Utah Consumer Privacy Act
If Governor Spencer Cox signs the Utah Consumer Privacy Act (UCPA) into law by the March 24, 2022, deadline, Utah will join a handful of other states that have enacted stringent consumer data protection laws. The law will take effect December 31, 2023, and make Utah the fourth state with a comprehensive consumer privacy law, following on the heels of California, Colorado and Virginia. Like these other privacy laws, the UCPA provides consumers with broad protection and rights concerning the collection, use, processing, sharing and sale of their personal information. Businesses that fail to comply with the UCPA may be subject to significant fines and penalties.
The UCPA applies to controllers or processors that (1) do business in Utah or produce a product or service targeted to consumers who are Utah residents, (2) have annual revenue of $25 million or more, and (3) either (a) control or process personal data of 100,000 or more consumers during a calendar year or (b) derive over 50 percent of the entity’s gross revenue from the sale of personal data and control or process the personal data of 25,000 or more consumers.
The law includes broad exemptions for (1) entities regulated under certain federal laws, (2) covered entities and business associates under the Health Insurance Portability and Accountability Act (HIPAA), (3) information governed by HIPAA, (4) financial institutions and information governed by the Gramm-Leach-Bliley Act (GLBA), and (5) student information regulated by the Family Educational Rights and Privacy Act (FERPA).
Key Definitions under UCPA
A “controller” is defined as a person doing business in the state who determines the purposes and means by which personal data is processed, regardless of whether the person makes the determination alone or with others. A “processor” is defined as a person who processes personal data on behalf of a controller.
"Personal data" means information that is linked or reasonably linkable to an identified individual or an identifiable individual. It does not include deidentified data, aggregated data or publicly available information.
"Sensitive data" means personal data that reveals an individual's racial or ethnic origin, religious beliefs, sexual orientation, citizenship or immigration status, or information regarding an individual's medical history, mental or physical health condition, or medical treatment or diagnosis by a health care professional. It also includes genetic personal data or biometric data, if the data is processed for the purpose of identifying a specific individual, and specific geolocation data.
Consumer Data Protection Rights
Consumers will have the right to (1) confirm whether a controller is processing the consumer's personal data, (2) access the consumer’s personal data and (3) delete the personal data that was provided to the controller. Consumers also will have the right to obtain a copy of the personal data that the consumer previously provided in a format that, to the extent technically feasible, is portable, readily usable and allows the consumer to transmit the data to another controller without impediment, where the processing is carried out by automated means. In addition, a consumer has the right to opt out of the processing of the consumer's personal data for purposes of targeted advertising or the sale of personal data.
A consumer may exercise any of these rights by submitting a request to a controller, by means prescribed by the controller, that specifies the right the consumer intends to exercise. In the case of processing personal data concerning a known child, the child's parent or legal guardian shall exercise a right on the child's behalf. In the case of processing personal data concerning a consumer subject to legal guardianship, conservatorship or other protective arrangement, the person holding that authority over the consumer can exercise a right on the consumer's behalf.
Responsibilities of Data Controllers
A controller must comply with a consumer's request to exercise any right under the UCPA within 45 days of receiving the request, and inform the consumer of any action taken on the consumer's request. If a controller does not take action within the 45 days, it must inform the consumer as to why action was not taken. The initial 45-day period may be extended only by an additional 45 days if reasonably necessary due to the complexity of the request or the volume of the requests received. If a controller needs to extend the initial 45-day period, it must inform the consumer of the length of the extension and provide the reasons for it. The 45-day period does not apply if the controller reasonably suspects the consumer's request is fraudulent and the controller is not able to authenticate the request, in which case the controller does not have to comply with the request and may request that the consumer provide additional information for verification.
A controller may not charge a fee for information in response to a request, unless the request is the consumer's second or subsequent request within 12 months. A controller can refuse to act on a request or charge a fee to cover the administrative costs of complying with a request only if one of the following applies:
The request is excessive, repetitive, technically infeasible or manifestly unfounded
The controller reasonably believes the primary purpose in submitting the request was something other than exercising a right
The request, individually or as part of an organized effort, harasses, disrupts or imposes undue burden on the resources of the controller's business.
Importantly, a controller must provide consumers with a reasonably accessible and clear privacy notice that includes:
The categories of personal data processed by the controller
The purposes for which the categories of personal data are processed
The ways in which consumers may exercise a right
The categories of personal data that the controller shares with third parties, if any
The categories of third parties, if any, with whom the controller shares personal data.
If a controller sells a consumer's personal data to one or more third parties or engages in targeted advertising, it also must clearly and conspicuously disclose to the consumer the manner in which the consumer may exercise the right to opt out of the sale of the consumer's personal data or processing for targeted advertising.
Controllers also must establish, implement and maintain reasonable administrative, technical and physical data security practices designed to protect the confidentiality and integrity of personal data and reduce reasonably foreseeable risks of harm to consumers relating to the processing of personal data. Controllers must implement data security practices that are appropriate for the amount and type of personal data they handle.
Except as otherwise provided by UCPA, a controller may not process sensitive data collected from a consumer without first presenting the consumer with clear notice and an opportunity to opt out of the processing. The processing of personal data concerning a known child must be done in accordance with the federal Children's Online Privacy Protection Act, 15 U.S.C. section 6501 et seq., and the act's implementing regulations and exemptions.
A controller may not discriminate against a consumer for exercising a right by denying a good or service to the consumer, charging a different price or rate for a good or service or providing the consumer a different level of quality of a good or service.
A processor must adhere to the controller's instructions and assist the controller in meeting the controller's obligations to the extent practically reasonable, including obligations related to the security of processing personal data and notification of a breach of a security system as defined by Utah’s Protection of Personal Information Act. Before a processor begins processing personal data on behalf of a controller, the processor and controller shall enter into a contract that:
Clearly sets forth instructions for processing personal data, the nature and purpose of the processing, the type of data subject to processing, the duration of the processing, and the parties' rights and obligations
Requires the processor to ensure each person processing personal data is subject to a duty of confidentiality with respect to the personal data
Requires the processor to engage any subcontractor pursuant to a written contract that requires the subcontractor to meet the same obligations as the processor with respect to the personal data.
If a business fails to comply, UCPA allows the Division of Consumer Protection to accept and investigate consumer complaints regarding the processing of personal data, and authorizes the Office of the Attorney General to take enforcement action, impose penalties and make technical changes. The enforcement action can recover actual damages to the consumer in an amount not to exceed $7,500 for each violation.
The Attorney General cannot initiate an enforcement action if the controller or processor cures the noticed violation within 30 days after the day on which the controller or processor receives the written notice and provides the attorney general an express written statement that the violation has been cured and no further violation of the cured violation will occur. If more than one controller or processor involved in the same processing is found to be in violation of the UCPA, the liability for the violation shall be allocated among the controllers or processors according to the principles of comparative fault.
It is important to note UCPA does not include a private right of action for consumers.
To avoid potential regulatory enforcement actions and the imposition of fines and penalties, organizations should revisit their consumer data collection policies and procedures to ensure compliance with the UCPA and other newly enacted state privacy laws, including:
The nature of consumer data collected
The purpose of collecting consumer data
Where consumer data is stored
How long consumer data is stored
How consumer data is protected from compromise, including unauthorized access
Third parties that receive consumer data for the purpose of processing this information
Contracts in place with such third parties regarding the processing of consumer data
Disclosures to consumers regarding the collection, use, sharing and sale of their data
Methods by which consumers can request information concerning their data
Procedures in place to respond to consumer requests.