At last count, at least 39 states have introduced (or passed) comprehensive privacy legislation. After what was previously a watch-and-wait game of legislative whack-a-mole, we are now seeing this legislation get passed and implemented more regularly and with greater speed.
Case in point, within two months of entering the new year, Senate Bill 227, titled the Utah Consumer Privacy Act (UCPA), passed both houses of the Utah Legislature and is now awaiting signature from Utah Gov. Spencer J. Cox as of March 3. Once on his desk, Gov. Cox can sign or veto the UCPA before it becomes law after 20 days. If enacted, Utah will quickly become the fourth state to enact general data privacy legislation in the United States, following California, Colorado, and Virginia. The UCPA would take effect on December 31, 2023.
The UCPA closely resembles the Virginia Consumer Data Privacy Act (VCDPA) and the Colorado Privacy Act (CPA), but also shares provisions with the California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA).
You can read the full text of the UCPA here.
What does this mean for your business? We highlight key aspects of the UCPA below:
What Businesses Are Affected?
The UCPA would apply to all for-profit controllers and processors who generate annual revenue of at least $25 million by either (a) conducting business in the state or (b) producing products or services that are targeted to state residents, and satisfy one of two thresholds:
- In a calendar year, processes personal data of at least 100,000 state residents, or
- Derives over 50% of its gross revenue from the sale of personal data, and processes the personal data of at least 25,000 state residents.
The UCPA’s $25 million threshold adds an additional component to consider (namely an annual revenue and processing requirement), unlike the singular components of the CCPA/CPRA, VCDPA, or CPA.
Personal Data vs. Sensitive Data
Like the CCPA/CPRA, VCDPA, and CPA, the UCPA differentiates between “personal data” and “sensitive data.” The UCPA defines “sensitive data” as personal data revealing racial or ethnic origins, religious beliefs, sexual orientation, citizenship or immigration status, medical history or health information, biometric data, and specific geolocation data. However, the UCPA exempts the collection of personal data revealing racial or ethnic origins when processed by a “video communication service,” an undefined term. This carve-out has been in the UCPA since the Utah Legislature’s 2021 proposed bill.
Unlike the CPA and VCDPA, the UCPA does not require consent before a controller may lawfully process sensitive data, only that “clear notice” and an “opportunity to opt out” be provided beforehand.
The UCPA provides similar rights to existing state privacy laws:
- Right to Know/Access: Consumers may request whether a controller is processing their personal data and get access to the personal data.
- Right to Delete: Consumer can direct the controller to delete the personal data provided by the consumer.
- Right to Transmit/Port: Similar to the VCDPA, a consumer can have the controller transfer their personal data to another controller where the processing is carried out by automated means.
- Right to Opt-Out: Consumers can opt out of the processing of their personal data for the purposes of targeted advertising and the sale of their personal data. Additionally, while not listed under the right to opt out, consumers also have the right to opt out of any processing of their sensitive data, barring any exemptions, as mentioned above.
Notably absent from the UCPA is the right to correction, in contrast to the other three states that all granted consumers the right to correct inaccuracies in their personal data processed by the controller.
No Data Protection Assessment Obligations
The UCPA does not require any risk or data protection assessment before processing consumer personal data. The CPA and VCDPA both require completion of data protection assessments where any processing presents a “heightened risk of harm to a consumer.” Similarly, the CCPA/CPRA directs the implementation of regulations for businesses to conduct “risk assessments” on a regular basis and a “cybersecurity audit” where processing “presents significant risk to consumers’ privacy or security.”
Penalties, Investigations and Amendment Procedures
In what is largely a point of contention for states seeking to enact privacy legislation, the UCPA does not grant a private right of action for any UCPA violation. Only the Utah attorney general may enforce the UCPA. Violating entities have a 30-day cure period before the Utah AG may initiate an action. In instituting an action, the Utah AG may recover actual damages to the consumer of at most $7,500 for each UCPA violation. If multiple controllers or processors are involved in the same violation, each may be liable for the percentage of their respective fault.
Similar to the VCDPA, the UCPA does not grant any rulemaking authority to the Utah AG. However, the UCPA directs the Utah AG to compile a report that (a) evaluates the liability and enforcement provisions of UCPA, and (b) summarizes the data protected and not protected from UCPA. The Utah AG must then deliver this report to the Utah Legislature’s Business and Labor Interim Committee by July 1, 2025. This report will inform the Legislature if any amendments are warranted.
The UCPA has a multitude of exemptions. Below is a list of noteworthy entities and information inapplicable to the UCPA:
- Employee and Business-to-Business (B2B) Exemption: The UCPA only applies to personal data concerning state residents who are acting in an individual or household context. This is in contrast to the CCPA, whose exemptions are slated to expire when the CPRA takes effect January 1, 2023.
- Financial institutions, affiliates of financial institutions, and information regulated under GLBA
- Covered entities, business associates, and protected health information regulated under HIPAA
- Information regulated under FERPA
- Non-profit businesses
Given that another state data privacy law was passed so swiftly in 2022, Utah is certainly not going to be the last piece of legislation we will see this year. To date, Florida, Indiana, Oklahoma, and Wisconsin already have proposed privacy bills moving across their respective houses. It is likely only a matter of time before we are inundated with a complex patchwork of state laws that privacy experts have theorized would occur for years.