The Utah Consumer Privacy Act ("UCPA" or the "Act") is on its way to the Governor's desk. The Act cleared the State Senate on February 25 and was unanimously approved by the House of Representatives on March 2. If written into law, Utah will be the fourth state to pass comprehensive consumer data privacy legislation. Please note that the Utah Privacy Law presently has an effective date of December 31, 2023. As such, many businesses that have worked to comply with CaliforniaVirginia, and Colorado privacy laws may soon need to undertake Utah privacy law compliance measures as well. 

Utah Privacy Law Applicability

Prior to working toward UCPA compliance, businesses should first determine whether the Utah Privacy Law applies to them. First, only companies that make over $25 million in annual revenue must comply with the Act. Further, the Act will only regulate companies that conduct business within the State of Utah or target Utah residents and either: (1) control or process personal data of 100,000 or more consumers during a year; or (2) control or process personal data of 25,000 or more consumers and derive over 50% of gross revenue from the sale of this personal data. Please note that the Act exempts governmental entities, tribes, and nonprofit corporations.

Utah Privacy Law Consumer Rights and Compliance Requirements

The UCPA contains standard consumer protections, providing consumers with the right to:

  1. access and correct certain personal data;
  2. opt out of the collection and use of personal data for certain purposes;
  3. know what personal information a business collects, how the business uses this personal information, and whether the business sells the personal information; 
  4. require a business to delete personal information; and
  5. prohibit a business from selling their personal information.

Further, businesses that control and process consumer personal data must: 

  1. safeguard this personal data; 
  2. provide clear disclosures concerning how consumer personal data is used; 
  3. accept and comply with consumer requests to exercise their UCPA rights; 
  4. provide a process for consumers to submit requests and appeal business decisions regarding the processing of their personal data; and 
  5. conduct data protection assessments. 

Utah Privacy Law Enforcement

Pursuant to the Act, the Office of the Attorney General will enforce the UCPA. In connection therewith, the Attorney General is authorized to: (1) obtain and evaluate a business's data protection assessments; (2) take enforcement action against violators; and (3) impose penalties. While Utah privacy law closely tracks that of Virginia and other state privacy laws in general, Utah takes a unique approach with respect to consumer UCPA violation claims. Specifically, consumers may only file complaints with the Division of Consumer Protection (the "Division"). The Division may accept and investigate such complaints. If the Division determines that a business violated a consumer's rights, then it will refer the claim to the Attorney General. Thereafter, the Office of the Attorney General will conduct its own investigation and decide if it will bring an enforcement action.

Given that there are no comprehensive federal consumer data privacy regulations in effect, businesses must monitor evolving state privacy law developments and work quickly to become compliant when relevant regulations are enacted.

Similar Blog Posts:

NY Privacy Act Out of First Committee

The CPRA Sensitive Personal Information Data Category

UPDATE: Virginia Privacy Bill Signed into Law

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.