Utah is set to join California, Colorado, and Virginia as it moves towards the adoption of a comprehensive data privacy law. The Utah Consumer Privacy Act (UCPA) passed unanimously in the Utah Senate on February 25 and the Utah House of Representatives on March 2. The bill is now with Governor Spencer Cox, who has until March 24 to sign the bill, take no action (which allows it to become law automatically), or veto the bill.
The UCPA, while similar to the other three states’ laws, is less onerous. Utah lawmakers acknowledge that it reflects a compromise, providing consumer privacy protections while being less burdensome than comparable privacy statutes. It provides the key privacy elements, including a focus on transparency and safeguards, and rights for individuals to opt out of the sale of their data, without providing a private cause of action. One unique feature of the UCPA is that it allows the Utah Attorney General an opportunity to propose changes to the Act through an enforcement assessment, which is expected to be conducted approximately one year into the UCPA’s implementation.
The UCPA applies to companies conducting business in Utah or targeting Utah consumers with their products and services:
- If they have $25 million or more in annual revenue worldwide, and
- If they control or process the personal data of 100,000 or more Utah consumers in a year or they derive at least 50% of their revenue from selling the data of more than 25,000 Utah consumers.
The UCPA will not apply to: 1) government entities and government contractors; 2) Native American tribes; 3) higher education institutions; 4) non-profits; and 5) entities regulated under the Health Insurance Portability and Accountability Act (HIPAA) or the Gramm-Leach-Bliley Act (GLBA). It will also not apply to credit reporting activities regulated under the Fair Credit Reporting Act (FCRA), or data regulated under the Driver’s Privacy Protection Act of 1994, the Family Educational Rights and Privacy Act, or the Farm Credit Act of 1971.
“Personal data” is broadly defined under the UCPA as “information that is linked or reasonably linkable to an identified individual or an identifiable individual.” However, the UCPA does not apply to most employee data. It also does not apply to deidentified or aggregated data, or data widely available publicly.
Consumer rights under the UCPA
Under the UCPA, Utah residents have rights with respect to their personal data processed by a covered business, including a right to:
- Know what the business is processing,
- Access the data,
- Request that their data be deleted,
- Obtain copies of their data in a portable format, and
- Opt out of the sale or sharing of personal data or the processing of personal data for targeted advertising.
Residents will not be charged for one request each year. Businesses may be able to charge a fee for additional requests or requests that are considered excessive or made in bad faith.
Under the UCPA, these individual rights may not restrict a company’s ability to comply with law or a legal process; provide a product or service requested by the individual; perform a contract with the individual; repair technical errors; protect security; or conduct internal analytics or research.
Covered businesses will need to:
- Implement safeguards around personal data,
- Enter data processing agreements with vendors and service providers, and
- Provide notice and an opportunity to opt out when they process a resident’s sensitive data, which includes data that reveals a person’s racial or ethnic origin, religious beliefs, sexual orientation, citizenship or immigration status, medical history, genetic or biometric information, or specific geolocation.
Request and cure period
Under the UCPA, covered businesses have 45 days to respond to a valid consumer request, but may have a 45-day extension if reasonably necessary. Covered businesses may deny a request if they cannot authenticate it or if the personal data is pseudonymized.
There is no private cause of action under the UCPA. A claim of violations will go to the Utah Department of Commerce Division of Consumer Protection for investigation; if deemed legitimate, the claim will then go to the Attorney General to either concur with or reject the claim. If the Attorney General does find it is a worthy claim, the company would still have the 30-day period to cure the violation.
Thus, we expect that there will likely not be many enforcement actions under the UCPA. However, the Attorney General does have the authority to seek civil penalties, including actual damages plus a fine not exceeding $7,500 per violation of the UCPA.
When will the UCPA become effective?
If adopted, the UCPA would be effective on December 31, 2023.
ABOUT BAKER BOTTS L.L.P.
Baker Botts is an international law firm whose lawyers practice throughout a network of offices around the globe. Based on our experience and knowledge of our clients' industries, we are recognized as a leading firm in the energy, technology and life sciences sectors. Since 1840, we have provided creative and effective legal solutions for our clients while demonstrating an unrelenting commitment to excellence. For more information, please visit bakerbotts.com.