Utah Joins California, Colorado, and Virginia in Enacting Consumer Privacy Law

On March 24, 2022, Utah Governor Spencer Cox signed the Utah Consumer Privacy Act (“UCPA”) into law, making Utah the fourth state to enact comprehensive consumer privacy legislation following California, Colorado, and Virginia. The UCPA, which goes into effect December 31, 2023, shares the same general framework as the Colorado Privacy Act (“CPA”) and the Virginia Consumer Data Protection Act (“VCDPA”), but with some key differences that we highlight below.

The UCPA is the latest comprehensive state privacy law to cross the finish line, while 21 other states are actively considering comprehensive privacy legislation in 2022. With each new state privacy law, the patchwork of standards and obligations increases the complexity for businesses, including for many businesses not located in the regulating state. Companies that were already making changes to their privacy policies and practices to comply with the CPA, the VCDPA, and the California Privacy Rights Act (“CPRA”) amendments will now have to incorporate the obligations of the UCPA into that process.

Scope of the UCPA

Like the Virginia and Colorado laws, the UCPA adopts the concepts of data controllers and data processors. The UCPA applies to for-profit controllers and processors that (1) conduct business in Utah or produce a product or service that is targeted to consumers who are residents of Utah; (2) has annual revenue of $25 million or more; and (3) satisfies one of these thresholds: (a) controls or processes personal data of 100,000 or more Utah consumers in a year, or (b) derives more than 50% of their gross revenue from the sale of personal data and controls or processes personal data of 25,000 or more Utah consumers.

The statute exempts government entities, nonprofits, entities subject to the Health Insurance Portability and Accountability Act (“HIPAA”), higher education institutions, and financial institutions subject to the Gramm-Leach-Bliley Act (“GLBA”).

The UCPA definition of personal data matches the Colorado and Virginia statutes: Personal Data is information linked to or reasonably linkable to an identified or identifiable individual. Unlike the other three, California also includes information linked or linkable to a household. All four statutes expressly exempt de-identified data and publicly available information.

Consumer Rights

The data rights provided to Utah consumers parallel the three other state privacy laws. The UCPA provides Utah consumers four specific rights:

1. The right to confirm whether a controller is processing their data, and if so, the right to access that data;
2. The right to delete their data;
3. The right to data portability; and,
4. The right to opt-out of certain uses of their data, including sales and targeted advertising.

However, the UCPA is narrower than the Colorado, Virginia, and California laws in other respects. Unlike other states, the UCPA does not obligate data controllers to:

• correct personal data,
• conduct data protection assessments,
• allow for opt-out of profiling, or,
• provide an appeals process for a denial of a data subject’s request to invoke a right granted by the UCPA.

Like California, the UCPA’s right to delete is limited to the personal information provided to the data controller by the data subject. This is in contrast to Colorado and Virginia, which extend the right to delete to all data about the data subject in the controller’s possession, including data acquired from third parties.

With regard to the sale of data, the UCPA aligns itself with Virginia. The “sale” of personal information is defined as “the exchange of personal data for monetary consideration by the controller to a third party” with specific exclusions. “Sale” does not include disclosures:

• to entities that process personal data on behalf of a controller (“processors”);
• to affiliates of the controller;
• to a third party where the purpose of the disclosure is consistent with the consumer’s reasonable expectations;
• at the direction of the data subject;
• where the disclosure is part of the product or service requested by the data subject;
• of information that is publicly available and not subject to the law (as discussed above); and,
• as part of a merger or acquisition.

Responsibilities of Controllers

Under the UCPA, controllers must provide Utah consumers with a reasonably accessible and clear privacy notice that identifies:

• the categories of personal data processed by the controller;
• the purposes for which the categories of personal data are processed;
• how consumers may exercise their rights;
• the categories of personal data that the controller shares with third parties; and,
• the categories of third parties with whom the controller shares personal data.

Compared to the California, Colorado, and Virginia laws, the UCPA gives businesses additional flexibility when it comes to responding to consumer requests. First, a controller does not have to comply with a data subject request if it would be unreasonably burdensome to associate the request with the personal data. Second, a controller may either refuse to act on a request or charge a reasonable fee to the consumer to cover the costs of complying with a consumer’s second or subsequent data request in a 12-month period if the request is excessive, repetitive, technically infeasible, or manifestly unfounded; the controller reasonably believes the primary purpose in submitting the request was something other than exercising a right; or the request, individually or as part of an organized effort, harasses, disrupts, or imposes undue burden on the resources of the controller's business. The controller bears the burden of demonstrating the request satisfies one or more of these criteria.

Enforcement and Penalties

Like the CPA, the VCDPA, and the CPRA (except for data-security breaches), the UCPA does not create a private right of action. Instead, the law authorizes the Consumer Protection Division of the Utah Department of Commerce to receive and investigate consumer complaints and alleged violations of the statute and refer violations to the Utah Attorney General. Upon referral, the Attorney General can sue to enforce the law but may only do so after providing an entity 30 days to cure alleged violations. If the violation persists, the Attorney General may seek damages of up to $7,500 per violation.

Conclusion

Although the UCPA does not come into force until the end of 2023, companies that are revamping their privacy policies to comply with the CPRA amendments (effective date: January 1, 2023), the VCDPA (effective date: January 1, 2023), and the CPA (effective date: July 1, 2023) should also evaluate whether they will be subject to the UCPA and make adjustments to their privacy policies as appropriate. With the increasing patchwork of state laws, it is critical for companies to take steps to understand their data flows, prepare processes to respond to data subject requests, and try to identify a common set of practices that will enable them to comply with these new obligations in a consistent and efficient manner.

This memorandum is a summary for general information and discussion only and may be considered an advertisement for certain purposes. It is not a full analysis of the matters presented, may not be relied upon as legal advice, and does not purport to represent the views of our clients or the Firm. Tod Cohen, an O’Melveny partner licensed to practice law in California and the District of Columbia, Randall W. Edwards, an O’Melveny partner licensed to practice law in California, Scott W. Pink, an O’Melveny special counsel licensed to practice law in California and Illinois, John Dermody, an O’Melveny counsel licensed to practice law in California and the District of Columbia, and Lorenzo d’Aubert, an O’Melveny associate licensed to practice law in the District of Columbia, contributed to the content of this newsletter. The views expressed in this newsletter are the views of the authors except as otherwise noted.

© 2022 O’Melveny & Myers LLP. All Rights Reserved. Portions of this communication may contain attorney advertising. Prior results do not guarantee a similar outcome. Please direct all inquiries regarding New York’s Rules of Professional Conduct to O’Melveny & Myers LLP, Times Square Tower, 7 Times Square, New York, NY, 10036, T: +1 212 326 2000.