On February 25, the Utah Senate passed the Utah Consumer Privacy Act (the UCPA), which closely resembles both the Virginia Consumer Data Protection Act (the VCDPA) and the Colorado Privacy Act (the CPA). The House unanimously passed the bill on March 2. The bill now goes to Governor Spencer Cox, who has 20 days to sign or veto it. If signed, Utah would be the fourth state to pass a comprehensive privacy bill after California, Virginia, and Colorado.
Who Would This Bill Affect?
The bill would affect a for-profit business that (a) conducts business in Utah, or produces a product or service targeted to consumers who are Utah residents; (b) has an annual revenue of $25 million or more; and (c) satisfies one or more of certain enumerated thresholds: (i) during a calendar year, controls or processes personal data of 100,000 or more consumers; or (ii) derives over 50% of the entity’s gross revenue from the sale of personal data, and controls or processes personal data of 25,000 or more consumers. The UCPA follows the GDPR framework and categorizes a business based on its activities as either a “controller” or “processor,” and provides specific requirements as to both categories (similar to the VCDPA and the CPA). Under the UCPA, “processor” is defined as a person who processes personal data on behalf of a controller. There are also a number of exemptions for entities, such as the government, nonprofits, and entities covered under other federal laws, such as FERPA, HIPAA, and GLBA. Under the UCPA, a “consumer” is defined as an individual who is a resident of the state acting in an individual or household context. It does not include an individual acting in an employment or commercial context.
Unique Provisions Under the UCPA:
While the Utah bill is like the VCDPA and the CPA, there are a few differences.
- There is no consumer right to request the correction of personal data.
- Data controllers are not required to implement an appeal process when consumer requests are denied.
- Consumer consent is not required prior to processing sensitive data of adults. The bill states a controller may not process sensitive data collected from a consumer without first presenting the consumer with clear notice and an opportunity to opt out of the processing.
- There is no data protection risk assessment requirement.
Enforcement and Remedies
Like the three current comprehensive privacy bills, the UCPA does not provide a private right of action. However, the act creates a split system where the Department of Commerce’s Consumer Protection Office will consider and investigate a claim, without having enforcement power. If there is substantial evidence of a violation, the claim will go to the attorney general’s office. Then, the attorney general may choose to initiate an action. In comparison, California’s Privacy Rights Act delegates administrative enforcement authority to the California Privacy Protection Agency and civil enforcement authority to the attorney general.
Thirty days prior to any commencement of action, the attorney general will provide the controller or processor with a notice, which allows the entity to cure the alleged violation. For each violation, the attorney general may recover: (i) actual damages to the consumer; and (ii) penalties not exceeding $7,500 per violation.
The bill is headed to Governor Spencer Cox. He will have 20 days to sign or veto the bill. If signed, the bill will have an effective date of December 31, 2023.