State Attorneys General

How the Utah Consumer Privacy Act Stacks Up Against Other State Privacy Laws

As companies wait to see whether the Utah Consumer Privacy Act (UCPA) becomes the fourth comprehensive state privacy law, we are providing an overview of some of the Act’s key provisions – and how they depart from comprehensive privacy laws in California, Colorado, and Virginia.

Utah’s Senate unanimously passed the UCPA on February 25.  The House – also through a unanimous vote – followed on March 2.  The Legislature sent the UCPA to Governor Spencer Cox on March 15.  Because the Legislature adjourned on March 4, Governor Cox has 20 days from the date of adjournment – March 24 – to sign or veto the Act.  If Governor Cox takes no action, the UCPA will become law, with an effective date of December 31, 2023.

In broad strokes, the UCPA is similar to the Virginia Consumer Data Protection Act (VCDPA) and Colorado Privacy Act (CPA).  And, like the laws in Colorado and Virginia, the UCPA borrows some concepts from the CCPA – including a version of the right to opt out of the “sale” of personal data.

However, the UCPA pares back important features of all three of these laws.  Some of the significant changes include:

  • Applicability.  The UCPA’s applicability is narrower than the three other comprehensive state privacy laws.  The UCPA applies only to controllers or processors that (1) do business in the state (or target Utah residents with products or services); (2) earn at least $25 million in revenue; and (3) either: (a) control or process personal data of 100,000 or more consumers in a calendar year; or (b) derive more than 50 percent of gross revenue from selling personal data and control or process data of 25,000 or more consumers.  By contrast, the $25 million revenue threshold is an independent basis for the CCPA to apply to a business; and neither the CPA nor VCDPA includes a revenue-based exemption.
  • Exemptions.  In addition to exempting personal data that is subject to sector-specific privacy laws and regulations, such as HIPAA, the Gramm-Leach-Bliley Act, and the Fair Credit Reporting Act, the UCPA provides that the Act does not apply to certain entities, including a tribes, institutions of higher education, and nonprofit corporations.
  • Sale and Targeted Advertising Opt-Out Rights.  Although the UCPA requires controllers to provide consumers with the ability to opt out of sale and targeted advertising, the Act does not provide a right to opt out of profiling (or otherwise address profiling).  Like the VCDPA, the UCPA restricts the definition of “sale” to “the exchange of personal data for monetary consideration by a controller to a third party.”  This definition does not include “other valuable consideration,” found in the definitions of “sale” under the CCPA and CPA.
  • Opt-Out Consent to Process Most Sensitive Data.  The UCPA does not require opt-in consent to process most sensitive data, unless the data “concern[s] a known child,”  unlike the opt-in requirements of the CPA and VCDPA.  Instead, the UCPA requires controllers to “present[] the consumer with clear notice and an opportunity to opt out” of sensitive data processing.
  • Other Consumer Rights.  The UCPA provides consumers the right to confirm processing and to delete personal data they provided to a controller.  Consumers also have the right to obtain a portable copy of personal data that the consumer “previously provided to the controller.”  This “provided to” language follows the VCDPA’s access and portability right and contrasts with obligations to provide personal data “concerning” (CPA) or “about” (CCPA) a consumer.  The UCPA does not provide a right of correction or accuracy.
  • Enforcement and Regulation.  The UCPA does not include a private cause of action, nor does it authorize the Attorney General or other state official or agency to issue regulations.  The Division of Consumer Protection, in the Utah Department of Commerce, investigates potential violations and can refer an action to the Utah Attorney General for enforcement.  The Attorney General can recover actual damages for consumers and a penalty of up to $7,500 per violation, but only after a 30 day notice and right to cure period.


Continue Reading How the Utah Consumer Privacy Act Stacks Up Against Other State Privacy Laws

Remington recently agreed to a groundbreaking $73 million settlement of claims brought by families of Sandy Hook school shooting victims. Notably, the plaintiffs secured this settlement by deploying consumer protection claims, which are exempted from the otherwise broad immunity provided to firearm manufacturers under the Protection of Lawful Commerce in Arms Act (“PLCAA”).

Attorneys General now appear to be pursuing a similar strategy of using consumer protection laws against firearm manufacturers, including by using their authority to investigate the companies’ internal files. For example, litigation concerning the New Jersey Attorney General’s subpoena to Smith & Wesson demonstrates how AGs will seek to use their consumer protection investigative powers in this area and further how courts in response will continue to grapple with the intersection between consumer protection law, the PLCAA, and the Second Amendment.

On October 13, 2020, the New Jersey Attorney General served an investigative subpoena to Smith & Wesson pursuant to its authority under the New Jersey Consumer Fraud Act (“CFA”).The New Jersey Division of Consumer Affairs’ preliminary investigation suggested the company’s advertisements to New Jersey residents “may misrepresent the impact owning a firearm has on personal safety and/or safety in the home.” The Agency also noted that certain of the manufacturer’s advertisements “market the concealed carry of firearms while omitting the material fact that, in New Jersey, concealed carry of a firearm requires a permit.”
Continue Reading After Remington Settlement, Attorneys General Aim To Press Forward With Consumer Protection Investigations of Firearms Manufacturers

Last week, 49 State Attorneys General joined in a National Association of Attorneys General letter authored by Florida, Iowa, Mississippi, Pennsylvania, and Tennessee responding to the FTC’s Request for Public Comment concerning impersonation scams. While a bipartisan coalition from the State AGs on consumer issues isn’t particularly surprising, the call for additional federal oversight into

Food + Personal Care Litigation and Regulatory Highlights – January 2022Welcome to our 2022 inaugural issue of Food and Personal Care Litigation and Regulatory Highlights, where we explore trends and developments from around these industries.  It’s fair to say that the year has started off very busy in both the courtroom and the regulatory arena.  On this chilly winter day, our first stop is in California.

Prop 65

Our friends at Kelley Green Law Blog get the starting position for this issue by highlighting a precipitous uptick in the number of Prop 65 filings over the prior year.  While the Covid-19 pandemic caused all sorts of disruptions to society and the economy, at least one area of business has thrived over the last two years:  private plaintiff enforcement of California Proposition 65.  In 2020-2021, over 40% more Prop 65 actions were brought by private plaintiff “bounty hunters” than in the two years prior to the pandemic (2018-2019).  Compared to a decade ago, private plaintiff groups now initiate three times more Prop 65 actions each year, and five times more than in 2008.  Learn more here about the most frequently cited chemicals and those that are emerging, including PFAS.
Continue Reading Food + Personal Care Litigation and Regulatory Highlights – January 2022

Dark Patterns: A New Legal Standard or Just a Catchy Name? (Part Two)In Part One of this discussion, we provided background on the concept of dark patterns and analyzed some recent examples from State AG enforcement. We concluded that, in alleging dark patterns, State AGs are building primarily on existing precedent governing deception and unfairness but also are trying to push the envelope. Whereas earlier precedent mostly

Dark Patterns- A New Legal Standard or Just a Catchy Name? (Part One)State and federal regulators have definitely put a new emphasis on combatting so-called “dark patterns” – a term attributed in 2010 to user-experience expert Harry Brignull, who runs the website darkpatterns.org. Consider some of the actions of 2021: In April, the FTC hosted a workshop dedicated to dark patterns. In July, Colorado passed the Colorado Privacy Act that specifically defines and prohibits the use of dark patterns.  In October, the FTC issued a policy statement warning against the use of dark patterns in subscription services.  And just last week, a bipartisan group of four states sued Google alleging in part violations of state law for Google’s use of dark patterns in obtaining consumers’ consent to collect geolocation information.  But other than a catchy name, is there really anything new about the types of conduct that state and federal officials are calling illegal?  This two-part blogpost will take a closer look at that question.

What are “Dark Patterns?”

There are a number of definitions of “dark patterns” that are bandied about.  Darkpatterns.org calls them, “tricks used in websites and apps that make you do things that you didn’t mean to, like buying or signing up for something.”  In the Colorado Privacy Act, dark patterns are defined as, “a user interface designed or manipulated with the substantial effect of subverting or impairing user autonomy, decision-making, or choice.”  And in the recent Google lawsuits, each State defined dark patterns as, “deceptive design choices that take advantage of behavioral tendencies to manipulate users to make choices for the designer’s benefit and to the user’s detriment.”
Continue Reading Dark Patterns: A New Legal Standard or Just a Catchy Name? (Part One)

(Un) Check Your Checkboxes- States not Preempted by FECAOn January 26, Minnesota Federal District Court Judge John Tunheim dismissed a pending action for declaratory relief brought by WinRed, Inc., seeking to enjoin an ongoing consumer protection investigation brought by the Attorneys General of Minnesota, New York, Connecticut, and Maryland.  This decision highlights two important points regarding State Attorneys General (AGs): 1) their consumer protection laws are rarely found to be subject to broad federal preemption, and 2) they often can’t be hauled into other states, even if operating as a multistate.

The AG Investigation and WinRed’s Lawsuit

In April of last year, the AGs sent a letter to WinRed identifying certain fundraising practices they alleged were misleading, including the use of pre-checked boxes that would obligate donors to a recurring donation.  The AGs noted their significant experience in dealing with “negative option” marketing, a subject we have previously identified as a focus for State AG enforcement.  The use of pre-checked boxes is a red flag for States, even those without a specific statute regarding auto-renewals, as they can assert the practice is a deceptive act under their general UDAP laws.
Continue Reading (Un) Check Your Checkboxes: States not Preempted by FECA

Join Kelley Drye this week for:

Privacy Priorities for 2022: Legal and Tech Developments to Track and Tackle
Wednesday, January 26 at 4:00pm ET/ 1:00pm PT

Privacy compliance is a daunting task, particularly when the legal and tech landscape keeps shifting. Many companies are still updating their privacy compliance programs to address CCPA requirements, FTC warnings on avoiding dark patterns and unauthorized data sharing, and tech platform disclosure, consent, and data sharing changes. But in the not too distant future, new privacy laws in California, Colorado, and Virginia also will go into effect. Addressing these expanded obligations requires budget, prioritizing action items, and keeping up to date on privacy technology innovations that can help make some tasks more scalable.

This joint webinar with Kelley Drye’s Privacy Team and Ketch, a data control and programmatic privacy platform, will highlight key legal and self-regulatory developments to monitor, along with practical considerations for how to tackle these changes over the course of the year. This will be the first in a series of practical privacy webinars by Kelley Drye to help you keep up with key developments, ask questions, and suggest topics that you would like to see covered in greater depth.

Register Here


Continue Reading Upcoming Webinars

Texas AG Sues Google over Misleading EndorsementsWhen a company uses an influencer or other person to endorse the company’s products, it’s important that endorsement reflects the endorser’s honest opinions, beliefs, or experiences with the products. Of course, in order for that to happen, the endorser must have actually used the products. This week, the Texas Attorney General filed a lawsuit against