Photo of Laura Riposo VanDruff

Email
(202) 342-8435
Bio  LinkedIn

How the Utah Consumer Privacy Act Stacks Up Against Other State Privacy Laws

As companies wait to see whether the Utah Consumer Privacy Act (UCPA) becomes the fourth comprehensive state privacy law, we are providing an overview of some of the Act’s key provisions – and how they depart from comprehensive privacy laws in California, Colorado, and Virginia.

Utah’s Senate unanimously passed the UCPA on February 25.  The House – also through a unanimous vote – followed on March 2.  The Legislature sent the UCPA to Governor Spencer Cox on March 15.  Because the Legislature adjourned on March 4, Governor Cox has 20 days from the date of adjournment – March 24 – to sign or veto the Act.  If Governor Cox takes no action, the UCPA will become law, with an effective date of December 31, 2023.

In broad strokes, the UCPA is similar to the Virginia Consumer Data Protection Act (VCDPA) and Colorado Privacy Act (CPA).  And, like the laws in Colorado and Virginia, the UCPA borrows some concepts from the CCPA – including a version of the right to opt out of the “sale” of personal data.

However, the UCPA pares back important features of all three of these laws.  Some of the significant changes include:

  • Applicability.  The UCPA’s applicability is narrower than the three other comprehensive state privacy laws.  The UCPA applies only to controllers or processors that (1) do business in the state (or target Utah residents with products or services); (2) earn at least $25 million in revenue; and (3) either: (a) control or process personal data of 100,000 or more consumers in a calendar year; or (b) derive more than 50 percent of gross revenue from selling personal data and control or process data of 25,000 or more consumers.  By contrast, the $25 million revenue threshold is an independent basis for the CCPA to apply to a business; and neither the CPA nor VCDPA includes a revenue-based exemption.
  • Exemptions.  In addition to exempting personal data that is subject to sector-specific privacy laws and regulations, such as HIPAA, the Gramm-Leach-Bliley Act, and the Fair Credit Reporting Act, the UCPA provides that the Act does not apply to certain entities, including a tribes, institutions of higher education, and nonprofit corporations.
  • Sale and Targeted Advertising Opt-Out Rights.  Although the UCPA requires controllers to provide consumers with the ability to opt out of sale and targeted advertising, the Act does not provide a right to opt out of profiling (or otherwise address profiling).  Like the VCDPA, the UCPA restricts the definition of “sale” to “the exchange of personal data for monetary consideration by a controller to a third party.”  This definition does not include “other valuable consideration,” found in the definitions of “sale” under the CCPA and CPA.
  • Opt-Out Consent to Process Most Sensitive Data.  The UCPA does not require opt-in consent to process most sensitive data, unless the data “concern[s] a known child,”  unlike the opt-in requirements of the CPA and VCDPA.  Instead, the UCPA requires controllers to “present[] the consumer with clear notice and an opportunity to opt out” of sensitive data processing.
  • Other Consumer Rights.  The UCPA provides consumers the right to confirm processing and to delete personal data they provided to a controller.  Consumers also have the right to obtain a portable copy of personal data that the consumer “previously provided to the controller.”  This “provided to” language follows the VCDPA’s access and portability right and contrasts with obligations to provide personal data “concerning” (CPA) or “about” (CCPA) a consumer.  The UCPA does not provide a right of correction or accuracy.
  • Enforcement and Regulation.  The UCPA does not include a private cause of action, nor does it authorize the Attorney General or other state official or agency to issue regulations.  The Division of Consumer Protection, in the Utah Department of Commerce, investigates potential violations and can refer an action to the Utah Attorney General for enforcement.  The Attorney General can recover actual damages for consumers and a penalty of up to $7,500 per violation, but only after a 30 day notice and right to cure period.


Continue Reading How the Utah Consumer Privacy Act Stacks Up Against Other State Privacy Laws

New Federal Bill to Protect Kids’ Privacy: Will This One Break Through?Last October, we blogged that bipartisan momentum was building in Congress to enact stronger privacy protections for children, even if (and especially if) Congress remains stalled on broader federal privacy legislation. Of particular significance, we noted a strong push to protect, not just kids under 13 (the cutoff under COPPA), but also teens.

Since

ICYMI: Momentum Continues with the Colorado Privacy ActLast week, the Attorney General Alliance hosted a seminar to address the Colorado Privacy Act (CPA)—what it does and how to prepare for its July 1, 2023 effective date. The seminar featured a discussion with the bill’s sponsors, legal experts, practitioners, and the Attorneys General for Colorado and Wyoming. As the third state to enact

In guidance released last week, the New York State Office of the Attorney General urged businesses to incorporate safeguards to detect and prevent credential-stuffing attacks in their data security programs.  The guidance stemmed from the AG’s finding that 1.1 million customer accounts at “well-known” companies appeared to have been compromised in credential-stuffing attacks.

Credential stuffing

FTC Advises Companies to Remediate Log4j VulnerabilityIn an unusual warning to companies running Java applications with Log4j in their environments, the Federal Trade Commission (FTC) recently cautioned that it “intends to use its full legal authority to pursue companies that fail to take reasonable steps to protect consumer data from exposure as a result of Log4j[] or similar known vulnerabilities in

State Attorneys General 2022 Predictions

State Attorneys General are already off to the races in 2022 – both with a significant number of election campaigns in full swing and an uptick in their consumer protection enforcement efforts.  As a result, State AG consumer protection topics will play a big part of 2022.  Our Kelley Drye State Attorneys General team

On December 13, the New Mexico Attorney General announced a settlement with Google to resolve claims regarding children’s privacy, including in the burgeoning EdTech space. The federal lawsuits Balderas v. Tiny Lab Productions, et al. and Balderas v. Google LLC, respectively, alleged COPPA and privacy violations related to collection of children’s information on

As we’ve all been following in the news, the House reconciliation bill to fund “human infrastructure” is still mired in negotiations, ever on the verge of either passing to monumental fanfare, or cratering in failure. Tucked away on page 671 of the 1684-page bill is a short provision that, despite scant attention, has the potential

In a much-anticipated announcement last week, the FTC amended the Gramm-Leach-Bliley Act (GLBA) Safeguards Rule, and proposed a further amendment requiring certain financial institutions to provide the FTC with notice in the event of certain security events.  Although these changes were announced after FTC Commissioner Chopra left the agency to lead the CFPB, he apparently voted prior to leaving to ensure 3/2 approval of the amendments in a Commission that remains divided.

What is GLBA Safeguards?

For nearly 20 years the Safeguards Rule has required financial institutions to develop, implement, and maintain comprehensive information security programs to protect their customers’ personal information.  Such programs must be appropriate to each entity’s “size and complexity, the nature and scope of [its] activities, and the sensitive of the customer information at issue.” For a generation, the Rule’s requirements have influenced data security standards in other sectors, emphasizing a flexible, process-based approach.  The amended Rule replaces some of that flexibility with more specificity.
Continue Reading GLBA Safeguards Gets a Makeover: Why it Matters for Businesses with Customer Information

On October 6, 2021, the Senate Commerce Committee conducted its second in a series of hearings dedicated to consumer privacy and data, this time addressing Data Security.  Similar to last week’s privacy hearing, the witnesses and Senators appeared to agree that federal data security standards – whether as part of privacy legislation or on their own – are urgently needed. If there were to be consensus around legislative principles, the hearing provides clues about what a compromise might look like.

Prepared Statements. In their opening statements, the witnesses emphasized the need for minimum standards governing data security.

  • James E. Lee, Chief Operating Officer of the Identity Theft Resource Center, explained that without minimum requirements, companies lack sufficient incentives to strengthen their data security practices to protect consumer data. Lee also advocated for more aggressive federal enforcement rather than the patchwork of state actions, which, he said, produce disparate impacts for the same conduct.
  • Jessica Rich, former Director of the FTC’s Bureau of Consumer Protection and counsel at Kelley Drye, emphasized that current laws do not establish clear standards for data security and accountability. She advocated for a process-based approach to prevent the law from being outpaced by evolving technologies and to ensure that it accommodates the wide range of business models and data practices across the economy. Among her recommendations, Rich suggested that Congress provide the FTC with jurisdiction over nonprofits and common carriers and authority to seek penalties for first-time violations.
  • Edward W. Felten, former Deputy U.S. Chief Technology Officer, former Chief Technologist of the FTC’s Bureau of Consumer Protection, and current Professor of Computer Science and Public Affairs at Princeton University, focused on the need to strengthen the FTC’s technological capabilities, including increasing the budget to hire more technologists. Notably, Felten advocated for more prescriptive requirements in data security legislation such as requiring companies to store and transmit sensitive consumer data in encrypted form and prohibiting companies from knowingly shipping devices with serious security vulnerabilities.
  • Kate Tummarello, Executive Director at Engine, a non-profit organization representing startups, addressed the importance of data security for most startups. Tummarello advocated for FTC standards or guidance with flexible options. Cautioning against overburdening startups, Tummarello explained that newer companies take data security seriously because they do not have the name recognition or relationships with consumers that larger companies may have, and a single breach could be extremely disruptive. Additionally, Tummarello highlighted that the patchwork of state laws provides inconsistent and unclear data security guidance and imposes high compliance costs.


Continue Reading Hope Emerges at Senate Data Security Hearing – But Will Congress Grab the Brass Ring?