Getting Spicy: Salt Lake State Passes Privacy Law
Update: The UCPA was signed into law by Governor Spencer J. Cox without amendment on March 24, 2022.
Utah is set to become the fourth U.S. state to pass comprehensive data privacy legislation. Senate Bill 227, known as the Utah Consumer Privacy Act (“UCPA” or the “Act”), unanimously passed the Utah House of Representatives on March 3, 2022, after passing the Utah Senate earlier this year. Governor Spencer J. Cox now has 20 days to sign or veto the bill before it automatically becomes law. If the UCPA is signed, Utah will become the first state in 2022 to establish a framework for controlling and processing personal data that parallels legislation like the California Consumer Privacy Act (“CCPA”) as amended by the California Privacy Rights Act (“CPRA”), the Virginia Consumer Data Protection Act (“VCDPA”), and the Colorado Privacy Act (“CPA”). Several other states are poised to pass comprehensive privacy legislation this year, making the landscape an interesting one for privacy advocates, privacy professionals, consumers, and businesses alike.
Notably, the Act does not create a private right of action for consumers, and all complaints must first go through the Division of Consumer Protection within the Utah Department of Commerce before being referred to the Utah Office of the Attorney General. This article contains a chart comparing certain provisions of the UCPA to the CPA, the VCDPA, and the CCPA (as amended by the CPRA), as well as a breakdown of key provisions.
Scope and Applicability
The UCPA applies to businesses that (1) conduct business in Utah or produce a product or service targeted to Utah residents, (2) have annual revenue of $25 million or more, and (3) either (i) control or process the personal data of at least 100,000 residents during a calendar year or (ii) derive over 50% of their gross revenue from the “sale” of personal data and control or process the personal data of at least 25,000 residents.
The UCPA only provides protections to “consumers,” which is defined as “an individual who is a resident of the state acting in an individual or household context.” Similar to Virginia and Colorado, the UCPA’s scope does not cover information of individuals processed in an employment or commercial context.
Further, there are expected exemptions from the Act’s applicability, including exemptions for governmental entities, higher education institutions, nonprofits, HIPAA-covered entities and business associates, and financial institutions or data subject to Title V of the federal Gramm-Leach-Bliley Act.
Controllers and Processors
Using the language of the European Union’s General Data Protection Regulation, the UCPA distinguishes between processors and controllers in its allocation of responsibilities. Processors are responsible for processing data on behalf of controllers, and controllers dictate how processed data should be used.
The UCPA requires controllers and processors to enter into a contract covering topics such as the type of data subject to processing, the nature and purpose of the processing, and an obligation for the processor to use “appropriate technical and organizational measures” and “assist the controller in meeting the controller’s obligations, including obligations related to the security of processing personal data and notification of a breach of security.” Further, the processor must ensure that all persons handling personal data, including any subcontractors the processor may choose to hire, are subject to a duty of confidentiality.
In complement, controllers must provide consumers with an accessible and comprehensible privacy notice stating the categories of personal data to be processed, the purposes of such processing, and, among other things, how consumers can exercise their rights under the UCPA.
The UCPA creates a similar array of individual rights as seen in other data privacy legislation, such as the right to access, obtain a copy of, and delete one’s personal data. Consumers can also opt out of the processing of their personal data for the purposes of targeted advertising or the sale of personal data.
There are significant caveats in the UCPA that distinguish these rights from those found in other state data privacy laws. For example, while Virginia and Colorado create an opt-in regime for “sensitive” personal data, Utah recognizes this distinct subcategory but employs an opt-out system. In addition, the UCPA clarifies that “sensitive data” does not include personal data that reveals an individual’s racial or ethnic origin if the personal data is processed by a video communication. Further, the UCPA provides no right to correct inaccuracies in one’s personal data, nor does it provide a right to opt out of the processing of data for profiling purposes.
Requests and Right to Appeal
Under the UCPA, a consumer can submit a request to a controller or processor specifying the right they intend to exercise. The controller or processor then has 45 days to respond, either by taking the action it deems appropriate or by denying the request, subject to certain rights to extend that period.
Instead of providing a statutory right to appeal denials of requests, as seen in the VCDPA and CPA, the UCPA allows consumers to file a complaint with the Utah Division of Consumer Protection (“UDCP”). The UDCP can then choose to investigate a consumer complaint to determine whether any violations have occurred. If the director reasonably believes there is substantial evidence indicating a violation has occurred, they must refer the matter to the attorney general, who bears the exclusive authority to enforce the UCPA. However, there is currently no provision in the UCPA for consumers to appeal any decision of the UDCP not to refer their complaint to the attorney general.
Express Obligations for Deidentified Data
The UCPA incorporates obligations that relate to the processing of “deidentified data” into the definition of that term. For data to qualify as “deidentified” and, thus, not be subject to certain provisions of the UCPA, the controller must (1) take reasonable measures to “ensure that a person cannot associate the data with an individual,” (2) “publicly commit” to maintain and use the data only in deidentified form and not attempt to reidentify the data, and (3) contractually obligate any recipients of the data to comply with these requirements. It is unclear what constitutes a “public commitment” and how a controller can “ensure” that no other person can associate the data with an individual.
Sales of Personal Data
The UCPA defines the “sale” of personal data as “the exchange of personal data for monetary consideration by a controller to a third party.” The UCPA forgoes the broader definition of sale under the CCPA and CPA regarding “valuable consideration” by restricting the definition of “sale” to monetary transactions. In addition to the expected exclusion for disclosure of personal data at the direction of the consumer, the definition of “sale” under the UCPA also excludes “a controller’s disclosure of personal data to a third party if the purpose is consistent with a consumer’s reasonable expectations.”
No Private Right of Action
Under the UCPA, there is no private right of action, nor is there a separate enforcement agency. Rather, the UCPA is exclusively enforced through the Utah Office of the Attorney General. Once the UDCP refers a complaint to the Utah attorney general, the Utah Office of the Attorney General may then choose to initiate an enforcement action against a controller or processor for the alleged violation(s). However, before such an action is initiated, the controller or processor must receive a written notice identifying the alleged violation and be given a 30-day window to cure the violation.
Upon bringing a successful action, the attorney general may recover up to $7,500 per violation. All money received under such actions will be deposited into a newly created Consumer Privacy Account.
What This Means for You
The UCPA was unanimously passed by the Utah House of Representatives on March 3, 2022, and sent to Governor Spencer J. Cox’s desk to sign. Governor Cox has 20 days to either sign or veto the bill before it automatically becomes law. Once it becomes law, the UCPA would take effect on December 31, 2023.
Organizations should determine applicability as soon as feasible. However, organizations that are already taking steps to comply with the VCDPA or CPA can fold considerations under the UCPA into their existing implementation plans. The passage of the UCPA is perhaps an indication that states will adopt the “Virginia” framework for data privacy legislation (i.e., sale being limited to “monetary consideration,” no private right of action, and an express exclusion of “personal data collected in the employment and commercial context”) as opposed to the “California” framework.
This information is provided by Vinson & Elkins LLP for educational and informational purposes only and is not intended, nor should it be construed, as legal advice.