Utah enacts data privacy legislation in the mold of California, Colorado, and Virginia, but with less onerous requirements for businesses, in what is expected to be a model for more states going forward.

By Jennifer Archie, Michael Rubin, Joseph Hansen, and Wesley Tiu

On March 24, 2022, Utah Governor Spencer Cox signed the Utah Consumer Privacy Act (UCPA), making Utah the fourth US state to enact comprehensive data privacy legislation. The UCPA was introduced on February 17, 2022, and sped through the state legislature, receiving final passage on March 3, 2022.

The UCPA, which is set to take effect on December 31, 2023, builds on existing and forthcoming privacy legislation in California, Colorado, and Virginia, but lightens some of the compliance burdens on businesses. The UCPA does not impose any new privacy obligations on businesses that are not already required in California, and businesses will be familiar with the UCPA’s requirements — all of which have appeared in existing and forthcoming state data privacy laws. In a welcome change for businesses, however, the UCPA is narrower in certain respects as compared to its analogues in California (CCPA/CPRA), Colorado (CPA), and Virginia (VCDPA). (See, e.g., Virginia Consumer Data Protection Act: Second US State Passes Comprehensive Data Privacy Legislation.)

The UCPA represents the latest in a string of state privacy laws that seek to fill a nationwide gap while Congress continues to debate the merits of a federal data privacy law. The UCPA marks a slightly different variation, as it appears to have been more directly informed by industry groups such as TechNet and the State Privacy Security Coalition. These industry groups are working toward a uniform set of privacy laws in the United States, and Utah could set an example for additional states.

This blog post discusses some of the UCPA’s key provisions.

Scope

The UCPA will apply to Utah businesses that have an annual revenue of at least US$25 million and either (1) control or process personal data of 100,000 or more consumers per year or (2) derive over 50% of the business’s gross revenue from the sale of personal data and control or process personal data of 25,000 or more consumers.[1]

Consumer Rights

Like other data privacy laws, the UCPA guarantees consumers certain personal data rights that may be exercised against a controller. Consumers are limited to Utah residents who are “acting only in an individual or household context” — the law explicitly provides that Utah residents acting in a commercial or employment context do not qualify.[2] Controllers shall “take action” on a consumer’s request within 45 days and inform them of any action taken on the consumer’s request. A controller may extend the 45-day period by another 45 days if reasonably necessary.[3]

Notably, all of the consumer rights guaranteed by the UCPA already exist in other state data privacy laws. In addition to notice, the UCPA provides consumers the following rights:

  • Right of access: Confirm whether or not a controller is processing the consumer’s personal data and to access such personal data.[4]
  • Right to delete: Delete personal data that the consumer provided to the controller.[5]
  • Right to data portability: Obtain a copy of the consumer’s personal data in a portable and readily usable format that allows the consumer to transmit the data to another entity without hindrance.[6]
  • Right to opt out: Opt out of the processing of the personal data concerning the consumer for purposes of (1) targeted advertising or (2) the sale of personal data.[7]

Unlike California, Virginia, and Colorado, however, under the UCPA, Utah consumers do not have the right to correct their personal data, nor do they have the right to opt out of the processing of personal data for purposes of profiling in furtherance of decisions that produce legal or similarly significant effects concerning the consumer.

Furthermore, the UCPA provides additional clarity over the scope of a Utah consumer’s right to opt out of processing for purposes of targeted advertising.

Sale of Personal Data

The UCPA’s definition of “sale” largely conforms with the definitions laid out under both the VCDPA and CPA. The new law defines a “sale” as the “exchange of personal data for monetary consideration by a controller to a third party.”[8] Like in the VCDPA and CPA, the UCPA language excludes the broader “valuable consideration” language found in the CCPA.

The UCPA excludes the following exchanges of personal data from the definition of a sale:

(1) disclosure of personal data to a processor that processes personal data on behalf of the controller;

(2) disclosure of personal data to an affiliate of the controller;

(3) considering the context in which the consumer provided the personal data to the controller, disclosure of personal data to a third party if the purpose is consistent with a consumer’s reasonable expectations;

(4) disclosure of personal data when a consumer (a) directs the controller to disclose the data or (b) interacts with one or more third parties;

(5) disclosure of information that the consumer intentionally made available to the general public via a channel of mass media and does not restrict to a specific audience; or

(6) disclosure or transfer to a third party of personal data as an asset that is part of a proposed or actual merger, acquisition, bankruptcy, or other transaction in which the third party assumes control of all or part of the controller’s assets.[9]

Sensitive Personal Data

Like other data privacy laws, the UCPA explicitly creates additional protections surrounding “sensitive data.” Under the UCPA, the following are considered sensitive data:

(1) personal data that reveals an individual’s racial or ethnic origin, religious beliefs, sexual orientation, citizenship or immigration status, or information regarding an individual’s medical history, mental or physical health condition, or medical treatment or diagnosis by a health care professional;

(2) processing of genetic personal data or biometric data for the purpose of identifying a specific individual; and

(3) specific geolocation data.[10]

While the sensitive data definition is similar to those in the VCDPA and CPA, the UCPA provides a more relaxed consent requirement. In both the VCDPA and CPA, controllers may not process sensitive personal data unless consumers opt in. In Utah, however, controllers may process sensitive data as long as they provide consumers with clear notice and an opportunity to opt out.[11]

Trade Secrets

Like the CPA, the UCPA explicitly provides that controllers and processors are not required to disclose trade secrets in response to a consumer request[12] — though notably the Office of the California Attorney General recently recognized that the CCPA does not require this either.[13]

Data Protection Assessments

Unlike the CCPA, the CPA, or the VCDPA, the UCPA does not require data protection assessments for certain data processing activities.

Investigation, Enforcement, and Private Actions

The UCPA continues the trend in state data privacy laws of explicitly disavowing a private right of action.[14] Instead, the UCPA vests enforcement powers in Utah’s Division of Consumer Protection (the Division) and Attorney General through a unique two-tier enforcement structure that divides investigatory and enforcement power between the Division and the Attorney General.

Under the UCPA, the Division has the authority to investigate consumer complaints to determine whether a violation has occurred. If the Division has “reasonable cause to believe that substantial evidence exists” in support of a violation of the UCPA, the Division “shall” refer the matter to the Attorney General.[15] But the Division has no enforcement authority.

The UCPA then provides the Attorney General with the exclusive authority to enforce the law.[16] But the Attorney General’s ability to bring an enforcement action appears to be conditioned on a referral from the Division: “Upon referral from the division, the attorney general may initiate an enforcement action against a controller or processor for a violation of this chapter.”[17]

Prior to bringing an enforcement action, the Attorney General must notify the controller or processor of the potential violation.[18] The controller then has 30 days to cure the violation.[19] The Attorney General may not initiate an action if the controller or processor cures the violation and provides an express written statement that the violation has been cured and no further violation will occur.[20] However, the Attorney General may bring an enforcement action against businesses that fail to cure a violation or continue to violate the law after providing a written statement.[21] The Attorney General can recover up to US$7,500 for each violation.[22]

Regulations

The UCPA does not authorize the Attorney General or the Division to promulgate regulations to supplement the UCPA.

Conclusion

With Utah’s approach to balancing consumer privacy alongside operational business considerations, the UCPA provides a new take on the current crop of state privacy laws and may serve as a bellwether of legislation to come. For example, Iowa is currently moving forward with a similar data privacy bill. We expect to see additional states adopt Utah’s model, though state regulation will continue to remain a patchwork system.

Endnotes

[1] Utah Code Annotated § 13-61-102(1).

[2] Id. § 13-61-101(10)(b).

[3] Id. § 13-61-203(2)(a)-(c).

[4] Id. § 13-61-201(1).

[5] Id. § 13-61-201(2).

[6] Id. § 13-61-201(3).

[7] Id. § 13-61-201(4).

[8] Id. § 13-61-101(31).

[9] Id. § 13-61-101(31).

[10] Id. § 13-61-101(32).

[11] Id. § 13-61-302(3).

[12] Id. § 13-61-304(5).

[13] Opinion of Office of the Attorney General, State of California, No. 20-303 (Mar. 10, 2022), available at https://oag.ca.gov/system/files/opinions/pdfs/20-303.pdf.

[14] UCA § 13-61-305.

[15] Id. § 13-61-401(2).

[16] Id. § 13-61-402(1).

[17] Id. § 13-61-402(2).

[18] Id. § 13-61-402(3)(a).

[19] Id.

[20] Id. § 13-61-402(3)(b).

[21] Id. § 13-61-402(3)(c).

[22] Id. § 13-61-402(3)(d).