On March 24, 2022, the Utah Consumer Privacy Act (UCPA) was signed into law. It will take effect on December 31, 2023. The UCPA generally has a narrower scope of application than the California Consumer Privacy Act (CCPA), the Virginia Consumer Data Protection Act (VCDPA), the Colorado Privacy Act (CPA), and the General Data Protection Regulation (GDPR). It has multiple threshold requirements for applicability, excludes Utah residents acting in an employment or commercial context from protection (like the VCDPA and the CPA), and does not include a right to correct. The UCPA does not prescribe particular means or channels for data subject requests; it leaves it to data controllers to specify how requests may be submitted.
Who and what data is protected?
Utah residents acting in an individual or household capacity are protected under the UCPA with respect to information that is linked or reasonably linkable to an identified or identifiable individual. Utah residents acting in an employment or commercial context are expressly excluded from protection (like the VCDPA and CPA).
Who must comply?
Unless an exemption applies, a data controller or processor must comply with the UCPA if it (a) either conducts business in Utah or produces a product or service that is targeted to Utah residents, (b) has annual revenue of $25,000,000 or more, and (c) satisfies at least one of the following two thresholds: (i) during a calendar year, it controls or processes the personal data of 100,000 or more Utah residents, or (ii) it derives over 50% of its gross revenue from the sale of personal data and controls or processes the personal data of 25,000 or more Utah residents.
Exemptions include institutions of higher education, nonprofit corporations, covered entities and business associates under the Health Insurance Portability and Accountability Act (HIPAA), financial institutions governed by the Gramm-Leach-Bliley Act (GLBA), government entities and contractors, tribes, and air carriers. The UCPA also has data-level exemptions, so certain categories of data are outside its scope even when the entity holding them is not.
How to comply?
Controllers must provide privacy notices that include the categories of personal data processed, the processing purposes, how consumers may exercise their data subject rights, the categories of personal data shared with third parties and the categories of such third parties, and, if the controller "sells" personal data for monetary consideration or engages in targeted advertising, how consumers may opt out of such activities. The UCPA's definition of sale expressly excludes, "considering the context in which the consumer provided the personal data to the controller, a controller's disclosure of personal data to a third party if the purpose is consistent with a consumer's reasonable expectations". Controllers must also implement and maintain reasonable administrative, technical, and physical data security practices.
Controllers generally may not process sensitive data collected from a consumer without first providing clear notice and an opportunity to opt out. When processing sensitive personal data concerning a known child younger than 13, the processing must be done in accordance with the US federal Children's Online Privacy Protection Act (COPPA); notably, the UCPA does not distinguish between personal data collected about a child under 13 and personal data collected from that child. The UCPA defines "sensitive data" as certain prescribed categories of data, including personal data that reveals an individual's racial or ethnic origin, religious beliefs, or sexual orientation, medical information, and other categories.
Controllers may not discriminate against consumers for exercising their UCPA rights. Two carve-outs apply: controllers are not prohibited from offering a different price, rate, level, quality, or selection of a good or service to consumers who have opted out of targeted advertising, or where the offer is related to voluntary participation in a bona fide loyalty, rewards, premium features, discounts, or club card program. In addition, controllers are not required to provide a product, service, or functionality if the personal data is necessary to provide it and the data is either (i) not provided by the Utah resident or (ii) not permitted by the Utah resident to be processed by the controller.
Data controllers must offer and operationalize rights of access, deletion, and portability and, as applicable, opt-outs from the processing of personal data for purposes of targeted advertising or the sale of personal data. Controllers must authenticate requests and take action within 45 days of receiving a request. Parents or legal guardians exercise the rights of children younger than 13 on their behalf. The right to delete extends only to personal data that the consumer provided to the controller.
Data processors shall adhere to controllers’ instructions and assist controllers in meeting their obligations under UCPA.
Controllers and processors must enter into a contract that includes terms similar to those required in data processing agreements under privacy laws in other jurisdictions, including controller-to-processor instructions, confidentiality commitments, and flowing the same obligations down to any sub-processors. A processor that adheres to a controller's instructions with respect to a specific processing of personal data remains a processor under the UCPA.
The UCPA requires that controllers that "engage in targeted advertising" permit consumers to opt out of that activity. While "engaging in targeted advertising" is broader than "sharing for cross-context behavioral advertising" under the CCPA, the UCPA lists exemptions to its definition of targeted advertising; for example, advertising based on a consumer's activities within a controller's website or online application, or within any affiliated website or online application, is carved out.
Sanctions and remedies
The Utah attorney general has exclusive authority to enforce the UCPA. The Utah Division of Consumer Protection is to establish a system to receive consumer complaints, which are referred to the attorney general if there is reasonable cause to believe that substantial evidence exists that a person identified in a complaint is in violation of the UCPA. Controllers and processors have a 30-day cure period after receiving written notice from the attorney general; after that period, the attorney general may initiate an enforcement action if the alleged violations have not been cured or the controller or processor fails to provide the attorney general with a written statement regarding the cure.
The attorney general may recover actual damages to the affected Utah resident(s) and, for each violation, an amount not to exceed $7,500. All money received is deposited into a Consumer Privacy Account and may be used, for example, to fund UCPA investigations and to educate Utah residents and businesses about the UCPA.
A violation of the UCPA does not provide a basis for, nor is a violation of the UCPA subject to, a private right of action under UCPA or any other law.