With the passage and signing of the Utah Consumer Privacy Act ("UCPA"), Utah joins the ranks of California, Virginia, and Colorado in enacting a comprehensive data privacy law. The UCPA will officially go into effect on December 23, 2023, and largely mirrors existing data privacy regimes in the United States, with a few notable exceptions.

The UCPA applies to businesses that meet minimum thresholds related to revenue and the number of Utah residents whose data they control or process. Specifically, the UCPA applies to (a) data controllers and processors (b) conducting business in Utah or targeting Utah consumers (c) with more than $25 million in annual revenue, and (d) who process or control personal data of 100,000 or more Utah residents or derive 50% of their business from the processing or controlling of the data of at least 25,000 Utah residents.

Utah consumers engaging with a covered business will now have (a) the right to confirm that the business processes their data, (b) the right to request deletion of data they provided to the business, (c) the right to obtain a readily portable, usable, and transmittable copy of the data the business controls, and (d) the right to opt out of the processing of their data for targeted advertisement.

The law also requires data controllers to establish clear privacy notices that define the types of data processed by the controller, the purpose of processing, and the categories of information it shares with third parties, and that tell consumers how to exercise their data privacy rights. For controllers of sensitive data, the controller must give the data subject clear notice and an opportunity to opt out of processing. Finally, the UCPA establishes requirements for contracts between data controllers and processors. These contracts must include confidentiality guarantees and "clearly set forth instructions for processing personal data, the nature and purpose of processing, the type of data subject to processing, the duration of the processing, and the parties' rights and obligations."

Although this law provides new data privacy protections for Utah residents, it takes a less aggressive approach than other states. First and foremost, the UCPA includes no private right of action and instead depends on the state attorney general to enforce it. The law requires the attorney general to give the target of an enforcement action notice and thirty days to cure the infraction before it may seek fines of $7,500 per violation or actual damages to consumers. It does not require businesses to conduct assessments about data protection practices, and it gives businesses some flexibility to charge fees when responding to some consumer requests to exercise privacy rights.

Tip: Companies can take steps now to transition to the new UCPA requirements ahead of the December 31, 2023, deadline by 1) updating consumer rights response procedures, 2) auditing and updating their privacy policies, and 3) reviewing existing and new contracts for compliance with UCPA provisions.
