By Weiss Hamid
Continuing the growing trend, Utah has become the fourth state to enact a comprehensive state privacy law, entitled the Utah Consumer Privacy Act (“UCPA”).
Utah’s Senate passed the UCPA unanimously on February 25, 2022, and was followed by a unanimous vote by Utah’s House on March 2. On March 22, Governor Spencer Cox signed the UCPA, officially making it the law of the land. Utah therefore has joined California (California Consumer Privacy Act as amended by the California Privacy Rights Act), Virginia (Consumer Data Protection Act) and Colorado (Colorado Privacy Act in passing extensive privacy and data laws. The law will take effect December 31, 2023.
Generally, the UCPA bears a closer similarity to the VCDPA and CPA rather than the CCPA. One key distinction is that the UCPA offers no private right of action. This mirrors the VCDPA and CPA and in contrast to the CCPA which offers a private right of action for data breaches involving specific types of personal information.
Other significant components to the UCPA include:
The UCPA applies only to controllers or processors that (1) do business in the state (or target Utah residents with products or services); (2) earn at least $25 million in revenue; and (3) either: (a) control or process personal data of 100,000 or more consumers (defined as a Utah resident) in a calendar year; or (b) derive more than 50 percent of gross revenue from selling personal data and control or process data of 25,000 or more consumers.
The “and” is a key distinction between the UCPA and the CCPA, whereas the CCPA’s $25 million dollar revenue requirement is an independent basis to determine applicability. Therefore, the UCPA is much more narrow in scope.
The UCPA is also distinct from VCDPA and CPA in that it does not require opt-in consent for sensitive data. Instead, the UCPA requires controllers to “present the consumer with clear notice and an opportunity to opt out” of sensitive data processing.
Consumer Rights Provided
The UCPA offers consumers the ability to access, obtain in a portable manner, and delete personal information they have specifically provided to the controller/processor. This differs from the CPA and CCPA, which requires controllers and processors to provide personal data “concerning” (CPA) or “about” (CCPA) a consumer. Unlike the other three data privacy laws, the UCPA does not provide a right of correction or accuracy.
As indicated above, the UCPA does not provide consumers a private right of action. The Utah Attorney General can recover actual damages for consumers and a penalty of up to $7,500 per violation. Businesses are provided a 30-day notice and right to cure period.
Data Protection Assessment
The UCPA is silent on any requirement for controllers and/or processors to conduct data protection assessments, which differs from the CCPA, CPA, and VCDPA.
Originally published in the Privacy Law Section of the California Lawyers Association. To view the article, click here.