Utah’s New Privacy Law: Will This New Balance Become the Norm? | Dorsey & Whitney LLP


Governor Spencer Cox of Utah has now signed into law the Utah Consumer Privacy Act (“UCPA”), which was recently passed unanimously by the Utah Legislature and which will go into effect on December 31, 2023. Utah joins California, Colorado, and Virginia as the fourth state to enact comprehensive privacy legislation. Of the three aforementioned states, the UCPA most closely resembles the Virginia Consumer Data Protection Act (“VCDPA”) and the Colorado Privacy Act (“CPA”), following what appears to be a trend toward privacy laws that are less ambitious than the California Consumer Privacy Act (“CCPA”).

What does the UCPA do?
Application. The UCPA applies to any controller or processor that:

  1. Conducts business in the state of Utah or produces products or services that are targeted to consumers who are residents of Utah;
  2. Has annual revenue of $25 million or more; and either
  3. Controls or processes the personal data of 100,000 or more Utah consumers, or derives more than 50% of its gross revenue from the sale of personal data and controls or processes the personal data of 25,000 or more Utah consumers.

Exemptions. The UCPA does not apply to government entities, tribes, institutions of higher education, or nonprofit corporations; nor does it apply to covered entities, business associates, or information governed by the federal Health Insurance Portability and Accountability Act (“HIPAA”), financial institutions and information subject to the Gramm-Leach-Bliley Act (“GLBA”), information subject to the Fair Credit Reporting Act (“FCRA”), or personal data regulated by the Family Educational Rights and Privacy Act (“FERPA”). The UCPA further exempts entities such as consumer reporting agencies and their affiliated activities, among other defined exemptions.

Consumer rights. The UCPA provides consumers with the following privacy rights:

  • Access – the right to confirm whether a controller is processing the consumer’s personal data and to access that personal data;
  • Deletion – the right to delete the personal data that the consumer has provided to the controller;
  • Portability – the right to obtain a copy of the consumer’s personal data in a portable and readily usable format that allows the consumer to transmit the data to another controller without hindrance; and
  • Opt out – the right to opt out of the processing of the consumer’s personal data for purposes of targeted advertising or the sale of personal data.

Controllers must provide a process for consumers to exercise their rights. Consumers must specify in their requests the right they intend to exercise, and controllers are required to respond within forty-five days of receipt of a request. Controllers may extend the forty-five-day period, but must communicate the justification for the extension to the consumer. Controllers may not charge a fee for information requested or provided in response to a request, unless the request is deemed duplicative, harassing, or unduly burdensome to the controller.

Obligations of controllers. Controllers have the following duties and responsibilities:

  • Transparency, purpose specification, and data minimization – A controller must provide consumers with a reasonably accessible and clear privacy notice that includes (1) the categories of personal data being processed; (2) the purposes for which the personal data is processed; (3) how and where consumers can exercise a right; (4) the categories of personal data the controller shares with third parties; and (5) the categories of third parties with whom the controller shares personal data;
  • Consent for secondary use – A controller cannot process a consumer’s sensitive data without first presenting the consumer with clear notice and an opportunity to opt out;
  • Security – A controller must maintain reasonable data security practices to protect personal data and reduce the risk of consumer harm associated with data processing;
  • Non-discrimination and non-retaliation – A controller cannot discriminate against a consumer for exercising a right; and
  • Non-waiver of consumer rights – Any contractual provision purporting to limit or waive a consumer’s rights under the UCPA is void.

Enforcement. Violations are enforceable only by the Utah Attorney General’s Office. Before the Attorney General can bring an enforcement action, the controller is entitled to a thirty-day cure period, beginning with written notice explaining the basis of the alleged violation and giving the controller an opportunity to cure it.

Compared to other existing privacy laws
The VCDPA, CPA, and UCPA share a number of important elements, but also have important differences. Key commonalities include:

  • No private right of action (unlike the CCPA’s private right of action for a data breach);
  • Comparable definitions of “personal data”; and
  • Thirty-day cure period (same as Virginia; Colorado has a sixty-day cure period, and California’s thirty-day cure period is scheduled to be repealed in 2023).

Beyond the VCDPA and the CPA, the UCPA and the CCPA have in common:

  • No right of appeal if a controller denies a consumer request (the CPA and VCDPA require a process for consumers to appeal a denial).

Unlike the other existing state privacy laws, the UCPA:

  • Does not require data protection assessments (“DPAs”);
  • Does not give consumers a right of correction/accuracy;
  • Allows consumer opt-out only for targeted advertising and sale of personal data; and
  • Provides consumers with a limited right to erasure that applies only to personal data that the consumer has provided to the controller.

Interaction with Utah’s Cyber Safe Harbor
The UCPA’s obligation to maintain reasonable data security practices to protect personal data and reduce the risk of consumer harm is an interesting and important supplement to Utah’s Cybersecurity Affirmative Defense Act (hereafter “Utah Safe Harbor” or “Safe Harbor”), enacted last year on March 11, 2021, which provides an affirmative defense to claims arising from a breach of security for companies that maintain a written cybersecurity program.

In summary, Utah businesses now have even more incentive to complete the relatively simple steps needed to qualify for Safe Harbor, including:

  1. Create, maintain, and reasonably comply with a written cybersecurity program that meets certain minimum requirements; and
  2. Maintain protocols for notifying individuals of security breaches.

To meet the minimum technical requirements, a written cybersecurity program must conform to a recognized cybersecurity framework, such as those published by the National Institute of Standards and Technology (“NIST”) or the International Organization for Standardization (the “ISO 27000” series), among others. Compliance with the security standards described in HIPAA, GLBA, or other applicable federal or state regulations, including the recently enacted UCPA, may also qualify a program under Safe Harbor.

Upcoming Best Practices
As more and more states consider enacting their own privacy laws, understanding which state laws apply to them, and complying with each, will become increasingly difficult for companies operating in multiple states. For these companies, keeping up with changing law will be an ongoing and essential part of doing business. Companies that collect or process consumer personal data in Utah must ensure that they:

  1. Know what personal data is collected and to which “category” this data belongs;
  2. Know how personal data is processed, including the purpose for which it is processed;
  3. Know with whom the personal data is shared and to which “category” the potential third parties belong;
  4. Draft appropriate disclosures, paying particular attention to the specific notification requirements that the laws describe;
  5. Develop processes and procedures to facilitate and respond to consumer requests, whether those requests are for personal information or to opt out of processing of personal information; and
  6. Document and reassess each of these elements on an annual basis.
