Today, Utah joins the ranks as the fourth state to pass comprehensive privacy legislation, taking the most business-friendly approach to date. The Utah Consumer Privacy Act (“UCPA”) easily passed both Republican-held chambers and became law on March 24, 2022. The UCPA goes into effect on December 31, 2023.
The UCPA closely tracks the Virginia Consumer Data Protection Act but provides businesses with greater insulation from enforcement. The primary sponsor, Senator Kirk Cullimore, stated that “[t]he bill does not impose onerous regulations, but significantly pares back the more burdensome and confusing provisions found in similar state privacy legislation.”
The UCPA applies to controllers or processors that conduct business in the state or produce a product or service targeted at residents of Utah. The business must have an annual revenue of at least $25 million and satisfy one of the following: (a) control the personal data of 100,000 residents or (b) derive 50% of revenue from selling the data of more than 25,000 consumers. There are broad exemptions for B2B data, employee data, government entities, nonprofits, higher education institutions, and GLBA or HIPAA regulated entities, among others.
Key Provisions and Omissions
Key provisions include:
- Privacy Notice: Controllers are required to provide clear and accessible information on how personal data is used, including categories of personal data collected and shared, purposes of processing the personal data, and the categories of third parties with which the personal data is shared, and how consumers may exercise their rights.
- Data Subject Rights: The new law provides consumers the right to access, delete and port personal data and the right to opt out of the sale of their personal data and of targeted advertising. Controllers must respond to such requests within 45 days. Unlike the CCPA, the UCPA limits the definition of “sale” to monetary consideration, as opposed to “monetary or other valuable consideration.”
- Processor Obligations and Contracts: Processors must adhere to the controller’s instructions and assist the controller in meeting its obligations under the UCPA. Before a processor performs processing, the processor and controller must enter into a written contract that includes processing instructions, confidentiality obligations, and imposes the same contractual requirements on any subcontractors.
- Sensitive Data: Controllers are required to offer consumers notice and opt-out before processing sensitive data.
- Exemptions: In addition to the exemptions mentioned above, de-identified, aggregated, and publicly available data are excluded from the definition of “personal data.” The law also provides further carve-outs for pseudonymized data, including exempting such data from the right to access, delete, or port data, so long as certain conditions are met.
Unlike other comprehensive state privacy laws, the UCPA does not give consumers the right to correct their data, does not prohibit dark patterns, and does not create special rights to, or requirements for, processing the data of children ages 13-16. Additionally, it does not require controllers to recognize global or mechanized opt-out signals, nor does it provide a right to opt out of profiling.
The UCPA creates a unique enforcement scheme that requires three steps before any Attorney General enforcement action can take place. First, consumers must file their complaints with the Department of Commerce’s Division of Consumer Protection, where the Division may investigate. Second, if the Division investigates and has reasonable cause to believe there is a substantial violation, the Division must refer the matter to the Attorney General. Third, the Attorney General may initiate an enforcement action. If the Attorney General initiates an enforcement action, the Attorney General must provide the entity with a 30-day cure period. If, after those steps, the violation remains unfixed, then the Attorney General can enforce the chapter and seek up to $7,500 per violation or actual damages.