2023 State Data Privacy Laws Series: UCPA
The Utah Consumer Privacy Act is the final state data privacy law to be coming into effect this year. It will become effective at the tail end of the year on December 31st, 2023. Enforcement will begin on the same day. However, one of the unique features of UCPA as it stands now, is that the Utah Attorney General and the Division of Consumer Protection will be required to submit a report evaluating the effectiveness of the statute by July 1st, 2025.Amendments should be expected to be derived from that report to augment the effectiveness of the current statute. UCPA is one of the more unique state data privacy laws and is considered to be the most business friendly to come into effect this year. It is heavily modeled after VCDPA, but with more scope and more leniency towards violations.
The Utah law extends consumer privacy rights similar to those found in VCDPA and the other laws modeled from it. However, unlike VCDPA and CPA, UCPA does not afford consumers the right to rectify their personal data, nor does it allow consumers to opt out of data profiling. Notably, UCPA does not provide consumers a right to request a data controller to delete all personal data collected on a consumer. The data controller is only obligated to delete personal data the consumer has provided the data controller.
Another way in which UCPA differs from VCDPA and CPA is that data controllers or processors are not required to establish an appeal process if they deny requests to exercise consumer rights. However, similarly to VCDPA and CPA businesses must respond to these data privacy right requests free of charge to the consumer, but have protections against “excessive, repetitive, technically infeasible, or manifestly unfounded.” Another area where UCPA separates itself from VCDPA and CPA is that not only does it exclude deidentified data, and publicly available information from its definition of personal data, but it also excludes aggregated data as well.
One of the parts of UCPA that separates it from its peer consumer privacy laws is the multi-layered enforcement approach. UCPA gives the Utah Attorney General exclusive enforcement authority, however that is not the first stage of enforcement. The Division of Consumer Protection is obligated to create a “system to receive consumer complaints.” If after investigating consumer complaints they believe there is “reasonable cause to believe that substantial evidence (of a violation) exists,” the director of the Division of Consumer Protection may submit a referral to the Utah Attorney General. The attorney general may then decide to take action, by notifying the offending party. The offending party then has 30 days to cure the violation or be subject to fines up to $7,500 per violation.
With the level of leniency provided in this first iteration of UCPA there are real questions about how effective the enforcement arm of law will be and whether it will provide sufficient motivation to businesses subject to the law. Activity out of the Division of Consumer Protection and the Office of the Utah Attorney General will certainly be something to compare against the California Privacy Protection Agency and the Colorado and Virginia Attorneys General.