Utah has enacted the Utah Consumer Privacy Act (“UCPA”) which takes effect on December 31, 2023. This makes Utah the fourth state to implement a generally applicable consumer data privacy law, after California, Virginia and Colorado. The continued expansion of the state data privacy regulation patchwork complicates data privacy compliance efforts.
UCPA applies to any controller or processor that conducts business in Utah or produces a product or service that is targeted to Utah consumers; has an annual revenue of $25 million or more; and either (1) during a calendar year controls or processes personal data of 100,000 or more Utah residents or (2) derives over 50% of its gross revenue from the sale of personal data and controls or processes personal data of 25,000 or more Utah residents. UCPA applies to information that is linked or reasonably linkable to an identified or readily identifiable individual. The law also provides special protections for sensitive data, which includes personal data revealing racial or ethnic origin, religious beliefs, sexual orientation, citizenship or immigration status, medical history, mental or physical health condition, or medical treatment or diagnosis by a healthcare professional. Sensitive data also includes the processing of genetic personal data or biometric data, if the processing is for the purpose of identifying a specific individual, and specific geolocation data.
UCPA does not apply to (1) financial institutions or their affiliates governed by, or personal data processed in accordance with, the federal Gramm-Leach-Bliley Act; (2) certain activities regulated by the Fair Credit Reporting Act; (3) information on persons acting in a commercial or employment context; (4) de-identified data, aggregated data, or, in some contexts, pseudonymous data; or (5) certain publicly available information.
UCPA also does not restrict a controller’s or processor’s ability to comply with other law, engage in certain fraud prevention and detection and security activities, or engage in certain internal processing uses, among other limited activities.
UCPA provides consumers with a number of rights related to their personal data. Under the UCPA, consumers have the right to (1) confirm whether or not a controller (the person that determines the purpose and means of processing personal data) is processing personal data; (2) access their personal data; (3) delete personal data that the consumer provided to the controller; (4) get a portable copy of personal data that the consumer previously provided to the controller in a format that is readily usable and allows the consumer to transmit the data to another controller without impediment; and (5) opt-out of the processing of personal data for (a) targeted advertising or (b) the sale of personal data.
UCPA imposes different obligations depending on whether the business is a controller or a processor. A business will need to analyze whether it is acting as a controller or a processor when engaging in any personal data processing. There also are requirements for contracts between controllers and processors as well as requirements for engaging subcontractors.
The Utah attorney general has the exclusive authority to enforce the UCPA. The attorney general may seek civil penalties of up to $7,500 for each violation of the UCPA, in addition to actual damages for the consumer. The UCPA provides for a thirty-day right to cure. The UCPA does not provide for a private right of action.