Businesses that have already built compliance programs for the California Consumer Privacy Act of 2018, as amended by the California Privacy Rights Act of 2020 (“CCPA”), can leverage those existing CCPA mechanisms to satisfy requirements under the Utah Consumer Privacy Act (“UCPA”), which becomes operative on December 31, 2023.
Most companies will not need to expand the scope of their CCPA-focused privacy notices to treat Utah residents exactly as they treat California residents, because the UCPA is more narrowly framed than the CCPA. To determine what works best for your company, consider the following concerning the UCPA:
Who and what data are protected?
The UCPA protects “consumers,” which is defined as Utah residents acting in an individual or household context. Individuals acting in an employment or commercial context are expressly excluded from protection. Protected information under the UCPA includes information that is linked or reasonably linkable to an identified or identifiable individual.
Who must comply?
Unless an exemption applies, the UCPA applies to “controllers” and “processors” that (i) either do business in Utah or produce a product or service targeted to Utah residents; (ii) have an annual revenue of at least $25 million; and (iii) satisfy one or more of the following two thresholds: (a) control or process the personal data of 100,000 or more Utah residents annually, or (b) derive over 50% of the entity’s gross revenue from the sale of personal data and control or process the personal data of at least 25,000 Utah residents.
“Controller” is analogous to a “business” under the CCPA and is defined as a person doing business in Utah who determines the purposes for which and the means by which personal data are processed, regardless of whether the person makes the determination alone or with others. “Processor” is analogous to a “service provider” under the CCPA and is defined as a person who processes personal data on behalf of a controller. To qualify as a “processor” under the UCPA, a company has to process personal data on behalf of a controller and as instructed pursuant to a contract containing certain prescribed terms, whereas under the CCPA, a company must both enter into and adhere to a contract with certain terms and only process personal information for certain business purposes as defined by the CCPA.
Exemptions include institutions of higher education, nonprofit corporations, covered entities and business associates under the Health Insurance Portability and Accountability Act, financial institutions governed by the Gramm-Leach-Bliley Act, government entities and contractors, tribes and air carriers. The UCPA also has data-level exemptions.
How to comply?
Privacy Notices. Controllers shall provide privacy notices that include: (i) categories of personal data; (ii) processing purposes; (iii) how to exercise data subject rights; (iv) categories of personal data shared with third parties; and (v) the categories of such third parties.
Controllers that “sell” personal data for monetary consideration or engage in targeted advertising must also clearly disclose how consumers can exercise their right to opt out of such activities, and must stop the sale or processing when requested. The UCPA defines a “sale” of personal data as “the exchange of personal data for monetary consideration by a controller to a third party.” In other words, a sale seems to require money to be exchanged, although it is possible that monetary consideration could be found in reduced pricing models. This definition of sale is narrower than that under the CCPA, under which the disclosure of personal information for non-monetary consideration can be considered a sale.
Given that the UCPA defines “selling” only as exchanging personal data specifically for monetary consideration, far fewer companies should be affected by the right to opt out under the UCPA than by that under the CCPA. First, any contract not involving payments is excluded from the UCPA. Second, even contracts involving payments are arguably not covered by the UCPA’s definition of “sale” if the payment is intended for a service and the data sharing is incidental, given the definitional focus on monetary consideration for personal data under the UCPA. This may leave only arrangements whereby controllers are paid specifically for the personal data of Utah residents. “Engaging in targeted advertising” is broader than “sharing for cross-context behavioral advertising” under the CCPA, but the UCPA provides certain exemptions to its definition of targeted advertising, such as advertising based on a consumer’s activities within a controller’s website or online application or any affiliated website or online application.
Notably, the UCPA’s definition of a “sale” contains a unique exemption that allows a controller to disclose personal data to a third party — without such disclosure being a “sale” — if the purpose is consistent with the consumer’s “reasonable expectations,” considering the context in which the consumer provided the personal data.
Controllers that provide typical core website disclosures would satisfy the disclosure obligations under the UCPA for online personal data collection practices, but would need to supplement those with disclosures to Utah residents about offline practices, as applicable, if they do not already have them in place (e.g., at brick-and-mortar stores).
Technical and Organizational Measures and Data Processing Agreements. Controllers shall establish, implement, and maintain reasonable administrative, technical and physical data security practices. Further, before a processor performs any processing on behalf of a controller, the parties must enter into a contract that includes terms similar to those required under other state privacy laws, including controller-to-processor instructions, confidentiality commitments, and a requirement to flow the same terms down to any sub-processors.
Data processors must adhere to controllers’ instructions and use appropriate technical and organizational measures to assist controllers in meeting their obligations under the UCPA. A processor that adheres to a controller’s instructions with respect to a specific processing of personal data remains a processor under the UCPA with respect to such processing.
Data Subject Rights. Data controllers must offer and operationalize access, deletion, portability, and, as applicable, opt-outs from the sale of personal data, targeted advertising, or the processing of sensitive data. Notably, like the CCPA but unlike the Colorado Privacy Act, the Connecticut Act Concerning Personal Data Privacy and Online Monitoring, and the Virginia Consumer Data Protection Act, the right to deletion of personal data under the UCPA only extends to personal data that the consumer provided to the controller. Controllers must authenticate requests and take action within 45 days of receipt, with one 45-day extension if reasonably necessary. Parents or legal guardians shall exercise the rights of children younger than 13 on their behalf.
Controllers may not discriminate against those exercising UCPA rights, except that controllers are not prohibited from offering a different price, rate, level, quality, or selection of a good or service if (i) the consumer has opted out of targeted advertising; or (ii) the offer is related to voluntary participation in a bona fide loyalty, rewards, premium features, discounts, or club card program. Controllers are also not required to provide a product, service, or functionality if the personal data is necessary to provide it and the data is either (i) not provided by the Utah resident; or (ii) not permitted by the Utah resident to be processed by the controller.
Controllers should be able to comply with the UCPA by expanding the scope of their compliance mechanisms designed to address the CCPA to cover consumers in Utah.
Sensitive Data. The UCPA defines “sensitive data” to mean certain prescribed categories of data, including personal data that reveals an individual’s racial or ethnic origin, religious beliefs, sexual orientation, medical information, and other categories.
Controllers may not process sensitive data collected from a consumer without providing clear notice and giving an opportunity to opt out of the processing of sensitive data. In cases of processing sensitive data about a known child younger than 13, processing is required to be done in accordance with the US federal Children’s Online Privacy Protection Act (“COPPA”). Given that verifiable parental opt-in consent is generally required under COPPA, this could potentially mean parental opt-in consent would be required for processing sensitive data about a child under 13. This differs from COPPA itself, which requires parental opt-in consent before collecting personal information from a child rather than tying consent to the processing of sensitive data specifically.
Sanctions and remedies
The UCPA does not provide a private right of action and grants the Utah Attorney General exclusive enforcement authority. The enforcement mechanism in Utah is a two-step process. First, the Utah Division of Consumer Protection (“UDCP”) will investigate a complaint and determine whether there is reasonable cause to believe substantial evidence exists that a person identified in a consumer complaint is in violation of the UCPA. The complaint will only be referred to the Utah Attorney General’s office if the UDCP makes such a determination.
The Utah Attorney General must provide a written notice of alleged violation and a 30-day opportunity to cure. Any uncured violations are subject to civil penalties of up to $7,500 per violation.