“Industry” has been Utah’s official state motto since 1959, a nod to how its early pioneers leaned on their own “industry” for survival. The word is emblazoned on Utah’s state seal and flag, and that focus has carried over into policy, leading to Utah having a reputation as one of the country's most business-friendly states.
Fittingly, some would say, Utah’s industry interests were big winners on March 24, 2022, when Gov. Spencer J. Cox signed into law the Utah Consumer Privacy Act (UCPA), following in the footsteps of California, Virginia, and Colorado to become the fourth state in the US to pass comprehensive privacy legislation.
Utah is the nation’s 13th largest state by size and 30th most populous state, with 3.2 million residents. Utah is similarly ranked for gross domestic product, which clocked in at around $230 billion in 2021, on par with Peru, the Czech Republic, and Portugal. The Beehive State only contributes about 1% of the nation’s overall GDP, but that’s growing quickly, putting Utah in the top spot of Forbes’ best-performing economies in 2021.
Beginning on Dec. 31, 2023, companies in Utah will have to disclose why they are collecting Utahns’ data and if they sell it to third parties. The state will give its residents more control over their personal data and how companies use it, but consumers will lack some of the enforcement tools that would allow them to seek certain types of recourse, such as the right to sue or correct their personal information. UCPA’s scope is narrower than other state privacy laws, and it includes broad, business-friendly exemptions. As a result, smaller organizations will mostly be off the hook, and even some larger companies may be able to skirt UCPA compliance needs if they fail to meet a set of specific thresholds.
As privacy laws like UCPA proliferate around the world, they tend to take inspiration from earlier regulations. For example, Virginia’s Consumer Data Protection Act (VCDPA), which passed in 2021, clearly borrowed a few pages from the playbook of the California Consumer Privacy Act (CCPA), which itself reflects the General Data Protection Regulation (GDPR), Europe’s landmark privacy law that came into force in 2018. Although there are similarities among all the various regulations, Utah clearly modeled its law most closely on Virginia’s, which some criticized as lacking teeth. Utah’s law is even less restrictive.
"By and large, if you're placing these laws on the scale from business-friendly to consumer-friendly, this Utah law is going to fall in on the side of being the most business-friendly of the four we have so far,"
— David Stauss, a partner at Husch Blackwell LLP, told Law360.
For Republican State Senator Kirk Cullimore, who sponsored the bill, that was the point. UCPA “guarantees rights to consumers while avoiding unnecessary regulation for corporations,” Cullimore said in a statement. “This bill is a win for both Utahns and businesses, and I hope it will serve as a model for other states.”
But would that really be considered a win-win? There has never been more momentum for state-level privacy laws, according to IAPP. In the absence of an overarching federal framework on par with GDPR, the states have moved forward to fill the vacuum. As we’ve previously written, we believe this piecemeal approach to privacy protection is the wrong path forward. The sheer scale of the US consumer market was a huge benefit and key driver in the formation of its robust internet-driven economy, and a scenario with 50 different privacy laws has the potential to splinter this lucrative market. That would hurt, not help, enterprises and significantly drive up the cost of compliance.
Many companies will decide that it’s simpler and more cost-effective to just comply with the country’s most restrictive state privacy law, which largely renders weaker state regulations like Utah’s moot. At this point, the most stringent law in the US is the California Consumer Privacy Act (CCPA), which went into effect in 2020. The CCPA is getting amended and expanded with the California Privacy Rights Act (CPRA), which goes into effect — and becomes the de facto standard — on Jan. 1, 2023.
The law(s), in brief
Covered businesses: UCPA covers organizations that operate in the state or have products and services that target Utahns. Covered organizations must process or control the personal information of 100,000 residents annually, or only 25,000 residents if half of their revenue is derived from selling this data. These data processors or controllers must also have at least $25 million in annual revenue. That revenue threshold is in line with California’s privacy laws but is not included in Virginia’s and Colorado’s laws. Unlike other state privacy laws, covered businesses in Utah do not have to perform a data protection risk assessment for their activities.
Consent: Companies can process Utahns’ sensitive data, but they must first provide notice and the opportunity to opt out, unlike Virginia’s and Colorado’s laws, which require prior consent.
Who is protected: UCPA protects people who live in Utah and are acting in the context of an individual or household. It doesn’t cover those who are “acting in an employment or commercial context.”
Consumer rights: UCPA gives consumers four privacy rights. 1) They have the right to access their personal data and confirm that it is being processed by a controller. 2) Utahns can delete any personal data they have given directly to a controller, but they can’t delete any personal data that has been collected about them through other sources. 3) Utahns have a right to portability, meaning they can get a copy of the data they’ve shared with a controller and share it with another controller. 4) Residents can opt out of having their personal data sold or processed for targeted advertising; a “sale” is narrowly defined as “the exchange of personal data for monetary consideration by a controller to a third party,” which is similar to Virginia’s law, whereas an exchange for "other valuable consideration" would constitute a sale in California and Colorado. However, unlike Virginia’s and Colorado’s laws, UCPA doesn’t allow Utahns to opt out of profiling. UCPA is the only state privacy law that doesn’t allow residents to correct their personal information. Data controllers in Utah also aren’t bound to recognize universal opt-out signals, such as a global privacy control.
Enforcement: Utahns can’t sue companies that violate the UCPA, as can be done in California, nor can Utahns use a UCPA violation to sue under other Utah laws. Only Utah’s attorney general can enforce UCPA if referred by the state’s Consumer Protection Division following an investigation, which essentially strips the AG of the ability to independently investigate violations. Utah’s AG must then formally notify the offender and provide 30 days to correct the violation before launching an enforcement action. In contrast, consumer complaints are first lodged with the attorneys general in California, Colorado, and Virginia. UCPA violations may incur fines of up to $7,500.
The many nuances in each of these privacy bills — along with the patchwork of other data privacy rules such as the Children’s Online Privacy Protection Rule (COPPA) and Health Insurance Portability and Accountability Act (HIPAA) — underscore the need for an overarching privacy regime that would give authorities the modern tools they need to properly regulate the internet economy. Rep. Frank Pallone (D-NJ), the House Energy and Commerce Committee chairman, is reportedly attempting to bring Democrats and Republicans together to forge a path on comprehensive legislation. It’s a long haul before their efforts would materialize into a bill that would be signed by the president, and if they were to succeed, it’s unclear what would make it into the final package.
One question
Now that we have four state-level laws, what should a federal framework look like? Which state law should it borrow from the most?
Dig Deeper
Historical views of IAPP’s State Privacy Legislation Tracker for 2018-19, 2020 and 2021
Thanks for reading,
Ana, Maja, and the Sparrow team