Utah: Enforcement under UCPA compared with State privacy laws
Utah recently became the fourth U.S. State to pass comprehensive data privacy legislation, joining California, Colorado, and Virginia. The Utah Consumer Privacy Act ('UCPA') was signed into law on 24 March 2022. The UCPA will enter into force in December 2023, at the same time as California's second comprehensive privacy law - the California Privacy Rights Act of 2020 ('CPRA'), Colorado's privacy legislation - the Colorado Privacy Act ('CPA'), and Virginia's privacy law - the Virginia Consumer Data Protection Act ('CDPA'). Clifford F. Blair and Rachel Naegeli, from Kirton McConkie, compare the enforcement provisions of these four States' privacy statutes.
Scope of application
The UCPA applies to organisations conducting business in Utah, or targeting consumers in Utah, that meet the following two conditions:
- the organisation's total annual revenue is at least $25 million; and
- the company either (a) collects or processes information for at least 100,000 consumers, or (b) controls or processes the information of 25,000 consumers and derives over 50% of its annual revenue from the sale of personal data.
The UCPA exempts certain types of businesses from compliance, including governmental entities, institutions of higher education, and not-for-profit corporations, and does not apply to personal data that is already protected by federal laws, such as the Health Insurance Portability and Accountability Act of 1996 ('HIPAA'), the Gramm-Leach-Bliley Act of 1999 ('GLBA'), and the Fair Credit Reporting Act of 1970 ('FCRA').
Highlighting all the differences between the UCPA and other State privacy legislation is outside the scope of this article; yet there are two fundamental differences in the scope of application of these statutes that should be mentioned. In this regard, a major difference is Utah's revenue threshold. Unlike the other privacy regimes, Utah's statute only applies to organisations that exceed its $25 million threshold, without exception, regardless of the number of Utah consumers whose information is being processed.
Another feature of the UCPA that differs from California's and Colorado's legislation, and that impacts its scope of application, is the UCPA's definition of 'sale'. When California's first consumer privacy act, the California Consumer Privacy Act of 2018 ('CCPA'), was adopted in 2018, its broad definition of 'sale' caused a stir among organisations doing business in California because it expanded the long-accepted notion of a sale. The CCPA defined sale broadly to include the exchange of personal data for monetary 'or other valuable consideration' to a third party. Colorado's CPA defines sale similarly. By contrast, the UCPA - like Virginia's CDPA - limits the definition of sale to the 'exchange of personal data for monetary consideration by a controller to a third party'. California's broad definition has given rise to debate and follow-up legislative activity focusing on the definition of 'valuable consideration'. Many organisations subject to the CCPA that engage in cross-context behavioural advertising, or that allow analytics companies to process personal data in exchange for analysis, have chosen to address the ambiguity by including statements in their privacy notices alerting consumers that some arrangements that would not traditionally be considered sales may nevertheless be considered 'sales' under the CCPA.
The UCPA provides relief to organisations processing Utah personal data by eliminating this grey area, providing certainty through a clearer definition that reflects a more traditional notion of a sale. Finally, the UCPA contains a useful exception from the definition of sale that makes it even narrower than the CDPA or CPA. Under the UCPA, sale does not include the 'disclosure of personal data to a third party if the purpose is consistent with a consumer's reasonable expectations'.
Having discussed how the four existing State consumer privacy statutes differ in their scope of application, the remainder of this article will focus on the enforcement provisions of the four States' statutes.
Under California's 2018 legislation, the CCPA, the California Attorney General ('AG') is responsible for enforcing its provisions. The CPRA shifts enforcement away from the AG, creating the California Privacy Protection Agency ('the Agency'). The Agency will have the full administrative power, authority, and jurisdiction to implement and enforce the CCPA and CPRA, including issuing fines for violations. Like the CCPA, but in contrast with California's more recent approach in the CPRA, Colorado's CPA tasked the Colorado AG with implementing and enforcing the CPA. Virginia's CDPA grants the Virginia AG exclusive enforcement authority and the power to seek injunctive relief and damages for each violation. Utah's enforcement mechanism is somewhat of a hybrid between these two approaches.
The Utah Division of Consumer Protection ('the Division') is tasked with investigating consumer complaints under the UCPA, which it can then refer to the Utah AG. The Utah AG holds exclusive enforcement authority and may bring an action for uncured violations and recover actual damages to the consumer and $7,500 per violation in civil penalties.
In Utah, Colorado, and Virginia, there is no private right of action. In California, by contrast, both the CCPA and CPRA grant a limited private right of action for consumers under certain circumstances.
The enforcement provisions of these privacy statutes also differ in their cure provisions. Under California's CCPA, once a company is notified of alleged non-compliance, it is given an automatic 30-day period to cure its non-compliance. The CPRA will eliminate the CCPA's 30-day notice and cure provision. While there will no longer be an automatic cure period, the newly formed Agency in California will have discretion to provide a business with time to cure the alleged violation, which determination will take into consideration a lack of intent to violate the CPRA and any voluntary efforts to cure the violation. Utah took an approach similar to the CCPA. The Utah AG must provide entities with written notice of an alleged violation and a 30-day opportunity to cure. Virginia's CDPA also provides a 30-day cure window. The Colorado CPA provides the longest window, a 60-day cure period for alleged violations.
In Colorado, the CPA gives the Colorado AG authority to adopt rules governing privacy. This rulemaking authority is consistent with the approach taken in California, but is notably absent from the Virginia and Utah statutes. In Utah, while the Division is empowered to set up a system to receive and investigate complaints under the UCPA, it is not specifically authorised to adopt additional rules regarding privacy. Neither the Division nor the AG has explicit rulemaking authority under the UCPA. Like the UCPA, Virginia's CDPA does not provide the Virginia AG with rulemaking authority.
Utah's new consumer data privacy protection law will enter into force on 21 December 2023. There is no interim rulemaking period, so organisations that process Utah personal data in a manner that triggers the UCPA's application should begin to prepare for its implementation now. For practical purposes, organisations that are also subject to the CPRA, the CPA, and CDPA should be aware that complying with the UCPA will not necessarily mean compliance with the laws in those other States. For this reason, Utah attorneys should remain alert to the changing legal environment in the other States, even as they assist their clients in complying with the UCPA.