The Utah Consumer Privacy Act: Utah Becomes Fourth US State with Comprehensive Privacy Law

Continuing efforts at the state level to establish a data privacy framework in the US, a fourth state has passed a comprehensive consumer privacy law. Utah has joined the ranks of Colorado, California and Virginia after Governor Spencer Cox signed the Utah Consumer Privacy Act ("UCPA") on March 24, 2022. The legislation is set to take effect well after other state data privacy laws, on December 31, 2023.

The UCPA shares a number of similarities with the Virginia Consumer Data Protection Act ("VCDPA"), the Colorado Privacy Act and the California Privacy Rights Act ("CPRA"), but is likely to impose a lighter touch approach that businesses may find easier to comply with. A brief summary of the general requirements and obligations on businesses, as well as key distinctions from other state data privacy laws, follows.

Who does the UCPA apply to? 1

Subject to exceptions, the UCPA directly applies to both organizations that determine the means and purposes of processing personal data (controllers) as well as other organizations that process personal data on their behalf (processors). These entities must meet certain threshold requirements including:

(a) control or process personal data of 100,000 or more Utah consumers during a calendar year, or

(b) derive more than 50 percent of the entity's gross revenue from the sale of personal data and control or process the personal data of 25,000 or more Utah consumers.

This requirement for a business to meet both a financial threshold and a data volume threshold is unique among state consumer privacy laws. Due to these thresholds, the UCPA is likely to apply to many fewer businesses than those that are, or will be, subject to the California Consumer Privacy Act ("CCPA"), California Privacy Rights Act ("CPRA"), the VCDPA or the Colorado Privacy Act.

Notably, similar to laws in California, Virginia and Colorado, the UCPA provides for a number of exceptions. For example, the UCPA does not apply to government entities, nonprofits, HIPAA-covered entities and business associates, higher educational institutions (public or private) and Family Educational Rights and Privacy Act-protected data, Gramm-Leach-Bliley Act-regulated entities and data, consumer reporting agencies and employment-related information.

What does the Utah Consumer Privacy Act apply to?

The Utah Consumer Privacy Act applies to "Personal Data," which is defined as "information that is linked or reasonably linkable to an identified individual or an identifiable individual." 2 Personal Data does not include information that is de-identified or that is publicly available. Similar to the Virginia and Colorado privacy laws, the UCPA's definition of consumer does not include individuals acting in commercial or employment contexts. 3

Who Does the Utah Consumer Privacy Act Apply To?

The Utah Consumer Privacy Act identifies and imposes obligations on "controllers" and "processors."

Controllers

A controller is defined as a person that "determines the purposes for which and means by which personal data is processed." 4 Under the Utah Consumer Privacy Act, controllers are required to:

Processors

A processor is a person that processes personal data on behalf of the controller. 10 The Utah Consumer Privacy Act requires processors to adhere to the controller's instructions and assist and cooperate with the controller to comply with its obligations under the act, including its obligations regarding security of data processing and breach notification. The UCPA also requires that all processing be governed by a contract between the controller and processor that outlines relevant consumer privacy provisions. 11

Who Does the Utah Consumer Privacy Act Protect?

The Utah Consumer Privacy Act protects Utah residents and grants them certain rights concerning their personal data. Specifically, the UCPA permits consumers to submit authenticated requests to data controllers to: (1) confirm if a controller is processing their personal data and access that data; (2) delete personal data that the consumer provided to the controller; (3) if technically feasible, obtain a copy of data that the consumer provided to the controller in a portable manner; and (4) opt out of the processing of personal data for targeted advertising or sale. 12 Notably, unlike the CPRA and the Virginia and Colorado privacy laws, the UCPA does not provide a right to correct inaccuracies in a consumer's data. However, similar to the California and Virginia privacy laws, data controllers must respond to an authenticated request within 45 days. 13 Also similar to the CCPA, and unlike the Virginia and Colorado privacy laws, the Utah Consumer Privacy Act does not require data controllers to establish a process by which consumers may appeal a denial of their request.

Finally, the UCPA provides broader permission for businesses to charge consumers fees when responding to requests. 14 Specifically, the UCPA allows controllers to charge a fee for a second request in a 12-month period (similar to Colorado) and for requests that are excessive, repetitive, technically infeasible or manifestly unfounded (similar to Virginia). However, the UCPA also allows controllers to charge fees if the controller reasonably believes the primary purpose for submitting a request is not to exercise a consumer right or if the request is part of an effort to harass, disrupt or impose an undue burden on the controller.

Key aspects of the Utah Consumer Privacy Act

Utah Consumer Privacy Act Compliance Checklist

Utah's similarities with the upcoming Colorado, California and Virginia privacy laws will not create any significant unique obligations on businesses in complying with the developing state data privacy framework set to go into effect in 2023. Similar to these other state laws, entities operating in Utah should consider the following framework in assessing compliance obligations under the Utah Consumer Privacy Act:

As we have explained, certain compliance tasks should be prioritized and started earlier than others in implementing this framework. Nonetheless, given the UCPA's generally narrower scope and requirements, businesses taking steps to comply with statutory requirements in California and Virginia on January 1, 2023 and Colorado on July 1, 2023, will likely be in a relatively strong position to comply with this new privacy regime by December 31, 2023. While Utah is the latest state to pass a comprehensive privacy law, states across the US continue to consider enacting data privacy laws. We will continue to keep you apprised of new developments in this emerging data privacy framework. White & Case LLP has a team of highly experienced, global cybersecurity, data privacy and technology lawyers who can help clients prepare for upcoming compliance obligations under the Utah Consumer Privacy Act. Please reach out to any of the authors of this alert if you have questions about the steps your organization can take in this complex technical and legal environment.

Tika Basnet contributed to this publication.

1 https://le.utah.gov/~2022/bills/sbillamd/SB0227S02.pdf.
2 Bill 13-61-101(24)(a).
3 Bill 13-61-101(10)(b).
4 Bill 13-61-101(12).
5 Bill 13-61-302(1)(a).
6 Bill 13-61-302(1)(b).
7 Bill 13-61-302(2)(a)-(b).
8 Bill 13-61-302(3)(a); Sensitive data includes data that reveals racial or ethnic origin, religious beliefs, sexual orientation, citizenship or immigration status, mental or physical health condition, genetic or biometric data, or specific geolocation data. Bill 13-61-101(32).
9 Bill 13-61-101(32)(b)(i).
10 Bill 13-61-101(26).
11 Bill 13-61-301(2).
12 Bill 13-61-201(1)-(4).
13 Bill 13-61-203(2).
14 Bill 13-61-203(4)(a)-(b).
15 Bill 13-61-201(4).
16 Bill 13-61-101(31).
17 Bill 13-61-301(2).
18 Bill 13-61-305.
19 Bill 13-61-402(3)(b)(i).
20 Bill 13-61-402(3)(d).

White & Case means the international legal practice comprising White & Case LLP, a New York State registered limited liability partnership, White & Case LLP, a limited liability partnership incorporated under English law and all other affiliated partnerships, companies and entities. This article is prepared for the general information of interested persons. It is not, and does not attempt to be, comprehensive in nature. Due to the general nature of its content, it should not be regarded as legal advice. © 2022 White & Case LLP