As lawmakers continue to debate the merits of passing comprehensive privacy legislation at the state level, something of a pattern is taking shape in legislative chambers around the country. While the turning of the legislative calendar each year seems to bring the potential for a massive overhaul of the privacy landscape, legislators have achieved only modest reforms to date. That dynamic is perhaps best exemplified by the Washington Privacy Act (WPA), a bill introduced in four consecutive legislative sessions only to fail each time (twice after passing the Senate on nearly unanimous votes). The pattern held again this year: legislatures produced more than 58 comprehensive privacy proposals in 27 states, so far yielding just a single new law (hint: it was not the WPA) and only a handful of still-active proposals as of late March 2022.
That law is the Utah Consumer Privacy Act (UCPA), and it will be exceedingly familiar to anyone who has followed state privacy developments over the last couple of years. UCPA borrows heavily from the Virginia Consumer Data Protection Act (VCDPA), and much like VCDPA, it rocketed through the legislature in no time flat, catching even the most astute privacy observers by surprise. Luckily, save for a few key differences that we highlight below, the similarities to VCDPA will likely spare data controllers and processors any substantial overhaul of their compliance programs.
Applicability
Similar to existing state privacy laws, UCPA applies a multi-part test to determine whether it applies to a business. In particular, the law adopts a framework similar to that of the VCDPA, with an additional revenue threshold layered on top. UCPA applies to any controller or processor that conducts business in the state or produces a product or service targeted to consumers who are residents of the state, has annual revenue of $25 million or more, and either 1) controls or processes personal data of 100,000 or more consumers during a calendar year or 2) derives over 50 percent of gross revenue from the sale of personal data and controls or processes personal data of 25,000 or more consumers. Because all three prongs must be satisfied, a business that processes the data of hundreds of thousands of Utah residents but falls below the revenue threshold is outside the law's scope, and so is a large business that never reaches the consumer-count thresholds.
One crucial area of divergence under UCPA is the definition of sale, which means “the exchange of personal data for monetary consideration by a controller to a third party.” That definition notably omits exchanges of data for “other valuable consideration,” a construct included in Colorado and California to capture non-monetary forms of data transfer. Additionally, UCPA excludes from the definition of sale a controller's disclosure of personal data to a third party “if the purpose is consistent with a consumer’s reasonable expectations,” judged against “the context in which the consumer provided the personal data to the controller.” This provision offers Utah data controllers additional flexibility not currently found in existing state laws, including in Virginia.
Much like other state privacy laws, UCPA exempts many entities and types of data already covered by sectoral privacy laws at the state and federal level. For example, UCPA exempts non-profits, protected health information processed by covered entities and business associates under the Health Insurance Portability and Accountability Act (HIPAA), financial institutions and personal data processed in accordance with the Gramm-Leach-Bliley Act (GLBA), certain data maintained by the state, and certain data maintained by public utilities.
Consumer Rights
In broad strokes, UCPA also approaches consumer rights in much the same way as states with laws already on the books, including rights for consumers to access, delete, and transfer their data, as well as opt-outs for certain types of processing (targeted advertising and sales). However, the right to delete under UCPA is slightly more limited than we’ve seen in other states: on request, a controller must delete only the personal data that the consumer provided to it, rather than any data the controller has collected about the consumer from other sources. Businesses seeking to take advantage of this additional flexibility will need a way to distinguish consumer-provided data from data collected through other means, since a deletion request must be honored for the former and may be declined for the latter only if the records actually reflect that distinction.
Additionally, opt-out rights under UCPA are more limited than under existing laws. For example, unlike Virginia or Colorado, UCPA does not allow consumers to opt out of profiling in furtherance of decisions that produce legal or similarly significant effects concerning a consumer. The definition of targeted advertising also borrows from the narrower VCDPA text rather than Colorado’s law. Under UCPA, targeted advertising means “displaying an advertisement to a consumer where the advertisement is selected based on personal data obtained from the consumer’s activities over time and across nonaffiliated websites or online applications to predict the consumer’s preferences or interests.” In Colorado, targeted advertising can also be based on information a business inferred about a consumer, not only on data obtained directly from the consumer. Finally, unlike the California Privacy Rights Act (CPRA) or the Colorado Privacy Act (CPA), UCPA is silent on covered businesses’ responsibilities to respond to global opt-out signals, such as those sent by a web browser.
Another key differentiator when comparing UCPA to CPA and VCDPA is that UCPA does not require opt-in consent before a business may process sensitive data. While the law defines the term (more narrowly than CPRA, CPA, or VCDPA), consumers who do not want a business to collect this type of information must opt out of the processing, much as they would opt out of a sale.
Enforcement
Enforcement of UCPA largely tracks VCDPA. Though signed into law last week, its provisions will not take effect until December 31, 2023 (about a year after VCDPA and six months after CPRA and CPA), under the exclusive enforcement authority of the Utah Attorney General. Covered businesses will have 30 days after written notice from the Attorney General to cure an alleged violation of the act. If the business fails to cure the violation, the Attorney General may recover actual damages to the consumer plus an amount not to exceed $7,500 for each violation. Recovered funds are deposited into a new Consumer Privacy Account, which the Attorney General may use for investigatory costs, attorney’s fees, and consumer and business education. The law does not include a private right of action, and it expressly preempts local laws regarding the processing of personal data by a controller or processor.
As the state privacy patchwork continues to evolve, the App Association will remain a resource for updates, including any new promising bills or substantive rulemakings. Stay tuned, and in the meantime, follow the App Association and Innovators Network Foundation on Twitter for timely updates and thought leadership on all things privacy.