On March 24, 2022, the Utah Consumer Privacy Act (UCPA) was signed into law with an effective date of December 31, 2023. Utah became the fourth US state, after California, Virginia, and Colorado, to enact a comprehensive privacy law. Like the European Union’s General Data Protection Regulation (GDPR), the UCPA adopts the controller-processor approach. The controller is the party that determines the purpose and means of processing, while the processor is the party that processes personal data on behalf of the controller. Virginia, with its Virginia Consumer Data Protection Act, and Colorado, with its Colorado Consumer Protection Act, adopted a very similar approach.
The UCPA applies to:
Similar to other US state laws, the UCPA provides certain rights to the consumer as outlined below:
While responding to consumer requests, the law expects the controller to authenticate the identity of the consumer “using commercially reasonable efforts.”7 The law allows a controller to request additional information to authenticate a consumer request. The controller needs to fulfill the consumer request free of charge within forty-five (45) days with an option to extend it for another forty-five (45) days, depending on the “complexity of the request or the volume of requests.”8 However, for any subsequent consumer request within a 12-month period, the controller may charge a fee. The UCPA provides certain exceptions where a controller may deny a consumer request; however, the “burden of demonstrating”9 that the request falls under such exceptions is on the controller.
As previously mentioned, the UCPA delineates the responsibilities of controllers and processors. The law requires the controllers to follow certain requirements as outlined below:
The attorney general has the “exclusive authority” to enforce the law. The Division of Consumer Protection (Division) within the Department of Commerce will accept complaints related to the alleged violation of the law. The Division will investigate the validity of a complaint and, based on its determination, the Division may refer the matter to the attorney general. The attorney general may request consultation from the Division. Prior to initiating any action against a controller or a processor, the attorney general will issue a notice of violation explaining the provisions that are violated. The attorney general may not take action if the violation is cured within 30 days. The attorney general may recover actual damages or an amount up to $7,500 for each violation if the entity fails to cure the violation. The law does not include a provision for a private right of action.
With many other state laws in the pipeline and a shifting definition of personal data that brings more private data within the scope of a privacy law, data privacy compliance continues to be an evolving challenge. A piecemeal approach to data privacy based on individual regulatory requirements will only compound the difficulty. Instead, organizations should prepare themselves with a comprehensive privacy compliance program. To be ready when the UCPA and other state laws go into effect, organizations should develop or review data inventories across all applicable products and consumer/corporate functions to understand the flow of consumer personal information across business units, service providers, and third parties, as well as the purpose behind it. Additionally, organizations should conduct a current-state assessment against the new state obligations to identify any compliance gaps, and develop a roadmap of future activities to address those gaps and operationalize the new requirements.
1 Consumer Privacy Act, State of Utah.
2 Consumer Privacy Act, State of Utah.
3 Consumer Privacy Act, State of Utah.
4 Consumer Privacy Act, State of Utah.
5 Consumer Privacy Act, State of Utah.
6 Consumer Privacy Act, State of Utah.
7 Consumer Privacy Act, State of Utah.
8 Consumer Privacy Act, State of Utah.
9 Consumer Privacy Act, State of Utah.
10 Consumer Privacy Act, State of Utah.
11 Consumer Privacy Act, State of Utah.
12 Consumer Privacy Act, State of Utah.
13 Consumer Privacy Act, State of Utah.
14 Sensitive data is defined as personal data related to “racial origin, religious belief, sexual orientation, citizenship or immigration status, mental or physical health condition,” etc.
15 Child is defined as an “individual younger than 13 years old.”
16 Consumer Privacy Act, State of Utah.