Utah is on the verge of passing a comprehensive state privacy law, potentially joining California (CCPA/CPRA), Virginia (VCDPA), and Colorado (CPA) as the fourth U.S. state to enact such a law. Yesterday, March 2, 2022, the Utah House of Representatives approved the Utah Consumer Privacy Act (“UCPA”) with a vote of 71-0. The House’s approval follows the Utah Senate’s approval of the bill several weeks ago with a vote of 28-0. While there are still some legislative formalities required for the bill to become law (such as the governor’s signature of the bill), companies should start familiarizing themselves with the bill and what it means for compliance. Overall, UCPA generally tracks VCDPA, with some notable differences that may make it more business-friendly. Below we have identified some of the differences between UCPA and the other comprehensive state privacy laws.
Effective Date
Companies will have time to prepare for UCPA. UCPA is set to take effect on December 31, 2023. CCPA took effect in January 2020, and will be replaced with CPRA on January 1, 2023. VCDPA and CPA take effect on January 1, 2023 and July 1, 2023, respectively.
Applicability
UCPA will apply to companies that:
- Conduct business in Utah or produce a product or service that is targeted to consumers who are residents of Utah AND
- Have an annual revenue of $25 million or more AND
- Control or process personal data of 100,000 consumers or more OR derive over 50% of their gross revenue from the sale of personal data AND control or process data of 25,000 or more consumers
These requirements are very similar to CPRA, VCDPA, and CPA. Notably, the standalone $25 million revenue requirement is not present in VCDPA.
Investigation and Enforcement
Perhaps the most notable difference between UCPA and the other comprehensive state privacy laws is the two-step process for enforcement. First, a consumer complaint must be submitted to the Division of Consumer Protection constituted under the Utah Department of Commerce (“Division”). The Division then investigates the complaint and determines whether there is “reasonable cause” to believe that there has been a violation of UCPA. If reasonable cause is found, the Director of the Division then refers the matter to the Attorney General. Upon this referral, the AG may then initiate an enforcement action. However, companies will still be given a 30-day cure period. These procedural hurdles are unique and will likely slow or limit enforcement when compared to other privacy laws.
Loyalty Programs
As we have previously discussed, loyalty programs are facing increased scrutiny in California. In contrast, UCPA provides a broad ability to charge differing rates to consumers based on their privacy preferences by expressly allowing a controller to offer a “different price, rate, level, quality or selection of good or service” if it relates to voluntary participation in a loyalty or rewards program or if the consumer has opted out of targeted advertising.
Data Protection Assessments
Unlike VCDPA, UCPA lacks a requirement for companies to conduct data protection risk assessments.
Data Subject Rights
UCPA provides a narrower set of consumer rights than VCDPA, CPRA, and CPA. Specifically, UCPA does not include the right to correct inaccuracies in a consumer’s data or the right to opt out of profiling (defined in VCDPA as “any form of automated processing performed on personal data to evaluate, analyze, or predict personal aspects related to an identified or identifiable natural person’s economic situation, health, personal preferences, interests, reliability, behavior, location, or movements”).
* * * *
It is possible aspects of UCPA will change before enactment. We will continue tracking the changing legislative landscape, including with respect to UCPA, and report back as new laws come into play.