On March 24, 2022, Utah joined California, Virginia and Colorado to become the fourth state to enact a comprehensive consumer privacy law. The Utah Consumer Privacy Act (the “UCPA”) has similarities to the existing privacy laws enacted by California (the “CCPA”), Virginia (the “VCDPA”) and Colorado (the “CPA”). Certain aspects of the UCPA’s approach, however, are distinct from those other privacy laws. Generally, the UCPA applies to a narrower scope of businesses, and more categories of data fall outside of the UCPA’s definition of “personal data,” thereby imposing less of a burden on businesses. Below we’ve provided a high-level summary of the UCPA’s general requirements and certain of its differences from and similarities to consumer privacy laws enacted by other states.
Subject to a number of exceptions covered below, the scope of businesses subject to the UCPA includes any controller or processor of personal data that:
- conducts business in the state or produces a product or service that is targeted to consumers who are residents of the state;
- has annual revenue of $25,000,000 or more; and
- satisfies one or more of the following thresholds:
  - during a calendar year, controls or processes personal data of 100,000 or more consumers; or
  - derives over 50% of the entity’s gross revenue from the sale of personal data and controls or processes personal data of 25,000 or more consumers.
The UCPA’s requirement for a covered business to meet the $25,000,000 revenue threshold in addition to meeting the data volume thresholds causes the scope of businesses subject to the UCPA to be narrower than that of the existing California, Virginia and Colorado privacy laws.
The UCPA defines a “consumer” as “an individual who is a resident of the state acting in an individual or household context.” However, similar to the VCDPA and the CPA, the UCPA expressly excludes individuals acting in an employment or commercial context from the definition of consumer. Accordingly, entities subject to the UCPA need not include the personal data of such individuals when complying with their obligations under the UCPA. Like the VCDPA, the UCPA defines “sale” as “the exchange of personal data for monetary consideration by a controller to a third party.” Notably, the UCPA only considers the exchange of personal data for monetary consideration a sale, whereas the CCPA and the CPA go further, and provide that the exchange of personal data for monetary or other valuable consideration constitutes a sale.
The UCPA also explicitly excludes certain types of data disclosures from the definition of sale, similar to many of the exclusions contained in the VCDPA and CPA. For example, disclosures to a processor’s and a controller’s affiliate are excluded, as are disclosures to a third party to provide a product or service requested by the consumer. However, the UCPA’s definition of sale also explicitly excludes “a controller’s disclosure of personal data to a third party if the purpose is consistent with a consumer’s reasonable expectations.” The UCPA further expressly excludes aggregated data from the definition of personal data, which is a first among the other state privacy laws currently enacted.
The UCPA provides for a number of exceptions with respect to what types of data are not covered by the law and with respect to entities which are exempt from compliance with the law notwithstanding their satisfaction of the revenue and data requirements of the law. For example, the UCPA exempts from its compliance obligations institutions of higher education and nonprofits, as well as covered entities and business associates pursuant to the Health Insurance Portability and Accountability Act and financial institutions governed by the Gramm-Leach-Bliley Act. Government entities and contractors are also exempt from the law, as are tribes and air carriers. With respect to data-level exemptions, the UCPA does not apply to information subject to HIPAA, GLBA, the Fair Credit Reporting Act, the Driver’s Privacy Protection Act, the Family Educational Rights and Privacy Act, and the Farm Credit Act. Data processed or maintained in the course of employment, including job applicant data, is also exempt.
The UCPA provides consumers the right to submit authenticated requests to data controllers to: (1) confirm whether a controller is processing their personal data and provide such consumers with access to that data; (2) delete personal data that the consumer provided to the controller; (3) if technically feasible, obtain a copy of data that the consumer provided to the controller in a portable manner; and (4) opt out of the processing of personal data for targeted advertising or sale. Notably, unlike the California, Virginia and Colorado privacy laws, the UCPA does not provide a right to correct inaccuracies in a consumer’s data. However, similar to the California and Virginia privacy laws, data controllers must respond to an authenticated request from a consumer within 45 days. Also similar to the CCPA, and unlike the VCDPA and the CPA, the UCPA does not require data controllers to establish a process by which consumers may appeal a denial of their request.
Like most consumer privacy laws, the UCPA requires a controller to provide consumers with a “reasonably accessible and clear privacy notice.” Controllers processing the personal data of consumers known to be under the age of 13 are required to obtain verifiable parental consent and process such data in accordance with the Children’s Online Privacy Protection Act. As with the CCPA, VCDPA and CPA, controllers must “establish, implement, and maintain reasonable administrative, technical, and physical data security practices designed to protect the confidentiality and integrity of personal data.”
Controllers are prohibited from “discriminat(ing) against a consumer for exercising a right by denying a good or service to the consumer; charging the consumer a different price or rate for a good or service; or providing the consumer a different level of quality of a good or service.” Controllers may, however, offer “a different price, rate, level, quality, or selection of a good or service to a consumer” if the consumer opted out of targeted advertising or if the offer relates to the consumer’s voluntary participation in a bona fide loyalty program.
The UCPA does not provide for a private right of action, nor does it allow a consumer to use a violation of the law to support a claim under other Utah laws. As with the VCDPA, the state attorney general has exclusive enforcement authority.
Generally, the UCPA is narrower in scope (with respect to its application to businesses and forms of data) and more lenient than the privacy laws of Virginia, California and Colorado. Businesses may find it easier to comply with the UCPA than the other existing state privacy laws. The UCPA is not set to go into effect until December 31, 2023, however, and the law may undergo certain changes until its official implementation. Honigman will continue to monitor developments with respect to the UCPA and any other state privacy laws enacted this year and shall provide timely updates with respect to such developments.