Utah Set to Become Fourth State to Pass Comprehensive Consumer Privacy Law | Foley & Lardner LLP
Utah is likely to be the next state to pass a comprehensive consumer privacy law, joining the ranks of California, Colorado and Virginia. Senate Bill 227, the Utah Consumer Privacy Act (UCPA), was passed by the Utah Legislature and sent to Governor Spencer Cox’s office on March 3. Governor Cox has 20 days to sign or veto the bill; if he takes no action, the bill becomes law. If enacted in its current form, the UCPA would take effect on December 31, 2023.
The bill shares similarities with the Virginia Consumer Data Privacy Act (VCDPA) and the Colorado Privacy Act (Colorado CPA), but is expected to be more business-friendly. The main features of the bill are as follows:
- Applicability. Subject to certain exceptions, the UCPA applies to organizations that determine the means and purposes of processing personal data (controllers) and to organizations that process personal data on their behalf (processors) that conduct business in Utah or produce a product or service targeted to Utah residents, have annual sales of $25 million or more, and either (i) control or process the personal data of 100,000 or more Utah consumers in a calendar year, or (ii) derive more than 50% of gross revenue from the sale of personal data and control or process the personal data of 25,000 or more Utah consumers. Unlike the California Consumer Privacy Act (CCPA), the California Privacy Rights Act (CPRA), the VCDPA and the Colorado CPA, the UCPA requires a company to meet both a financial threshold and a data-volume threshold. Because of these thresholds, combined with Utah’s relatively small population, the UCPA is likely to apply to significantly fewer businesses than are or will be subject to the CCPA, CPRA, VCDPA or Colorado CPA.
- Exemptions. The bill does not apply to government entities, non-profit organizations, HIPAA-covered entities and business associates, higher education institutions (public or private), data protected by the Family Educational Rights and Privacy Act, entities and data regulated by the Gramm-Leach-Bliley Act, consumer reporting agencies, and employment-related information, including information used for the purpose of providing benefits, among others.
- Personal data and sensitive data. Like the laws of California, Virginia and Colorado, the UCPA defines personal data as information relating or reasonably relatable to an identified or identifiable individual, but excludes anonymized data, aggregated data and publicly available information (each defined in the UCPA). Although the UCPA defines sensitive data in the same way as the VCDPA and other states’ consumer privacy laws, it explicitly excludes personal data that reveals racial or ethnic origin when processed by a video communications service, and health information when processed by a person licensed to provide health care under Utah law. Additionally, unlike the Colorado CPA and VCDPA, the UCPA does not require consumer consent for the processing of sensitive data. Instead, controllers need only provide consumers with clear notice and an opportunity to opt out of the processing of sensitive data.
- Consumers and consumer rights. The bill applies to the data of consumers, meaning individuals residing in Utah who act in an individual or household context. Consumers do not include individuals acting in an employment or business-to-business context. Under the UCPA, consumers will have the right to access, correct, delete and obtain a copy of their personal data. They will also have the right to opt out of certain processing, in particular the sale of personal data and the use of their personal data for targeted advertising. Consumers may exercise these rights only once in a 12-month period, and controllers must respond to a consumer’s request within 45 days of receiving it (extendable by an additional 45 days if reasonably necessary due to the complexity or volume of requests received). Controllers may charge a reasonable fee for excessive requests, if the controller reasonably believes that the main purpose of the request was something other than exercising consumer rights, or if the request, individually or as part of an organized effort, harasses, disrupts or imposes an unreasonable burden on the controller’s resources. The ability to charge a fee on these latter grounds may discourage the kinds of nuisance requests that many businesses subject to the CCPA or GDPR have received.
- Sale concept. Unlike the broad definitions of sale under the CCPA, CPRA and Colorado CPA, the UCPA defines a sale as the exchange of personal data solely for monetary consideration. The UCPA also contains several important exclusions from the definition of a sale, including disclosures of personal data:
- By a controller to a processor or one of the controller’s affiliates
- To a third party if the purpose is consistent with a consumer’s reasonable expectations, having regard to the context in which the consumer provided the personal data
- At the request of the consumer
- For the purpose of providing a product or service requested by the consumer (or parent or legal guardian if the consumer is a minor)
- That the consumer has intentionally made public and not limited to a specific audience
- In connection with a merger, acquisition, bankruptcy or other controller transaction
- High-level responsibilities of controllers and processors. Covered businesses have a number of obligations under the UCPA, including establishing, implementing and maintaining reasonable security practices and providing privacy notices to consumers. These privacy notices must describe the categories of personal data processed, the purposes of processing, how consumers can exercise their rights, and the categories of third parties with whom data is shared or sold. Controllers must also clearly inform consumers about the controller’s processing of sensitive personal data and give them the opportunity to opt out of such processing. Controllers must enter into an agreement with their processors that:
- Includes clear instructions for the processing of personal data as well as the nature, purpose and duration of the processing by the processor
- Obliges the processor to ensure that each person involved in the processing is subject to a duty of confidentiality
- Obliges the processor to require any subcontractor it engages (a sub-processor) to comply with the same obligations
- Requires the processor to follow the controller’s instructions and assist the controller in fulfilling its obligations, including security obligations and breach notifications
- No private right of action. The bill does not grant a private right of action and explicitly bars consumers from using a violation of the UCPA to support a claim under other Utah statutes, such as those governing unfair or deceptive practices.
- Enforcement. The UCPA grants exclusive enforcement authority to the Utah Attorney General, after alleged violations have first been investigated by the Utah Division of Consumer Protection. Before the Attorney General initiates an enforcement action, however, the Attorney General must provide the company with written notice and 30 days to cure the alleged violation.
- Penalties for non-compliance. The Attorney General can seek fines of up to $7,500 per violation and recover actual damages to consumers.
Guidance for businesses
Although the UCPA imposes significant obligations on organizations that may not previously have been subject to the CCPA, CPRA, VCDPA, Colorado CPA or GDPR, organizations that are already subject to one of these laws and have worked on compliance will find significant overlap and have a head start in complying with the UCPA. However, organizations that will be subject to the UCPA but were not previously subject to any of these laws may need to devote significant resources to compliance before the December 31, 2023 effective date. These organizations should prioritize the following activities, many of which can be reused for other applicable privacy regimes or are generally applicable to a mature privacy program:
- Undertake data mapping to understand the types of data the organization stores, the purposes for which the data is used, and whether the data is necessary
- Update policies and procedures to comply with new UCPA requirements and obligations
- Start developing business processes to enable consumers to exercise their new rights
- Ensure the organization has a reasonably accessible, clear, and meaningful privacy notice that complies with UCPA requirements
- Review business relationships with third-party data processors to understand each party’s role and potential requirements
- Draft and adopt data privacy addenda containing the UCPA-required clauses for use when entering into contracts with third parties