On March 24, 2022, Utah Governor Spencer Cox signed the Utah Consumer Privacy Act ("UCPA") into law. The UCPA, which will become effective December 31, 2023, largely mirrors the Virginia Consumer Data Privacy Act ("VCDPA"), explained in more detail here, or Europe's General Data Protection Regulation ("GDPR").
The UCPA applies to businesses that control or process consumers' personal information if they:
- (a) conduct business in Utah or (b) produce products or services that are targeted to residents of Utah;
- have annual revenue of $25,000,000 or more; and
- satisfy one or more of the following thresholds:
  - during a calendar year, control or process personal data of 100,000 or more consumers; or
  - derive over 50% of the entity's gross revenue from the sale of personal data and control or process personal data of more than 25,000 consumers.
The UCPA confers five rights to consumers:
- Right to confirm whether a controller is processing a consumer's personal data
- Right to access the personal data processed by a controller
- Right to delete personal data provided by or obtained by a controller
- Right to obtain a copy of the personal data a consumer has provided to the controller in a portable and readily usable format; and
- Right to opt out of processing of personal data for the purposes of:
  - Targeted advertising
  - Sale of personal data
Notably, these are the same rights as granted in the VCDPA and the Colorado Privacy Act ("CPA"), with two minor modifications—there is no right to correct the personal data or right to opt out of processing of personal data for the purposes of profiling.
As with the VCDPA and the CPA, businesses must establish a secure and reliable process for consumers to submit authenticated requests to exercise their consumer rights. A controller must respond to a consumer request within 45 days of receipt, free of charge, by informing the consumer of any action taken on the request. A controller may extend this period by 45 days, but must inform the consumer of the extension, its length, and the reasons the extension is necessary. Departing from the VCDPA and CPA in this regard, the UCPA does not provide consumers the opportunity to appeal a denial of a consumer rights request.
Utah consumers also have the right to opt out of processing of personal data for the purposes of targeted advertising and the sale of personal data. The UCPA provides some level of guidance to businesses by defining both "targeted advertising" and "sale of personal data" and providing a list of activities that are explicitly not targeted advertising and/or the sale of personal data.
The UCPA also follows in the footsteps of the VCDPA and the CPA by prohibiting the processing of "sensitive data." While the definition of sensitive data is identical to that in the VCDPA and the CPA, the UCPA does contain one major difference. While the VCDPA and the CPA require consumer consent prior to processing sensitive data, the UCPA requires a business to present the consumer with clear notice and an opportunity to opt out of the processing of sensitive data.
The UCPA establishes a host of additional obligations for businesses that control or process personal data. Such obligations include:
- Establishing, implementing, and maintaining reasonable technical and physical data security practices
- Disclosing the sale of personal data or the processing of personal data for targeted advertising
- Entering into contracts with data processors that contain specific provisions
The UCPA also mandates contractual requirements between controllers and processors. Such requirements should govern the processor's data processing procedures, and must include, among other things, instructions for processing the data, the nature and purpose of processing, the type of data subject to processing, how long the processing will continue, and the rights and obligations of both parties.
The enforcement process described in the UCPA largely mirrors that of the VCDPA. The UCPA does not have a private right of action—the Attorney General has exclusive enforcement authority. The Utah Attorney General also has the right to establish and administer a system to receive consumer complaints concerning a potential violation of the UCPA. If a business violates the UCPA and does not cure the problem within 30 days, the Attorney General may initiate an action and seek both an injunction to restrain any violations of the UCPA and civil penalties up to $7,500 for each violation.
As more and more states begin to pass legislation concerning data privacy, it is of the utmost importance that controllers and processors of data are aware of their obligations under these statutes. Each statute contains nuances that differentiate it from the others, and depending on its nature and size, a business may need to comply with all of them.