Utah has become the fourth state in the United States to pass a comprehensive consumer data privacy law—the most business-friendly state privacy law yet.
After passing both houses of Utah’s state legislature in February and March—with overwhelming bipartisan support—the Utah Consumer Privacy Act (UCPA) was signed into law by Governor Spencer Cox on March 24, 2022. The UCPA shares a number of similarities with the consumer privacy laws in California, Colorado, and Virginia, but has a few key differences that make fewer companies doing business in Utah subject to the law.
The UCPA will take effect December 31, 2023, and will require companies doing business in Utah to reassess their collection and use of consumer personal information and modify their business practices to comply with the law. Below we discuss a few noteworthy features of the UCPA, including how the new law compares to the recently enacted state consumer privacy laws in California, Colorado, and Virginia, and steps that businesses should take to ensure compliance prior to the law going into effect.
Among regulated entities, the UCPA creates different responsibilities for data “controllers”—those doing business in the state who determine the purpose and means by which personal data is processed—and “processors”—those who process personal data on behalf of a controller.
The UCPA applies to any controller or processor who (1) conducts business in Utah or produces a product or service that is targeted to Utah residents; (2) has annual revenue of $25 million or more; and (3) either (a) controls or processes personal data of 100,000 or more consumers in a calendar year, or (b) derives more than 50% of its gross revenue from the sale of personal data and controls or processes personal data of 25,000 or more consumers. Consumers are defined as residents of Utah acting in an individual or household context; individuals acting in an employment or commercial context are specifically excluded.
The UCPA regulates the use and processing of “personal data,” which is defined as information that is linked or reasonably linkable to an identified or identifiable individual. Data that cannot be linked to a consumer, such as de-identified data and aggregate data, and publicly available information are excluded from the UCPA’s coverage. The UCPA also excludes the processing of personal data for purely personal or household purposes.
The UCPA also does not apply to certain other categories of data and entities, including certain information already regulated by federal laws and regulations such as the Health Insurance Portability and Accountability Act (HIPAA), the Fair Credit Reporting Act, the Driver’s Privacy Protection Act, the Family Educational Rights and Privacy Act, and the Farm Credit Act; regulations related to substance abuse and human subjects research; and information related to the Health Care Quality Improvement Act and Patient Safety and Quality Improvement Act.
With respect to excluded entities, the UCPA does not apply to governmental entities (or government contractors, when acting on behalf of the government entity), tribes, higher education institutions, financial institutions subject to the Gramm-Leach-Bliley Act, nonprofit corporations, covered entities and business associates as defined in HIPAA regulations, and air carriers.
Like the Virginia Consumer Data Protection Act (VCDPA) and Colorado Privacy Act (CPA), the UCPA lacks a standalone revenue threshold of the kind found in the California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA), where $25 million in annual gross revenue alone is enough to bring a business within the law. Rather, the UCPA imposes its $25 million annual revenue threshold cumulatively, in addition to the thresholds related to the processing of consumer data; a business must satisfy both the revenue test and one of the processing tests to be covered.
The UCPA also defines “consumer” more narrowly than the CCPA and CPRA by permanently excluding any persons acting in a commercial or employment context.
Taken together, the absence of any independent revenue threshold and a narrow definition of consumer mean that fewer businesses will be subject to the UCPA than other state privacy regimes.
The UCPA provides consumers with certain rights related to their personal data that they may invoke by submitting a request to a controller. These include the rights to (1) confirm whether a controller is processing the consumer’s personal data and to access that personal data; (2) delete the consumer’s personal data that the consumer provided to the controller; and (3) obtain a copy of the consumer’s personal data that the consumer previously provided to the controller.
Consumers are also able to opt out of the processing of their personal data for two purposes: targeted advertising and the sale of personal data.
Like the CCPA, CPRA, CPA, and VCDPA, the UCPA requires controllers to take action on consumer requests and inform the consumer accordingly within 45 days after receipt of a request; controllers are allowed one 45-day extension when reasonably necessary due to the complexity of the request or volume of requests received.
A controller must provide information in response to a consumer’s request free of charge, up to one time annually per consumer. The 45-day window does not apply if a controller reasonably suspects a request is fraudulent and cannot authenticate the request, but the controller must inform the consumer of the reasons for not taking action. Likewise, if a controller cannot authenticate a request, it is not required to comply and may request additional information.
Controllers may not discriminate against consumers for exercising a right by denying goods or services, charging different prices, or providing different levels of quality. However, controllers may offer different prices, quality, or selections of a good or service if the consumer has opted out of targeted advertising or if the offer is related to participation in a loyalty or rewards program.
In addition, controllers are not required to provide products or services to consumers if the consumer’s personal data is reasonably necessary for the controller to provide the product or service, and the consumer does not provide or allow the controller to process the consumer’s personal data.
The consumer rights established by the UCPA are largely similar to those established by the CCPA, CPRA, CPA, and VCDPA, although there are some key differences:
Like the other state consumer privacy laws, the UCPA contains several notice requirements for controllers.
First, controllers must provide consumers with a reasonably accessible and clear privacy notice that includes the categories of personal data processed by the controller, the purposes for processing personal data, how consumers may exercise their rights, the categories of personal data that the controller shares with third parties, and the categories of third parties with whom the controller shares personal data.
Second, if a controller sells a consumer’s personal data to a third party or uses it for targeted advertising, the controller must clearly and conspicuously disclose how consumers may exercise their opt-out rights.
Controllers must also establish and maintain “reasonable administrative, technical, and physical data security practices” to protect the confidentiality and integrity of personal data and reduce reasonably foreseeable risks of harm to consumers relating to the processing of personal data. Controllers subject to the UCPA, similar to those subject to the CCPA, CPRA, CPA, and VCDPA, must “use data security practices that are appropriate for the volume and nature of the personal data at issue,” taking into consideration the controller’s size, scope, and type, and limit the collection of personal data “to what is adequate, relevant, and reasonably necessary in relation to the purposes for which such data is processed, as disclosed to the consumer.”
The UCPA also creates additional rules for the processing of certain “sensitive” data, which includes (1) personal data that reveals an individual’s racial or ethnic origin, religious beliefs, sexual orientation, citizenship or immigration status, medical history, mental or physical health condition, or medical treatment or diagnosis; (2) genetic or biometric data processed for the purpose of identifying a specific individual; or (3) precise geolocation data.
In order to process such sensitive data, the controller must first present the consumer with “clear notice and an opportunity to opt out,” or, for a known child under age 13, must proceed in accordance with the federal Children’s Online Privacy Protection Act.
Sensitive data does not include personal data that reveals an individual’s racial or ethnic origin if the personal data is processed by a video communication service, or certain medical data processed by licensed healthcare providers. Unlike the CPA and VCDPA, and similar to the CPRA, the UCPA does not require that controllers obtain consent prior to processing sensitive data.
The UCPA’s requirements expressly do not restrict a controller’s ability to comply with federal, state, or local laws or legal process; provide a product or service requested by a consumer; and detect, prevent, or respond to security incidents or other illegal activity, among other limitations.
Unlike other state consumer privacy laws, the UCPA does not require that businesses conduct data protection assessments.
Under the UCPA, whether a person is acting as a controller or processor with respect to a specific processing of data is a “fact-based determination.” However, a processor that adheres to a controller’s instructions with respect to a specific processing remains a processor.
Data processors must adhere to the controller’s instructions and assist the controller in meeting the controller’s obligations, taking into account the nature of the processing and information available to the processor.
Similar to the CCPA, CPRA, CPA, and VCDPA, before a processor performs any processing on behalf of a controller, the processor and controller must enter into a contract governing how the data is to be processed.
The UCPA requires that processor agreements (1) set forth instructions for processing personal data and other information related to such processing; (2) require the processor to ensure each person processing the personal data is subject to a duty of confidentiality; and (3) require the processor to engage any subcontractor pursuant to a written contract requiring the subcontractor to meet the same obligations.
The UCPA grants the Utah attorney general “exclusive” enforcement authority and, unlike the CCPA and CPRA, expressly provides that there is no private right of action. It preempts local ordinances, rules, and regulations.
The UCPA requires the Division of Consumer Protection (the Division) to establish and administer a system to receive consumer complaints. The Division may investigate complaints to determine if a processor or controller violated the UCPA and, with reasonable cause, shall refer violations to the attorney general. Upon referral, the attorney general may initiate an enforcement action.
Under the UCPA’s right-to-cure provision, the attorney general must provide a business 30 days’ written notice that identifies the specific provisions allegedly being violated before initiating an enforcement action. If within the 30-day period the business cures the violation, the attorney general will not initiate an action. If the controller or processor continues to violate the UCPA, the attorney general may initiate an action. The attorney general may recover actual damages and a civil penalty of up to $7,500 per violation.
By July 1, 2025, the attorney general and the Division must compile a report evaluating the liability and enforcement provisions of the UCPA and summarizing the data protected and not protected.
As a threshold matter, businesses should consider whether the UCPA will apply to them. Because the UCPA imposes a cumulative annual revenue threshold of $25 million, even those businesses that otherwise fit the definition of “controller” under the UCPA (i.e., companies doing business in Utah that process personal data of 100,000 or more consumers in a calendar year, or that derive more than 50% of their gross revenue from the sale of personal data and process personal data of 25,000 or more consumers) will not be subject to the new law unless their annual revenue is $25 million or more.
Fortunately, the UCPA does not establish any new requirements not seen in other consumer privacy laws. Its similarity to the CCPA, CPRA, CPA, and VCDPA means that those companies that have been building compliance programs for those state consumer privacy laws will be well positioned to comply with the UCPA.
For those companies that have not yet built compliance programs for state consumer privacy laws and that meet the thresholds to be considered controllers under the UCPA, it will be important to tailor compliance programs to the UCPA well ahead of the December 31, 2023 effective date.
Businesses subject to the UCPA should ensure that they have a mechanism for Utah consumers to submit requests regarding their personal information, as well as a plan for responding to those requests. They should also assess current privacy practices, revise privacy notices, and update commercial contracts with vendors to ensure compliance with the UCPA.
The UCPA represents a trend toward the enactment of “copycat” state privacy laws that we are likely to see continue in the months and years to come, and businesses will need to continue to tailor their compliance programs as new laws are enacted.
If you have any questions or would like more information on the issues discussed in this LawFlash, please contact any of the following Morgan Lewis lawyers:
Mark L. Krotoski