The UCPA — What It Is and What to Expect
The UCPA (Utah Consumer Privacy Act) was signed into law on March 24, 2022 by Utah Governor Spencer Cox, making Utah the fourth state to pass a consumer privacy law specifically for consumers in that state. This new law has significant implications for both Utah’s tech industry and consumers.
Utah companies already following other privacy laws, like the CCPA (California Consumer Privacy Act) or VCDPA (Virginia’s Data Protection Act), will most likely have little to change about their current data practices. Utah’s new law not only borrows the framework from its predecessors, but essential language, too. For example, the UCPA uses the terms “controllers” and “processors.” Controllers are the companies ultimately responsible for people’s personal data. Processors are entities that a controller contracted with to process the data.
While there are many similarities between the UCPA and its predecessors, this law is distinct in several ways. Unlike other privacy laws, it does not grant consumers the right to correct inaccuracies in their personal data. Additionally, instead of requiring opt-in consent for the collection and processing of sensitive data, the UCPA requires entities to provide notice and the option to opt-out before a consumer’s personal data is processed. Finally, for controllers, this law requires fewer data protection assessments than others have.
As far as enforcement goes, unlike its counterparts in California and Virginia, complaints of infractions do not go directly to the state’s Attorney General. Instead, they go to the Utah Division of Consumer Protection within the Utah Department of Commerce. This department may then refer serious complaints to the Attorney General.
With the recent enactment of the law, Utah businesses are anxious to know whether they will be affected. For a business to be held legally responsible under this act, it must meet the following conditions:
- Be a for-profit entity in Utah or produce a product/service targeted to Utah residents
- Have annual gross revenues of $25 million
- Control or process the personal data of at least 100,000 Utah residents OR derive over 50 percent of gross revenue from sale of personal data and control and process the data of at least 25,000 Utah residents
This law aims to protect consumers and their personal data. It’s important to note that personal data does not include data collected for employment or in a commercial context. Under the UCPA, barring that prior exception, personal data is defined as anything linkable to an identified or identifiable individual. Companies that have already un-identified their data (scrubbing a dataset so its contents are impossible to trace back to an individual) are not affected by this law.
Certain entities are exempt from the UCPA. This includes entities regulated by HIPAA (the Health Insurance Portability and Accountability Act of 1996) and the Gramm-Leach-Bliley Act of 2018. Higher education, non-profits, tribes, and consumer reporting agencies under the Fair Credit Reporting Act are also exempt.
Consumers are also granted certain rights under this act. For example, no controller may process consumer data without first informing the individual. Additionally, the controller must provide a copy of the consumer’s personal data being used, and in the case of targeted marketing or the sale of personal data, the consumer may opt out.
The UCPA regulates the relationship between the controller and processor, still aiming to protect consumers' data privacy. Under these statutes, before a processor performs any processing on behalf of a controller, they are required to enter into a contract establishing the details of their processing. In these contracts, instructions for the processing, the nature and purpose of the processing, the type of data subject to processing, and the duration of the processing must be clearly outlined. Within this agreement, it is the processor’s responsibility to follow the controller’s instructions and ensure the workers tasked with handling the data are subject to a duty of confidentiality.
Under the law, controllers also have certain obligations to consumers. They must provide consumers with a privacy notice when their data is processed. This notice should inform the consumer what categories of personal data will be processed, purposes for processing and how consumers can exercise their rights under the law.
Although the UCPA is officially passed and signed into law, it won’t take effect until December 31, 2023. When it does, consumers have no private right of action, or in other words, they cannot sue. Rather, the state Attorney General is the means for legal action or taking an organization to court. If the Attorney General discovers a business violating the law, the business will have 30 days to correct the violations or incur serious fines.
Beginning on December 31, 2023, the state government will test the UCPA’s effectiveness for an 18-month period. During this year and a half, concerted efforts in both investigation and enforcement of this new data privacy law are expected.
To learn more about this new law and how it compares to those of other states, please see the legal update prepared by Chicago-based law firm Mayer Brown, which set up an office in Salt Lake City earlier this year.