Utah is poised to become the fourth state to enact comprehensive consumer privacy legislation, following California, Virginia, and Colorado. Earlier this month, Utah's legislature passed the Utah Consumer Privacy Act (S.B. 227) (UCPA) with no opposing votes in both the Utah Senate and House of Representatives. The bill was sent to Utah Governor Spencer Cox on March 15, 2022 and the Governor has until March 24, 2022 to either sign or veto the bill, otherwise it will become law without his signature. If enacted, as is anticipated, the UCPA will become effective on December 31, 2023, six months after the Colorado Privacy Act (ColoPA) and nearly a year after the Virginia Consumer Data Protection Act (VCDPA) and California Privacy Rights Act (CPRA) come into effect.
Key Takeaways
Scope
The UCPA applies to controllers[1] and processors[2] that: 1) conduct business in Utah or produce a product or service targeted to consumers who are Utah residents; 2) have annual revenue of $25 million or more; and 3) meet at least one of the following thresholds: i) during a calendar year, control or process the personal data of 100,000 or more consumers; or ii) derive over 50 percent of the entity's gross revenue from the sale of personal data and control or process personal data of 25,000 or more consumers. Notably, unlike other state privacy laws, the UCPA applies only to entities that meet both the minimum annual revenue of $25 million and an additional threshold requirement. "Consumers" under the UCPA are Utah residents acting in an individual or household context; individuals acting in an employment or commercial context are expressly excluded from the scope of the statute.
Similar to the VCDPA and ColoPA, the UCPA extends broad, status-based exemptions to governmental entities, institutions of higher education, nonprofits, covered entities and business associates subject to the Health Insurance Portability and Accountability Act (HIPAA), financial institutions or affiliates of financial institutions governed by the Gramm-Leach-Bliley Act (GLBA), entities subject to the Fair Credit Reporting Act, and air carriers. However, the UCPA goes further than either the Virginia or Colorado laws by introducing express status-based exemptions for tribes and government contractors when acting on behalf of a governmental entity. The UCPA also contains numerous data-based exemptions such as protected health information under HIPAA or personal data regulated by other federal laws including the GLBA, Driver's Privacy Protection Act (DPPA), Family Educational Rights and Privacy Act (FERPA), and the Farm Credit Act.
Consumer Rights
Similar to existing U.S. state privacy laws and the EU General Data Protection Regulation (GDPR), the UCPA grants consumers rights regarding their personal data, which the UCPA defines as data "linked or reasonably linkable" to an identified or identifiable individual, and it expressly excludes de-identified, aggregated, or publicly available data from the definition of personal data. Specifically, the UCPA grants consumers the right to: 1) confirm whether a controller is processing the consumer's personal data and access the consumer's personal data; 2) delete the personal data that the consumer provided to the controller; 3) obtain a copy of the consumer's personal data that the consumer previously provided in a portable format; and 4) opt out of the processing of the consumer's personal data for the purposes of targeted advertising or the sale of personal data. Unlike the VCDPA and ColoPA, the UCPA does not grant consumers a right to opt out of profiling in furtherance of decisions that produce legal or similarly significant effects concerning the consumer, nor does it require controllers to honor a universal opt-out mechanism. The UCPA definition of targeted advertising substantively mirrors the definition in the VCDPA.
The UCPA defines "sale" as "the exchange of personal data for monetary consideration," thus adopting the VCDPA's more limited definition of sale rather than the broad definition of sale used in the Colorado and California privacy laws of exchange for "monetary or other valuable consideration." Similar to the VCDPA and ColoPA, the UCPA clarifies several carve-outs that do not constitute a sale of personal information, including disclosures to processors and affiliates; disclosures to a third party for the purpose of providing a product or service requested by the consumer; data the consumer intentionally made available to the general public; and transfers of personal data as part of the controller's merger, acquisition, or bankruptcy. Unlike the VCDPA or the ColoPA, however, the UCPA adds a novel sale exception: under the UCPA a sale does not occur if the controller's disclosure to a third party is for a purpose consistent with a consumer's reasonable expectations given the context in which the consumer provided the personal data to the controller.
Consistent with the CCPA, CPRA, VCDPA, and ColoPA, controllers have 45 days under the UCPA to respond to consumer requests and this time period can be extended once by an additional 45 days if reasonably necessary due to the complexity or volume of the request(s). Notably, the 45-day period does not apply if the controller reasonably suspects the consumer's request is fraudulent and the controller is unable to authenticate the request within the 45-day period. The UCPA also specifies grounds on which a controller may deny a consumer's request, including if the personal data is pseudonymized (defined to mean the data can no longer be attributed to a specific individual without the use of additional information) and the controller keeps the information necessary to re-identify the data separately, subject to effective technical and organizational measures to prevent access, similar to the requirements of the ColoPA. Unlike the VCDPA and ColoPA, the UCPA does not provide a mechanism for consumers to appeal a controller's denial of their requests.
The UCPA makes clear that controllers may charge a reasonable fee to cover the administrative costs of complying with a consumer request, or may refuse to act on a request, if: the request is excessive, repetitive, technically infeasible, or manifestly unfounded; the controller reasonably believes the primary purpose in submitting the request was something other than exercising a right; or the request, individually or as part of an organized effort, harasses, disrupts, or imposes an undue burden on the resources of the controller's business. Controllers that rely on these exceptions bear the burden of demonstrating that the request satisfied one or more of these criteria.
Controller and Processor Duties
Following the VCDPA, ColoPA, and the GDPR, the UCPA uses a controller/processor framework and the primary compliance obligations fall upon controllers. Similar to existing state privacy laws, the UCPA requires controllers to provide a "reasonably accessible and clear privacy notice that includes: (i) the categories of personal data processed by the controller; (ii) the purposes for which the categories of personal data are processed; (iii) how consumers may exercise a right; (iv) the categories of personal data that the controller shares with third parties, if any; and (v) the categories of third parties, if any, with whom the controller shares personal data." If the controller sells personal data or engages in targeted advertising, the privacy notice must also clearly and conspicuously disclose the manner in which the consumer may opt out.
The UCPA requires controllers to provide clear notice and an opportunity to opt out before processing sensitive data.[3] Unlike the Virginia and Colorado laws, the UCPA does not require prior opt-in consent. Sensitive data includes racial or ethnic origin, religious beliefs, sexual orientation, citizenship, immigration status, information regarding an individual's medical history, mental or physical health condition, medical treatment or diagnosis, genetic data, biometric data, or specific geolocation data.
The UCPA also imposes a few limited obligations directly upon processors. Specifically, the UCPA requires processors to adhere to the controller's instructions and assist the controller in meeting its UCPA obligations, such as those related to data security and breach notification. Prior to processing personal data, the processor and controller must enter into a contract that clearly sets forth instructions for processing personal data, the nature and purpose of the processing, the type of data subject to processing, the duration of processing, and the parties' rights and obligations. As part of that contract, processors are required to 1) ensure that each person processing personal data is subject to a duty of confidentiality with respect to personal data and 2) ensure any subcontractors are engaged subject to a written contract that requires the subcontractor to meet the same obligations as the processor with respect to personal data.
The UCPA requires controllers to establish, implement, and maintain reasonable administrative, technical, and physical data security practices designed to protect the confidentiality and integrity of personal data and reduce reasonably foreseeable risks of harm to consumers. The UCPA also requires controllers to obtain parental consent to process personal data of a known child under 13. This obligation is satisfied if the controller complies with the verifiable parental consent mechanisms under the federal Children's Online Privacy Protection Act (COPPA).
The UCPA prohibits controllers from discriminating against a consumer for exercising a UCPA right by denying a good or service, charging the consumer a different price or rate for a good or service, or providing a different level of quality of a good or service. Nevertheless, the UCPA expressly permits a controller to offer a different price, rate, level, quality, or selection of a good or service to a consumer, including offering a good or service for no fee or at a discount, if the consumer has opted out of targeted advertising or if the offer is related to the consumer's voluntary participation in a bona fide loyalty, rewards, premium features, discounts, or club card program.
Enforcement and Civil Penalties
The UCPA does not contain a private right of action. Instead, the Utah attorney general will have exclusive authority to enforce violations. The UCPA tasks the Utah Department of Commerce, Division of Consumer Protection with establishing a system to receive consumer complaints and, if it determines that there is reasonable cause to believe that substantial evidence of a violation exists, it can refer the matter to the attorney general. Upon receiving written notice from the attorney general, controllers or processors violating the UCPA will have 30 days to cure the violation and provide a written statement that the violation has been cured and will not recur, after which the attorney general can seek damages of up to $7,500 per violation.
Wilson Sonsini Goodrich & Rosati routinely helps companies navigate complex privacy and data security issues and will monitor attorney general guidance, enforcement, and litigation pursuant to the UCPA in order to assist clients with compliance. For more information or advice concerning your UCPA compliance efforts, please contact Tracy Shapiro, Maneesha Mithal, Eddie Holman, Amanda Irwin, or any member of the firm's privacy and cybersecurity practice.
[1]“‘Controller’ means a person doing business in the state who determines the purposes for which and the means by which personal data are processed, regardless of whether the person makes the determination alone or with others.” Utah Code § 13-61-101(12).
[2]“‘Processor’ means a person who processes personal data on behalf of a controller.” Utah Code § 13-61-101(26).
[3]Sensitive data is defined as “(i) personal data that reveals: (A) an individual's racial or ethnic origin; (B) an individual's religious beliefs; (C) an individual's sexual orientation; (D) an individual's citizenship or immigration status; or (E) information regarding an individual's medical history, mental or physical health condition, or medical treatment or diagnosis by a health care professional; (ii) the processing of genetic personal data or biometric data, if the processing is for the purpose of identifying a specific individual; or (iii) specific geolocation data. (b) ‘Sensitive data’ does not include personal data that reveals an individual's: (i) racial or ethnic origin, if the personal data are processed by a video communication service; or (ii) if the personal data are processed by a person licensed to provide health care under Title 26, Chapter 21, Health Care Facility Licensing and Inspection Act, or Title 58, Occupations and Professions, information regarding an individual's medical history, mental or physical health condition, or medical treatment or diagnosis by a health care professional.” Utah Code § 13-61-101(32).