And Then There Were Four? Utah on the Verge of Enacting Consumer Privacy Law

Editor’s Note: Utah Governor Spencer Cox signed S.B. 227 into law on March 24, 2022. The Utah Consumer Privacy Act will become operative on December 31, 2023.

Utah is poised to become the fourth U.S. state—after California, Virginia, and Colorado—to enact comprehensive consumer privacy legislation, following the swift and unanimous passage of S.B. 227 in both the Utah Senate and House of Representatives.

The bill has been transmitted to Utah Governor Spencer Cox for his review.

If enacted, as is widely anticipated, the bill will create the Utah Consumer Privacy Act (UCPA), and be operative December 31, 2023. The UCPA will track closely with the Virginia Consumer Data Protection Act (VCDPA) and Colorado Privacy Act (CPA), both of which also become operative in 2023.

This alert provides an overview of the UCPA, indicating key areas in which it would meaningfully depart from the VCDPA and CPA.

Scope

Covered Businesses. The UCPA would apply to any controller (i.e., a business that determines the purposes for which and the means by which personal data are processed) or processor (i.e., a person who processes personal data on behalf of a controller) that:

1. Conducts business in Utah or produces a product or service targeted to consumers who are Utah residents;
2. Has annual revenue of $25 million or more; and
3. Satisfies one or more of the following thresholds:
   

   i. During a calendar year, controls or processes personal data of 100,000 or more consumers; or

   ii. Derives over 50% of the entity’s gross revenue from the sale of personal data and controls or processes personal data of 25,000 or more consumers.

The UCPA criteria for covered businesses differ from both the VCDPA and CPA in that the UCPA includes a standalone annual revenue requirement, excluding businesses with annual revenues of less than $25 million from the bill’s scope. The VCDPA and CPA do not contain such minimum revenue thresholds for covered businesses.

Consumers. The UCPA would define a consumer as a Utah resident “acting in an individual or household context,” and, like the VCDPA and CPA, would specifically exclude individuals “acting in an employment or commercial context.”

Personal Data. The UCPA would mirror the VCDPA and CPA in defining “personal data” as information that is linked or reasonably linkable to an identified or identifiable individual. The definition excludes de-identified data, publicly available information, and—in a departure from the VCDPA and CPA—aggregated data (i.e., information that relates to a group or category of consumers from which individual consumer identities have been removed and that is not linked or reasonably linkable to any consumer) from the definition of “personal data.”

Sale. The UCPA would define a “sale” as the exchange of personal data for monetary consideration by a controller to a third party. This is a narrower definition than found in the CPA, which defines “sale” as the exchange of personal data for monetary “or other valuable consideration.” The UCPA also includes a potentially helpful exception to “sale” that is not found in either the VCDPA or CPA: “sale” does not include a controller’s disclosure of personal data to a third party for a purpose that is consistent with the consumer’s reasonable expectations, considering the context in which the consumer provided the personal data to the controller.

Individual Rights

The UCPA would grant consumers the right to:

Confirm whether a controller is processing the consumer’s personal data and access that personal data.

Delete the consumer’s personal data that the consumer provided to the controller. This right is narrower than the deletion rights provided under the VCDPA and CPA, which apply to “personal data provided by or obtained about the consumer” and “personal data concerning the consumer,” respectively.

Obtain a copy of the consumer’s personal data that the consumer previously provided to the controller, in a portable format.

Opt out of the processing of the consumer’s personal data for purposes of targeted advertising or sale. Unlike the VCDPA and CPA, the UCPA would not give consumers the right to opt out of profiling in furtherance of decisions that produce legal or other significant effects. Moreover, unlike the CPA, the UCPA would not require controllers to allow consumers to exercise their opt-out rights via user-selected universal opt-out mechanisms, such as browser settings or extensions.

Controllers’ Obligations

The UCPA would impose the following obligations on controllers:

Notice: Like the VCDPA and CPA, the UCPA would require controllers to provide consumers with a reasonably accessible and clear privacy notice that includes:

i. The categories of personal data the controller processes;

ii. The purposes for which it processes the categories of personal data;

iii. How consumers may exercise a right;

iv. The categories of personal data it shares with third parties, if any; and

v. The categories of third parties, if any, with which it shares personal data.

Additionally, if it sells a consumer’s personal data or engages in targeted advertising, a controller would be required to clearly and conspicuously disclose the manner in which a consumer may exercise the right to opt out of sale or targeted advertising.

Data Security: The UCPA would require controllers to establish, implement, and maintain reasonable administrative, technical, and physical data security practices. Such practices must be appropriate to the controller’s size, scope, and type, as well as the volume and nature of the personal data at issue.

Sensitive Data: Unlike the VCDPA and CPA, the UCPA would not require opt-in consent to process sensitive personal data.  Rather, the UCPA would prohibit a controller from processing sensitive data collected from a consumer without first presenting the consumer with clear notice and an opportunity to opt out.

Children’s Data: The UCPA would require a controller to process personal data concerning a known child (i.e., an individual younger than 13 years of age) in accordance with the federal Children’s Online Privacy Protection Act.

Non-discrimination: The UCPA would prohibit a controller from discriminating against a consumer for exercising a right under the UCPA by:

i. Denying a good or service to the consumer;

ii. Charging the consumer a different price or rate for a good or service; or

iii. Providing the consumer a different level of quality of a good or service.

However, these prohibitions would not prevent a controller from offering a different price, rate, level, quality, or selection of goods or services if the consumer has opted out of targeted advertising or if the offer is related to the consumer’s voluntary participation in a bona fide loyalty, discount, or similar program.

Processors

The UCPA would require processors to adhere to controllers’ instructions and, insofar as reasonably practicable, assist controllers in meeting their obligations under the UCPA. It also specifies that a processor and controller must enter into a contract that:

i. Clearly sets forth the processing instructions, the nature and purpose of the processing, the type of data subject to processing, the duration of the processing, and the parties’ rights and obligations;

ii. Requires the processor to ensure that each person processing personal data is subject to a duty of confidentiality with respect to the personal data; and

iii. Requires the processor to engage any subcontractor pursuant to a written contract that requires the subcontractor to meet the same obligations as the processor with respect to the personal data.

These contractual requirements are less detailed and comprehensive than those outlined in the VCDPA and CPA.  For example, unlike the VCDPA and CPA, the UCPA would not require data processing agreements to include a provision stipulating that processors must allow for, and contribute to, reasonable audits or assessments by the controller or its designated auditor or assessor.

Exceptions

General Exceptions. The UCPA would contain several statutory exceptions, including for:

• Health Insurance Portability and Accountability Act (HIPAA) covered entities and business associates, as well as protected health information under HIPAA;
• Financial institutions or affiliates governed by the Gramm-Leach-Bliley Act (GLBA) and personal data collected, sold, or disclosed in accordance with the GLBA;
• The activities of entities regulated by the Fair Credit Reporting Act regarding personal data that bear on a consumer’s credit worthiness, credit standing, etc.;
• Personal data regulated by the Family Education Rights and Privacy Act;
• Air carriers;
• Nonprofit corporations; and
• Institutions of higher education.

Permitted Processing. The UCPA would likewise clarify that it does not restrict a controller or processor’s ability to, among other things:

• Comply with federal, state, or local laws, rules, or regulations;
• Investigate, establish, exercise, prepare for, or defend legal claims;
• Provide a product or service specifically requested by a consumer or a parent or legal guardian of a child;
• Take immediate steps to protect the life or physical safety of an individual;
• Detect, prevent, protect against, or respond to a security incident, identity theft, fraud, harassment, malicious or deceptive activity, or any illegal activity, or investigate, report, or prosecute the responsible party;
• Effectuate a product recall; or
• Perform internal operations that are reasonably aligned with the consumer’s expectations based on the consumer’s existing relationship with the controller.

Enforcement/Penalties

Like the VCDPA and CPA, violations of the UCPA would not be subject to a private right of action. Rather, the Utah Attorney General (AG) would have exclusive authority to enforce violations.

Prior to initiating an enforcement action, the AG would be required to provide the controller or processor with at least 30 days’ written notice identifying each provision of the UCPA that the controller or processor allegedly violated and an explanation of the basis for each allegation. If the controller or processor cures the noticed violation within 30 days of receipt of the notice and provides the AG with an express written statement that the violation has been cured and no further violation of the cured violation will occur, the AG may not bring an enforcement action. Unlike the CPA, the UCPA cure provision does not expire.

However, in the event the controller or processor fails to cure a noticed violation or continues to violate the UCPA after curing a noticed violation, the AG may recover: (i) actual damages to the consumer; and (ii) up to $7,500 per violation.

Additional Pro-business Departures from Virginia and Colorado Laws

Appeals. Unlike the VCDPA and CPA, the UCPA would not require controllers to establish a process for a consumer to appeal the controller’s refusal to take action on a consumer request and make such process conspicuously available to consumers.

Data Protection Assessments. In another departure from the VCDPA and CPA, the UCPA would not require controllers to perform and document data protection assessments before undertaking specified processing activities, such as targeted advertising, sale, profiling, the processing of sensitive data, or other high-risk processing.

Next Steps

Utah Governor Spencer Cox has until March 24, 2022 (i.e., 20 days from the close of Utah’s 2022 legislative session) to sign or veto S.B. 227, or it will become law without his signature.

In the unlikely event that Governor Cox vetoes the bill, the House and Senate may call a veto override legislative session by a two-thirds vote of each chamber. May 3, 2022 is the last day a veto override session may begin. If the legislature convenes such a session and two-thirds of the members of each chamber approve the bill, it becomes law over the governor’s veto.

Outside of Utah, comprehensive consumer privacy bills are pending in at least 24 other states and the District of Columbia.  It remains to be seen whether and how passage of S.B. 227 will impact these other bills, and specifically whether passage would give momentum to other VCDPA- and CPA-like bills. It is likewise uncertain whether passage of S.B. 227 will re-ignite the call for federal privacy legislation, though it is unlikely that a federal bill will pass in a midterm election year, particularly in light of competing legislative priorities and the ongoing gridlock in Congress.

Please visit our California Consumer Privacy Act + Other State Consumer Privacy Laws Resource Center for more information on the evolving state consumer privacy landscape.