Utah Becomes Fourth State to Enact Comprehensive Data Privacy Legislation

Apr 19, 2022 Published Article

Utah recently joined California, Colorado, and Virginia as the fourth state to enact comprehensive data privacy legislation.  On March 24, 2022, Utah Governor Spencer Cox signed the Utah Consumer Privacy Act (“UCPA”) into law, which is set to go into effect on December 31, 2023.  The UCPA builds off existing and forthcoming privacy legislation but reduces some of the more burdensome compliance obligations seen in California, whose privacy laws are much more consumer-oriented.  Utah’s business-friendly approach should make compliance efforts less time-consuming and expensive and will likely provide a more streamlined model for state privacy legislation in other states.

Scope

Utah’s new law applies to Utah businesses that have an annual revenue of at least $25 million and either (i) process or control personal data of 100,000 or more Utah consumers per year or (ii) process or control personal data of 25,000 or more Utah consumers and derive over 50% of the business’s gross revenue from the sale of personal data.

The UCPA contains broad exemptions for entities regulated under certain federal laws and does not provide consumers with the ability to opt out of processing using a global privacy control.  Like other data privacy laws, the UCPA provides new rights for consumers and new obligations for companies that collect or process consumer data.  Importantly, the law defines consumers as residents of Utah acting in an individual or household context.  The UCPA specifically does not require businesses to conduct and document data protection assessments about their data-processing practices, which makes the law much easier for businesses to follow.

Consumer Rights and Company Obligations

The UCPA provides Utah consumers the following rights:

  • The right to confirm whether a company is processing their personal data.
  • The right to access the personal data.
  • The right to delete their personal data.
  • The right to obtain a copy of their personal data in a format that is portable, readily usable, and easily transferable.
  • The right to opt out of targeted advertising or sale of personal data.

The UCPA adopts Virginia’s narrower definition of “sale,” which is limited to the exchange of personal data for monetary consideration by a controller to a third party, but unlike California (pursuant to the forthcoming California Privacy Rights Act), the UCPA does not provide consumers with the right to correct their personal data.

As compared to other states’ laws, namely those of California, the UCPA is arguably the least commercially restrictive, containing fewer consumer rights to control uses of their personal and sensitive data and less onerous compliance requirements for businesses that collect and process such data.  Unlike the other states’ laws, the UCPA does not require businesses to conduct and document data protection assessments about their data-processing practices prior to engaging in data processing activities that present a heightened risk of harm to consumers, or to conduct cybersecurity audits or risk assessments.  In addition, the UCPA does not require businesses to set up a mechanism for consumers to appeal a business’s decision regarding the consumer’s request to exercise any of their personal data rights.

The UCPA makes it easier to charge a fee when responding to consumer requests to exercise their personal data rights.  For example, Virginia data privacy laws allow businesses to charge a fee when responding to excessive or repetitive consumer requests, and in Colorado, businesses may charge a fee only if a second request is made in a 12-month period.  Utah, however, allows businesses to charge a fee under the same circumstances as well as when the business “reasonably believes the primary purpose in submitting the request was something other than exercising a right” or when the request is harassing, disruptive, or poses an undue burden on the controller.

Sensitive Personal Data

Like other data privacy laws, the UCPA explicitly creates additional protections surrounding “sensitive data.”  The law sets forth specific requirements for companies that want to collect sensitive data such as information about an individual’s race or ethnic origin, religious beliefs, sexual orientation, citizenship or immigration status, medical information or treatment information, genetic or biometric data, or specific geolocation data.

The UCPA provides a more relaxed consent requirement.  Companies that want to collect this type of data must provide consumers with a clear notice that they can opt out of sharing this type of information, whereas in Colorado and Virginia, companies may not process sensitive personal data unless consumers opt in.

Enforcement

Consistent with the state laws in Virginia and Colorado, the UCPA continues the data privacy trend of explicitly disavowing a private right of action, a clear departure from California legislation offering consumers a limited private right of action.  Instead, the UCPA undertakes a bifurcated approach to enforcement; investigatory powers are vested in the Division of Consumer Protection, and enforcement powers are exclusively vested in Utah’s Attorney General.  The UCPA does not, however, provide the Attorney General with rulemaking authority to provide further clarity to covered businesses about their privacy-related compliance obligations.

Conclusion

In the absence of a new comprehensive consumer privacy law on the federal level, states are moving rapidly to join California, Colorado, Virginia, and Utah in passing and implementing comprehensive privacy legislation.  Today, almost every business relies on consumer data in some way, and given how quickly the UCPA was passed in 2022, it is likely that other states will be quick to follow suit.

The enactment of state privacy laws has already ushered in notable regulatory changes affecting how companies collect and manage data, making compliance efforts even more complex.  As other states join the movement toward greater personal data protection, multistate businesses must engage in comprehensive compliance programs to navigate the challenges resulting from varying state standards.

Newmeyer Dillion will continue to provide insights and updates on the rapidly changing privacy landscape.  For more information, please contact our data privacy team at 949-854-7000.