Utah follows California, Virginia and Colorado with comprehensive state privacy law

On March 24, 2022, Utah joined California, Virginia, and Colorado in enacting comprehensive privacy legislation, when Governor Spencer Cox signed the Utah Consumer Privacy Act (“UCPA”) into law.

The UCPA will take effect on December 31, 2023 and adds to an increasingly active state legislative landscape. Companies should augment their compliance programs to account for the evolving changes in U.S. privacy laws.

Utah’s law is similar to Virginia and other state privacy laws

The good news for businesses from a compliance and operational perspective is that the UCPA significantly overlaps with Virginia’s Consumer Data Protection Act (“VCDPA”), set to take effect on January 1, 2023, and the Colorado Privacy Act (“CPA”), set to take effect on July 1, 2023 (both of which are generally modelled after the EU’s General Data Protection Regulation).

To a lesser extent, the UCPA also shares certain commonalities with the California Consumer Privacy Act (“CCPA”), which has been in effect since January 1, 2020, and the California Privacy Rights Act (“CPRA”), set to take effect on January 1, 2023, even though California has elements that differ or go beyond the GDPR.

For instance, like the laws in California, Virginia, and Colorado:

  • Individual rights: The UCPA will give Utah residents the right to access their personal data, obtain a portable copy of their personal data, request deletion of their personal data, opt-out of the “sale” of their personal data, opt-out of “targeted advertising”, and be guaranteed to not be discriminated against for exercising any of the foregoing rights. Businesses must either honor or decline these requests within 45 days of receipt (extendable to 90 days under certain circumstances), which is in line with California, Virginia, and Colorado law (except that California law requires sale opt-outs to be honored within 15 business days).
  • Definition of sale: The UCPA defines “sale” as “the exchange of personal data for monetary consideration”. This definition mirrors the VCDPA’s definition of sale, which is narrower than the California and Colorado frameworks (which frameworks also allow for non-monetary consideration to trigger a sale).
  • Extra-territorial application: The UCPA’s applicability to businesses will be subject to revenue and data processing thresholds. Specifically, the UCPA will apply to any “controller” or “processor” that: (i) conducts business in Utah or produces products or services that are targeted to Utah residents, (ii) has annual revenue of at least US$25m, and (iii) either (a) controls or processes the personal data of at least 100,000 Utah residents in a year or (b) derives over 50% of its gross revenue from the “sale” of personal data and controls or processes the personal data of at least 25,000 Utah residents.
  • Exemptions: The UCPA will exempt personal data that is already subject to other laws like HIPAA, Gramm-Leach-Bliley, or FERPA, in line with other state laws.
Utah’s new law may be more business-friendly

On the other hand, the UCPA has certain features that make it more business-friendly than laws in California, Virginia, and Colorado, at least on paper. For instance:

  • The UCPA will not provide Utah residents with the ability to correct or update their personal data, unlike the CPRA, VCDPA, and CPA.
  • The UCPA will not require businesses to offer an appeal right if the business declines to take action on a request, unlike the CPRA, VCDPA, and CPA.
  • Unlike the Virginia and Colorado laws, the UCPA will not require prior opt-in consent to process “sensitive data” (defined to include racial or ethnic origin, religious beliefs, sexual orientation, citizenship or immigration status, medical or health information, genetic or biometric data, or geolocation data); rather, the UCPA only requires a clear notice and ability to opt-out of the processing of sensitive data, which is closer to the limited opt-out right under the CPRA.
  • Also unlike the CPRA, VCDPA, and CPA, the UCPA will not provide opt-out rights or additional disclosure requirements in relation to automated decision-making or profiling.
Exemptions: Employment data and B2B data

The UCPA will not apply to personal data collected in the employment context or the B2B / commercial context. This is in line with Virginia and Colorado. Meanwhile, the applicability of California law to employment-related personal data and B2B data is still pending the outcome of proposed legislation currently in the State Assembly.

Under the CPRA, the CCPA’s exemptions for employment data and B2B data are scheduled to sunset after December 31, 2022. Two bills have been offered to extend that sunset for three more years or make the employee and B2B exemptions permanent.

No private right of action and cyber safe harbor

Enforcement is another area of the UCPA that businesses are likely to welcome. The UCPA will not have a private right of action.

Instead, it will only be enforceable by the state’s attorney general. Moreover, the UCPA will provide businesses with a 30-day right to cure alleged non-compliance before the attorney general may pursue enforcement actions, including fines of US$7,500 per violation or actual damages to consumers.

The UCPA’s obligation to maintain appropriate data security practices to protect personal data and reduce risks of harm to the consumer interplays with and complements Utah’s Cybersecurity Affirmative Defense Act, signed into law in March 2021, which provides an affirmative defense to claims arising out of a security breach to businesses with a written cybersecurity program.

Take-aways to deal with these new state privacy laws

The UCPA continues a trend of U.S. state governments enacting comprehensive privacy laws in the absence of a single federal law. This dynamic is unlikely to change any time soon, and it is likely that more states will follow Utah, Colorado, Virginia, and California – sooner rather than later.

Though no two state laws are the same, it is possible to craft a U.S. privacy compliance program in a streamlined manner that is principles-based and will be adaptable if (or more likely, when) more states follow suit. In order to prepare for 2023 and beyond, businesses should:

  • Conduct a privacy compliance assessment, mapping the privacy controls to the requirements in the different state laws and to a principles-based privacy framework.
  • Review (or undertake) data mapping exercises, being sure to reflect applicable data handling practices that capture the key definitions under these new laws (e.g., sensitive data), categories of personal data, sources of data, use cases, and recipients of data.
  • Ensure personal data is protected by physical, technical, and administrative safeguards appropriate to the nature of the data and the potential risks and prepare a written cybersecurity program.
  • Review and update privacy notices now and implement a process for annual reviews thereafter. As part of the privacy notices and data mapping, businesses should put in place a data retention schedule that is compliant with state privacy laws.
  • Assess the effectiveness of existing processes for receiving, verifying, and responding to consumer requests made pursuant to state privacy laws.
  • Review and update template agreements (such as data processing agreements with vendors that will process personal data) and ensure that vendor questionnaires adequately assess the security standards of vendors.
  • Assess whether any activities of the business constitute “sales” or “targeted advertising” and ensure that there are easy-to-use opt-out mechanisms where applicable.