Utah Becomes the 4th US State to Enact a Comprehensive Data Protection Law
6 March 2022
Utah’s legislators have recently enacted a new and comprehensive privacy act – the Utah Consumer Privacy Act (“UCPA”). Utah is now the fourth state to enact a state privacy law in the absence of a comprehensive federal privacy law, following California, Virginia and Colorado.
The law is materially similar to the abovementioned laws, and in particular to Virginia’s recently enacted law (which we have previously reported on). However, it is not identical to other state laws or similar advanced privacy laws, and although it is generally narrower than them in certain aspects, it would require certain adjustments to compliance efforts.
The new law would apply to all entities that conduct business in Utah, or produce a product or service that targets Utah’s residents, and meet the following thresholds:
- An annual gross revenue of over $25 million; and
- Either the entity (1) controls or processes personal data of over 100,000 Utah residents; or (2) derives over 50% of its gross revenue from the “sale” of personal data and controls or processes personal data of at least 25,000 Utah residents.
Similar to the other state privacy laws, the UCPA contains exceptions for certain data categories and entities, such as those that are regulated under sectoral federal laws (e.g. the Health Insurance Portability and Accountability Act and the Gramm-Leach-Bliley Act). In addition, the UCPA excludes employment data and business-to-business contact information from its scope, following similar exclusions (some are permanent while others are only applicable in the transition period) in other state privacy laws.
Below are some of the key highlights of the UCPA:
- Consumer rights: the UCPA provides consumers with rights in connection with their data, including the rights of access, deletion and portability. However, the UCPA does not provide consumers with the right to correct their personal data. In addition, the aforementioned rights are not absolute, and are limited by certain exceptions, such as for requests that are unreasonably burdensome, and for circumstances where the data is required for fraud detection or compliance with the businesses’ legal obligations.
- Opt out: the UCPA also allows consumers to opt out of certain uses of their personal data, including targeted advertising and “sale” of personal data. However, the UCPA does not allow consumers to opt out of automated profiling. “Sale” is narrowly defined in the UCPA as “exchange of personal data for monetary consideration”, and disclosures of personal data to third parties would be excluded, to the extent that such disclosures are consistent with the consumers’ reasonable expectations.
- Sensitive data: as opposed to privacy laws that require affirmative consent for collection and processing of sensitive data, the UCPA requires businesses to provide consumers with a notice and an opportunity to opt-out of the use of sensitive data (which includes, inter alia, health, biometric and geolocation data).
- Enforcement: The UCPA does not create a private right of action. The law will be exclusively enforced by Utah’s Attorney General, who is required to provide businesses with a 30-day cure period for any alleged violation (except for subsequent violations by the same business). Violations of the UCPA could lead to fines of up to $7,500 per violation. Consumers’ complaints will be referred to the Attorney General through the Division of Consumer Protection in the Utah Department of Commerce, if the Division deems the complaint legitimate.
The UCPA is still subject to the signature of Utah’s Governor; however, approval without any changes is expected, as the law was approved by both the state’s House of Representatives and the Senate. The law is expected to enter into force on 31 December 2023.
The UCPA presents an important regulatory development for entities that conduct business in the United States in connection with personal data of Utah residents. Relevant businesses should examine their data flows and assess the UCPA’s applicability to them.
Feel free to contact us if you have any questions regarding the new law and its potential effects on your company’s compliance efforts.
Ariel Yosefi, Partner
Head of Technology & eCommerce Regulation