to an individual or to an identifiable individual, and (b) are possessed by a controller who: (i) takes reasonable measures to ensure that a person cannot associate the data with an individual, (ii) publicly commits to maintain and use the data only in deidentified form and not attempt to reidentify the data, and (iii) contractually obligates any recipients of the data to comply with” these aforementioned requirements.
“Publicly available information” is broadly defined under the UCPA. In addition to covering information that a person lawfully obtains from a record of a governmental entity and that a person reasonably believes a Consumer has made available to the general public, the UCPA’s definition covers information that a person reasonably believes widely distributed media has lawfully disclosed to the general public as well as information that a person “if the Consumer has not restricted the information to a specific audience, obtains from a person to whom the Consumer disclosed the information.”
What Exemptions Apply?
Similar to the CCPA, VCDPA and CPA, the UCPA contains a number of exemptions that significantly limit its scope. In particular, the UCPA exempts certain entities regulated under federal privacy laws, such as financial institutions subject to Title V of the Gramm-Leach Bliley Act and covered entities and business associates subject to the HIPAA privacy and security regulations. The Act also broadly exempts certain other entities without any regulatory limitation, such as institutions of higher education, air carriers, nonprofit corporations (as discussed above), tribes, governmental entities, and third parties under contract with a governmental entity when the third party is acting on behalf of the governmental entity. Moreover, the UCPA excludes a number of categories of personal information subject to their own sectoral privacy legislation, such as personal data protected by the Family Educational Rights and Privacy Act, children’s data collected in compliance with the Children’s Online Privacy Protection Act and identifiable private information for purposes of the Federal Policy for the Protection of Human Subjects.
What Obligations Does the UCPA Impose?
The UCPA imposes a number of obligations on controllers and processors. In particular, controllers are required to provide Consumers with a “reasonably accessible and clear privacy notice” that, among other things, specifies the purposes for which categories of personal data are processed as well as the categories of personal data that the controller shares with third parties, if any. Controllers and processors are also required to enter into a written contract that sets forth certain details of processing, such as the nature and purpose of such processing and the type of data subject to processing. Processors are required to follow controllers’ instructions with respect to processing personal data and must also contractually obligate any subcontractors to adhere to the same obligations it does with respect to the personal data. Notably, unlike the CCPA (as amended by the California Privacy Rights Act (CPRA), VCDPA and CPA, the UCPA does not require controllers conduct and document risk assessments about their internal data processing practices.
The UCPA also provides that controllers cannot process the “sensitive data” of any Consumer without first providing the Consumer with “clear notice and an opportunity to opt out of the processing” or, where children’s data is being processed, processing the data in accordance with the federal Children’s Online Privacy Protection Act.
“Sensitive data” is personal data that reveals racial or ethnic origin (except where such personal data are processed by a video communication service, a carveout not included in the CCPA, VCDPA or CPA), religious beliefs, an individual’s sexual orientation, an individual’s citizenship or immigration status, information regarding an individual’s medical history, mental or physical health condition, or medical treatment or diagnosis by a health professional, the processing of genetic personal data or biometric data, if the processing is for the purpose of identifying a specific individual, or specific geolocation data. This definition also goes a step further than existing broadly applicable privacy legislation by expressly excluding information regarding an individual’s medical history, mental or physical health condition, or medical treatment or diagnosis by a health care professional to the extent such personal data are processed by a person licensed to provide health care under the Health Care Facility Licensing and Inspection Act.
The UCPA’s opt-out approach to processing sensitive data is similar to that in the CCPA (as amended by the CPRA), which gives consumers an opt-out right to limit businesses’ use or disclosure of “sensitive” personal information. It marks a notable departure from the opt-in approaches adopted by Virginia and Colorado, which prohibit the processing of “sensitive data” without first obtaining the consumer’s consent.
What Rights Can Consumers Exercise Under the UCPA?
The UCPA, similar to the VCDPA, CPA and CCPA, enumerates a list of privacy rights Consumers have with respect to their personal data. The UCPA empowers Consumers with the right to access, delete and obtain a copy of their personal data, as well as the right to opt out of the sale of their personal data or processing for targeted advertising (but does not grant a similar right with respect to the use of personal information for “profiling,” as do the VDCPA, CPA and CCPA (as amended by the CPRA)). Unlike existing comprehensive privacy legislation, the UCPA does not grant Consumers the right to correct inaccuracies in their personal data.
In addition to allowing a controller to charge a fee when responding to “excessive, repetitive, technically infeasible, or manifestly unfounded” Consumer requests (similar to the VCDPA) as well as second or subsequent requests made during the 12-month period after the initial Consumer request (similar to the CPA), a controller may also charge a fee when it “reasonably believes the primary purpose in submitting the request was something other than exercising a right” or when the request harasses, disrupts or imposes undue burden on the controller.
Unlike the CCPA and CPA, which impose complex rulemaking obligations on each state’s attorney general, the UCPA mandates the Utah attorney general’s office shall submit a report to the Business and Labor Interim Committee before July 1, 2025 that, among other things, evaluates the liability and enforcement provisions of the UCPA. The Act’s passage is likely to only accelerate the degree to which other states might adopt legislation and, although Congress may consider enacting a federal law, in the near term, it seems states will likely continue to be the innovators. As dozens of other states actively consider their own consumer privacy legislation, companies should continue to anticipate what changes they might need to make to their business practices as this legislative framework grows increasingly more complex.
© Arnold & Porter Kaye Scholer LLP 2022 All Rights Reserved. This Advisory is intended to be a general summary of the law and does not constitute legal advice. You should consult with counsel to determine applicable legal requirements in a specific fact situation.