On March 24, 2022, Utah became the fourth state to enact comprehensive consumer privacy legislation, the Utah Consumer Privacy Act (UCPA). The UCPA draws from the Virginia Consumer Data Protection Act (VCDPA), the Colorado Privacy Act (CPA), and the California Consumer Privacy Act (CCPA), but it also has distinct characteristics that businesses should note.

Because the UCPA takes effect on December 31, 2023, this edition of our Gearing Up series on privacy law compliance covers the UCPA's scope and threshold requirements, key steps to take to prepare for compliance, and how the law will be enforced.

UCPA's Scope and Threshold Requirements

The UCPA applies to businesses that act as a controller or processor conducting business in Utah or producing a product or service that is targeted to consumers who are residents of the state.

Utah defines a "controller" in much the same way as the VCDPA and the CPA: a controller is a person, whether natural or legal, who determines the purposes for which and the means by which personal data is processed. To comply with the UCPA, controllers must implement and maintain reasonable administrative, technical, and physical data security practices appropriate for the volume and nature of the data they handle. Controllers must also provide consumers with a reasonably accessible and clear privacy notice that includes:

  • Categories of personal data processed by the controller;
  • The purposes for processing;
  • How consumers can exercise the rights granted by the UCPA;
  • Categories of personal data that the controller shares with third parties; and
  • Categories of third parties with whom the controller shares personal data.

In addition, controllers must clearly and conspicuously disclose any sale of consumer personal data or any processing for targeted advertising, together with the manner in which a consumer can opt out of that sale or processing. Controllers must also give consumers clear notice and an opportunity to opt out before processing sensitive data, which the UCPA defines as personal data that reveals the consumer's racial or ethnic origin; religious beliefs; sexual orientation; citizenship or immigration status; or medical history, condition, treatment, or diagnosis, as well as genetic or biometric data processed to identify a specific individual and specific geolocation data. Note that this is an opt-out model, not the opt-in consent that the VCDPA and the CPA require for sensitive data. Finally, controllers that process personal data of consumers under the age of 13 must obtain verifiable parental consent and process that data in accordance with the Children's Online Privacy Protection Act (COPPA).

A processor is a person who processes personal data on behalf of a controller. Processors must follow the controller's instructions and assist the controller in meeting the UCPA obligations listed above, including responding to consumer requests and maintaining data security. The contract between a controller and its processors should therefore contain the provisions needed to make this assistance enforceable.

Like the CCPA, the UCPA includes threshold requirements that determine whether the law applies to a given entity. The UCPA uses both a financial threshold and a data volume threshold. To satisfy the financial threshold, the controller or processor must have annual revenue of $25 million or more. To satisfy the data volume threshold, the organization must either:

  • Control or process personal data of 100,000 or more consumers in a calendar year; or
  • Derive over 50 percent of the entity's gross revenue from the sale of personal data and control or process personal data of 25,000 or more consumers.

Both the financial threshold and the data volume threshold must be satisfied for the UCPA to apply. The UCPA also contains broad exemptions: it does not apply to institutions of higher education, nonprofits, financial institutions regulated by the Gramm-Leach-Bliley Act, covered entities and business associates regulated by HIPAA, government entities and contractors acting on their behalf, tribes, or air carriers. Even if your business falls into one of the exempt categories, however, keep in mind that industry-wide data collection and use practices tend to shift once a state privacy law takes effect, as has been seen in California.

UCPA Consumer Rights and Exceptions

The UCPA gives consumers four main rights:

  • The right to confirm if a controller is processing a consumer's personal data and to access that data;
  • The right to delete personal data that the consumer provided to the controller;
  • The right to obtain a copy of data that the consumer provided to the controller in a portable manner;
  • The right to opt out of the processing of personal data for targeted advertising or sale.

Unlike the CPRA, the VCDPA, and the CPA, the UCPA does not provide a right to correct inaccuracies in a consumer's personal data. The UCPA is similar to those laws in that a consumer can submit a reasonable request to exercise these rights, after which the controller has 45 days to respond; the controller may extend that period once, by an additional 45 days, when reasonably necessary given the complexity or volume of requests. Like the CCPA, the UCPA does not require controllers to offer a process for consumers to appeal a denied request.

The UCPA also allows controllers to charge consumers a reasonable fee to cover the administrative cost of responding to certain requests: a second or subsequent request within the same 12-month period, or a request the controller reasonably believes is primarily intended to harass, disrupt, or impose an undue burden on the controller.

What Your Business Can Do to Prepare for Compliance

While there is still time, December 2023 is approaching, and entities that meet the UCPA's scope and threshold requirements should begin preparing now. Beyond the specific steps listed below, businesses subject to the UCPA need to be transparent about the personal data they collect and how they use it. At a minimum, a business subject to the UCPA must:

  • Revise its privacy policy to be UCPA-compliant, disclosing information regarding the data collected and consumers' rights;
  • Enable consumer opt-out of personal information processing, allowing the consumer to exercise their opt-out rights to the extent the business sells their personal data or uses it for targeted advertising;
  • Implement mechanisms for collecting sensitive information that give consumers a clear notice and opportunity to opt out;
  • Obtain affirmative, verifiable parental consent for the collection of data for consumers under the age of 13;
  • Implement reasonable data security practices and ensure they are aligned with industry-recognized standards; and
  • Ensure that processing activities performed by a processor are governed by contract, although the UCPA imposes fewer requirements than the VCDPA and the CPA.

Enforcement

Once the UCPA takes effect, the Utah attorney general will have exclusive authority to enforce it; there is no private right of action. Enforcement is nonetheless multi-layered. The Division of Consumer Protection (DCP) receives consumer complaints and investigates alleged violations. The DCP may refer a matter to the attorney general, and must do so if it has reasonable cause to believe that substantial evidence of a violation exists. The attorney general then decides whether to take action.

Before initiating an enforcement action, the attorney general must give the controller or processor written notice of the alleged violation and a 30-day period to cure it; an action may proceed only if the violation is not cured within that window. In an action, the UCPA provides for recovery of actual damages to the consumer and a civil penalty of up to $7,500 per violation.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.