On March 24, 2022, Utah Governor Spencer J. Cox signed the Utah Consumer Privacy Act (“UCPA”) (S.B. 227), making The Beehive State the fourth to pass a comprehensive privacy law, following California (“CCPA” & “CPRA”), Virginia (“VCDPA”), and Colorado (“CPA”). The UCPA will go into effect on December 31, 2023.
Structurally, UCPA most closely resembles the VCDPA and is unlikely to pose major compliance challenges for companies already subject to other state-level privacy laws. However, the UCPA does present some notable differences from the Virginia regime – namely, a revenue threshold for covered entities (which Virginia lacks), a narrower set of consumer rights, no data protection assessment requirement, and no limitation on secondary uses, among others discussed below.
On the whole, the UCPA strikes a reasonable balance between the needs of small businesses and consumer privacy rights, particularly considering the $25 million threshold, lack of a private right of action, and broad exemptions for certain types of data and controllers (e.g., non-profits, GLBA-regulated entities, employee data, etc.). The following are the key areas of the UCPA implicating digital advertising companies, and what this new law means for the patchwork of state privacy laws broadly.
The UCPA applies to controllers and processors that conduct business in Utah, or produce products or services targeted toward Utah residents, and have annual revenue of $25 million or more. Notably, aside from CCPA/CPRA, UCPA is the only law to include a revenue floor such as this.
To fall within the law's scope, covered businesses must also either 1) control or process the personal data of more than 100,000 consumers or 2) process the personal data of 25,000 or more consumers and derive more than 50% of revenue from the sale of that data (§13-61-102(1)). Unlike Colorado, the UCPA does not apply to non-profits and additionally excludes government entities, tribes, higher education institutions, covered entities under HIPAA, GLBA-regulated entities, and others.
The UCPA establishes new rights citizens may exercise with respect to their personal data – defined as “information that is linked or reasonably linkable to an identified or identifiable individual” and excluding deidentified data, aggregate data, and publicly available information (§13-61-101(24)). However, as compared to California, Virginia, and Colorado’s laws, these rights are significantly narrower.
In Utah, consumers will have the right to 1) confirm when a controller is processing their personal data; 2) delete personal data; 3) obtain a copy of their personal data (data portability); and 4) opt out of targeted advertising or the sale of their personal data (§13-61-201(2)). Like California, but in contrast to Virginia, the UCPA’s right to delete is particularly narrow, and it only applies to data the consumer provided to the controller. Additionally, the UCPA notably lacks the right to correct inaccurate information, and unlike VCDPA and CPA, it does not provide consumers the right to opt out of profiling. Additionally, pseudonymous data – personal data that cannot be attributed to a specific individual without additional information, so long as that additional information is kept separately from the consumer’s other personal data and subject to other technical and organizational safeguards – is not implicated by controller obligations to act pursuant to these rights (§13-61-303).
Similar to the CPRA, VCDPA, and CPA, the UCPA establishes heightened standards for controllers processing sensitive personal data. Utah’s definition includes personal data that reveals an individual’s racial or ethnic origin, religious beliefs, sexual orientation, or citizenship or immigration status. Further, it includes information regarding medical history, mental or physical health conditions, medical treatment/diagnosis, the processing of genetic or biometric data for the purpose of identifying an individual, and specific geolocation (§13-61-101(32)). The UCPA’s inclusion of mental and physical conditions, in addition to treatments and diagnoses, makes Utah’s definition of sensitive personal data broader and more encompassing than that of Virginia, Colorado, and California, and more closely aligned with the NAI definition of health-related sensitive information.
If consumer personal data is deemed “sensitive,” businesses subject to compliance “may not process sensitive data collected from a consumer without first presenting the consumer with clear notice and an opportunity to opt-out of the processing” (§13-61-302(3)). This differs significantly from Virginia and Colorado, where covered entities must obtain affirmative “opt-in” consumer consent.
Like Virginia and California, UCPA has a non-retaliation provision, which prohibits a controller from discriminating against users who exercise their rights by denying them goods or services, charging them a different rate or price, or providing the consumer a different level of quality. However, if a consumer opts out of targeted advertising or is engaged in a loyalty, rewards, premium feature, or club card program, controllers are free to apply a different rate, level, quality, or selection of goods and services. This approach is a bit of a departure from that taken by California, and is more explicit than Virginia. California is still unique with respect to its requirement for businesses to conduct a “good faith estimate” of the value of this data (Cal. Reg. 999.307(b)(5)).
Akin to Virginia and Colorado, the UCPA does not contain a private right of action and consequently relies on the state attorney general for enforcement. Notably, the UCPA stands alone with its first-of-a-kind two-step claims process and enforcement assessment provisions, and follows Virginia by declining to grant the state attorney general rulemaking authority, unlike Colorado and California. To facilitate its two-step claims process, the UCPA creates a Division of Consumer Protection within the State Department of Commerce, responsible for fielding and investigating complaints from consumers. If the Director of the Division has “reasonable cause” to believe “substantial evidence” exists as to a violation of the UCPA, it refers the claim to the state attorney general, who has exclusive enforcement authority and may choose to initiate an enforcement action (§13-61-401). Upon initiating an enforcement action, the attorney general must provide the business with a 30-day cure period to remedy the violation. Like Virginia, Utah’s law does not phase out this cure period. This is in contrast to Colorado, whose cure period requirement sunsets January 1, 2025, and California, whose cure period was completely eliminated by CPRA.
Although it does not provide the state attorney general with rulemaking authority, the UCPA instead instructs the AG to compile a report by July 1, 2025, evaluating the liability and enforcement provisions and the general effectiveness of the law (§13-61-404). The reporting requirement could serve to influence future legislative amendments to the UCPA, ensuring enforcement is effective and efficient while offering consistency for those subject to compliance.
Significant provisions excluded:
Notably, the UCPA leaves out a few provisions seen in California, Colorado, and Virginia’s privacy laws. Opt-out preference signals, such as the Global Privacy Control (“GPC”), have gained support from consumer advocates and many policymakers as an efficient way for consumers to exercise privacy preferences across websites and apps. Currently, California and Colorado both have provisions requiring businesses to establish the technological capabilities to accept and honor these signals. However, the UCPA is similar to VCDPA in its silence on this issue.
While the UCPA requires controllers to establish, implement, and maintain reasonable security practices, it lacks the formal risk assessment requirement present in the other state privacy laws. Broadly speaking, these risk assessment requirements obligate covered businesses to evaluate risky processing activities involving personal information and report the results to their respective state authority, but they can often be onerous for those subject to compliance.
Additionally, both California and Colorado define “dark patterns” and seek to regulate their use, and the Utah legislature followed Virginia in opting against including this approach.
Implications for the state consumer privacy patchwork and digital advertising industry
With every new patch in the state privacy legal quilt, there are inevitably key differences that will impact compliance by businesses, as well as provide considerations for future laws in other states. As previously noted, the UCPA closely tracks each of the other comprehensive privacy laws in certain ways, but diverges in others. Overall, for companies already preparing to comply with the laws in California, Virginia and Colorado, this new law isn’t likely to create any significant novel legal requirements. However, it does reflect some evolving thinking on many key issues. For instance, when passed in 2018, CCPA didn’t even contemplate “sensitive data,” and only added an opt-out requirement with the passage of CPRA. The VCDPA was the first to require opt-in consent for sensitive data, and Colorado followed suit. As noted above, Utah has taken an approach more similar to the CPRA, requiring an opt-out for sensitive data. Further, each state law has adopted a slightly different definition of what exactly rises to the level of “sensitive.” Given the varying definitions and approaches to consumer consent, there is a striking lack of consensus on how best to protect consumers’ sensitive data.
On the issue of pseudonymous data, which is critical to the practices of the digital ads industry, Virginia, Colorado and now Utah have all recognized the distinction and privacy benefits that can come from this data. All three have created a more practical set of requirements – though not identical – for companies as applied to compliance with consumer rights. This provides a valuable emerging consensus for state legislators considering new laws.
Similar inconsistency exists with respect to opt-out preference signals. In contrast to the California approach, which fails to contemplate the intricacies of this issue, Virginia and now Utah opted to remain silent, and Colorado sought to strike a fairer balance by requiring compliance with such signals while also requiring the AG to develop regulations mindful of anti-competitive implications. With this notable split across the states on how to apply automated, platform-based opt-out signaling, companies will need to conduct themselves in a way that complies with these varying approaches.
Finally, with respect to enforcement, the four state privacy laws contain striking similarities and differences. Fortunately, Virginia, Colorado, and Utah all rejected private rights of action, as opposed to California, which provides a narrow right focused on data security. This is a very positive development, particularly for small businesses whose innovation risks being stifled by excessive consumer litigation. Additionally, there is deviation in the way the states’ attorneys general enforce each respective law. Perhaps the most important contribution of the UCPA is its adoption of a unique two-step claims process. This model is superior to private litigation, and assures that meaningful violations of the law are addressed and frivolous claims are avoided, while providing covered entities with resources and experts to understand their compliance requirements and honor consumer privacy. Finally, there is inconsistency among the states with respect to rulemaking – with two states requiring attorneys general to promulgate regulations (CA & CO), and the others taking a simpler approach (VA & UT). The absence of rulemaking provides for greater consistency of interpretation and enforcement, rather than laws that constantly evolve through regulation.
With legislation seemingly stalled at the federal level, Utah will certainly not be the last U.S. state to enact a comprehensive privacy law, and the patchwork of compliance obligations will only continue to grow. Positively, the UCPA signals a strong endorsement of Virginia’s approach to consumer privacy, and sets another good example for lawmakers in sister states looking to promote competition and growth among small businesses while providing meaningful privacy rights and protections for consumers. While the NAI and most stakeholders will continue to push for enactment of a uniform federal privacy framework, the introduction of state bills that are more closely aligned with Virginia and Utah is generally a positive development in the interim.