Utah has joined the growing number of States with Comprehensive Privacy Laws

On March 24, 2022, Utah Governor Spencer Cox signed the Utah Consumer Privacy Act (UCPA) bill into law. Utah is the fourth state in the USA to adopt omnibus consumer privacy legislation.

Scope

The UCPA applies to “data controllers” or “data processors” that:

(1) conduct business in Utah or target products and services to consumers who are residents of the state, 

(2) have annual revenues of at least $25 million, and 

(3) meet one of two requirements:

  • Annually control or process the personal data of 100,000 or more Utah residents (“consumers”); or
  • Derive over 50 percent of gross revenue from the “sale” of personal data and control or process personal data of 25,000 or more consumers.

This is pretty all-encompassing and is sure to have a ripple effect on organizations nationwide, as “conducting business in Utah” could include organizations that operate online.

This Utah privacy law follows privacy laws already in existence in three States, namely: California (California Consumer Privacy Act), Virginia (Virginia Consumer Data Protection Act), and Colorado (Colorado Privacy Act). The UCPA shares many similarities with other state laws, particularly the Virginia Consumer Data Protection Act (VCDPA), and businesses operating in or serving consumers in Utah will need to build for compliance by the December 31, 2023, effective date. Reflecting on the time spent to implement the CCPA, coupled with the inclusion of the CPRA, this seems to be an ambitious goal.

Not surprisingly, this law provides exemptions to some personal data:

  1. publicly available data, 
  2. de-identified data, and 
  3. data subject to the Health Insurance Portability and Accountability Act, the Driver’s Privacy Protection Act, and the Family Educational Rights and Privacy Act. 

In addition, the UCPA also includes exemptions for certain entities and businesses covered by the Gramm-Leach-Bliley Act and the Fair Credit Reporting Act, as well as non-profit organizations, institutions of higher education and government agencies.

With respect to the similarities in privacy legislation, the UCPA resembles the Virginia (VCDPA) and Colorado (CPA) definitions of “personal data”: all three define the term to broadly apply to any data that is “linked or reasonably linkable” to an individual. Another similarity that the UCPA exhibits is that it grants consumers certain rights to their personal data. Specifically, consumers may request to:

  • Access the personal data that a controller processes about them;
  • Delete personal data that the consumer provided to the controller;
  • Obtain a copy of the personal data, in a “portable” format, that the consumer provided to the controller; and
  • Opt out of the “sale” of personal data (defined as disclosure by a controller to a third party for monetary consideration) or processing of personal data for targeted advertising.

Controllers have 45 days to respond to a request, with a 45-day extension if reasonably necessary. In my opinion, this timeline is stringent for the rollout of such new legislation. While controllers must handle requests for free, they may charge a fee for second or subsequent requests in a 12-month period, or if certain other circumstances apply (e.g., the request poses an undue burden on the business’s resources). Controllers also have the right to deny a request if they cannot authenticate the request or if the personal data is pseudonymized.

One remarkable difference between the UCPA and the California Privacy Rights Act (CPRA), which amends the CCPA, is that the UCPA only applies to consumer data; it excludes personal data collected in an employment or business-to-business context. This is a stark difference, and many organizations will need to determine whether, and to which of their data, this law applies. Another difference between the laws revolves around the $25 million threshold. The UCPA applies only to entities that have annual revenues of $25 million or more (and that meet one of the additional threshold requirements), whereas the VCDPA does not contain a revenue-based requirement at all. California’s law, by contrast, establishes $25 million in annual revenues as one of several alternative thresholds, so it is not a requirement for every covered entity.

Another difference exhibited by the UCPA is its narrow right to delete. In sharp contrast to the VCDPA (but like the CCPA), the UCPA limits consumers’ right to delete personal data to only the data that the consumer has provided to the controller.

Additional noteworthy differences are:

  1. Exception to sale: The UCPA includes an additional exception to “sale”: a sale does not occur if the disclosure to a third party is for a purpose consistent with a consumer’s reasonable expectations given the context.
  2. No right to appeal: Unlike the VCDPA, the UCPA does not give consumers the right to appeal denials of requests to exercise their rights.
  3. No requirement to conduct data protection assessments: Also unlike the VCDPA, the UCPA does not require controllers to conduct data protection assessments of certain processing activities.
  4. Sensitive data: While the VCDPA and Colorado require that consumers affirmatively opt in to the processing of their sensitive data, the UCPA contains a CCPA-like requirement that controllers present a consumer with notice and an opportunity to opt out prior to processing their sensitive data or, with respect to children’s data, comply with COPPA. In addition, the UCPA includes a significant carve-out for personal data processed by a “video communication service” (undefined) and certain health care workers.

In conclusion, although the UCPA extends similar rights and obligations to those found in the VCDPA, the law is unlikely to add distinct considerations to an entity’s existing privacy compliance obligations. From the outset, the law appears to be narrower and more lenient than the privacy legislation in California, Virginia and Colorado. Understandably, this law has just been signed, so the developments of the UCPA will continue to unfold. Several factors will influence the structure the UCPA eventually takes, depending on how the law works in practice, future amendments and additional interpretation by businesses at large. 

Notes

  1. Processing means any operation or set of operations performed upon personal data or sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
  2. When data is pseudonymized, the information that can point to the identity of a subject is replaced by “pseudonyms” or identifiers. This prevents the data from specifically pinpointing the user.
