Utah: UCPA compared with State privacy laws and GDPR
On 24 March 2022, Utah Governor Spencer Cox signed the Utah Consumer Privacy Act ('UCPA') into law, making Utah the latest State to adopt comprehensive privacy legislation. The UCPA - along with the California Privacy Rights Act of 2020 ('CPRA'), the Colorado Privacy Act ('CPA'), and the Virginia Consumer Data Protection Act ('CDPA') - makes up a new wave of laws going into effect in 2023 ('the 2023 Laws') that will reshape the privacy landscape in the US.
The UCPA tracks closely with the CDPA, and it is unlikely to drastically impact the compliance regime for businesses subject to the other 2023 Laws or the General Data Protection Regulation (Regulation (EU) 2016/679) ('GDPR'). However, the UCPA does include certain differences, largely in ways that narrow its application and lessen the burdens on controllers. In this sense, the UCPA may become a new model for more States that tend to lean more conservative and pro-business. In this article, Gregory Szewczyk, Partner at Ballard Spahr LLP, explores some of these differences.
Like the CPA and CDPA, the UCPA generally uses the GDPR's terminology of controller, processor, and personal data. By contrast, the CPRA uses terms such as business, service provider, and personal information. However, all of the 2023 Laws refer to 'consumers' rather than the GDPR's 'data subjects'. As explained below, that distinction is more than just a difference in diction: it reflects a substantively different scope as it relates to the personal data of employees and in the business-to-business ('B2B') context.
This article is generally based on the terminology used in each law. However, for the ease of reading, equivalent terms are used interchangeably when comparing and contrasting rights and obligations.
Narrower applicability thresholds
As a preliminary matter, the 2023 Laws take a fundamentally different approach to applicability than the GDPR. At a very general level, the 2023 Laws apply when a controller conducts business in the State, plus meets additional thresholds, whereas the GDPR applies when a controller has an establishment in the EU or targets and monitors EU data subjects. Please note that all of these laws have nuances that significantly impact applicability, and companies should conduct a thorough and complete analysis to determine whether any particular law applies to them.
As with many of its differences, the UCPA's applicability thresholds are narrower than the other 2023 Laws. Essentially, the UCPA requires both the annual revenue threshold of the CPRA (which is a standalone threshold under the CPRA), plus one of the CDPA's processing thresholds. Thus, in order to be subject to the UCPA, a controller or processor must:
- conduct business in the State;
- have an annual revenue of $25 million or more; and
- either (a) control or process the personal data of 100,000 or more Utah consumers in a calendar year, or (b) derive over 50% of its revenue from the sale of personal data, and control or process the personal data of 25,000 Utah consumers or more.
The UCPA follows the model set by Colorado and Virginia by excluding employee and B2B data entirely. By contrast, the CPRA contains limited exemptions for these categories of personal data, and the GDPR does not contain any exemptions at all. Notably, these limited exemptions in the CPRA are subject to a sunset clause and are set to expire on 1 January 2023, which is the date the CPRA goes into effect. While amendments have been introduced to extend the limited exemptions, there is no guarantee that they will pass. Further, even if the amendments pass, they will likely face constitutional challenges. The extent to which employee and B2B data will be exempt under the CPRA is therefore unclear.
The UCPA exempts personal data governed by certain U.S. federal regulations, including the Health Insurance Portability and Accountability Act of 1996 ('HIPAA'), the Gramm-Leach-Bliley Act of 1999 ('GLBA'), and the Fair Credit Reporting Act of 1970 ('FCRA'). As with the other 2023 Laws, the scope of the exemption can be limited and depends on the processing. Notably, the UCPA follows the Colorado and Virginia model of providing a full exclusion for financial institutions regulated by the GLBA, whereas the CPRA only exempts non-public personal information regulated by the GLBA. The GDPR does not include any exemptions for such data regulated by U.S. sector-specific laws.
The UCPA follows the CPRA and the CDPA in exempting non-profit organisations. By contrast, the CPA and the GDPR apply to non-profits that are otherwise subject. Like the CDPA, the UCPA also includes an express exemption for institutions of higher education, whereas the CPA's exemption for institutions of higher education appears to apply only to Colorado institutions. Finally, the UCPA includes an exemption for 'tribes'.
No express prohibition on dark patterns in consent
The concept of dark patterns generally refers to the use of an interface designed to manipulate, subvert, or impair a user's autonomy, decision-making, or choice. In practice, dark patterns are often used to manipulate a user into making a certain choice, or prevent them from knowing they are making a choice at all.
Like the CDPA, the UCPA does not address or prohibit the use of dark patterns. The CPA and CPRA, on the other hand, expressly prohibit the use of dark patterns in the context of obtaining consent. Nonetheless, the use of dark patterns could render consent ineffective under the UCPA, as consent is defined to mean an affirmative act that unambiguously indicates the consumer's voluntary and informed agreement.
No opt-in consent for sensitive data
The UCPA defines 'sensitive data' to mean:
- personal data that reveals an individual's racial or ethnic origin, religious beliefs, sexual orientation, citizenship or immigration status, or information regarding an individual's medical history, mental health condition, or medical treatment or diagnosis by a healthcare professional;
- the processing of genetic personal data or biometric data, if the processing is for the purpose of identifying a specific individual; or
- specific geolocation data.
The UCPA does not require opt-in consent to process sensitive data, unless the data concerns a child. Instead, the UCPA requires controllers to provide the consumer with clear notice and an opportunity to opt out of sensitive data processing. The CPRA takes a similar approach, requiring disclosures on uses and retention, as well as opt-out rights to limit use and disclosure. By contrast, the CPA and CDPA both require opt-in consent to process sensitive data. The GDPR also requires opt-in consent, subject to several exceptions.
Narrower opt-out rights
The UCPA's opt-out rights share similarities and differences with the other 2023 Laws. Like all of the laws, the UCPA requires controllers to provide consumers with the right to opt out of sales and targeted advertising. However, the UCPA does not provide a right to opt out of profiling. In fact, the UCPA does not address profiling at all. By contrast, the CPA, CPRA, and CDPA all require controllers to allow consumers the right to opt out of profiling, although the definitions and scope differ between the CPRA on the one hand and the CPA and CDPA on the other.
With respect to 'sales', the UCPA restricts the definition of 'sale' to 'the exchange of personal data for monetary consideration by a controller to a third party'. This definition tracks the CDPA, but differs from the CPA and CPRA, which expand the definition of sale to include an exchange for 'other valuable consideration'.
The UCPA also includes an exception to the definition of sale, whereby a sale does not occur if the disclosure to a third party is for a purpose consistent with the consumer's reasonable expectations given the context. This exception does not appear in the other 2023 Laws.
Like the CDPA, the UCPA does not require controllers to honour a universal opt-out mechanism. By contrast, the CPA specifically requires controllers to do so in accordance with the forthcoming rules, and the CPRA contemplates a similar process.
Narrower right to delete
As with the other 2023 Laws, the UCPA provides consumers with a right to delete. However, that right to delete does not apply to all data collected by controllers. Instead, it applies only to personal data that the consumer provided to the controller. It therefore does not apply to personal data that the controller collects from third parties, and it may not apply to inferences that the controller developed internally.
The CPA and CDPA, on the other hand, extend that right to all data 'concerning' the consumer. The GDPR's right of erasure similarly applies to data concerning a data subject. The CPRA also provides a broader deletion right as to all information a business collects about a consumer. Further, an existing California opinion from the Attorney General ('AG') explains that data 'collected about a consumer' includes inferences developed internally.
No right to correct
Unlike the other 2023 Laws and the GDPR, the UCPA does not provide consumers with the right to correct their personal data.
No right to appeal
The CPA and the CDPA both require controllers to create a process for consumers to appeal a refusal to act on consumer rights requests. The GDPR contains a similar right to object.
The UCPA, however, does not contain this right.
No data protection assessments
The CPA and CDPA both require controllers to conduct data protection assessments before a controller conducts certain types of higher risk processing. The GDPR contains a similar requirement, although it refers to the exercise as a Data Protection Impact Assessment ('DPIA'). The CPRA also contains a similar concept in its risk assessment provisions, the specifics of which will be addressed through the forthcoming regulations.
The UCPA, on the other hand, does not require data protection assessments.
Permanent cure period
Like the CDPA, the UCPA contains a 30-day cure period before the Utah AG can bring an action for an alleged violation. The CPA and CPRA cure periods contain sunset clauses.
No private right of action
Like the CPA and CDPA, the UCPA does not provide a private right of action through which consumers can bring claims for alleged violations. The CPRA, on the other hand, affords a private right of action with statutory damages for security breaches caused by a business' failure to implement reasonable security measures.
Gregory Szewczyk Partner
Ballard Spahr LLP, Denver