United States: Unlocking Privacy: What You Need To Know About The Utah Consumer Privacy Act

On December 23, 2023, The Utah Consumer Privacy Act (UCPA) will take effect.¹ Utah will be the fourth state to enact legislation that comprehensively protects consumer rights. While the UCPA shares familiar protections with the analogous privacy acts in its sister states (California, Virginia, and Colorado), the UCPA is narrower in scope.

In particular, the UCPA is only applicable to "a controller or processer who conducts business in the state; or produces a product or service that is targeted to consumers who are residents of the state."² Further, the controller or processor must also have an "annual revenue of $25,000,000 or more" and meet an additional requirement of "control[ling] or process[ing] personal data of 100,000 or more consumers or deriv[ing] over 50%" of its gross revenue from selling personal data and "control[ling] or process[ing] personal data of 25,000 or more consumers."³

Like other consumer privacy acts, the controller must provide the consumer with notice, including "the categories of personal data processed," why the data is being processed, "how consumers may exercise a right; the categories of personal data that the controller shares with third parties . . . and the categories of third parties . . . with whom the controller shares personal data."⁴

For consumers, the UCPA establishes several protections including the rights to access, delete, and opt out of data collection for certain purposes.⁵ (Personal data is defined as "information that is linked or reasonably linkable" to an individual; but, "does not include deidentified data, aggregated data, or publicly available data."⁶) Consistent with its business-friendly nature, the UCPA defines "consumers" narrowly, limiting its scope to individuals that reside in Utah "acting in an individual or household context."⁷ Notably, individuals "acting in an employment or commercial context" are not covered by the UCPA's definition of consumer.⁸ The UCPA is not applicable to many types of healthcare-related information nor does it apply to governmental entities, higher education institutions, tribes, and non-profits, among others.⁹

A Utah consumer may exercise their rights by following the instructions "prescribed by the controller."¹⁰ The controller must respond within 45 days, subject to exceptions and extensions.¹¹ If the violation persists, a Utah consumer may enforce their rights using a two-step approach.¹² First, the UCPA permits the Division of Consumer Protection to investigate consumer complaints "to determine whether the controller or processor violated" the UCPA.¹³ "Upon referral from the division, the attorney general may initiate an enforcement action."¹⁴ The attorney general must provide the controller or processor with 30 days notice prior to initiating an action; and, the UCPA further provides the controller or processor the opportunity to cure.¹⁵ If the violation continues, the attorney general may recover "actual damages to the consumer" in addition to up to $7,500 per violation.¹⁶ Unlike the California Consumer Privacy Act, the UCPA does not create a private right of action.¹⁷ The division and attorney general will submit a report evaluating the UCPA's effectiveness on July 1, 2025,¹⁸ potentially providing an avenue for change in the future.

Footnotes

1. Utah Consumer Privacy Act, Utah Code §§ 13-61-101 - 404.

2. § 13-61-102(1).

3. Id.

4. § 13-61-302(1)(a).

5. § 13-61-201.

6. § 13-61-101(24).

7. § 13-61-101(10).

8. Id.

9. § 13-61-102(2).

10. § 13-61-202(1).

11. § 13-61-203(2)(a).

12. §§ 13-61-401, 402.

13. § 13-61-401(2)(a).

14. § 13-61-402(2).

15. § 13-61-4020(3)(b).

16. § 13-61-402(3)(d).

17. § 13-61-305.

18. § 13-61-404(3)

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.