On March 24th, the Utah Consumer Privacy Act (UCPA) was signed into law, with an effective date of December 31, 2023. Utah is the fourth state to enact this type of legislation, following California, Virginia, and Colorado. And while similar in many respects, the UCPA takes a more business-friendly approach than the laws in the other three states.
The UCPA applies to any controller or processor who:
- conducts business in the state or produces a product or service that is targeted to consumers who are residents of the state;
- has annual revenue of $25,000,000 or more; and
- satisfies one or more of the following thresholds:
  - during a calendar year, controls or processes personal data of 100,000 or more consumers; or
  - derives over 50% of the entity’s gross revenue from the sale of personal data and controls or processes personal data of 25,000 or more consumers.
By including these multiple threshold requirements, the scope of the UCPA is narrower compared to the other state privacy laws. Another big difference from California’s and Colorado’s laws is the definition of “sale” itself. The UCPA defines “sale” as “the exchange of personal data for monetary consideration by a controller to a third party,” whereas the other states define it as the exchange for “monetary or other valuable consideration” (emphasis added). As such, under the UCPA, an exchange of personal data will qualify as a sale only if the consideration is monetary.
The UCPA also has many exclusions, including individuals “acting in an employment or commercial context,” as well as certain disclosures:
- to processors and a controller’s affiliate,
- to a third party to provide a product or service requested by the consumer, and
- “a controller’s disclosure of personal data to a third party if the purpose is consistent with a consumer’s reasonable expectations.”
It further excludes publicly available information from its definition of “personal data,” as well as “aggregated data,” defined as “information that relates to a group or category of consumers: (a) from which individual consumer identities have been removed; and (b) that is not linked or reasonably linkable to any consumer.”
Additionally, the UCPA contains broad exemptions for those falling outside of its scope, including institutions of higher education, nonprofits, covered entities and business associates pursuant to the Health Insurance Portability and Accountability Act, financial institutions governed by the Gramm-Leach-Bliley Act, government entities and contractors, tribes, and air carriers.
Notably, it does not apply to data processed or maintained in the course of employment, including job applicant data. It also exempts information subject to HIPAA, GLBA, the Fair Credit Reporting Act, the Driver’s Privacy Protection Act, the Family Educational Rights and Privacy Act, and the Farm Credit Act.
Utah’s law is much narrower in scope and more tolerant than similar laws in California, Virginia, and Colorado, as it applies to a smaller set of entities, excludes more categories of data, and exempts more institutions. However, it was noted that this version is intended as a starting point and that future amendments are possible.
As Hire Image predicted in our Top Ten Background Screening Predictions for 2022, we will likely see similar laws being passed this year. Hire Image will continue to keep you updated on any additional movement from the Utah legislature, as well as the passage of additional privacy laws in other states.
Contact us if you have any questions about how this law may affect you or about your background screening processes in general.