Any day now, Utah almost certainly will become the fourth state to enact comprehensive data privacy legislation. As I have written previously, in a series of posts to the Free State Foundation's blog and Perspectives from FSF Scholars, Congress bears the increasingly urgent responsibility to pass a federal privacy statute, one that preempts state laws, rejects a private right of action, and establishes a single set of clear rules that businesses can abide by and consumers can understand.
Even President Biden, in his State of the Union Address, acknowledged the need for Congress to break the privacy logjam.
The California Consumer Privacy Act and the California Privacy Rights Act. The Virginia Consumer Data Protection Act. The Colorado Privacy Act. Four laws in three states, each imposing a unique set of rights and responsibilities on the border-defying Internet.
In "Inconsistent State Data Privacy Laws Increase Confusion and Costs," a March 2021 Perspectives from FSF Scholars, I explained the headaches that result. Companies must either (1) take high-risk pains to associate accurately each customer interaction with the appropriate state, or (2) craft one-size-fits-all compliance programs that reflect the "greatest hits" imposed by the growing list of states taking steps to fill the federal void. Consumers, meanwhile, are left to try to make sense of these overlapping and contradictory state-specific regimes on their own.
The Utah Consumer Privacy Act is poised to further complicate this already untenable situation. Based upon, but by no means identical to, the Virginia Consumer Data Protection Act, it was passed unanimously by both the Utah Senate and House of Representatives. Last Friday, it landed on the desk of Governor Spencer Cox, who is "nearly certain" to sign it into law. Assuming he does, it will become effective at the end of next year.
Similar to the other state privacy laws already enacted, the Utah Consumer Privacy Act (Act) would establish rights for consumers (to know what personal data is collected, to access or delete that information, to opt out of the collection, use, and sale of personal data for certain purposes, and so on) and responsibilities for covered entities (such as obligations to provide adequate notice to consumers, to safeguard collected personal data, and to respond within a defined window to consumer requests).
However, and as is already the case regarding the laws passed in California, Virginia, and Colorado, the specifics of the Act in many instances are one of a kind.
For example, and subject to exceptions, the Act would apply to a "controller" (defined as "a person … who determines the purposes for which and the means by which personal data is processed") or "processor" (defined as "a person who processes personal data on behalf of a controller") who:
- Does business in Utah or targets state residents with a product or service;
- Generates at least $25 million in annual revenues; and
- Either (a) accesses the personal data of at least 100,000 consumers in a year or (b) derives more than half of its gross revenues from the sale of personal data and accesses the personal data of more than 25,000 consumers.
In the March 2021 Perspectives referenced above, I pointed out that applicability is one of the many ways in which the various state laws deviate from one another – and thereby complicate matters for all involved: "As an initial matter, these bills establish different minimum thresholds – including annual gross revenue amounts and number of individuals, or individuals, households, and devices, subject to data collection – for a business to be deemed covered."
Other ways in which the Act would differ from other state laws:
- The Act would create the consumer right to delete personal information – but only that data in fact provided by the consumer, not data the covered entity has obtained from other sources.
- It would define "sensitive data," a subset of personal data, to include information such as racial and ethnic origin, religious beliefs, sexual orientation, medical history, genetic or biometric data, and geolocation data. Covered entities would be required to provide notice and an opportunity to opt out of the collection and/or use of "sensitive data" – rather than requiring that consumers first opt in.
- It would define "sale" in a manner that, unlike, say, the California Privacy Rights Act, does not include "other monetary consideration."
To be clear, I am not saying these variations are good or bad – just complicating.
Finally, I want to point out approvingly that the Act states unambiguously that "[a] violation of this chapter does not provide a basis for, nor is a violation of this chapter subject to, a private right of action under this chapter or any other law."
Instead, the Act would task the Department of Commerce's Division of Consumer Protection with investigating consumer complaints. The Office of the Attorney General, in turn, would have exclusive enforcement responsibility. Covered entities would be provided with a 30-day right to cure, after which penalties up to $7,500 per violation could be imposed.