On March 24, 2022, the Utah Consumer Privacy Act (UCPA) was signed into law with an effective date of December 31, 2023. Utah became the fourth US state after California, Virginia, and Colorado to enact a comprehensive privacy law. Similar to the European Union’s General Data Protection Regulation (GDPR), Utah, with the UCPA, has adopted the controller-processor approach within the law. The controller is the one who determines the purpose and means of processing, while the processor is the one who processes the personal data on behalf of the controller. Virginia, with its Virginia Consumer Data Protection Act, and Colorado, with its Colorado Consumer Protection Act, adopted a very similar approach.
The UCPA applies to:
Entities that process the personal data of 100,000 or more consumers during a calendar year or “derives over 50% of the entity’s gross revenue from the sale of personal data”1 and “controls or processes the personal data of 25,000 consumers or more.”2
A controller or processor who “conducts business in the state”3 of Utah or who “produces a product or service targeted toward the consumers who are residents of the state.”4
Entities with “annual revenue of $25,000,000 or more.”5
Residents of the state acting in an individual or household context (note that the commercial or employment context is not included in the scope of the law, so, for example, the law does not apply to business-related or employment data).
Similar to other US state laws, the UCPA provides certain rights to the consumer as outlined below:
Right of Access: Consumer has the right to confirm “whether a controller is processing personal data concerning the consumer”6 and the consumer can request access to the data.
Right of Deletion: Consumer has the right to request deletion of personal data that the consumer has provided to the controller.
Right to Data Portability: Consumer has the right to request access to personal data in a portable format that will allow the consumer to transfer data to another entity.
Right to Opt Out: Consumer has the right to opt out of the sale of personal information, as well as where that information is used for targeted advertising.
While responding to consumer requests, the law expects the controller to authenticate the identity of the consumer “using commercially reasonable efforts.”7 The law allows a controller to request additional information to authenticate a consumer request. The controller needs to fulfill the consumer request free of charge within forty-five (45) days with an option to extend it for another forty-five (45) days, depending on the “complexity of the request or the volume of requests.”8 However, for any subsequent consumer request within a 12-month period, the controller may charge a fee. The UCPA provides certain exceptions where a controller may deny a consumer request; however, the “burden of demonstrating”9 that the request falls under such exceptions is on the controller.
As previously mentioned, the UCPA delineates the responsibilities of controllers and processors. The law requires the controllers to follow certain requirements as outlined below:
Transparency: The UCPA mandates the controller to “provide consumers with reasonably accessible and clear privacy notice.”10
Purpose Specifications: The controller needs to specify the purpose of collection and processing of personal data.
Consent for Secondary Use: Controllers must disclose if they share personal data of consumers with third parties or engage in targeted advertising. They also need to disclose the manner in which a consumer may exercise the right to opt out of such processing.
Security: The controller needs to “establish, implement, and maintain reasonable administrative, technical, and physical data security practices”11 to maintain confidentiality and integrity of personal data during processing and storage.
Non-Discrimination: The law prohibits the controller from unlawfully discriminating against consumers for exercising their privacy rights. However, the law does not prohibit controllers from providing goods or services for no fee or at a discount as part of a “bona fide loyalty, rewards, premium features, discounts, or club card program.”12
Nonwaiver of consumer rights: “Any provision of a contract that purports to waive or limit a consumer's right”13 is unlawful.
Duty Regarding Sensitive Data:14 The controller may not process sensitive data of consumers without providing clear notice and an opportunity to opt out of the processing. The personal data concerning a child will be processed in accordance with the federal Children’s Online Privacy Protection Act.15
The law mandates that a processor will only process personal data based on a contract established between a processor and a controller, and the processor will “adhere to the controller’s instructions.”16
The attorney general has the “exclusive authority” to enforce the law. The Division of Consumer Protection (Division) within the Department of Commerce will accept complaints related to the alleged violation of the law. The Division will investigate the validity of a complaint and, based on its determination, the Division may refer the matter to the attorney general. The attorney general may request consultation from the Division. Prior to initiating any action against a controller or a processor, the attorney general will issue a notice of violation explaining the provisions that are violated. The attorney general may not take action if the violation is cured within 30 days. The attorney general may recover actual damages or an amount up to $7,500 for each violation if the entity fails to cure the violation. The law does not include a provision for a private right of action.
With many other state laws in the pipeline and a shifting definition of personal data that brings more private data within the scope of a privacy law, data privacy compliance continues to be an evolving challenge. A piecemeal approach to data privacy based on individual regulatory requirements will only compound the difficulty. Instead, organizations should prepare themselves with a comprehensive privacy compliance program. To be ready when the UCPA and other state laws go into effect, organizations should develop or review data inventories across all applicable products and consumer/corporate functions to understand the flow of consumer personal information across business units, service providers, and third parties, as well as the purpose behind it. Additionally, organizations should conduct a current-state assessment against the new state obligations to identify any compliance gaps, and develop a roadmap of future activities to address those gaps and operationalize the new requirements.
1 Consumer Privacy Act, State of Utah.
2 Consumer Privacy Act, State of Utah.
3 Consumer Privacy Act, State of Utah.
4 Consumer Privacy Act, State of Utah.
5 Consumer Privacy Act, State of Utah.
6 Consumer Privacy Act, State of Utah.
7 Consumer Privacy Act, State of Utah.
8 Consumer Privacy Act, State of Utah.
9 Consumer Privacy Act, State of Utah.
10 Consumer Privacy Act, State of Utah.
11 Consumer Privacy Act, State of Utah.
12 Consumer Privacy Act, State of Utah.
13 Consumer Privacy Act, State of Utah.
14 Sensitive data is defined as personal data related to “racial origin, religious belief, sexual orientation, citizenship or immigration status, mental or physical health condition,” etc.
15 Child is defined as an “individual younger than 13 years old.”
16 Consumer Privacy Act, State of Utah.