New legislation adds another wrinkle to the US legal landscape with the Utah Consumer Privacy Act
Last year brought with it many noteworthy developments in consumer privacy that significantly impacted businesses that collect and use personal data as part of their operations, including the enactment of two new consumer privacy statutes by Virginia and Colorado.
Just recently, Utah became the fourth state to enact a comprehensive consumer privacy law, the Utah Consumer Privacy Act (UCPA), which will go into effect on December 31, 2023.
While the UCPA contains a number of provisions similar to the California Privacy Rights Act of 2020 (CPRA), the Virginia Consumer Data Protection Act (VCDPA), and the Colorado Privacy Act (CPA), both enacted in 2021, the Utah law also departs from these consumer privacy statutes in several material respects.
While the myriad new and innovative ways personal data is being leveraged for commercial purposes continue to proliferate, the associated legal risks are also rising in the US as lawmakers seek to strengthen the requirements placed on businesses’ data collection and processing practices.
Scope and applicability
The UCPA applies to any entity that: conducts business in Utah or produces a product or service that is targeted to Utah consumers; has annual revenue of at least $25 million; and meets one or both of the following criteria: during a calendar year, controls or processes the personal data of 100,000 or more consumers, or derives over 50% of its gross revenue from the sale of personal data and controls or processes the personal data of 25,000 or more consumers.
Importantly, the UCPA’s requirement that businesses meet both a financial threshold and a data processing threshold presents a much higher bar to fall under the scope of the UCPA than under the CPRA, VCDPA, and CPA, and will likely remove some companies that are subject to the California, Virginia, and Colorado laws from the scope of Utah’s recently enacted statute.
The UCPA classifies entities that process personal data as either “controllers” or “processors”, and mandates different requirements for each. Controllers are those entities that determine the purposes for which and the means by which personal data is processed, while processors merely process personal data on behalf of a controller.
Under the UCPA, personal data relates to any information that is linked or reasonably linkable to an identified individual or an identifiable individual.
In a similar fashion to the CPRA, VCDPA, and CPA, the UCPA classifies certain types of data as “sensitive data” which are subject to additional requirements and restrictions not applicable to other types of personal data.
Under the law, sensitive data includes: data revealing racial or ethnic origin, religious beliefs, sexual orientation, citizenship, or immigration status; information regarding medical history, mental or physical health condition, or medical treatment or diagnosis; genetic or biometric data; and specific geolocation data.
The UCPA affords consumers four fundamental rights:
Access: The right to confirm whether a controller is processing the consumer’s personal data and access to such data.
Deletion: The right to delete the consumer’s personal data that the consumer has provided to the controller.
Portability: The right to obtain a copy of the consumer’s personal data that the consumer previously provided to the controller in a portable and readily usable format that allows the consumer to transmit the data to another controller without impediment.
Opt-Out: The right to opt out of the processing of personal data for purposes of targeted advertising and the “sale” of personal data (defined by the UCPA as the exchange of personal data for monetary consideration by a controller to a third party).
Importantly, however, unlike the CPRA, VCDPA, and CPA, the UCPA does not provide consumers with a right to correct inaccurate personal data.
The UCPA requires controllers to comply with consumer rights requests, including by establishing one or more means for consumers to submit requests to exercise their consumer rights. It does not mandate that controllers implement an internal appeals process for consumers to challenge refusals to take action in response to their requests.
Also similar to the CPRA, VCDPA, and CPA, the UCPA requires controllers to provide notice to consumers containing, at a minimum, the following information:
The categories of personal data processed by the controller
The purposes for which the categories of data are processed
How consumers may exercise their rights
The categories of personal data that the controller shares with third parties, if any
And the categories of third parties, if any, with whom the controller shares personal data.
Before processing any sensitive data, a controller must first present consumers with clear notice and an opportunity to opt out of the processing.
Controllers must establish, implement, and maintain reasonable data security practices that are designed to protect the confidentiality and integrity of personal data and reduce reasonably foreseeable risks of harm to consumers relating to the processing of personal data.
The UCPA also sets forth a range of requirements on processors of personal data, which include entering into written contracts with controllers that set out the instructions to which the processor is bound, as well as assisting controllers with fulfilling their UCPA obligations, including obligations relating to the security of processing personal data and any necessary data breach notifications.
Liability and enforcement
The UCPA does not provide a private right of action for individuals to pursue litigation against entities for alleged violations of the law. Rather, enforcement authority rests exclusively with the Utah attorney general.
Companies that violate the UCPA can be subjected to civil penalties of up to $7,500 per violation. Importantly, however, the UCPA includes a cure provision that provides the opportunity for businesses to avoid enforcement actions if violations are corrected within 30 days after receiving notice of alleged non-compliance.
Although the UCPA does not go into effect until the end of 2023, companies should add UCPA compliance to their 2023 consumer privacy preparedness plans (which should already encompass compliance with the CPRA, VCDPA, and CPA) to ensure full compliance by the UCPA’s effective date of December 31, 2023.
In particular, companies should immediately implement the following action steps (if they have not done so already):
Complete a data mapping and inventory exercise
Provide written notice to all individuals at or before the time personal data is collected
Design and implement processes and procedures for responding to consumer requests
Implement data security measures to protect and secure personal data
And consult with experienced privacy counsel to ensure compliance with today’s constantly evolving privacy legal landscape.