The number of states enacting comprehensive privacy laws is growing, adding to the existing complex patchwork of privacy, security, and data breach notification laws that keep legal and compliance personnel on their toes. Businesses should start preparing to comply with these laws, many of which become effective in 2023.
This five-part series highlights key provisions in a few of the new comprehensive privacy laws. Each week we will examine laws in a new state – Virginia, Colorado, Utah, Connecticut, and California – and provide recommendations on what steps businesses should consider taking now to comply. This post – the third in our series – explores how the Utah Consumer Privacy Act (UCPA) could impact your business.
Stay tuned every week as we highlight key takeaways from these new laws. We anticipate that this series will continue to grow as states enact or revise consumer privacy laws.
Utah Consumer Privacy Act
On March 24, 2022, Utah Governor Spencer J. Cox signed the UCPA into law, which provides new rights to Utah residents and creates new obligations for businesses. This law will become effective on December 31, 2023.
- Applicability Threshold
The UCPA applies to controllers and processors that conduct business in Utah or produce a product or service targeted to Utah residents, but only if the business has annual revenue of $25 million or more and either: (i) controls or processes the personal data of 100,000 or more consumers during a calendar year or (ii) derives over 50% of its gross revenue from the sale of personal data and controls or processes the personal data of 25,000 or more consumers.
Because the revenue threshold must be met in addition to one of the volume thresholds, the applicability of the UCPA is narrower than that of several other state privacy laws.
The UCPA protects "personal data," defined as "information that is linked or reasonably linkable to an identified or identifiable individual." The UCPA creates some heightened requirements for "sensitive data," which include racial or ethnic origin, religious beliefs, sexual orientation, citizenship or immigration status, and certain health and biometric data, subject to the law's exemptions.
The UCPA includes data-specific and entity-level exemptions. Among the exempt data categories are protected health information governed by the Health Insurance Portability and Accountability Act (HIPAA), data processed in accordance with the Gramm-Leach-Bliley Act (GLBA), and data regulated by the Family Educational Rights and Privacy Act (FERPA).
The UCPA also does not apply to various categories of entities, including nonprofit corporations, higher education institutions, entities subject to HIPAA or GLBA, Indian tribes, governmental entities, and third parties acting under contract with governmental entities on behalf of those governmental entities. The law contains certain exceptions that may be relevant to the health and life science industries, though not all health information is carved out, so these entities should analyze whether they process data that are considered "sensitive data" under the UCPA.
- Summary of Consumer Rights
The UCPA grants new rights to individuals, including the right to:
- know what personal data have been collected;
- know how a business uses their personal data;
- obtain a copy of the personal data a business retains about them, in a portable and, to the extent technically feasible, readily usable format; and
- access, and request deletion of, the personal data they provided to the business.
The UCPA also gives individuals the right to opt out of the processing of their personal data for targeted advertising and the sale of their personal data.
The UCPA also requires that consumers be able to exercise these rights with applicable businesses. Controllers (businesses that determine the purposes and means of processing personal data) must respond to a request within 45 days of receipt. A controller may extend that period by an additional 45 days where reasonably necessary because of the complexity or volume of requests, but only if it informs the consumer of the extension within the initial 45-day period.
- Data Use and Retention
Controllers must establish and maintain reasonable administrative, technical, and physical data security practices, taking into account the size, scope, and type of business as well as the volume and nature of the data collected. The statute names no specific controls, so businesses should be prepared to document why the safeguards they have chosen are reasonable for their size and for the data they hold. The UCPA also requires close attention to vendor due diligence and contracting protocols.
Controllers must execute contracts with processors that include clear instructions for processing personal data. These data processing agreements should address confidentiality requirements and must require the processor to execute written contracts with its subcontractors that impose similar obligations.
Although the UCPA does not require consumers to opt in prior to processing personal data or sensitive data, the UCPA imposes a number of obligations on controllers. Specifically, controllers must provide clear and accessible privacy notices that include the categories of data they process, the purpose of processing data, how consumers may contact the business to exercise a right, and categories of personal data that controllers share with third parties.
Controllers that sell personal data to third parties, or that process personal data for targeted advertising, must clearly and conspicuously disclose how consumers can exercise their right to opt out of the sale of their personal data or of processing for targeted advertising.
Controllers that process sensitive data must also provide consumers with a notice and an opportunity to opt out prior to processing any sensitive data.
- State Enforcement
The UCPA authorizes the Utah Attorney General's Office to take enforcement action after notifying the party allegedly in violation of the UCPA and providing a 30-day cure period within which the noncompliance can be remediated. If the violation is not cured, the Utah Attorney General's Office may seek actual damages on behalf of consumers and civil penalties of up to $7,500 per violation. There is no private right of action under the UCPA.
Businesses that will be subject to the UCPA should review their privacy programs now to confirm that they meet or exceed the new requirements. For example, businesses subject to the UCPA should have policies and procedures in place to receive and track consumer requests regarding personal data. They should consider conducting an inventory of the personal and sensitive data they hold so that consumer requests can be fulfilled within the statutory time periods. Businesses should also review their privacy notices and update vendor contracts to address the UCPA's contracting requirements.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.