Utah Adopts New Data Privacy Legislation

Utah’s governor signed the Utah Consumer Privacy Act (UCPA) into law on March 24, 2022, making Utah the fourth state in the United States to enact comprehensive data privacy legislation. The UCPA is less restrictive than privacy legislation enacted in California, Virginia and Colorado. If your organization is in compliance with those state privacy laws, posting a Utah-specific privacy notice on your website may be sufficient. Here are some key highlights from the new law.

The law will take effect December 31, 2023, and will apply to organizations that have an annual revenue of at least $25 million and conduct business in Utah or target products to Utah consumers, and either:

  • control or process personal data of 100,000 or more Utah consumers per year; or

  • derive over 50% of gross revenue from the sale of personal data and control or process personal data of at least 25,000 Utah consumers.

The UCPA gives consumers the right to know what personal data is being collected and to ask for it to be deleted. Controllers of the information must post a privacy notice containing disclosures about their personal data practices similar to those required under other state laws, such as the categories of personal data processed, the purposes of processing, the categories of disclosures to third parties, and how consumers may exercise their rights.

The UCPA guarantees consumer rights to privacy that already exist in other state data privacy laws:

  • Right of access: Consumers have the right to confirm whether a controller is processing the consumers’ personal data and to access such data.

  • Right to delete: Consumers have the right to delete personal data that they provided to the controller.

  • Right to data portability: Consumers have the right to obtain a copy of their personal data in a portable and readily usable format.

  • Right to opt out: Consumers have the right to opt out of the processing of their personal data for the purpose of targeted advertising or the sale of their data. (NOTE: the definition of ‘sale’ is narrower than the one under the California law. For example, it must involve monetary consideration, and does not include transfer of personal data as part of a merger or sale of a business.)

The UCPA, similar to other data privacy laws, creates additional protections for what is considered ‘sensitive data’, such as genetic, biometric or geolocation data, information revealing racial or ethnic origin, religious beliefs, sexual orientation, citizenship or immigration status, or medical information. However, unlike in Virginia and Colorado, where controllers may not process sensitive personal data unless consumers opt in, controllers in Utah may process sensitive data as long as they provide consumers with a clear notice and an opportunity to opt out.

Under the UCPA, ‘consumers’ are limited to Utah residents who are ‘acting only in an individual or household context’, and, as in the other states’ privacy legislation, the term does not include individuals acting in an employment or commercial context.

There is no private right of action under the UCPA. Violations are only enforceable by the Utah Attorney General’s office. The damages recovered for violations of the UCPA may be up to $7,500 per violation, and only after a 30-day notice and cure period giving the controller the opportunity to remedy any violation.

In the absence of any unified federal regulations, compliance will become increasingly challenging for organizations as more states consider adopting their own privacy laws. Companies that collect or process personal information of consumers in these states should ensure that they know what personal data is collected, how the personal data is being processed, the purpose for which it is processed, and with whom the personal data is being shared. Companies need to draft the appropriate disclosures and develop processes and procedures to respond to consumer requests for information or to opt out of having personal information processed. These processes and procedures need to be reassessed annually, especially as the legislative landscape changes.
