The Utah legislature has passed Senate Bill 227, otherwise known as the Utah Consumer Privacy Act (UCPA). Barring a veto from Utah Governor Spencer J. Cox, who, as of March 15, 2022, officially has the bill on his desk for action, Utah will become the fourth state to pass a comprehensive privacy bill, following the likes of California, Virginia, and Colorado. If enacted, the UCPA would take effect on December 31, 2023.
Utah Consumer Privacy Act
Should the UCPA be enacted, it would apply to for-profit data controllers and processors that (1) conduct business in Utah or target Utah consumers, (2) generate $25 million in annual revenue, and (3) either process or control personal data of 100,000 or more Utah state residents, or process or control personal data of at least 25,000 Utah residents and derive 50% or more of their profits from the processing or controlling of that data. Unlike the singular provisions in the California, Colorado, and Virginia privacy laws, the applicability of UCPA accounts for businesses' revenue ($25 million) and the processing requirement.
The UCPA contains comparable provisions to the Virginia Data Privacy Act (VCDPA), the Colorado Privacy Act (CPA), the California Consumer Privacy Act (CCPA), and the California Privacy Rights Act (CPRA). Like the VCDPA and CPA, Utah's law will not contain a private right of action, but the state Attorney General may seek statutory damages of up to $7,500 per violation or for actual damages. Before enforcing the UCPA, the Attorney General must provide 30 days' notice to allow the company to cure any violations. The consumer rights provided to Utah residents under the law are very similar to existing privacy laws:
- Right to Access – Consumers have the right to confirm that a business is processing their personal data and to access that data.
- Right of Deletion – Consumers have the right to delete their personal data that they provided to the business.
- Right to Data Portability – Consumers have the right to obtain a copy of the data that the business controls and it must be readily portable, usable, and transmittable to other businesses.
- Right to Opt-Out – Consumers have the right to opt-out of the processing of their data for purposes of targeted advertising or the sale of their data.
While the UCPA is similar to other states' privacy laws, it contains some differences that make it easier for businesses to comply. For instance, the commonly used consumer right to correction has been left out of the UCPA. That right, which is used in the other state privacy laws, would allow consumers to correct inaccuracies in their personal data. Furthermore, businesses in Utah will not be required to conduct and document risk assessments about their internal data processing practices. Also, Utah will not require businesses to set up consent mechanisms before processing consumer data, as long as consumers are presented "with clear notice and an opportunity to opt out of the processing." Under the UCPA, businesses may charge a reasonable fee when consumers request to access their personal data rights. In other states, businesses can charge fees for complying with consumer requests if the requests are "manifestly unfounded, excessive, or repetitive" (Virginia) or if more than one request is made in a 12-month period (Colorado). Businesses in Utah may charge a fee in either of those situations, as well as when the business "reasonably believes the primary purpose in submitting the request was something other than exercising a right" or if the request is harassing, disruptive, or poses an undue burden on the business.
Exemptions to the UCPA include non-profit businesses, entities and information covered under the Health Insurance Portability and Accountability Act of 1996 (HIPAA), information covered under the Family Educational Rights and Privacy Act (FERPA), financial institutions and information covered under the Gramm-Leach-Bliley Act (GLBA), and, importantly, any employee and business-to-business relationships.
State Privacy Law Developments
Utah may be the next state to pass a comprehensive data privacy law, but it will certainly not be the last. More than 30 states have introduced similar bills. In Indiana, Florida, Oklahoma, and Wisconsin, bills have already crossed from one state legislative house to the other. With numerous laws on the way for 2023, businesses should allocate some time during the rest of this year to assess their compliance requirements and focus on internal practices and regulatory compliance.