Preparing for the Tidal Wave and Preparing for the Tsunami: Utah Becomes Fourth State to Pass Privacy Legislation | Bradley Arant Boult Cummings LLP


At last count, at least 39 states have introduced (or passed) comprehensive privacy legislation. After what was once a legislative mole watching and waiting game, we are now seeing this legislation being passed and implemented more regularly and more quickly.

For example, within two months of the start of the new year, Senate Bill 227, titled the Utah Consumer Privacy Act (UCPA), passed both houses of the Utah Legislature and is awaiting now the signature of Utah Governor Spencer J. Cox from March. 3. Once in office, Governor Cox can sign or veto the UCPA before it becomes law after 20 days. If enacted, Utah will quickly become the fourth state to pass comprehensive data privacy legislation in the United States, following California, Colorado and Virginia. The UCPA would come into effect on December 31, 2023.

The UCPA closely resembles the Virginia Consumer Data Privacy Act (VCDPA) and the Colorado Privacy Act (CPA), but also shares provisions with the California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA).

You can read the full text of the UCPA here.

What does this mean for your business? We highlight key aspects of the UCPA below:

Which companies are affected?

The UCPA would apply to all for-profit controllers and processors that generate annual revenues of at least $25 million by (a) doing business in the state or (b) producing products or services intended for in-state residents, and meet one of two thresholds:

  1. In a calendar year, processes the personal data of at least 100,000 state residents, or
  2. Derives more than 50% of its gross revenue from the sale of personal data and processes the personal data of at least 25,000 state residents.

The UCPA threshold of $25 million adds an additional component to consider (namely an annual income and processing requirement), unlike the singular components of CCPA/CPRA, VCDPA or CPA.

Personal data vs sensitive data

Like the CCPA/CPRA, the VCDPA and the CPA, the UCPA differentiates between “personal data” and “sensitive data”. The UCPA defines “sensitive data” as personal data revealing racial or ethnic origins, religious beliefs, sexual orientation, citizenship or immigration status, medical history or health information, biometric data and specific geolocation data. However, the UCPA exempts the collection of personal data revealing racial or ethnic origins when processed by a “video communications service”, an undefined term. This exclusion has existed in the UCPA since the bill proposed by the Utah Legislature in 2021.

Unlike the CPA and VCDPA, the UCPA does not require consent before a controller can lawfully process sensitive data, only that “clear notice” and an “opt-out” be provided to the controller. prior.

Consumer rights

The UCPA provides rights similar to existing national privacy laws:

  1. Right to Know/Access: Consumers can ask if a controller is processing their personal data and have access to personal data.
  2. Right to deletion: The consumer can order the controller to delete the personal data provided by the consumer.
  3. Right to transmit/carry: Similar to the VCDPA, a consumer can ask the controller to transfer their personal data to another controller where the processing is carried out by automated means.
  4. Right of withdrawal : Consumers can object to the processing of their personal data for the purposes of targeted advertising and the sale of their personal data. In addition, although not listed under the right of withdrawal, consumers also have the right to object to any processing of their sensitive data, unless waived as mentioned above.

The right to rectification is notably absent from the UCPA, unlike the other three states which all grant consumers the right to correct inaccuracies in their personal data processed by the data controller.

No data protection assessment obligation

The UCPA does not require any risk or data protection assessment before processing consumer personal data. Both the CPA and the VCDPA require data protection assessments to be carried out where any processing presents an “increased risk of harm to a consumer”. Similarly, the CCPA/CPRA directs the implementation of regulations for companies to perform regular “risk assessments” and “cybersecurity audit” when the processing “presents a significant risk to consumer privacy or security. “.

Sanctions, Investigations and Amendment Procedures

In what is largely a point of contention for states seeking to enact privacy legislation, the UCPA does not grant a private right of action for any violation of the UCPA. Only the Utah Attorney General can enforce the UCPA. Offending entities have a 30-day processing period before Utah AG can take action. By filing an action, Utah AG may recover actual damages to the consumer of up to $7,500 for each violation of the UCPA. If multiple controllers or contractors are involved in the same violation, each may be liable for their respective percentage of fault.

Similar to the VCDPA, the UCPA grants no regulatory authority to the Utah AG. However, the UCPA directs Utah AG to compile a report that (a) assesses the liability and enforcement provisions of the UCPA, and (b) summarizes the data protected and unprotected by the UCPA. The Utah AG must then submit this report to the Interim Business and Labor Committee of the Utah Legislature by July 1, 2025. This report will notify the Legislature if changes are warranted.


The UCPA has a multitude of derogations. Below is a list of notable entities and information not applicable to the UCPA:

  1. Employee and Business-to-Business (B2B) Exemption: The UCPA only applies to personal data about state residents who are acting in an individual or family context. This contrasts with the CCPA, whose exemptions are set to expire when the CPRA comes into force on January 1, 2023.
  2. Financial Institutions, Financial Institution Affiliates, and GLBA Regulated Information
  3. Covered Entities, Business Associates, and HIPAA Regulated Protected Health Information
  4. FERPA Regulated Information
  5. Non-profit companies


Given that another state data privacy law passed so quickly in 2022, Utah certainly won’t be the last legislation we see this year. To date, Florida, Indiana, Oklahoma and Wisconsin have already proposed privacy bills in their respective homes. It’s probably only a matter of time before we’re inundated with a complex patchwork of state laws that privacy experts say would be happening for years.

Source link


Comments are closed.