Careers

Experiences

Industries

Offices

Our Firm

Pages

Our People

Updates

Practices

Warner Norcross + Judd LLP is a corporate law firm with over 230 attorneys serving clients in nine offices throughout Michigan. Among the largest law firms in Michigan, Warner works in virtually all areas of business law.

Michigan Law Firm - Warner Norcross + Judd LLP

Last Thursday, the Utah Consumer Privacy Act (UCPA) became law. Utah is now the fourth state to pass significant data privacy and security legislation, behind California, Colorado and Virginia. The UCPA goes into effect December 31, 2023.

contentpilot/introduction

core/heading

The UCPA applies to for-profit entities that: (1) generate at least $25 million in annual revenue; (2) conduct business in Utah or target Utah consumers; and (3) <em>either</em> process or control personal data of at least 100,000 Utah residents <em>or </em>process or control personal data of at least 25,000 Utah residents and derive 50% or more of their profits from processing or controlling that data.

core/paragraph

The UCPA has a significant number of exemptions for entities and data, including: nonprofit organizations; business-to-business contact information and employee data; and entities and data subject to federal regulations such as the Health Insurance Portability and Accountability Act (HIPAA), the Gramm-Leach-Bliley Act (GLBA), the Fair Credit Reporting Act (FCRA) and the Family Educational Rights and Privacy Act (FERPA).

Under the UCPA, Utah residents who are acting in an individual or household context (not in an employment or commercial context) have the following rights:

core/list

The new law imposes a number of duties on businesses that determine the purposes for which and the means by which personal data of Utah residents is processed (“controllers”), specifically addressing:

How Does the UCPA Compare With Other Privacy Laws?

The UCPA closely tracks the provisions and thresholds of the Virginia Consumer Data Privacy Act, including adopting its narrower definition of “sale,” which is limited to the exchange of personal data for monetary consideration by a controller to a third party. It also scales back some of the more onerous (and often confusing) provisions of the other three state acts, leading many to view it as the most “business friendly” of the bunch. For example, the UCPA does not include a right for consumers to correct inaccuracies in their personal data, nor does it require a business to conduct and document risk assessments about their internal data processing practices. Additionally, the UCPA does not require businesses to obtain opt-in consent for selling personal information or processing certain sensitive information as long as consumers are presented with “clear” notice of the processing and an opportunity to opt out. The UCPA also allows businesses to charge a reasonable fee when responding to a consumer rights request if the request is particularly burdensome, excessive, harassing or disruptive. In short, businesses subject to the UCPA are not likely to need to expend much additional effort if they already comply with California, Colorado or Virginia privacy laws.

What Are the Penalties for Non-Compliance?

There is no private right of action under the UCPA; rather, violations are enforceable by the Utah attorney general after being referred by the Utah Department of Commerce’s Division of Consumer Protection. There is a 30-day cure period after notice of the violation, with uncured or continual violations subject to penalties of up to $7,500 per violation and payment of any actual damages to consumers.

If you need help complying with the UCPA, please contact a member of Warner’s Cybersecurity and Privacy Practice Group. For more information on the UCPA and other U.S. privacy law updates, please register to attend Warner’s webinar, “<a href="https://register.gotowebinar.com/register/3690675027811192331" target="_blank" rel="noreferrer noopener">Legal Update on State Privacy Laws and What You Need To Do Now</a>,” on May 12, 2022. Warner will also be hosting a webinar focused on international privacy laws on May 24, 2022. You can <a href="https://register.gotowebinar.com/register/4738413951570207244" target="_blank" rel="noreferrer noopener">register here</a>.

Associate

Alexandra E. “Alex” Haywood

Partner

Kelly R. Hollingsworth

Cybersecurity and Privacy

Utah Becomes Fourth State to  Pass Comprehensive State Privacy Law

Warner Norcross + Judd LLP is responsible for the contents of our advertising and this website. Please read our full <a href="/privacy-policy/" aria-label="see privacy policy">privacy policy</a> available on our website. If you have any questions or comments about our website or our Privacy Policy please contact us at <a href="mailto:info@wnj.com">info@wnj.com</a> or 616.752.2000. 

Utah Becomes Fourth State to Pass Comprehensive State Privacy Law

professionals