Is Your State Next? The Adoption of Consumer Privacy Laws
Aylix K. Jensen offers analysis and insights for the debt collection industry in her monthly newsletter, The Safe Harbor: Debt Collection Law Update by Aylix Jensen. This monthly newsletter provides an update of changes and developments in the law that impact the debt collection industry. It highlights new debt collection laws and practices, discusses what these may mean for the collection industry, and provides tips to ensure compliance. This article is featured in the April 2022 edition.
On March 24, 2022, Utah became the fourth state, behind California, Colorado, and Virginia, to enact a consumer data privacy law, the Utah Consumer Privacy Act (the “UCPA”). The UCPA moved from introduction to enrollment in less than a month and becomes effective on December 31, 2023.
The UCPA applies to any controller or processer who:
- Conducts business in Utah or produces a product or service that is targeted to consumers who are residents of Utah;
- Has annual revenue of $25,000 or more; and
- Satisfies one or more of the following thresholds:
- During a calendar year, controls or processes personal data of 100,000 or more consumers; or
- Derives over 50% of the entity’s gross revenue from the sale of personal data and controls or processes personal data of 25,000 or more consumers.
The UCPA provides an exhaustive list of exemptions, including, but not limited to, non-profit corporations, business associates, covered entities, information that meets the definition of protected health information for purposes of HIPAA, financial institutions, or personal data collected, processed, sold or disclosed in accordance with Title V of the Gramm-Leach-Bliley Act, and an individual’s processing of personal data for purely personal or household purposes.
The UCPA provides consumers with the right to:
- Confirm whether a controller is processing their personal data and access their personal data;
- Delete their personal data that they provided to the controller;
- Obtain a copy of their personal data that they previously provided to the controller; and
- Opt-out of the processing of their personal data for purposes of targeted advertising or the sale of personal data.
The UCPA adopts Virginia’s more narrow definition of “sale,” which is limited to the exchange of personal data for monetary consideration by a controller to a third party. Also, unlike the privacy laws in California, Colorado, and Virginia, the UCPA does not include the right to correct personal data. Moreover, unlike California and Virginia, the UCPA will not require controllers to obtain prior opt-in consent to process “sensitive data.” However, it will require controllers to first provide consumers with clear notice and an opportunity to opt-out of the processing of his or her sensitive data. The UCPA defines “sensitive data” as personal data that reveals racial or ethnic origin, religious beliefs, sexual orientation, citizenship or immigration status, medical history, mental or physical health information, genetic or biometric data or geolocation data.
Like Colorado and Virginia, the UCPA does not include a private right of action. Rather, the law will be enforced by the Utah Attorney General, who may bring an enforcement action seeking actual damages to a consumer and an amount not to exceed $7,500 per violation. The UCPA provides that the Utah Attorney General must provide 30 days for a controller or processer to cure any violation.
Given the similarities between the UCPA and other state privacy laws, there should not be any significant challenges with preparing for compliance with the Utah requirements. However, with active consumer privacy bills awaiting approval by at least 17 other state legislatures, it is imperative that companies are ready to develop a plan for compliance before this legislation goes into effect.