March Privacy Madness: Utah Becomes Fourth State to Enact Comprehensive Privacy Bill

PDF

Yesterday, Governor Spencer Cox signed into law the Utah Consumer Privacy Act (“UCPA”). Utah is now the fourth U.S. state to enact a comprehensive privacy law, following the California Consumer Privacy Act (“CCPA”) as amended by the California Privacy Rights Act (“CPRA”), Virginia’s Consumer Data Protection Act (“VCDPA”), and Colorado’s Privacy Act (“ColoPA”). The CPRA and VCDPA with go into effect on January 1, 2023 and ColoPA will follow shortly after on July 1, 2023. The UCPA will have an effective date of December 31, 2023.

What is the UCPA?

The UCPA is a cross-industry privacy law that provides certain privacy rights to Utah residents over their personal data. “Person data” is defined broadly to include any data that is “linked or reasonably linkable” to an individual. Additional compliance requirements apply to more narrowly defined categories of “sensitive data.” Publicly available or de-identified information is not regulated by the UCPA.

Similar to the EU’s General Data Protection Regulation (“GDPR”), the UCPA utilizes a
controller/processor distinction and imposes specific duties on the controllers and processors of consumer personal data. A "controller" is defined as a person doing business in the state who determines the purposes and means by which personal data is processed. A "processor" is defined as a person who processes personal data on behalf of a controller.

Who is in Scope of the UCPA?

The UCPA applies to controllers and processors that:

• Conduct business in Utah or produce a product or service targeted to Utah consumers;
• Have annual revenue of $25 million or more;

and either:

• Control or process personal data of 100,000 or more consumers during a calendar year; or
• Derive over 50% of the entity's gross revenue from the sale of personal data and control or process the personal data of 25,000 or more consumers.

Exemptions to the UCPA include non-profits, entities and information covered under the Health Insurance Portability and Accountability Act of 1996 (“HIPPA”), information covered under the Family Educational Rights and Privacy Act (“FERPA”), financial institutions and information covered under the Gramm-Leach-Bliley Act (“GLBA”), and information collected in an employment or business-to-business context.

What Are the Responsibilities of Controllers and Processors?

The duties of controllers include:

• Duty of transparency (requires controllers to provide consumers with a privacy notice containing certain information);
• Duty of purpose specification (requires controllers to specify the express purpose for which data is collected and processed);
• Duty of care (requires controllers to implement reasonable measures to secure personal data);
• Duties regarding providing an opportunity to opt-out of the sale of personal data, processing for targeted advertising, or processing of sensitive data; and
• Duty to avoid unlawful discrimination (prohibits controllers from processing personal data in violation of state or federal laws that prohibit discrimination).

Processors are required to adhere to the instructions of the controller and assist the controller in meeting its obligations under the UCPA. Together, controllers and processors must enter into a contract that sets out the details of processing and ensures the confidentiality of personal data.

What Rights Does the UCPA Provide to Consumers?

• Right to Access - Consumers have the right to confirm that a business is processing their personal data and to have access that data.
• Right of Deletion – Consumers have the right to delete the personal data that they have provided to a business.
• Right to Data Portability – Consumers have the right to obtain a copy of the data that the business controls in a format that is readily portable, usable, and transmittable to other businesses.
• Right to Opt Out – Consumers have the right to opt out of certain processing.

How Will the UCPA Be Enforced?

The UCPA does not provide a private right of action. However, the UCPA creates a split system where the Department of Commerce’s Consumer Protection Office (“CPO”) will investigate consumer complaints regarding potential violations. Following an investigation, the CPO can refer matters to the attorney general’s office who, in turn, may choose to initiate an enforcement action. For each violation, the attorney general may recover actual damages to the consumer and penalties, not exceeding $7,500 per violation.

What Actions Should be Taken Now?

The passage of the UCPA adds to a growing list of state regulatory requirements. While the UCPA will not take effect until 2023, businesses preparing for the CPRA, VCDPA, and/or ColoPA can streamline their compliance efforts by assessing the applicability and requirements of the UCPA in conjunction with these other privacy laws. If you have any questions about how the UCPA will affect your organization or for assistance with any other privacy issues your business is facing, contact a member of Maynard’s Cybersecurity and Privacy Team.

This Client Alert is for informational purposes only and should not be construed as legal advice. The information in this Client Alert is not intended to create and does not create an attorney-client relationship.