Following the lead of California, Virginia and Colorado (as previously discussed here, here and here respectively), on March 24, 2022, Utah became the fourth state to enact an omnibus privacy law, creating compliance obligations for businesses that collect and process personal data of Utah residents and providing such residents more control over their data.
Conveniently, the UCPA largely tracks the laws passed in Virginia (i.e. the Virginia Consumer Data Protection Act or the “VDPA”) and Colorado (i.e. the Colorado Privacy Act or the “ColoPA”) last year (effective January 1, 2023 and July 1, 2023 respectively), meaning that organizations subject to these laws will be able to leverage their VDPA and/or ColoPA compliance efforts for purposes of UCPA compliance. Further, as compared to other states’ laws and even the Europe Union’s General Data Protection Regulation (the “GDPR”), the UCPA is arguably the least commercially restrictive, containing fewer consumer rights to control uses of their personal and sensitive data and more limited compliance obligations for businesses that collect and process such data.
While enactment of the UCPA will mean certain businesses not previously covered by state privacy legislation or the GDPR will now face novel data protection compliance obligations, it is the most business-friendly of such laws and should not require particularly onerous changes to business’ existing privacy compliance programs. Below we summarize key elements of the Act while highlighting its similarities and differences with the California Privacy Rights Act of 2020 (the “CPRA”), which amends and expands the California Consumer Privacy Act (the “CCPA”), VDPA, ColoPA and GDPR.
Who must comply?
Adopting a similar approach to previously enacted state privacy laws, the UCPA contains certain thresholds that trigger the Act’s applicability, but unlike the CCPA/CPRA which contain alternative triggering mechanisms based on jurisdiction, revenue or volume of data collection or processing and the VDPA and ColoPA which do not contain a triggering mechanism based on revenue, the UCPA applies only to controllers or processors who meet all of the following requirements:
- Either (i) conducts business in the state or (ii) produces a product or service that is targeted to consumers who are residents of the state;
- Has an annual revenue of $25 million or more; and
- Either (i) during a calendar year, controls or processes personal data of 100,000 or more consumers or (ii) derives over 50% of the entity’s gross revenue from the sale of personal data and controls or processes the personal data of 25,000 or more consumers.
As expected, the UCPA contains certain broad exemptions similar to other state privacy legislation, narrowing applicability of the Act with respect to certain entities or types of data, including: (i) deidentified, aggregated or publicly available data; (ii) governmental entities; (iii) tribes; (iv) higher education institutions; (v) nonprofit corporations; (vi) entities regulated by and data subject to the Health Insurance Portability and Accountability Act; (vii) entities regulated by data subject to the Gramm-Leach-Bliley Act; (viii) data subject to the Driver’s Privacy Protection Act, the Family Education Rights and Privacy Act and the Farm Credit Act; (viii) certain activities under the Fair Credit Reporting Act; (ix) private individuals processing personal data for purely personal or household purposes; and (x) air carriers.
What data is protected?
The UCPA applies to “personal data”, defined as information that is linked or reasonably linkable to an identified or identifiable individual, and does not include de-identified data, aggregated data or publically available information. This definition tracks ColoPA identically, and therefore gives rise to the same discrepancies contained in ColoPA’s drafting. For example, like ColoPA, the UCPA’s definition of “consumer” is defined to include residents of the state acting in an individual or household context, and thus arguably data relating to Utah “consumers” may not constitute “personal data” if it relates to a number of individuals within a household but is incapable of being linked with one specific consumer within the household. For a more in depth discussion of the discrepancies described above, see here.
The UCPA also provides additional protections for sensitive data, defined to include (i) data that reveals an individual’s racial or ethnic origin, religious beliefs, sexual orientation, citizenship or immigration status or information regarding an individual’s medical history, mental or physical health condition or medical treatment or diagnosis by a healthcare professional; (ii) the processing of genetic personal data or biometric data if the processing is for the purpose of identifying a specific individual or (iii) specific geolocation data.
- In one of the larger departures from the GDPR, VDPA and ColoPA, each of which requires affirmative, unambiguous consent prior to the processing of sensitive data, the UCPA merely requires that an entity that collects and processes sensitive data provide notice of such activities to consumers and provide an opportunity to opt-out of such processing, the mechanisms for which remain somewhat unclear as further discussed below.
What obligations are placed on covered entities?
Like the GDPR, VDPA and ColoPA, the Act distinguishes between data controllers (i.e., a person doing business in the state who determines the purposes for which and the means by which personal data is processed, regardless of whether the person makes the determination alone or with others) and data processors (i.e., a person that processes personal data on behalf of a controller) providing specific requirements for each with respect to the processing of personal data.
The obligations placed on controllers and processors are largely similar to those contained in VDPA and ColoPA, including (i) obligations on data controllers and processors to enter into data processing agreements akin to those required under Article 28 of the GDPR clearly setting forth instructions for processing personal data and requiring the processor to both ensure employees are subject to a duty of confidentiality when handling personal data and engage subcontractors pursuant to a written contract requiring the subcontractor to meet the same obligations as the processor, (ii) separate requirements on processors to (a) adhere to a controller’s instructions when processing personal data and (b) assist the controller in meeting its obligations, including obligations related to the security of processing personal data and notification of a breach of security system and (iii) requiring controllers to (a) provide consumers with clear notice about its data collection and processing practices, (b) implement and maintain reasonable administrative, technical and physical data security practices to protect the confidentiality and integrity of personal data and (c) refrain from discriminating against consumers who exercise their personal data rights.
While these obligations are largely reminiscent of controllers and processors’ obligations under other data protection laws, there are a few noteworthy differences with respect to a controller’s compliance obligations:
- Privacy Notices Require Disclosure of Targeted Advertising Practices. The UCPA requires controllers to disclose not only “sales” of consumer data but also whether the controller engages in targeted advertising, and if so, to provide consumers with notice of their right to opt out of such uses.
- Notice of and Right to Opt-Out of Processing of Sensitive Data/Children’s Personal Data. A controller may not process sensitive data collected from a consumer without (a) first presenting the consumer with clear notice and an opportunity to opt out of the processing or (b) in the case of processing the personal data concerning a known child under the age of thirteen (13), processing the data in accordance with the federal Children’s Online Privacy Protection Act and its implementing regulations and exemptions.
- Offering Incentives for Targeted Advertising or Loyalty Programs. Despite the UCPA’s prohibition on discriminating against consumers who exercise their UCPA rights, the UCPA does not prohibit controllers from offering a different price, rate, level, quality or selection of a good or service to consumers if (a) the consumer has opted out of targeted advertising or (b) the offer is related to the consumer’s voluntary participation in a bona fide loyalty, rewards, premium features, discounts or club card program.
- No Requirement to Conduct Data Protection Assessments. Unlike the VDPA, ColoPA and CPRA, the UCPA does not require controllers to conduct data protection assessments for each of its processing activities involving personal data that present a heightened risk of harm to consumers.
What rights do Utah consumers have under the Act?
In line with the other recent state privacy laws and the GDPR, the UCPA provides consumers with many of the same now well-known rights, including the right to (1) confirm whether a business is processing their personal data, (2) access their personal data, (3) request deletion of their personal data, (4) obtain a copy of their personal data and (5) opt out of certain processing of their personal data. Such rights are not only limited by reasonable business exemptions (e.g., detecting fraud or complying with legal obligations) as provided under similar state laws, but are also subject to certain nuances that provide consumers with less control over their personal data:
- Rights to Deletion and Data Portability are Narrowly Tailored. Under the UCPA, consumers have a right to request that a controller delete personal data “that the consumer has provided to the controller.” This language suggests a more narrow construction than the approach under similar recent U.S. privacy laws which generally provide a broad deletion right to any personal data the controller has collected about such consumer. Additionally, the Act contains no requirement that such deletion requests are passed along from data controllers to data processors as is the case with other such laws. This limiting language is also contained within a consumer’s right to data portability, where consumers are only provided the right to obtain of a copy of their personal data that they have previously provided to the controller.
- No Right to Correction. The UCPA does not provide consumers with the right to correct their data, a departure from rights provided to consumers under the CPRA, VDPA, ColoPA and GDPR.
- Limited Opt-Out Rights. In addition to the right to opt out of a controller’s processing of sensitive data, consumers are permitted under the Act to opt out of the processing of their personal data for targeted advertising purposes or sales of their data. Notably, the opt-out right omits the right to opt out of the processing of personal data for the purposes of automated “profiling”, a right provided to consumers under the CPRA, VDPA, ColoPA and GDPR.
- Broad “Sale” Exemptions. Like the VDPA and Nevada’s online privacy notice statute, “sales” under the UCPA are defined narrowly to include only an exchange of information for monetary consideration. However, unlike other laws passed to date, the UCPA provides even broader carve outs with respect to the types of activities exempt from this definition. For example, the controller’s disclosure of personal data to a third party may not be a “sale” “if the purpose of disclosure is consistent with a consumer’s reasonable expectations”.
- Lack of Obligation to Comply with Global Privacy Control. Unlike the CPRA, VDPA and, as of July 1, 2024, the ColoPA, the Act is silent on whether businesses must comply with consumer opt-out requests submitted via a user-selected universal opt-out mechanism such as the Global Privacy Control. In fact, the Act does not provide any direction to businesses as to reasonable opt-out methods (e.g., providing a toll-free phone number or online web form), leaving businesses with broad discretion to determine such methods.
Note that the UCPA specifically prohibits any provision of a contract that purports to limit or waive any of a consumer’s UCPA rights.
No private right of action – what are the penalties for non-compliance?
Like the VDPA and ColoPA, the UCPA does not include a private right of action, unlike the CCPA and CPRA which offer consumers a limited private right of action to recover statutory damages in the event the consumer’s nonencrypted or nonredacted personal data is subject to an unauthorized access and exfiltration, theft or disclosure as a result of the business’s violation of the duty to implement and maintain reasonable security procedures and practices. As we previously stated in our discussion of Colorado and Virginia’s newly enacted laws here, the UCPA continues the trend away from the inclusion of a private right of action, as legislation in many states where a privacy law initially had strong support, failed in part due to disagreements amongst lawmakers on issues of enforcement (e.g., Florida and Washington).
Instead, the UCPA undertakes a new, bifurcated approach to enforcement of the Act granting investigative powers to the Division of Consumer Protection (the “Division”) created under the Act to receive and investigate consumer complaints regarding alleged UCPA violations committed by a controller or processor. If the director of the Division determines that there is “substantial evidence” to support a consumer complaint, the Division is required to refer the matter to the Attorney General for enforcement and to consult with the Attorney General on an as-needed basis. The Attorney General, who has the exclusive authority to enforce the Act, can then initiate an enforcement action and assess damages, including actual damages for the consumer and, for each violation, an amount not to exceed $7,500, which will be deposited into the Consumer Privacy Account established under the Act.
Though the UCPA’s approach of vesting enforcement authority in the state Attorney General largely tracks the approach adopted by Virginia and Colorado which also provide sole enforcement authority to its respective attorneys general, the UCPA cabins such authority in two notable ways. First, as previously mentioned, the UCPA does not provide the Attorney General with rulemaking authority to expand upon or provide further clarity to covered businesses, certain of which will assume privacy-related compliance obligations for the first time. Despite the lack of rulemaking authority, the UCPA requires the Attorney General and Division to compile and submit a report to the Business and Labor Interim Committee before July 1, 2025, evaluating the liability and enforcement provisions of the UCPA, including the effectiveness of the Attorney General and Division’s efforts to enforce the Act and summarizing the data protected and not protected by the Act. Such a requirement is the first of its kind and may eventually make way for additional regulations to resolve enforcement gaps. Secondly, the Act includes a 30-day right to cure with no indication that such cure period is to sunset as is the case under ColoPA. Many privacy advocates have voiced concern with this aspect of the law, arguing that such a limited enforcement mechanism and accompanying cure period will result in fewer penalties for noncompliance with the Act, leaving consumers without strong protection for misuse of their personal data.
Though Utah is the first state to enact omnibus privacy legislation this year, we certainly do not expect it to be the last as predicted here. While Virginia and Colorado showed that U.S. states can enact comprehensive data protection legislation with a more business-friendly model than the CCPA/CPRA’s GDPR-driven approach, Utah has taken this one step further, identifying additional areas in which covered business’ commercial needs can be addressed while still providing consumers enhanced visibility and control over the collection, processing and retention of their personal data.
 Like both ColoPA and VDPA, the UCPA specifically carves out individuals acting in an employment or commercial (i.e. B2B) context from the definition of consumer.
 Note that the CPRA, which amended the CCPA to distinguish between personal and sensitive data, does not require businesses to receive consumer consent prior to processing sensitive data. Instead, CPRA covered entities can use sensitive data so long as they (i) disclose to consumers the categories of sensitive data to be collected, the purposes for the collection and use of such data and whether the data is sold or shared and (ii) with respect to certain sensitive data that is collected or processed with the purpose of inferring characteristics about consumers (to be further defined in CPRA regulations), provide consumers with a right to limit the entity’s use of the consumer’s sensitive data to that use which is necessary to perform the services or provide the goods reasonably expected by an average consumer (i.e. a limited opt-out approach).
 Note additionally (as further discussed below) that the Utah Attorney General, who is tasked with enforcing the UCPA, is not provided rulemaking authority under the current language of the Act.