In our previous post, New State Privacy Laws – What’s Required?, we commented that although California led the way, Virginia and Colorado passed privacy laws on the heels of this landmark legislation, and twenty states had privacy legislation in the works. Since this writing, Utah has become the newest state to pass privacy legislation. Utah’s Governor Spencer Cox signed the Utah Consumer Privacy Act (UCPA) into law on March 24, 2022. And, although the law does not take effect until December 31, 2023, there are compliance obligations to keep an eye on. Here’s a look at how to begin preparing for the country’s newest state privacy requirements.
UCPA Overview
The UCPA was signed into law on March 24, 2022 and will take effect on December 31, 2023. The law defines consumers as individuals who are residents of Utah and acting in an individual or household manner. Notably, it does not include individuals acting in employment or commercial contexts. It defines controllers as persons doing business in the state who determine the purposes for which, and the means by which, personal data is processed. Processor is defined as a person who processes personal data on behalf of a controller, thus borrowing terms from the GDPR.
The UCPA applies to any controller or processor who:
- Conducts business in the state
- Produces a product or service that is targeted to consumers who are Utah residents
- Has an annual revenue of at least $25 million and satisfies either: (1) during a calendar year, controls, or processes personal data of 100,000 or more consumers, and/or (2) derives over 50 percent of gross revenue from selling personal data and controls or processes personal data of at least 25,000 consumers.
The UCPA grants consumer rights to access and delete personal data. It also requires written agreements between controllers and processors. Finally, it treats consumer rights as largely opt-out.
What Makes UCPA Different from other US State Privacy Laws? (CA, CO, and VA)
Although the UCPA is largely based on Virginia’s privacy legislation, it is distinct and arguably narrower than its predecessors. For starters, it appears to be the least restrictive of the four state data privacy laws passed to date. First, the UCPA has a narrower scope of applicability than the other states’ laws. For a business to be in scope, it must meet the criteria above, AND satisfy one or more of the following thresholds:
- during a calendar year, controls or processes personal data of 100,000 or more consumers, or
- derives over 50% of gross revenue from selling personal data and controls or processes personal data of at least 25,000 consumers.
The UCPA exempts non-profits, higher education, government entities, or entities processing personal data subject to federal privacy laws. Additionally, the UCPA does not apply to personal data of employees or business contacts, de-identified data, aggregated data, or information generally available to the public.
Second, like other state privacy laws, the UCPA grants consumers rights to access and delete personal data. It does not, however, grant consumers a right to correct personal data. In addition, it only allows for deletion of information obtained from the consumer by the controller. It does not allow for deletion of information inferred from what a consumer has provided, or from third-party information. The UCPA allows for an opt-out of targeted advertising like other laws, however it sticks to opt-out for sensitive data, instead of creating an opt-in provision like the Virginia and Colorado laws.
Thirdly, the UCPA is lighter on security and data processing agreements than its predecessors in other states. Unlike California, Virginia, and Colorado, the UCPA does not require controllers to conduct formal data processing risk assessments prior to processing personal and even sensitive data. It also does not include provisions on dark patterns. Like the other laws, the UCPA does require a controller to execute an agreement with a processor but does not require provisions in the agreement allowing controllers to audit the processor or give controllers rights to object to a processor’s use of a subcontractor.
Finally, enforcement looks slightly different under the UCPA than its predecessors in other states. Under the UCPA, consumers are required to first submit complaints to the Utah Division of Consumer Protection, which then has the power to elevate a UCPA complaint to the Utah Attorney General’s office. In California, Colorado, and Virginia, the process starts in the Attorney General’s office.
Looking Forward
As more and more states pass data privacy laws like these four, it is only natural for companies to be intimidated by the potential of a tsunami of fifty separate privacy laws. While Utah clearly added its own twist to American privacy laws, and has some unique requirements, many have remained similar to established state laws.
Since the UCPA is narrower than its predecessors in California, Virginia, and Colorado, if a company is compliant or working towards compliance with any of these privacy laws, some work will have been accomplished toward compliance with the UCPA.
As always, reviews, updates, and implementation of robust privacy programs, data mapping, consent practices and similar good data stewardship practices will serve companies well in complying with the UCPA, as it has for the other state privacy laws.
For more information on U.S. state privacy laws or how Myna Partners can assist with your privacy and data security compliance needs, contact Dave Cohen, at: dave.cohen@levelupconsult.com