
USA: UCPA compared with CPA, CPDA, and CPRA

Coming in fourth place in the race to enact a comprehensive consumer privacy law, the Utah Consumer Privacy Act ('UCPA') passed through the Utah Senate and House unanimously on 25 February and 2 March 2022 respectively. Three weeks later, on 24 March, Utah Governor Spencer Cox signed Senate Bill ('SB') 227, making it the fourth comprehensive State consumer privacy law in the US.

With an effective date of 31 December 2023, the UCPA joins the Colorado Privacy Act ('CPA'), the Virginia Consumer Data Protection Act ('CDPA'), and the California Privacy Rights Act of 2020 ('CPRA'), which all go into effect in 2023, as well as the California Consumer Privacy Act of 2018 ('CCPA'), which is already in effect. Of course, in the spirit of US privacy law's rapid development, even at the publication of this Insight article, a fifth consumer State privacy law has just been signed in Connecticut, with similarities and small differences to its four predecessors. Samantha Ettari, Gabriella Gallego, Naa Kai Koppoe, Ellen Choi, and Charlotte Kress, from Perkins Coie, compare the content of the UCPA to the three other States where comprehensive State privacy laws have been passed.

UCPA background and key terms: Who does the UCPA impact?

The UCPA adopts the 'controller' and 'processor' approach used in the General Data Protection Regulation (Regulation (EU) 2016/679) ('GDPR'), the CPA, and the CDPA. A controller is a person who does business in Utah and determines the purposes and means of processing personal data. A processor is a person who processes personal data on a controller's behalf. A third party is a person other than the consumer, controller, or processor, or an affiliate or contractor of the controller or the processor.

What's the material and territorial scope of application of the law?

The UCPA applies to businesses that conduct business in Utah, or produce a product or service targeted to Utah residents, and have an annual revenue of $25 million or more. Businesses must also satisfy one or more of the following: (a) control or process the personal data of 100,000 or more consumers; or (b) derive over 50% of gross revenue from the sale of personal data and control or process the personal data of 25,000 or more consumers.

Notably, the UCPA differs from all of the existing omnibus State privacy laws by requiring businesses to meet a monetary threshold in addition to satisfying at least one other threshold. In contrast, the applicability threshold of the CCPA and CPRA is satisfied by having $25 million in revenue alone.

Applicability thresholds (compared across the UCPA, CPA, CDPA, and CPRA/CCPA):

  • Conduct business in the State
  • Produce or deliver a product or service targeted to the State's residents
  • Annual revenue of at least $25 million
  • Annual revenue over $25 million
  • Control or process the personal data of at least 50,000 residents (within the CPRA/CCPA column: CCPA only)
  • Control or process the personal data of at least 100,000 residents (within the CPRA/CCPA column: CPRA only)
  • Derive over 50% of gross revenue from the sale of personal data and control or process the personal data of at least 25,000 residents (✓*)
  • Derive 50 percent or more of annual revenues from selling consumers' personal data (within the CPRA/CCPA column: CPRA includes sharing)

* Colorado does not set a threshold amount for the revenue derived, and also includes controllers that receive a discount on the price of goods or services from the sale of personal data. Virginia likewise does not set a threshold amount for revenue derived.

How is a data 'sale' defined?

Under Utah's law, a sale is defined as the exchange of personal data by a controller to a third party for monetary consideration. The UCPA narrows the activities that may be considered sales by excluding disclosures of personal data if the purpose of the disclosure is consistent with a consumer's 'reasonable expectations', which is a much broader carve-out than any found in existing omnibus State privacy law.

While there is some consistency in nomenclature across the four laws, they are not identical.

Defined terms (compared across the UCPA, CPA, CDPA, and CPRA/CCPA):

  • Controllers and processors
  • Businesses and service providers
  • Third party
  • Contractor
  • Sale
  • Share
Which businesses are exempt from the respective privacy law?

The UCPA is known as the 'business-friendly' privacy statute, so it is no surprise that there are many entity and data exemptions to its applicability. As detailed below, the UCPA mostly aligns with its predecessors and does not apply to, among others, governmental entities or third parties under contract with a governmental entity acting on their behalf, higher education institutions, tribes, or non-profit organisations.

The law also does not apply to protected health information under the Health Insurance Portability and Accountability Act of 1996 ('HIPAA'), or to information subject to the Fair Credit Reporting Act of 1970 ('FCRA'), the Gramm-Leach-Bliley Act of 1999 ('GLBA'), or the federal Family Educational Rights and Privacy Act of 1974 ('FERPA'). Additionally, the UCPA does not include within its scope data that is processed or maintained in the course of employment (or an agent or independent contractor relationship), or personal data within the business-to-business context. Finally, the UCPA also excludes de-identified and publicly available information from the definition of personal data, as well as aggregated data. 'Aggregated data' is broadly defined as information that relates to a group or category of consumers from which individual consumer identities have been removed and that is not linked or reasonably linkable to any consumer.

Exemptions (compared across the UCPA, CPA, CDPA, and CPRA/CCPA):

  • Non-profit organisations
  • Institutions of higher education and/or information subject to FERPA
  • Information and/or entities subject to HIPAA and covered entities/business associates (the laws differ in scope: for some, information only; for others, information and limited entities)
  • Information and/or institutions subject to GLBA (for some laws, information only)
  • Personal information within the scope of employment (limited exemption until 1 January 2023 under the CPRA/CCPA)
  • Personal information in the commercial (business-to-business) context (exempt until 1 January 2023 under the CPRA/CCPA)
  • Aggregated data

What rights are granted to consumers?

The UCPA protects 'consumers' (defined as individuals residing in the State who are acting in an individual or household context, not in an employment or commercial context) and provides them with the right to access the personal data a controller processes about them, the right to delete the data they provide to controllers, the right to 'port' a copy of the data a controller processes about them, and the right to opt out of the 'sale' (defined as the exchange by a controller to a third party for monetary consideration) of personal data or processing of personal data for targeted advertising.

The parents or legal guardians of consumers who are children (defined as individuals under 13 years old) may exercise consumer rights on behalf of the child. Consumers are also given special rights with respect to their 'sensitive data', which includes children's data, in addition to an individual's racial or ethnic origin, religious beliefs, sexual orientation, and citizenship or immigration status, amongst others. Finally, unlike the CDPA and CPA, which require opt-in consent, the UCPA, like the CPRA, prohibits controllers from processing 'sensitive data' without first presenting the consumer with clear notice and providing an opportunity to opt out of the processing.

As with the existing State consumer privacy laws, the UCPA also affords consumers various rights.

Consumer rights (compared across the UCPA, CPA, CDPA, and CPRA/CCPA):

  • Access
  • Delete
  • Correct inaccurate information (within the CPRA/CCPA column: CPRA only)
  • Data portability
  • Know (for some laws, a right to confirmation only)
  • Opt-out of sale
  • Opt-out of sharing (within the CPRA/CCPA column: sharing in CPRA only)
  • Non-discrimination
  • Opt-in for processing of sensitive information
  • Opt-out for processing of sensitive information (within the CPRA/CCPA column: right to limit, CPRA only)
What obligations are imposed on controllers by the respective laws?

The UCPA is more business-friendly than existing comprehensive State privacy laws in that it generally imposes fewer obligations on controllers. Unlike some other State privacy laws, the UCPA does not contemplate data minimisation principles, nor the need for Data Protection Impact Assessments ('DPIAs') or affirmative consent requirements for certain types of processing.

At a high level, controllers under the UCPA must respond to consumer rights requests, set forth certain processing instructions in contracts with data processors (who must, in turn, impose the same on sub-processors), safeguard consumers' personal data using reasonable administrative, technical, and physical controls, and must not discriminate against consumers for exercising their rights. Controllers must also post a privacy notice that contains disclosures about their personal data practices similar to those required under existing omnibus State privacy laws.

The table below identifies key obligations that are imposed on controllers under existing State privacy laws. Importantly, the specifics of controller obligations vary across the laws in their precise requirements. Thus, for a complete understanding of controller obligations, companies should consult the text of the applicable laws.

Controller obligations (compared across the UCPA, CPA, CDPA, and CPRA/CCPA):

  • Purpose specification
  • Requirement to honour universal opt-out signals (for two of the laws: recommended, but not legally required)
  • Transparency
  • Data minimisation (for one of the laws: recommended, but not legally required)
  • Consent to process children's personal data (for 'sales' and 'sharing' only under the CPRA/CCPA)
  • Data security
  • Non-discrimination
  • Timing for consumer request responses: 45 days (plus a 45-day extension) under each of the UCPA, CPA, CDPA, and CPRA/CCPA
  • Commercial contract provisions
  • Data processing assessments

What must be included in a privacy policy?

As with existing State privacy laws, controllers subject to the UCPA must post a privacy notice containing disclosures about their personal data practices. Although the precise details to be disclosed vary, companies must generally provide information about certain key concepts, such as:

  • the categories of personal data collected;
  • the purpose(s) of collection;
  • whether personal data will be shared; and
  • applicable consumer rights.

Note, however, that the substance of such notices varies in the precise obligations and specifications under these laws. Thus, while we synthesise certain overarching concepts to include, companies should refer to the text of each law for a complete understanding of their legal obligations. Moreover, in addition to requiring certain disclosures in general, consumer-facing privacy notices, some of these laws may also require companies to adopt additional notices, such as an employee-facing privacy policy, opt-out notices, or the like.

Privacy policy disclosures (compared across the UCPA, CPA, CDPA, and CPRA/CCPA):

Personal data processing
  • Collection of personal data and categories thereof
  • Purpose(s) of processing
  • Disclosure of personal data to third parties, if any, and categories thereof
  • Whether the controller 'sells' personal data and to whom
  • Whether the controller engages in 'targeted advertising' or 'shares' personal information for cross-context behavioural advertising purposes
  • Use of automated decision-making or profiling
  • Data retention period

Consumer rights and choices
  • Consumer rights and choices available
  • Instructions for exercising consumer rights
  • How a consumer may appeal a controller's action (N/A for two of the laws)

Other
  • Controller's contact information (for two of the laws: recommended, but not legally required; for one: an email or other online mechanism to contact is required)
What is sensitive data under the UCPA?

'Sensitive data' under the UCPA includes personal data that reveals an individual's racial or ethnic origin, religious beliefs, sexual orientation, or citizenship or immigration status; information regarding an individual's medical history, mental or physical health condition, or medical treatment or diagnosis by a healthcare professional; genetic personal data or biometric data, if the processing of such data is for the purpose of identifying a specific individual; and specific geolocation data. Notably, sensitive data under the UCPA does not include information that reveals racial or ethnic origin when processed by a video communication service, or by certain healthcare workers - carve-outs that are unique to the UCPA and further narrow the scope of the law.

Like other existing comprehensive State privacy laws, the UCPA imposes additional obligations upon controllers that process 'sensitive data'. Like the CPRA, the UCPA requires controllers to present consumers with clear notice and an opportunity to opt-out of the processing of their sensitive data. In contrast, the CPA and CDPA require opt-in consent.

How are the respective laws enforced?

The Utah Attorney General ('AG') holds exclusive authority to enforce the UCPA. Controllers and processors are entitled to written notice of an alleged violation and a 30-day opportunity to cure the violation. This cure period does not sunset; by contrast, the CPA's 60-day cure period sunsets in January 2025, and the CPRA eliminates the mandatory cure period for enforcement actions brought by the California AG that existed under the CCPA.

The Utah AG may bring an action for uncured violations and recover actual damages to the consumer and $7,500 per violation in civil penalties. There is no private right of action, and the law expressly pre-empts any local laws or regulations that also govern the processing of personal data.

Enforcement (compared across the UCPA, CPA, CDPA, and CPRA/CCPA):

  • Enforced by AG
  • Enforced by district attorney
  • Private right of action (under the CPRA/CCPA, limited to certain breaches of personal information)
  • Right to cure:
      UCPA: 30 days
      CPA: 60 days (sunsets in January 2025)
      CDPA: 30 days
      CPRA/CCPA: no mandatory cure period for AG enforcement under the CPRA (30 days under the CCPA; 30 days for private actions only under the CPRA)
  • Penalty per violation:
      UCPA: up to $7,500 for each violation
      CPA: up to $20,000 per violation, with a maximum penalty of $500,000 for a series of related violations
      CDPA: up to $7,500 for each violation
      CPRA/CCPA: up to $7,500 for each violation
Conclusion

Businesses that operate in these States should stay tuned for additional guidance in the form of regulations or publications from the applicable regulatory bodies or enforcement agencies. And, of course, businesses should continue to monitor the privacy landscape for future laws.

Samantha Ettari, Senior Counsel
Gabriella Gallego, Associate
Naa Kai Koppoe, Associate
Ellen Choi, Associate
Charlotte Kress, Associate
Perkins Coie, Dallas