Utah has become the fourth state to enact a comprehensive consumer privacy statute. See Utah Consumer Privacy Act (“UCPA”). California was the first State to enact such a law in 2018 and, since then, Virginia and Colorado have passed similar legislation. The UCPA will go into effect on December 31, 2023.
On the "up side," the UCPA demonstrates that politicians still understand, or at least pretend to understand, the need to protect consumers against the misuse of personally identifiable data and other sensitive information. More than 30 State legislatures have introduced similar privacy legislation in the last couple of years, and we can expect more statutes to pass soon. On the "down side," however, the UCPA lacks the robustness of the previously enacted statutes. Indeed, the UCPA contains so many exceptions, holes and internal contradictions that one might consider it mere "window-dressing" that gives pleasant-sounding talking points to Utah politicians. Hopefully, the UCPA will not be used as a template for future legislation.
As one example, the UCPA purports to protect "sensitive" consumer data such as race, sexual orientation, religious beliefs, biometric data and specific geolocation data. See § 13-61-101(32). However, "sensitive data" does not include personal data that reveals an individual's racial or ethnic origin if the personal data are "processed by a video communication service." That is an enormous exception given the extensive use of video surveillance, the increasing use of video-conferencing, the fact that every smartphone has a camera, the sophistication of facial recognition software, and so on. "Sensitive data" also does not include personal data "if the personal data are processed by a person licensed to provide health care…" That is another enormous exception. With respect to "specific geolocation data," the following are excluded:
- The content of a communication and
- Any data generated by or connected to advanced utility metering infrastructure systems or equipment for use by a utility
Similar exclusions apply to "biometric data." Biometric data is covered by the UCPA, but the definition of "biometric data" does not include physical or digital photographs, video or audio recordings, or "information captured from a patient in a health care setting."
As another example of the lack of robustness, the UCPA exempts from its requirements a very long list of businesses and organizations including:
- Healthcare organizations and providers, including covered entities and business associates under HIPAA
- A governmental entity or a third party under contract with a governmental entity
- A tribe
- An institution of higher education
- A nonprofit corporation
- An air carrier
- Credit reporting agencies, for activity "… involving the collection, maintenance, disclosure, sale, communication, or use of any personal data bearing on a consumer's credit worthiness, credit standing, credit capacity, character, general reputation, personal characteristics or mode of living"
- Financial institutions or affiliates for personal data collected, processed, sold, or disclosed in accordance with the federal Gramm-Leach-Bliley Act
As yet another example, § 13-61-304 of the UCPA contains a long list of limitations on liability and applicability. For example, the UCPA does not restrict a controller’s or processor’s ability to:
- Comply with a federal, state, or local law, rule, or regulation
- Comply with a civil, criminal, or regulatory inquiry, investigation, subpoena or summons by a federal, state, local, or other governmental entity
- Cooperate with law enforcement
- Investigate, establish, exercise, prepare for, or defend a legal claim
- Process personal data to conduct internal analytics or other research to develop, improve, or repair a controller's or processor's product, service, or technology
- Process personal data to perform an internal operation that is “reasonably aligned with the consumer’s expectations based on the consumer’s existing relationship with the controller …”
In any event, like similar laws, the UCPA seeks to protect personal consumer information by requiring notice before consumer data is collected and, in certain cases, consent. The UCPA classifies businesses as either "controllers" or "processors" of consumer data. Controllers must provide consumers with "a reasonably accessible and clear privacy notice" that tells the consumer what categories of personal data are collected and processed, the purposes for which those categories of personal data are processed, how consumers may exercise their rights under the UCPA, the categories of personal data that the controller shares with third parties (if any), and the categories of third parties (if any) with whom the controller shares personal data.
Further, if personal data is sold or used for targeted advertising, the controller must "clearly and conspicuously disclose" to the consumer how the consumer can opt out of having their data sold or used for targeted advertising.
The UCPA also grants a number of rights including the following:
- The right to confirm whether a business is collecting or processing their personal data
- The right to obtain a copy of their personal data
- The right to have their personal data deleted
- The right of data portability
- The right to opt-out for purposes of targeted advertising or the sale of personal data
- The right to be free from discrimination or retaliation for exercising these rights
The UCPA does not provide consumers with a private right of action in the event of a violation. Rather, enforcement authority is given exclusively to the Utah Attorney General.
For more information, or if you have legal questions about data privacy, contact the data privacy lawyers at Revision Legal at 231-714-0100.