News

Utah recently passed the Utah Consumer Privacy Act (“UCPA”), which goes into effect December 31, 2023.

While the UCPA combines many of the same concepts that appear in consumer privacy laws enacted over the last several years in California, Virginia, and Colorado, it is narrower and more business-friendly than its contemporaries.

The Scope

Entities are required to comply with the UCPA if they conduct business in Utah or produce products or services that are targeted to Utah residents and both

• have annual revenue of $25,000,000 or more; and
• satisfy one or more of the following thresholds:
  • during a calendar year, the entity controls or processes the personal data of 100,000 or more consumers; or
  • the entity derives over 50% of its gross revenue from the sale of personal data and controls or processes the personal data of 25,000 or more consumers.

Because the UCPA contains both an annual revenue threshold and requires that entities satisfy one of the additional elements, large businesses (i.e., those with more than $25 million in annual revenue) will not be automatically subject to the UCPA based on their revenue alone. Likewise, smaller businesses with less than $25 million in annual revenue will not be subject to the UCPA, even if they satisfy the other thresholds.

In addition to its relatively limited scope, the UCPA also provides several entity-level exemptions, including institutions of higher education, nonprofits, government entities and contractors, tribes, and air carriers. Financial institutions governed by the Gramm-Leach-Bliley Act and HIPAA covered entities and business associates are also excluded. Further, like California, Virginia, and Colorado, the UCPA expressly exempts specific categories of data that are subject to certain federal and state laws, including HIPAA.

Additional Limits

The UCPA only applies to the personal data of Utah residents acting in an individual or household capacity, and the law specifically excludes individuals acting in a commercial or employment context.

Additionally, much like Virginia, the UCPA definition of “sale” requires a monetary exchange for personal data. In contrast, in California and Colorado, an exchange of consumer personal data may still be considered a “sale,” even if the entity providing the personal data receives “other valuable consideration,” rather than money.

Consumer Rights

The UCPA provides consumers with four main rights: (1) the right to access; (2) the right to delete; (3) the right to data portability; and (4) the right to opt-out of certain processing. 

Unlike its counterparts in California, Virginia, and Colorado, the law does not grant Utah consumers the right to correct inaccuracies in their personal data or the right to opt-out of profiling. Additionally, the UCPA does not explicitly address universal opt-outs as a method for allowing consumers to exercise their opt-out rights. In contrast, Colorado requires controllers to recognize universal opt-out signals, and California provides controllers with the option of doing so.

Like California, Virginia, and Colorado, with respect to certain types of requests, controllers are generally obligated to respond to a consumer’s request within 45 days and can extend the period to respond by an additional 45 days where reasonably necessary. While controllers cannot typically charge a fee for responding to a request, the UCPA allows controllers to charge a reasonable fee under certain circumstances, including where the request is “excessive, repetitive, technically infeasible, or manifestly unfounded.”  Notably, unlike most of its counter parts, the UCPA does not enable consumers to appeal a denied request.

Other Notable Details

• Transparency (i.e., privacy policies). Like most consumer privacy laws, the UCPA requires that if personal data is sold to a third party or used for targeted advertising, the controller must “clearly and conspicuously disclose” the means for consumers to exercise their opt-out rights. The law also requires that controllers provide consumers with a “reasonably accessible and clear” privacy policy that contains certain provisions. The privacy policy provisions required under the UCPA are functionally identical to the Virginia requirements.
• Affirmative consent. Unlike Virginia and Colorado, the UCPA does not require consent to process a consumer’s sensitive data. Instead, it merely requires controllers to provide consumers “clear notice and an opportunity” to opt-out before processing their sensitive data. Under the UCPA, processing children’s data is the only activity that requires affirmative consent.
• Data processing contracts.  While the UCPA requires that controllers and processors enter into contracts that govern the processing of personal data, the UCPA has fewer requirements than California, Virginia, or Colorado and does not require controller audits.

Security and the Added Incentive to Meet Utah’s Cyber Safe Harbor Requirements

Like California, Virginia, and Colorado, the UCPA requires controllers to “establish, implement, and maintain reasonable administrative, technical, and physical data security practices designed to protect the confidentiality and integrity of personal data” and processors to reasonably assist controllers in meeting these security obligations.

Significantly, last year, Utah passed the Utah Cybersecurity Affirmative Defense Act, which provides entities with an affirmative defense against certain data breach-related claims in state courts (the “safe harbor provision”) if the entity has a written cybersecurity program that satisfies specified requirements.

Viewed together, Utah businesses now have an even greater incentive to take the relatively straightforward steps necessary to qualify for the safe harbor provisions and put in place necessary security policies and practices.

Enforcement

Like Virginia and Colorado, the UCPA does not provide for a private right of action, nor does it allow a consumer to use a violation of the law to support a claim under other state laws. The Utah Attorney General has the exclusive authority to enforce the UCPA. However, the UCPA has a unique enforcement process. The UCPA creates the Division of Consumer Protection, which will receive and investigate consumer complaints. If the Division reasonably believes a complaint contains substantial evidence of a violation, the Division is required to refer its investigations to the Attorney General.

Violations of the law can carry civil penalties of up to $7,500 for each violation.  However, there is a 30-day cure period, in which an entity can cure any alleged violations before any action will commence.

Conclusion

If the process from enactment to enforcement for the UCPA is anything like the California law, it is reasonable to expect significant changes to the UCPA and any underlying regulations between now and December 31, 2023. Michael Best will continue to monitor and provide updates on the progress of the UCPA. For additional information on the UCPA as well as assistance in complying with existing privacy laws, please contact a member of our Privacy & Cybersecurity Team.

Michael Best Advantage

Our Privacy & Cybersecurity Team is experienced in assisting companies through all stages of developing a compliant privacy and cybersecurity law program, from drafting public-facing privacy policies, to developing internal organization-wide policies, conducting round table and table-top exercises, and assisting in operationalizing and implementing security and privacy requirements. Pricing is customized. We also provide fixed fee pricing or other alternative fee arrangements, which gives our clients cost predictability. Please reach out to us if you are seeking support for your consumer data privacy law compliance objectives.