USA: UCPA compared with CPA, CDPA, and CPRA
Coming in fourth place in the race to enact a comprehensive consumer privacy law, the Utah Consumer Privacy Act ('UCPA') passed through the Utah Senate and House unanimously on 25 February and 2 March 2022 respectively. Three weeks later, on 24 March, Utah Governor Spencer Cox signed Senate Bill ('SB') 227, making it the fourth comprehensive State consumer privacy law in the US.
With an effective date of 31 December 2023, the UCPA joins the Colorado Privacy Act ('CPA'), the Virginia Consumer Data Protection Act ('CDPA'), and the California Privacy Rights Act of 2020 ('CPRA'), which all go into effect in 2023, as well as the California Consumer Privacy Act of 2018 ('CCPA'), which is already in effect. Of course, in the spirit of US privacy law's rapid development, even at the publication of this Insight article, a fifth State consumer privacy law has just been signed in Connecticut, with similarities and small differences to its four predecessors. Samantha Ettari, Gabriella Gallego, Naa Kai Koppoe, Ellen Choi, and Charlotte Kress, from Perkins Coie, compare the content of the UCPA to the three other States where comprehensive State privacy laws have been passed.
UCPA background and key terms: Who does the UCPA impact?
The UCPA adopts the 'controller' and 'processor' approach used in the General Data Protection Regulation (Regulation (EU) 2016/679) ('GDPR'), the CPA, and the CDPA. A controller is a person who does business in Utah and determines the purposes and means of processing personal data. A processor is a person who processes personal data on a controller's behalf. A third party is a person other than the consumer, controller, or processor, or an affiliate or contractor of the controller or the processor.
What's the material and territorial scope of application of the law?
The UCPA applies to businesses that conduct business in Utah, or produce a product or service targeted to Utah residents, and have an annual revenue of $25 million or more. Such businesses must also satisfy at least one of the following: control or process the personal data of 100,000 or more consumers; or derive over 50% of gross revenue from the sale of personal data and control or process the personal data of 25,000 or more consumers.
Notably, the UCPA differs from all of the existing omnibus State privacy laws by requiring businesses to meet a monetary threshold in addition to at least one other threshold. In contrast, the applicability threshold of the CCPA and CPRA is satisfied by having $25 million in revenue alone.
| Threshold | UCPA | CPA | CDPA | CPRA/CCPA |
| --- | --- | --- | --- | --- |
| Conduct business in the State | ✓ | ✓ | ✓ | ✓ |
| Produce or deliver a product or service targeted to State's residents | ✓ | ✓ | ✓ | |
| Annual revenue of at least $25 million | ✓ | | | |
| Annual revenue over $25 million | | | | ✓ |
| Control or process the personal data of at least 50,000 residents | | | | ✓ |
| Control or process the personal data of at least 100,000 residents | ✓ | ✓ | ✓ | ✓ |
| Derive over 50% of gross revenue from the sale of personal data and control or process personal data of at least 25,000 residents | ✓ | ✓* | ✓ | |
| Derive 50 percent or more of annual revenues from selling consumers' personal data | | | | ✓ |
* Colorado does not set a threshold amount for the revenue derived, and also includes controllers that receive a discount on the price of goods or services from the sale of personal data. Virginia likewise does not set a threshold amount for revenue derived.
How is a data 'sale' defined?
Under Utah's law, a sale is defined as the exchange of personal data by a controller to a third party for monetary consideration. The UCPA narrows the activities that may be considered sales by excluding disclosures of personal data where the purpose of the disclosure is consistent with a consumer's 'reasonable expectations', which is a much broader carve-out than any found in existing omnibus State privacy law.
While there is some consistency in nomenclature across the four laws, they are not identical.
| Defined terms | UCPA | CPA | CDPA | CPRA/CCPA |
| --- | --- | --- | --- | --- |
| Controllers and processors | ✓ | ✓ | ✓ | |
| Businesses and service providers | | | | ✓ |
| Third party | ✓ | ✓ | ✓ | ✓ |
| Contractor | | | | ✓ |
| Sale | ✓ | ✓ | ✓ | ✓ |
| Share | | | | ✓ |
Which businesses are exempt from the respective privacy law?
Known as the 'business-friendly' privacy statute, it's no surprise that there are many entity and data exemptions to the UCPA's applicability. As detailed below, the UCPA mostly aligns with its predecessors and does not apply to, among others, governmental entities or third parties under contract with a governmental entity acting on their behalf, higher education institutions, tribes, or non-profit organisations.
The law also does not apply to protected health information under the Health Insurance Portability and Accountability Act of 1996 ('HIPAA'), or to information subject to the Fair Credit Reporting Act of 1970 ('FCRA'), the Gramm-Leach-Bliley Act of 1999 ('GLBA'), or the federal Family Educational Rights and Privacy Act of 1974 ('FERPA'). Additionally, the UCPA does not include within its scope data that is processed or maintained in the course of employment (or an agent or independent contractor relationship), or personal data within the business-to-business context. Finally, the UCPA also excludes de-identified and publicly available information from the definition of personal data, as well as aggregated data. 'Aggregated data' is broadly defined as information that relates to a group or category of consumers, from which individual consumer identities have been removed, and that is not linked or reasonably linkable to any consumer.
| Exemption | UCPA | CPA | CDPA | CPRA/CCPA |
| --- | --- | --- | --- | --- |
| Non-profit organisations | ✓ | ✓ | ✓ | |
| Institutions of higher education and/or information subject to FERPA | ✓ | ✓ | ✓ | ✓ |
| Information and/or entities subject to HIPAA and covered entities/business associates | ✓ | ✓ | ✓ | ✓ |
| Information and/or institutions subject to GLBA | ✓ | ✓ | ✓ | ✓ |
| Personal information within scope of employment | ✓ | ✓ | ✓ | ✓ |
| Personal information in the commercial (business-to-business) context | ✓ | ✓ | ✓ | ✓ |
| Aggregated data | ✓ | | | ✓ |
What rights are granted to consumers?
The UCPA protects 'consumers' (defined as individuals residing in the State who are acting in an individual or household context, not in an employment or commercial context) and provides them with the right to access the personal data a controller processes about them, the right to delete the data they provide to controllers, the right to 'port' a copy of the data a controller processes about them, and the right to opt out of the 'sale' (defined as the exchange by a controller to a third party for monetary consideration) of personal data or processing of personal data for targeted advertising.
The parents or legal guardians of consumers who are children (defined as individuals under 13 years old) may exercise consumer rights on behalf of the child. Consumers are also given special rights with respect to their 'sensitive data', which includes children's data in addition to an individual's racial or ethnic origin, religious beliefs, sexual orientation, and citizenship or immigration status, among others. Finally, unlike the CDPA and CPA, which require opt-in consent, the UCPA prohibits controllers from processing 'sensitive data' without first presenting the consumer with clear notice and an opportunity to opt out of the processing, as is the case under the CPRA.
As with the existing State consumer privacy laws, the UCPA also affords consumers various rights.
| Consumer right | UCPA | CPA | CDPA | CPRA/CCPA |
| --- | --- | --- | --- | --- |
| Access | ✓ | ✓ | ✓ | ✓ |
| Delete | ✓ | ✓ | ✓ | ✓ |
| Correct inaccurate information | | ✓ | ✓ | ✓ |
| Data portability | ✓ | ✓ | ✓ | ✓ |
| Know | ✓ | ✓ | ✓ | |
| Opt-out of sale | ✓ | ✓ | ✓ | ✓ |
| Opt-out of sharing | | | | ✓ |
| Non-discrimination | ✓ | ✓ | ✓ | ✓ |
| Opt-in for processing of sensitive information | | ✓ | ✓ | |
| Opt-out for processing of sensitive information | ✓ | | | ✓ |
What obligations are imposed on controllers by the respective laws?
The UCPA is more business-friendly than existing comprehensive State privacy laws in that it generally imposes fewer obligations on controllers. Unlike some other State privacy laws, the UCPA does not contemplate data minimisation principles, Data Protection Impact Assessments ('DPIAs'), or affirmative consent requirements for certain types of processing.
At a high level, controllers under the UCPA must respond to consumer rights requests, set forth certain processing instructions in contracts with data processors (who must, in turn, impose the same on sub-processors), safeguard consumers' personal data using reasonable administrative, technical, and physical controls, and must not discriminate against consumers for exercising their rights. Controllers must also post a privacy notice that contains disclosures about their personal data practices similar to those required under existing omnibus State privacy laws.
The table below identifies key obligations that are imposed on controllers under existing State privacy laws. Importantly, the precise requirements of each obligation vary across the laws. Thus, for a complete understanding of controller obligations, companies should consult the text of the applicable laws.
| Controller obligations | UCPA | CPA | CDPA | CPRA/CCPA |
| --- | --- | --- | --- | --- |
| Purpose specification | ✓ | ✓ | ✓ | ✓ |
| Requirement to honour universal opt-out signals | recommended, but not legally required | ✓ | recommended, but not legally required | ✓ |
| Transparency | ✓ | ✓ | ✓ | ✓ |
| Data minimisation | recommended, but not legally required | ✓ | ✓ | ✓ |
| Consent to process children's personal data | ✓ | ✓ | ✓ | ✓ |
| Data security | ✓ | ✓ | ✓ | ✓ |
| Non-discrimination | ✓ | ✓ | ✓ | ✓ |
| Timing for consumer request responses | 45 days | 45 days | 45 days | 45 days |
| Commercial contract provisions | ✓ | ✓ | ✓ | ✓ |
| Data processing assessments | | ✓ | ✓ | ✓ |
What must be included in a privacy policy?
As with existing State privacy laws, controllers subject to the UCPA must post a privacy notice containing disclosures about their personal data practices. Although the precise details to be disclosed vary, companies must generally provide information about certain key concepts, such as:
- the categories of personal data collected;
- the purpose(s) of collection;
- whether personal data will be shared; and
- applicable consumer rights.
Note, however, that the substance of such notices varies with the precise obligations and specifications of each law. Thus, while we synthesise certain overarching concepts to include, companies should refer to the text of each law for a complete understanding of their legal obligations. Moreover, in addition to requiring certain disclosures in general consumer-facing privacy notices, some of these laws may also require companies to adopt additional notices, such as an employee-facing privacy policy, opt-out notices, or the like.
| Privacy policy disclosures | UCPA | CPA | CDPA | CPRA/CCPA |
| --- | --- | --- | --- | --- |
| Personal data processing | | | | |
| Collection of personal data and categories thereof | ✓ | ✓ | ✓ | ✓ |
| Purpose(s) of processing | ✓ | ✓ | ✓ | ✓ |
| Disclosure of personal data to third parties, if any, and categories thereof | ✓ | ✓ | ✓ | ✓ |
| Whether controller 'sells' personal data and to whom | ✓ | ✓ | ✓ | ✓ |
| Whether controller engages in 'targeted advertising' or 'shares' personal information for cross-context behavioural advertising purposes | ✓ | ✓ | ✓ | ✓ |
| Use of automated decision-making or profiling | | ✓ | ✓ | ✓ |
| Data retention period | | | | ✓ |
| Consumer rights and choices | | | | |
| Consumer rights and choices available | ✓ | ✓ | ✓ | ✓ |
| Instructions for exercising consumer rights | ✓ | ✓ | ✓ | ✓ |
| How a consumer may appeal a controller's action | N/A | ✓ | ✓ | N/A |
| Other | | | | |
| Controller's contact information | recommended, but not legally required | ✓ | recommended, but not legally required | ✓ |
What is sensitive data under the UCPA?
'Sensitive data' under the UCPA includes personal data that reveals an individual's racial or ethnic origin, religious beliefs, sexual orientation, or citizenship or immigration status; information regarding an individual's medical history, mental or physical health condition, or medical treatment or diagnosis by a healthcare professional; genetic personal data or biometric data, if the processing of such data is for the purpose of identifying a specific individual; and specific geolocation data. Notably, sensitive data under the UCPA does not include information that reveals racial or ethnic origin when processed by a video communication service, or by certain healthcare workers: carve-outs that are unique to the UCPA and further narrow the scope of the law.
Like other existing comprehensive State privacy laws, the UCPA imposes additional obligations upon controllers that process 'sensitive data'. Like the CPRA, the UCPA requires controllers to present consumers with clear notice and an opportunity to opt-out of the processing of their sensitive data. In contrast, the CPA and CDPA require opt-in consent.
How are the respective laws enforced?
The Utah Attorney General ('AG') holds exclusive authority to enforce the UCPA. Controllers and processors are entitled to written notice of an alleged violation and a 30-day opportunity to cure it. This cure period does not sunset; by contrast, the CPA's 60-day cure period sunsets in January 2025, and the CPRA eliminates the mandatory cure period for enforcement actions brought by the California AG that existed under the CCPA.
The Utah AG may bring an action for uncured violations and recover actual damages to the consumer and $7,500 per violation in civil penalties. There is no private right of action, and the law expressly pre-empts any local laws or regulations that also govern the processing of personal data.
| Enforcement | UCPA | CPA | CDPA | CPRA/CCPA |
| --- | --- | --- | --- | --- |
| Enforced by AG | ✓ | ✓ | ✓ | ✓ |
| Enforced by district attorney | | ✓ | | |
| Private right of action | | | | ✓ |
| Right to cure | ✓ | ✓ | ✓ | X |
| Penalty per violation | ✓ | ✓ | ✓ | ✓ |
Conclusion
Businesses that operate in these States should stay tuned for additional guidance in the form of regulations or publications from the applicable regulatory bodies or enforcement agencies. And, of course, businesses should continue to monitor the privacy landscape for future laws.
Samantha Ettari, Senior Counsel
Gabriella Gallego, Associate
Naa Kai Koppoe, Associate
Ellen Choi, Associate
Charlotte Kress, Associate
Perkins Coie, Dallas