Utah Passes Data Privacy Legislation
May 3, 2022
Utah became the fourth state—joining California, Virginia, and Colorado—to enact a comprehensive privacy law after Gov. Spencer Cox signed the Utah Consumer Privacy Act (UCPA) on March 24.
UCPA, which doesn’t go into effect until Dec. 31, 2023, closely mirrors other privacy state laws, including a requirement to publish a privacy policy and provide certain data subject rights to individuals whose information is collected by an entity that is subject to the law.
Utah’s legislation, however, excludes a private right of action. Instead, UCPA is enforced by Utah’s attorney general with fines up to $7,500 per violation, provided the offending entity has not cured the violation within 30 days of receiving the attorney general’s written notice.
In a win for the title industry, the UCPA includes a full entity exemption for entities subject to the Gramm-Leach-Bliley Act (GLBA). Virginia and Colorado also have the full GLBA exemption. Since 1999, this federal law has strictly limited financial institutions’ use and sharing of customers’ personal information. Additionally, financial institutions are required to assure the security of this information and provide comprehensive disclosures to consumers.
"This makes UCPA consistent with similar laws passed in other states and an overall win for the title insurance industry," said Michelle Ann Epley, senior vice president of regulatory compliance for WFG National Title Insurance Co. and vice chair of ALTA's Data Privacy Work Group. "As new comprehensive consumer data privacy legislation is proposed, the title insurance industry must continue to lobby to have the GLBA exemption included in state specific consumer data privacy laws. As we wait for comprehensive federal consumer data privacy regulations, it is safe to say many other states will pursue state specific privacy laws to protect their consumers.”
UCPA also does not require impact assessments. In Colorado and Virginia, entities must evaluate and document the costs and benefits of some activities, such as targeted advertising or processing sensitive data.
UCPA applies to any for-profit entity that
- conducts business in Utah or targets residents of Utah
- has annual revenue of $25 million or more
- either (a) annually controls/processes personal data of 100,000 or more consumers or (b) derives over 50% of its gross revenue from the sale of personal data and controls or processes personal data of 25,000 or more consumers.
The law firm King and Spalding said this scope is narrower than the CCPA and the Colorado Privacy Act (CPA), which are applicable to entities that meet a revenue threshold regardless of information collection. UCPA’s scope is also narrower than the scope of the Virginia Consumer Data Privacy Act (VCDPA), which applies to entities that control or process a certain amount of personal data regardless of revenue.
ALTA released a set of data privacy principles that recommend the development of a single, national standard to help protect consumer private information uniformly and consistently while maintaining an efficient homebuying and selling experience.
Contact ALTA at 202-296-3671 or [email protected].