Happy 2024 folks! As we turn the page on 2023, we mustn’t overlook the dynamic changes in state privacy laws as we step into the new year.
In March 2022, Utah became one of the early states to enact a consumer data privacy law. While the Utah Consumer Privacy Act (UCPA) is perceived as being more favorable to businesses compared to its predecessors — the CCPA/CPRA, VCDPA, and the CPA — businesses operating in Utah must keep in mind key regulations required by UCPA.
Key UCPA Components
The UCPA – like other privacy regulations – provides consumers the following rights related to their personal data:
- Right to access and delete personal data: Importantly, the UCPA does not grant consumers the ability to request the deletion of all their personal data held by a controller. Instead, consumers only have the right to delete the personal data they have specifically provided to the controller.
- Right to opt out of the collection and use of personal data for certain purposes: Unlike some other state privacy laws, the right to opt out of profiling and the right to correct inaccuracies in personal data are absent from the UCPA. Also unlike the CPA, controllers subject to the UCPA are NOT required to acknowledge universal opt-out signals as a means for consumers to exercise their opt-out rights.
- Right to data portability: Consumers have a right to obtain a copy of their personal data (previously provided to the controller) in a format that is feasible, practicable, readily usable and portable.
Controllers must specify the means by which consumers may submit a request to exercise any of these rights.
Scope
The UCPA applies to businesses that:
- conduct business in the state or produce a product or service that is targeted to Utah consumers;
- have an annual revenue of $25 million or more; and
- satisfy one or more of the following thresholds:
  - control or process, during a calendar year, the personal data of 100,000 or more Utah consumers; or
  - derive over 50% of their gross revenue from the sale of personal data, and control or process the personal data of 25,000 or more Utah residents.
Incorporating several threshold requirements makes the scope of the UCPA more limited in comparison to existing state privacy laws. The annual revenue thresholds can exempt smaller businesses from the UCPA even if they meet other thresholds. Similarly, larger businesses surpassing the revenue threshold will not be bound by the UCPA unless they satisfy an additional threshold.
Key Definitions
A “consumer” is defined as “an individual who is a resident of the state acting in an individual or household context.” But unlike the CPA and VCDPA, it explicitly excludes “those acting in an employment or commercial context.” Therefore, the UCPA does not protect employee data.
A “sale” is defined as “the exchange of personal data for monetary consideration by a controller to a third party.” Unlike the CCPA and CPA, it excludes an “other valuable consideration” clause – so an exchange of personal data will only qualify as a sale if the consideration is monetary.
“Personal Data” is defined broadly as “information that is linked or reasonably linkable to an identified individual or an identifiable individual.” The definition excludes deidentified data and publicly available information; it also excludes “aggregated data,” defined as “information that relates to a group or category of consumers: (a) from which individual consumer identities have been removed; and (b) that is not linked or reasonably linkable to any consumer.”
Violations of the UCPA
The UCPA does not provide for a private right of action. But the UCPA allows the Division of Consumer Protection to investigate complaints and authorizes the AG’s office to enforce the law and impose penalties against businesses that fail to comply.
If you are found to be in violation of the UCPA, the AG will first provide written notice, followed by a 30-day cure period.
If a controller or processor fails to cure the violation, the AG can fine the business for actual damages and up to $7,500 per violation. Keep in mind that each instance of improper use of personal data counts as a single violation.
Exemptions
The UCPA provides for exemptions for higher education institutions, nonprofit organizations, government organizations and contractors, indigenous tribes, air carriers, those covered by the Health Insurance Portability and Accountability Act (HIPAA), and financial institutions governed by the Gramm-Leach-Bliley Act (GLBA). Additionally, the UCPA provides for data-level exemptions and does not apply to information subject to HIPAA, the GLBA, the Fair Credit Reporting Act, the Driver’s Privacy Protection Act, the Family Educational Rights and Privacy Act, or the Farm Credit Act. Data processed or maintained in the course of employment is also exempt.
Privacy Policy and Other Obligations
Privacy Policy: Like other state privacy laws, the UCPA requires controllers to provide consumers with a privacy policy that includes:
- The categories of personal data processed by the controller.
- The purposes for processing the data.
- How consumers may exercise their rights.
- The categories of personal data the controller shares with third parties, if any.
- The categories of third parties, if any, with whom the controller shares personal data.
Responding to Requests and Security Measures: Like other state privacy laws, the UCPA requires controllers to “establish, implement, and maintain reasonable administrative, technical, and physical data security practices designed to protect the confidentiality and integrity of personal data” and to respond to consumer requests within 45 days.
Contracts: Any processing activities conducted by a processor on behalf of a controller must be governed by a data processing contract before any consumer data is processed. The contract must outline certain requirements, including what types of data will be processed, the purpose of the processing, the duration of processing, and the security obligations of each party.
Non-Discrimination: Controllers and processors are prohibited from discriminating against any consumer by denying goods or services, charging a different price, or providing the consumer with a product or service of different quality.
Consent: The UCPA requires you to obtain verifiable consent to process the data of anyone younger than 13 years old, and businesses must process such data in compliance with the Children’s Online Privacy Protection Act (COPPA).
As always, we’ll continue to keep you up to date with state privacy laws in 2024.