Utah Consumer Privacy Act – Mintz’s Hot Take
Utah is on the brink of joining California, Colorado, and Virginia to become the fourth state in the US to enact a major comprehensive privacy law. On February 25, the Utah Senate passed the Utah Consumer Privacy Act (“UCPA”), and on March 2, it was passed by the Utah House. The bill officially went to Governor Spencer Cox’s desk on March 15 and he has 20 days to sign or veto, or the UCPA automatically becomes law. If the governor vetoes the bill (which is unlikely), the Utah legislature has sufficient votes to override, because it was passed unanimously.
The Mintz privacy team has reviewed the UCPA for answers to business’ most pressing questions about how this new law will affect them if it is enacted. Please see our break down below.
Who does the UCPA apply to?
The UCPA applies to any “controller” or “processor” who: (a) conducts business in Utah or produces a product or service that is targeted to Utah residents; (b) has annual revenue of $25M or more; and (c) satisfies at least one of the following: (i) during a calendar year, controls or processes personal data of 100,000 or more consumers; or (ii) derives over 50% of the entity's gross revenue from the sale of personal data and controls or processes personal data of 25,000 or more consumers.
A "consumer" under the UCPA means an individual who is a resident of Utah acting in an individual or household context. "Consumer" does not include an individual acting in an employment or commercial context. A "controller" under the UCPA means a person doing business in Utah who determines the purposes for which and the means by which personal data are processed, regardless of whether the person makes the determination alone or with others, while a “processor” is a person who processes personal data on behalf of a controller. Those familiar with the California Consumer Privacy Act (“CCPA”) will recognize these terms to be analogous to a “business” and a “service provider” under the CCPA.
Are there exemptions?
Yes, there are a number of exemptions in the UCPA. For example, the UCPA does not apply to certain government entities and those contracting with them, nonprofits, certain educational institutions, and certain entities governed by certain other laws such as The Health Insurance Portability and Accountability Act of 1996 (HIPAA) or the Gramm-Leach-Bliley Act (GLBA). It also does not apply to certain employment-related information, nor to information governed by certain federal laws such as HIPAA or the Fair Credit Reporting Act (FRCA).
The UCPA also contains a laundry list of processing activities that are expressly not restricted by the UCPA, such as for example, processing personal data to comply with law, provide a product or service requested by a consumer, perform a contract to which the consumer is a party, or to conduct internal analytics or other research to develop, improve, or repair a Controller’s or a Processor’s product, service, or technology.
What rights do consumers have under the UCPA?
- Right to confirm whether or not their personal data is processed;
- Right to access their personal data;
- Right to deletion of their personal data;
- Right to obtain a copy of their personal data;
- Right to transmit their personal data to another controller without impediment, where the processing is carried out by automated means; and
- Right to opt-out of the processing of their personal data for purposes of (i) targeted advertising, or (ii) the sale of personal data.
However, consumers have limited rights with respect to any personal data that has been pseudonymized, provided the Controller can demonstrate that any information necessary to identify a consumer is kept separately and is subject to appropriate security measures to ensure that the personal data is not attributed to an identified or identifiable individual.
What are a business’ obligations with respect to consumer requests?
Controllers have the following obligations to consumers when they receive a consumer request under the UCPA:
- Take action and inform the consumer of any action taken in response within 45 days of receipt (may be extended an additional 45 days in certain circumstances)
- Provide required information to consumers free of charge (unless the request is the consumer’s second or subsequent request in a 12 month period)
Are businesses required to provide notices to consumers?
Yes, Controllers must provide a clear and reasonably accessible privacy notice that meets the requirements under the UCPA, such as information about the Controller’s processing of personal data, how consumers may exercise their rights under the UCPA, and disclosures about the Controller’s sharing of personal data.
Additionally, if a Controller sells personal data or engages in targeted advertising, the Controller must clearly and conspicuously disclose to the consumer the manner in which the consumer may exercise the right to opt out of the sale of the consumer's personal data or processing for targeted advertising.
What other obligations do businesses have?
Controllers are required to establish, implement, and maintain reasonable security measures as specified in the UCPA. The UCPA also contains stepped-up obligations with respect to “sensitive data” (data about racial or ethnic origin, religious beliefs, sexual orientation, citizenship or immigration status, health-related information, biometric data, or specific geolocation data). Prior to processing sensitive data, Controllers must present the consumer with a clear notice and an opportunity to opt-out of the processing. In the case of processing personal data of a known child, Controllers must comply with the federal Children’s Online Privacy Protection Act, or COPPA.
Controllers cannot discriminate against consumers for exercising their rights under the UCPA, including by denying goods or services, charging different prices or rates for goods or services, or providing a different level of quality of goods and services to consumers. However, notably, the UCPA permits Controllers to offer a different price, rate, level, quality, or selection of a good or service, including offering a good or service for no fee or at a discount, if (i) the consumer has opted out of targeted advertising; or (ii) the offer is related to the consumer's voluntary participation in a bona fide loyalty, rewards, premium features, discounts, or club card program.
Are vendors/data processors impacted?
Yes, under the UCPA, Processors have direct obligations. For example, Processors are required to adhere to the Controller’s instructions and are required to assist the Controller in meeting the Controller's obligations, including obligations related to the security of processing personal data and notification of a security breach.
Prior to a Controller processing personal data, Controllers and Processors must enter into an agreement that meets specific requirements under the UCPA.
Is there a private right of action?
No, the UCPA does not provide for a private right of action and is enforced exclusively by the Attorney General. Notably, the UCPA requires that the Attorney General provide notice and a thirty (30) day cure period prior to initiating an action.
What are the fines and penalties for violation of the UCPA?
Civil penalties up to $7500 per violation, and the Attorney General may recover any actual damages to the consumer.
When does the UCPA become effective?
If signed into law, the UCPA will become effective on December 31, 2023, approximately one year after similar laws in Colorado and Virginia go into effect.
What is happening in other states?
Watch this space. Other states are moving rapidly. Proposals in Indiana, Iowa, Massachusetts, Ohio, and Wisconsin (4 bills under consideration) – among others – are moving through state legislatures. The only ones falling away so far have been Florida, where the legislature adjourned for the 2022 session on March 11 without passing Florida HB 9, and Washington, where none of the four bills introduced or carried over to the 2022 session met the legislative deadline to crossover. Be sure to check back with the Mintz Privacy & Cybersecurity Blog regularly for updates and subscribe to our newsletter.