2022’s data privacy laws: UCPA and CTDPA

Now that we’ve made some headway into 2022, it’s a good time to pause and look back on the most recent data privacy laws enacted in the US.

There have been so many developments in data privacy legislation that it can be easy to miss the newest laws on the books or even fail to realize your business is subject to one law or another. To help businesses take a moment and catch their breath, let’s take a look at the two laws enacted in 2022 thus far: the Utah Consumer Privacy Act (UCPA) and the Connecticut Data Privacy Act (CTDPA).

Business or consumer?

Incidentally, these are an interesting pair to examine because they represent very different approaches for US data privacy laws. The UCPA is quite business-friendly, while the CTDPA is quite consumer-friendly.

In the US, the most consumer-friendly law is California’s CCPA/CPRA, but even that doesn’t quite match up to the consumer-first attitude seen in the EU’s GDPR. While the spectrum of business- vs. consumer-friendliness in the data privacy world is broad, the UCPA and CTDPA serve as two good examples of the different approaches.

Unpacking the UCPA

Important highlights

• When was the UCPA enacted? ​​March 24, 2022.
• When does the UCPA go into effect? December 31, 2023.
• Who is subject to the UCPA? Businesses earning over $25 million in revenue per year must comply with the UCPA if they conduct business in Utah or provide product or services targeted to Utah. Furthermore, businesses must meet one of the following additional threshold criteria before they are subject to the UCPA:
  • They control or process the personal data of 100,000 or more Utah consumers annually.
  • Fifty percent of their gross revenue comes from the sale of personal data, and they control or process the personal data of 25,000 or more Utah consumers.

Notable features

As we mentioned before, the UCPA is one of the more business-friendly data privacy laws in the US. There are a few different features that make this the case.

Namely, there are some large exceptions to what the UCPA considers “data” and what activities it covers. For example, it defines the “sale” of data as actually requiring an exchange of money, whereas other laws define the “sale” of data as any exchange of data at all or explicitly cover sharing data as well.

Moreover, the UCPA defines “data” as “information that is linked or reasonably linkable to an identified individual or an identifiable individual,” which seems pretty broad. However, it carves out exceptions for aggregated and de-identified data. These refer to personal information related to a group or category of consumers and data related to an individual, respectively, that cannot be linked back to the original data subject(s). In contrast, most data privacy laws only make exceptions for de-identified data, if at all.

Organizations are also freely permitted to collect data on employees, commercial partners, and the like, as they do not constitute “consumers” under the UCPA. And if the organization in question is a higher education institution, a nonprofit, or a government contractor, the UCPA doesn’t apply to them at all (though often other privacy-related regulations cover these entities).

Even though there are looser requirements under the UCPA relative to other data privacy laws, it’s worth noting that the bulk of businesses operating within or serving Utah are still subject to it. There are plenty of businesses with $25 million in revenue that control or process at least 100k Utah residents’ data. Their energy will be better spent becoming compliant rather than searching for a loophole.

What’s more, the UCPA is one of the easier privacy laws to become compliant with anyhow. For example, the UCPA, like many other data privacy laws, requires data controllers (e.g., the business collecting data) and processors (e.g., a vendor analyzing that data) to have a contract in place with one another laying out how data will be processed and protected. Among other requirements, the UCPA requires these contracts to:

• Provide instructions on how to process data
• What data will be processed
• How long the data will be processed
• What the purpose of the data processing is
• What security measures are in place
• Affirm that every person processing data must keep it confidential

But compared to other data privacy laws, UCPA has the fewest requirements for these data processing agreements.

There are other business-friendly aspects to the UCPA, like the inability for private citizens to sue over noncompliance and requiring consumers to opt-out of collection (rather than opt-in), but these are common to most US privacy laws — which are generally more favorable to businesses than, say, the EU’s GDPR.

Considering the CTDPA

Important highlights

• When was the CTDPA enacted? ​​May 10, 2022
• When does the CTDPA go into effect? July 1, 2023
• Who is subject to the CTDPA? Individuals are subject to the CTDPA if they conduct business in Connecticut or provide products and services to Connecticut residents — regardless of annual revenue. Additionally, individuals must meet one of the following criteria before being subject to the CTDPA:
  • They control or process the personal data of 100,000 or more Connecticut consumers annually, except for personal data controlled or processed solely for the purpose of completing a payment transaction.
  • Derive over 25 percent of their gross revenue from the sale of personal data and controlled or processed the personal data of 25,000 or more consumers.

Notable features

Unlike the UCPA, the CTDPA skews more toward consumer-friendliness. It doesn’t feature the broad exceptions and carve-outs that the UCPA features, although it does exempt businesses that solely process data to complete a payment transaction. The thinking here is that data privacy regulations really shouldn’t apply to businesses like convenience stores, barbers, and others that aren’t really analyzing or profiting off of customer data.

It also does not feature a revenue threshold. Under the UCPA, businesses have to have at least $25 million in revenue before they are subject to the regulation, but the CTDPA covers any business that processes at least 100k consumers’ data or earns a quarter of its revenue from processing the data of at least 25k consumers.

Like the UCPA, the CTDPA exempts state and local government entities, nonprofits, and higher education institutions from the regulation, as well as employees and commercial partners. It also does not give private citizens a right to sue for noncompliance — in fact, the only regulation that does permit a limited “private right of action” is the CCPA/CPRA.

The CTDPA also defines the “sale” of data as involving a monetary transaction as well as “other valuable considerations.” Thus, it covers a broader swathe of data transfers, including sharing the data for targeted advertising.

Furthermore, the CTDPA defines a special category of personal information known as “sensitive information.” This includes certain types of information like race, sexual orientation, health information, citizenship status, and more.

While the UCPA and several other data privacy regulations recognize this category, they don’t treat it particularly differently. The CTDPA, however, requires consumers to explicitly opt-in when sensitive information is being collected. Under most other circumstances, the US takes an opt-out approach to consumer consent; consumers are assumed to consent to data collection by continuing to use the website or app. When sensitive information is collected, the CTDPA says you have to get consumers to explicitly consent to its collection first.

Lastly, the CTDPA explicitly forbids the use of so-called dark patterns — or manipulative design practices — from securing user consent. The CPA (Colorado’s Consumer Protection Act) and CCPA/CPRA also share this feature.

Between the lack of a revenue threshold, the opt-in requirements for sensitive information, and the ban against dark patterns, we can see that the CTDPA generally takes the consumer’s side in data privacy. But even more business-friendly regulations like the UCPA are a far cry from the wild west of broad data collection that we saw in the 2000s and 2010s with companies like Facebook, Amazon, and Google.

How to stay up to date and compliant

While reviewing the notable aspects of each of these laws is a good way to build a general awareness of the regulations that might apply to you and your business, there really isn't any substitute for reviewing the text of the laws yourself and/or with legal counsel. That's not to say there isn't any benefit to reading blogs like this one — they're a good way to stay alert to the comings and goings of the privacy world without needing to be plugged into the minutiae of every state legislature in the US.

That’s especially true considering the fact that states are producing new data privacy laws all the time, and states even tweak old laws that you thought you were familiar with (case in point: California’s CPRA, which revises its previous data privacy regulation, CCPA).

If you’re looking for a quick and digestible way to stay up to date on data privacy, subscribing to the Osano newsletter is a great place to start. But if you don’t want to have to think about data privacy anymore whatsoever, then trying a free trial of Osano’s Consent Management Platform (CMP) might be what you’re looking for.

CMPs help companies stay compliant with data privacy laws, and we designed ours specifically for non-experts. If reading about the most recent data privacy laws made you feel a bit overwhelmed, the Osano CMP can help you get compliant without feeling like you’re out of your depth.