The Utah Consumer Privacy Act (“UCPA”) was signed into law by Governor Spencer J. Cox yesterday. CPW has been tracking the UCPA’s progress throughout this legislative session.

Effective Date

December 31, 2023.

Applicability

In comparison to other state laws, the UCPA’s applicability thresholds are more stringent, requiring controllers or processors to meet three prongs:

  1. Do business in the state or targeting residents with products/services;
  2. Have annual revenue of $25 million or more; and
  3. Data collection, processing, or sale/revenue thresholds.

Practically, this will likely exempt smaller to mid-market organizations with limited revenue but substantial data collection, processing, and/or sale activities, unlike the other state laws.

In comparison, under the CCPA/CPRA, covered businesses could meet the revenue requirement or another threshold (e.g., sell/share the personal information of 50,000 or more consumers, OR derive 50% or more of annual revenues from selling consumers’ personal information).  The CDPA and CPA do not have revenue thresholds.

Enforcement

The UCPA establishes the Department of Commerce Division of Consumer Protection (“Division”), which will receive and investigate consumer complaints alleging violations of the UCPA.  Depending on the outcome of its investigation, the Division may refer certain cases to the Utah Attorney General (“AG”), who has exclusive authority to enforce the UCPA.  The AG may initiate an enforcement action based on the referral against a controller or process that violates the UCPA.

Enforcement Risk

Controllers or processors receiving a notice of violations have a 30-day cure period.  After, the AG may initiate an action against a controller or processor for failure to cure the noticed violations or if violations are ongoing.  The AG may seek up to $7,500 for each violation.

Rulemaking

The UCPA does not provide explicit authority for the AG to issue regulations. Interestingly, it requires the AG and the Division to compile a report by July 1, 2025 that evaluates liability and enforcement provisions and details summary of data protected (and not) by UCPA. Perhaps this report will spur the need for amendments and regulations, though it remains to be seen whether the legislature will act to empower the AG, Division, or other agency to carry out rulemaking in the meantime.

 

As CPW has previously covered, Utah is one of several states considering enacting a comprehensive privacy bill this year.  CPW’s Kristin Bryan and Kyle Fath were recently interviewed by Bloomberg Law concerning this development.  The full article is available here.

Kyle commented that “[d]espite the bill’s similarity to the Virginia law and its number of exemptions, it still complicates the national compliance picture.  Businesses may apply more stringent standards from jurisdictions like California to consumers in other states, such as Utah, because it can be complicated and costly to comply in a piecemeal manner.”

As Kristin explained, the failure of the federal government to enact comprehensive privacy legislation means that “many states are taking privacy regulations into their own hands,” and “[t]he inclusion of a private right of action for bills is a ‘worst case scenario’ for businesses that would be regulated under such laws.”  In this instance, she commented, “[i]t does appear [the Utah legislature is] trying to strike the right balance between providing privacy protections while also limiting the exposure to businesses, as seen by lack of private right of action.”

For more on this, stay tuned.  CPW will be there to keep you in the loop.

On Friday, February 25, 2022, the Utah Senate unanimously passed SB 227, or the Utah Consumer Privacy Act.

Controllers and Processors Beware

SB 227 is an omnibus privacy bill that shares similarities with the Virginia Consumer Data Protection Act and the Colorado Privacy Act.  For instance, the bill imposes different obligations on a covered business depending on whether the business is acting as a controller (one who determines the purposes for processing data, alone or in coordination with others) or processor (one who processes data on behalf of a controller).

Controllers are responsible for transparency, purpose specification, and data minimization.  They must also obtain the consumer’s consent for any secondary uses, and must honor consumer rights (generally within 45 days of receipt of the consumer’s request).  Controllers are also responsible for safeguarding data privacy and security, non-discrimination, non-retaliation, and non-waiver of consumer rights.  Controllers are prohibited from processing certain data qualifying as “sensitive data” without first presenting the consumer with clear notice and providing an opportunity to opt-out of processing.

Processors must follow a controller’s instructions and must enter into a contract that incorporates certain enumerated requirements (e.g., requirements pertaining to duty of confidentiality and data privacy and security safeguards) before processing data on behalf of the controller.

Applicability

The bill applies to:

  1. Businesses who (a) (i) conduct business in Utah; or produces a product or service targeted to consumers who are Utah residents; (b) has an annual revenue of $25,000,000 or more; and (c) satisfies one of more of certain enumerated thresholds (e.g., controls or processes the personal data of 100,000 or more consumers; or derives over 50% of gross revenue from the sale of personal data);
  2. “Personal Data,” which is information that can be linked (or is reasonably linkable to) an identified or identifiable individual, with exclusions; and
  3. “Biometric data,” which is “automatic measurements of an individual’s unique biological characteristics” that can identify a specific individual, excluding, among others, photographs or video recordings (or data derived from either).

The bill does not apply to, among others:

  1. Government entities;
  2. Business entities that are covered entities or business associates pursuant to the Health Insurance Portability and Accountability Act (“HIPAA”); and
  3. Information subject to HIPAA, the Federal Credit Reporting Act (“FCRA”), the Gramm-Leach-Bliley Act (“GLBA”), or the federal Drivers Privacy Protection Act (“DPPA”).

Consumer Rights

The bill protects “consumers,” which are individuals who are Utah residents acting in an individual or household context, not in an employment or commercial context.  Consumers would have the rights of access, correction, deletion, portability, and right to opt-out of certain processing.  Consumers also have a right to opt-out of certain processing, including the “sale” of personal data.

The parents or legal guardians of consumers who are children (under 13 years old) may exercise consumer rights on behalf of the child.  The personal data of children is considered “sensitive data” under the Utah Consumer Privacy Act.  The bill as currently drafted requires controllers to process the personal data of known children according to the requirements of the federal Children’s Online Privacy Protection Act (“COPPA”).

No Right of Private Action

The bill as currently drafted does not grant a private right of action and explicitly precludes consumers from using a violation of the Act to support a claim under other Utah laws, such as laws regarding unfair or deceptive acts or practices.

Risk of Enforcement Action

The Utah Consumer Privacy Act grants exclusive enforcement authority to the Utah Attorney General.  However, before the Attorney General initiates an enforcement action, the Attorney General must first provide the allegedly non-compliant business with (1) written notice (30 days before initiating enforcement action) and (2) an opportunity to cure (30 days from receipt of the written notice).

Prior Legislative History

The Utah Consumer Privacy Act was previously introduced in 2021 (as S 200) and in 2020 (as S 429).  In 2021, S 200 passed the first and second Senate floor readings, but failed to get a third Senate floor reading despite a substitute bill and fiscal note being distributed.  The Utah legislature closes on March 4, 2022.

Update as of March 3, 2022

On March 3, 2022, the Utah Senate passed the House Amendments to SB 227, and returned SB 227 to the House for signature of the Speaker.  The amended version of SB 227 passed with 22 Yay votes, 0 Nay votes, and 4 absentees. This means that the bill has passed the concurrence process. Once the bill is signed by the Speaker, it moves on to the ‘enrolling process,’ and then afterwards will be delivered to the Governor, in accordance with the Utah legislative process

What’s Next

In Utah, if a chamber passes a bill with amendments, the “the bill is sent back to originating [chamber] for concurrence of the amendment.”  Here, SB 227 passed in the Senate (where it was first introduced), then passed in the House with amendments, and afterwards was sent back to the Senate for concurrence.

If the Senate accepts the House amendments, SB 227 will be delivered to the Governor for action.  The Governor has 20 days from adjournment to (1) sign (or not sign the bill), after which the bill becomes law; or (2) veto the bill, in which case the bill does not become a law unless the Governor’s veto is overridden by the legislature.

Utah is inching closer to passing the Utah Consumer Privacy Act.  CPW will be here to keep you in the loop.

On Friday, February 25, 2022, the Utah Senate unanimously passed SB 227, or the Utah Consumer Privacy Act.

Controllers and Processors Beware

SB 227 is an omnibus privacy bill that shares similarities with the Virginia Consumer Data Protection Act and the Colorado Privacy Act.  For instance, the bill imposes different obligations on a covered business depending on whether the business is acting as a controller (one who determines the purposes for processing data, alone or in coordination with others) or processor (one who processes data on behalf of a controller).

Controllers are responsible for transparency, purpose specification, and data minimization.  They must also obtain the consumer’s consent for any secondary uses, and must honor consumer rights (generally within 45 days of receipt of the consumer’s request).  Controllers are also responsible for safeguarding data privacy and security, non-discrimination, non-retaliation, and non-waiver of consumer rights.  Controllers are prohibited from processing certain data qualifying as “sensitive data” without first presenting the consumer with clear notice and providing an opportunity to opt-out of processing.

Processors must follow a controller’s instructions and must enter into a contract that incorporates certain enumerated requirements (e.g., requirements pertaining to duty of confidentiality and data privacy and security safeguards) before processing data on behalf of the controller.

Applicability

The bill applies to:

  1. Businesses who (a) (i) conducts business in Utah; or produces a product or service targeted to consumers who are Utah residents; (b) has an annual revenue of $25,000,000 or more; and (c) satisfies one of more of certain enumerated thresholds (e.g., controls or processes the personal data of 100,000 or more consumers; or derives over 50% of gross revenue from the sale of personal data);
  2. “Personal Data,” which is information that can be linked (or is reasonably linkable to) an identified or identifiable individual, with exclusions; and
  3. “Biometric data,” which is “automatic measurements of an individual’s unique biological characteristics” that can identify a specific individual, excluding, among others, photographs or video recordings (or data derived from either).

The bill does not apply to, among others:

  1. Government entities;
  2. Business entities that are covered entities or business associates pursuant to the Health Insurance Portability and Accountability Act (“HIPAA”); and
  3. Information subject to HIPAA, the Federal Credit Reporting Act (“FCRA”), the Gramm-Leach-Bliley Act (“GLBA”), or the federal Drivers Privacy Protection Act (“DPPA”).

Consumer Rights

The bill protects “consumers,” which are individuals who are Utah residents acting in an individual or household context, not in an employment or commercial context.  Consumers would have the rights of access, correction, deletion, portability, and right to opt-out of certain processing.  Consumers also have a right to opt-out of certain processing, including the “sale” of personal data.

The parents or legal guardians of consumers who are children (under 13 years old) may exercise consumer rights on behalf of the child.  The personal data of children is considered “sensitive data” under the Utah Consumer Privacy Act.  The bill as currently drafted requires controllers to process the personal data of known children according to the requirements of the federal Children’s Online Privacy Protection Act (“COPPA”).

No Right of Private Action

The bill as currently drafted does not grant a private right of action and explicitly precludes consumers from using a violation of the Act to support a claim under other Utah laws, such as laws regarding unfair or deceptive acts or practices.

Risk of Enforcement Action

The Utah Consumer Privacy Act grants exclusive enforcement authority to the Utah Attorney General.  However, before the Attorney General initiates an enforcement action, the Attorney General must first provide the allegedly non-compliant business with (1) written notice (30 days before initiating enforcement action) and (2) an opportunity to cure (30 days from receipt of the written notice).

What’s Next

The Utah Consumer Privacy Act was previously introduced in 2021 (as S 200) and in 2020 (as S 429).  In 2021, S 200 passed the first and second Senate floor readings, but failed to get a third Senate floor reading despite a substitute bill and fiscal note being distributed.  The Utah legislature closes on March 4, 2022.

It remains to be seen how the 2022 version of the Utah Consumer Privacy Act will fare in the Utah House, but CPW will be here to keep you in the loop.

The Interactive Advertising Bureau (IAB) and IAB Tech Lab have proposed updates their industry level agreements and privacy signal program to support the efforts of marketers, agencies, publishers, and ad tech companies to comply with the US state privacy laws going into effect in 2023. The comment period on the updates is open until October 27. Continue Reading Ad Industry Group Modifies Its Compliance Program to Address 2023 US State Privacy Laws

This blog post is a bonus supplement to our quarterly Artificial Intelligence and Biometric Privacy Quarterly Review Newsletter. Be on the lookout for our Q3 Newsletter!

We are quickly approaching the Jan. 1, 2023 operative date of most of the provisions of the California Privacy Rights Act (“CPRA), which, as most of us know by now, substantially amends the CCPA. Under the CPRA, the California Privacy Protection Agency (“CPPA” or “Agency”) has a mandate to issue regulations on a number of specific topics. With just fewer than three months to go until January 1, regulations are not even close to being finalized.  The Agency released the first draft of proposed regulations on May 24, and the first public comment period ended on August 23. In a meeting held by the CPPA on Friday, September 23, the Agency gave no concrete sense of timing or any comments on topics, such as those discussed in this post, for which regulations have not even been issued. This has left many businesses feeling left in the lurch, uncertain of what to do. Continue Reading Profiling and Automated Decision-Making: How to Prepare in the Absence of Draft CPRA Regulations

Kyle Fath, partner in the firm’s Data Privacy, Cybersecurity & Digital Assets group and Los Angeles Office, was appointed this month to serve on the Connecticut Data Privacy Act (CTDPA) working group by the joint standing committee of the Connecticut General Assembly.

Continue Reading Kyle Fath appointed to Connecticut Privacy Legislation Working Group

We head into the fourth quarter on the heels of the first public California Consumer Privacy Act (CCPA) civil penalty, while also looking ahead to the new state privacy laws in Virginia, Colorado, Connecticut, and Utah and the significant updates that the California Privacy Rights Act (CPRA) will bring to the CCPA. Considering that regulations are yet to be finalized in both California and Colorado, it is no surprise that some businesses are uncertain regarding how to proceed. To help businesses address both current risks, as demonstrated by recent enforcement, as well as the “new” 2023 privacy requirements, we have developed guidance materials, including high-level workstreams, covering the following topics:

  1. Preparing for the 2023 State Privacy Laws
  2. HR and B-to-B Data CCPA/CPRA Compliance Primer
  3. Lessons from the First CCPA Civil Penalty Case
  4. Takeaways from the First Draft of Revised CCPA/CPRA Regulations

Click here to download the guidance. More detailed guidance and workstreams, as well as model materials with customization support, are available to clients. Contact your SPB relationship partner for more information.

In a CLE webinar earlier this week, Malcolm Dowden (Partner, London) and Niloufar Massachi (Associate, Los Angeles) discussed evaluating, drafting, and updating vendor agreements to meet the privacy and security requirements of new US privacy laws and the GDPR.

Continue Reading Malcolm Dowden and Niloufar Massachi Discuss Vendor Contracting Requirements Under New US Privacy Laws and the GDPR