Scope and Applicability
The UCPA will apply to any “controller” or “processor” that conducts business in Utah or produces products or services targeted to Utah residents, has annual revenue of $25 million or more, and meets one of the following thresholds: (i) controls or processes the personal data of at least 100,000 Utah residents in a year; or (ii) derives over 50 percent of its gross revenue from the “sale” of personal data and controls or processes the personal data of at least 25,000 Utah residents.
Like the VCDPA and the Colorado Privacy Act (CPA), the UCPA covers “controllers” and “processors” where a “controller” is defined as a “natural or legal person that … determines the purpose and means of processing personal data” and a “processor” is defined as a “natural or legal entity that processes personal data on behalf of a controller.” The UCPA defines the entities’ obligations using these terms accordingly.
Notably, like the VCDPA, the UCPA also exempts a large list of entities – including nonprofits, governmental entities, higher education institutions, HIPAA covered entities and business associates, and financial institutions governed by Title V of the GLBA – and it also does not apply to various types of personal data – such as protected health information under HIPAA, personal data processed or disclosed in accordance with Title V of the GLBA, and personal data regulated by FERPA. Additionally, the UCPA does not cover data that is processed or maintained in the employment context – the definition of “consumer” specifically excludes “an individual acting in an employment or commercial context.”
Consumer Rights and Business Obligations
The UCPA creates consumer rights similar to those created by the VCDPA and other state privacy laws. Specifically, the UCPA grants Utah consumers rights to confirm whether a controller is processing their personal data, to access their personal data, to obtain a portable copy of their personal data, to delete their personal data, to be free from discrimination, and to opt out of targeted advertising or the sale of personal data. Notably, the UCPA limits the rights to obtain a copy of and to delete personal data to the personal data that the consumer provided to the controller, not to all personal data the controller obtained about the consumer. The UCPA defines “sale” as “the exchange of personal data for monetary consideration”, in line with the VCDPA. Unlike the VCDPA, however, the UCPA does not create a right to correct inaccuracies in the consumer’s personal data.
Like the VCDPA, the UCPA includes a definition of sensitive data, which includes information that reveals racial or ethnic origin, religious beliefs, sexual orientation, medical history, mental or physical health, biometric or genetic data, and geolocation data. However, this definition excludes an individual’s racial or ethnic origin if the personal data is processed by a video communication service (which is not defined), or if the personal data is processed by a person licensed to provide health care. Also, the UCPA requires clear notice and an opportunity to opt-out before a business may process sensitive data, unlike the VCDPA and the CPA, which have a higher burden and explicitly require controllers to obtain consent prior to collecting and processing sensitive data.
Like the VCDPA, the UCPA requires a controller to respond to a consumer’s request to exercise their rights within 45 days of receiving the request. However, the UCPA does not require controllers to implement a process for a consumer to appeal the controller’s decision when it denies a request.
Enforcement
The UCPA does not provide for a private right of action. While the UCPA is exclusively enforced through actions by the Utah attorney general, the enforcement process is quite different from that of the other previously enacted state privacy acts. The UCPA grants the Utah Department of Commerce’s Division of Consumer Protection investigation powers. Utah consumers can file a claim with the Division of Consumer Protection, which will consider and investigate the claim. If the director of the Division of Consumer Protection has “reasonable cause to believe that substantial evidence exists” of a violation of the UCPA, the director must refer the matter to the attorney general. The attorney general may initiate an enforcement action and the business will have 30 days to cure the violation. Enforcement will be funded by the fines imposed under the UCPA, but that enforcement fund is capped at $4 million, whereas the California Privacy Rights Act (CPRA) has a cap of $10 million in its enforcement fund.
Key Takeaways and Trends
As we previously discussed in our articles comparing the VCDPA to the CPRA and comparing the CPA to the VCDPA, there are many nuances in each state’s privacy law, and the UCPA is no exception. The UCPA’s passage also accentuates a trend in state privacy laws of not following California’s heightened standards but instead gravitating towards the path set by Virginia, including limiting data access rights and using a number of exceptions and limitations to narrow the scope of the law. There are currently 23 states with pending privacy bills, with 4 bills having passed at least one chamber. Businesses should continue to analyze and work through the differences in the state laws and consider the impact of operating in multiple states that have such privacy laws as they develop, implement, and maintain their privacy programs.
In advance of the effective dates of the various state data privacy laws, businesses should start:
- Updating their data inventories taking into account the new definitions of certain categories of data;
- Analyzing and updating, where needed, their privacy policies;
- Implementing or evaluating existing processes related to targeted advertising and responding to data subject requests; and
- Evaluating and updating their data protection addendums with vendors that process or have access to personal data.
In-depth 2022-093