And The Next State Is….Utah – Utah Becomes The Fourth State To Pass A State Privacy Law
On March 24, 2022, Utah became the fourth state to pass a comprehensive privacy law, the Utah Consumer Privacy Act (“UCPA”). The UCPA is similar to both Colorado’s Consumer Privacy Act (“CPA”) and Virginia’s Consumer Data Protection Act (“VCDPA”), and in certain respects follows California’s Consumer Privacy Act (as amended) and California’s Privacy Rights Act (collectively, “CCPA/CPRA”), although CCPA/CPRA continues to have a broader reach, with lower application thresholds, than each of UCPA, CPA and VCDPA.
The UCPA applies to a controller or processor that (1) conducts business in Utah or produces a product or service targeted to Utah residents; (2) has annual revenue of $25 million or more; and (3) satisfies at least one of the following thresholds: (a) during a calendar year, controls or processes the personal data of 100,000 or more Utah residents, or (b) derives over 50% of its gross revenue from the sale of personal data, and controls or processes the personal data of 25,000 or more consumers.
The UCPA like each of the three prior state comprehensive privacy laws grants residents of their state certain individual rights, including the right to delete personal data, the right to receive a copy of personal data or access to personal data and the right to opt-out of sales of personal data or target advertising. Also, like each of the three prior state laws, the UCPA will require controllers to provide privacy notices to individuals, implement reasonable and appropriate data security measures and include certain specific contractual provisions in contracts with processors.
California continues to be the only one of the now-four passed comprehensive state privacy laws that include a private right of action.
Following the CPA’s and VCDPA’s footsteps, the UCPA has exemptions for individuals acting in an employment or commercial (business to business) context and exemptions for entities subject to the Health Insurance Portability and Accountability Act of 1996 and financial institutions subject to the Gramm-Leach-Bliley Act.
The UCPA becomes effective on December 31, 2023.
As additional states continue to analyze and review the passing of comprehensive privacy laws, organizations need to understand the potential effects these laws may have on their operations. McGrath North’s team provides a practical approach to help your organization create an efficient plan to operationalize a privacy and security compliance program to allow for flexibility in this ever-changing privacy law atmosphere. Contact McGrath North’s privacy and cybersecurity practice group today to understand the current state of privacy law in a particular state, nationally and/or internationally to confirm your organization’s obligations.