Last Thursday, the Utah Consumer Privacy Act (UCPA) became law. Utah is now the fourth state to pass significant data privacy and security legislation, behind California, Colorado and Virginia. The UCPA goes into effect December 31, 2023.
To Whom Does the UCPA Apply?
The UCPA applies to for-profit entities that: (1) generate at least $25 million in annual revenue; (2) conduct business in Utah or target Utah consumers; and (3) either process or control personal data of at least 100,000 Utah residents or process or control personal data of at least 25,000 Utah residents and derive 50% or more of their profits from processing or controlling that data.
The UCPA has a significant number of exemptions for entities and data, including: nonprofit organizations; business-to-business contact information and employee data; and entities and data subject to federal regulations such as the Health Insurance Portability and Accountability Act (HIPAA), the Gramm-Leach-Bliley Act (GLBA), the Fair Credit Reporting Act (FCRA) and the Family Educational Rights and Privacy Act (FERPA).
What Rights Do Consumers Have?
Under the UCPA, Utah residents who are acting in an individual or household context (not in an employment or commercial context) have the following rights:
What Duties Do Businesses Have?
The new law imposes a number of duties on businesses that determine the purposes for which and the means by which personal data of Utah residents is processed (“controllers”), specifically addressing:
How Does the UCPA Compare With Other Privacy Laws?
The UCPA closely tracks the provisions and thresholds of the Virginia Consumer Data Privacy Act, including adopting its narrower definition of “sale,” which is limited to the exchange of personal data for monetary consideration by a controller to a third party. It also scales back some of the more onerous (and often confusing) provisions of the other three state acts, leading many to view it as the most “business friendly” of the bunch. For example, the UCPA does not include a right for consumers to correct inaccuracies in their personal data, nor does it require a business to conduct and document risk assessments about their internal data processing practices. Additionally, the UCPA does not require businesses to obtain opt-in consent for selling personal information or processing certain sensitive information as long as consumers are presented with “clear” notice of the processing and an opportunity to opt out. The UCPA also allows businesses to charge a reasonable fee when responding to a consumer rights request if the request is particularly burdensome, excessive, harassing or disruptive. In short, businesses subject to the UCPA are not likely to need to expend much additional effort if they already comply with California, Colorado or Virginia privacy laws.
What Are the Penalties for Non-Compliance?
There is no private right of action under the UCPA; rather, violations are enforceable by the Utah attorney general after being referred by the Utah Department of Commerce’s Division of Consumer Protection. There is a 30-day cure period after notice of the violation, with uncured or continual violations subject to penalties of up to $7,500 per violation and payment of any actual damages to consumers.
We Can Help!
If you need help complying with the UCPA, please contact a member of Warner’s Cybersecurity and Privacy Practice Group. For more information on the UCPA and other U.S. privacy law updates, please register to attend Warner’s webinar, “Legal Update on State Privacy Laws and What You Need To Do Now,” on May 12, 2022. Warner will also be hosting a webinar focused on international privacy laws on May 24, 2022.