The Utah legislature recently passed the Utah Consumer Privacy Act (UCPA). UCPA is a comprehensive privacy bill that shares similarities to the California Consumer Privacy Act (CCPA). If the Governor signs the bill into law, Utah will become the fourth state to pass consumer privacy legislation. Below is a summary of the UCPA.
Who is covered?
The UCPA is, in many ways, a parallel to the CCPA. However, the UCPA has broader exemptions. The UCPA applies to all data controllers or processors who conduct business in Utah or produce a product or service targeted towards consumers residing in Utah with an annual revenue of $25,000,000 or more and either:
- control or process personal data of 100,000 or more consumers annually; or
- derive over 50% of their gross revenue from the sale of personal data and control or process the personal data of at least 25,000 consumers.
There are notable exemptions for governmental and third-party entities acting on behalf of the government handling employee data, nonprofits, higher education institutions, covered entities and business associates under HIPAA, financial institutions and information governed by the Gramm-Leach-Bliley Act, and personal data regulated by Family Educational Rights and Privacy Act.
What sales are not covered?
Compared to the CCPA, the UCPA defines the sales of personal data narrowly. It defines data sales as exchange of personal data for monetary consideration only. This implies that the exchange of personal data for “other valuable consideration” does not constitute a sale. The UCPA also does not consider disclosures of personal information to third parties a sale if the purpose is consistent with the consumer’s reasonable expectations.
What rights are provided and to whom?
Like the CCPA, the UCPA provides individuals with certain privacy rights. Individuals who are Utah residents acting in an individual or household (Utah Consumers) would have the rights of access, correction, deletion of data the consumer provided to the controller. In addition, it provides Utah Consumers with the right of data portability, and right to opt-out of certain processing, as well as the right to opt-out of the “sale” of personal data. The bill does not allow consumers to opt-out of profiling and does not require consumer consent before processing sensitive data. Instead, it states that controllers must notify consumers of sensitive data processing and allow them the opportunity to opt-out.
What other differences exist between the UCPA and CCPA?
The UCPA allows for broader exemptions for controllers and processors than the CCPA. The UCPA does not require processors to allow for, or contribute to, reasonable audits and inspections by the controller or controller’s designated auditor, to produce data processing assessments, or to respond to consumer requests, unlike the CCPA. The UCPA also differs from the CCPA because it is the first bill to explicitly protect trade secrets from disclosure. Another key difference is that the UCPA does not require controllers to honor Global Privacy Control signals that enable users to opt out of the sale of personal data and targeted advertising on their browser, unlike the CCPA.
Who will enforce the bill?
The UCPA grants enforcement authority to the Utah Attorney General but does not provide a private right of action. It also gives potential violators a chance to cure potential violations before enforcement can take place. The Attorney General must first provide the allegedly non-compliant business with a written notice before initiating the enforcement action to provide an opportunity to cure the violation with 30 days of receiving the notice. The Attorney General can recover: (1) actual damages to the consumer and (2) a fine of up to $7,500 per violation.
What is the impact of the bill?
If the governor signs the bill into law, it will go into effect as of December 31, 2023. This means that businesses with connections to Utah who qualify as an entity covered by the UCPA should prepare to be compliant with the law preferably before but no later than December 31, 2023. The UCPA will likely become a more efficient model for state privacy legislation because it avoids the added compliance obligations and burdens of other models, such as the CCPA.