On March 24, 2022, Utah became the fourth state to enact comprehensive consumer privacy legislation when Governor Spencer Cox signed S.B. 227 into law.
The Utah Consumer Privacy Act (UCPA or the Act) took effect on December 31, 2023. At the time, it joined the California Consumer Privacy Act (CCPA), the Virginia Consumer Data Protection Act (VCDPA), and the Colorado Privacy Act (CPA) in imposing obligations upon businesses that control or process personal data and in granting to consumers certain rights over the personal data they provide.
Though it largely matches these other states' data privacy protections, the UCPA contains several distinct provisions that necessitate additional compliance steps.
Applicability Threshold
The UCPA impacts both "controllers" and "processors." "Controllers" are persons or entities that determine the purposes for which and the means by which personal data is processed. "Processors" are persons or entities that process personal data on behalf of controllers. "Personal data" is information that is linked or reasonably linkable to an identified or identifiable individual. These definitions are similar to those in the other states' privacy statutes.
The UCPA applies only to controllers and processors that meet the following geographical, financial, and data-volume thresholds:
- The controller or processor either conducts business in Utah or produces a product or service that is targeted to consumers who are residents of Utah.
- The controller or processor has an annual revenue of at least $25 million.
- During the immediately preceding calendar year, the entity (a) controls or processes the personal data of at least 100,000 consumers or (b) controls or processes personal data of at least 25,000 consumers and derives 50% of its gross revenue from the sale of personal data.
Exemptions
In addition to exempting employee and contractor information, the UCPA enumerates several entity-level and data-level exemptions.
The Act does not apply to state government agencies, third parties under contract with the government, financial institutions subject to the Gramm-Leach-Bliley Act (GLBA), covered entities and business associates as defined by the Health Insurance Portability and Accountability Act of 1996 (HIPAA), nonprofit organizations, public and private higher education institutions, air carriers, tribes, and consumer reporting agencies subject to the Fair Credit Reporting Act (FCRA).
The Act follows other states' legislation by adopting standard data-level exemptions, including patient-identifying information, information relating to human clinical research subjects, and information protected under federal statutes such as GLBA, HIPAA, FCRA, the Family Educational Rights and Privacy Act (FERPA), the Farm Credit Act (FCA), and the Driver's Privacy Protection Act.
Consumer Rights
The rights granted to consumers under the UCPA are consistent with those granted in other states' data privacy legislation. The Act provides that consumers have the right to do all the following:
- Confirm whether the controller or processor is processing their personal data.
- Access their personal data.
- Obtain a copy of the data that they previously provided in a portable, readily usable format.
- Delete any personal data that they previously provided.
- Opt out of the sale of personal information and the use of personal data for targeted advertising.
Effective July 1, 2026, the UCPA will also provide consumers with a right to correct inaccuracies in the consumers' personal data, considering the nature of the personal data and the purposes for which the personal data is processed.
The UCPA's protections are a bit narrower than those afforded in California, Virginia, and Colorado. Unlike the statutes in those states, the UCPA does not create a right to limit further processing of one's personal data. The UCPA also does not provide a right to appeal a controller's denial of a consumer's request or a right to opt out of profiling or automated decision-making processes.
Consumers who wish to exercise any of their rights under the UCPA must submit a request to a controller by specifying the right they intend to exercise. The controller must respond to the request within 45 days and must inform the consumer of any action taken upon the request.
As in the other states' statutes, the UCPA does not permit controllers to discriminate against consumers who exercise their rights by denying the consumers a good or service, charging the consumers a different price, or providing the consumers with a different level of quality.
Controller Obligations
Controllers have several responsibilities under the UCPA.
Controllers must establish, implement, and maintain reasonable administrative, technical, and physical data security practices. These efforts are designed to protect the confidentiality and integrity of consumers' personal data and reduce reasonably foreseeable risks of harm to consumers. Related to this is the requirement to execute a data processing agreement with any processors (as described in the Processor Obligations section below).
Controllers also must provide consumers with reasonably accessible, clear, and meaningful privacy notices that describe the purposes for collecting and processing personal data, the categories of personal data processed, the categories of personal data shared with third parties, the categories of third parties with whom the controllers share personal data, and the steps required to exercise consumers' rights under the UCPA.
If the controller sells personal data or uses it for targeted advertising, the controller must disclose in a clear and conspicuous manner both (1) any sale of the consumer's data or any engagement in targeted advertising and (2) the manner in which the consumer may opt out of either activity.
Under the UCPA, controllers cannot process a consumer's sensitive personal data without first providing the consumer with clear notice and an opportunity to opt out of such processing. "Sensitive data" is information that reveals an individual's race, ethnicity, religious beliefs, sexual orientation, citizenship or immigration status, medical history, mental or physical health condition, medical treatment or diagnosis, specific geolocation, or genetic or biometric data (if the purpose for processing is to identify a specific individual). Sensitive data does not include data processed by a video communication service that reveals an individual's race or ethnicity.
Unlike the VCDPA and the CPA, the UCPA does not require controllers to conduct data protection impact assessments, which are systematic processes to identify, assess, and mitigate the privacy risks associated with processing activities for certain kinds of personal data.
Processor Obligations
Under the UCPA, processors are required to adhere to controllers' instructions regarding how personal information is processed. Processors must aid controllers in complying with the provisions of the Act, including by fulfilling obligations to respond to consumer requests, processing personal data securely, and notifying others of breaches in system security.
The Act requires that all processing be governed by a contract between the controller and processor. These contracts must provide clear instructions for processing data. The contracts also must describe the nature and purpose of processing, the type of personal data involved, the duration of processing, and the parties' respective rights and obligations. As in other states, processors are subject to a duty of confidentiality. However, unlike the VCDPA and the CPA, the UCPA does not impose additional obligations upon processors regarding the performance of an audit or the return or deletion of personal data.
Enforcement
The Utah Attorney General (AG) holds the exclusive right to enforce violations of the UCPA. The Act expressly prohibits a private right of action.
The UCPA provides that the Division of Consumer Protection shall receive and investigate consumer complaints. The Division refers complaints to the AG when it has "reasonable cause to believe that substantial evidence" of a violation exists. The AG must give written notice to any controller or processor alleged to have violated the Act, identifying the provision that the controller or processor is alleged to have violated and explaining the basis for the violation. The AG must allow the controller or processor 30 days to cure the violation. Unlike in other states' privacy laws, the right to cure under the UCPA does not sunset.
A controller or processor that violates the Act and fails to cure the violation within the 30-day cure period may incur a civil penalty equal to the consumer's actual damages, totaling up to $7,500 per violation.
The UCPA also creates a restricted Consumer Privacy Account—a special fund in which money received from the civil enforcement actions is deposited to support the AG's enforcement efforts.
Important Dates
December 31, 2023: The UCPA, as originally written, took effect.
July 1, 2026: An amendment creating the consumers' right to correct inaccuracies in personal data takes effect.
Our team will continue to monitor the UCPA.