Skip to Main Content
Publications | March 28, 2022
5 minute read

Utah Becomes Fourth State to Pass Comprehensive State Privacy Law

Last Thursday, the Utah Consumer Privacy Act (UCPA) became law. Utah is now the fourth state to pass significant data privacy and security legislation, behind California, Colorado and Virginia. The UCPA goes into effect December 31, 2023.

To Whom Does the UCPA Apply?

The UCPA applies to for-profit entities that: (1) generate at least $25 million in annual revenue; (2) conduct business in Utah or target Utah consumers; and (3) either process or control personal data of at least 100,000 Utah residents or process or control personal data of at least 25,000 Utah residents and derive 50% or more of their profits from processing or controlling that data.

The UCPA has a significant number of exemptions for entities and data, including: nonprofit organizations; business-to-business contact information and employee data; and entities and data subject to federal regulations such as the Health Insurance Portability and Accountability Act (HIPAA), the Gramm-Leach-Bliley Act (GLBA), the Fair Credit Reporting Act (FCRA) and the Family Educational Rights and Privacy Act (FERPA).

What Rights Do Consumers Have?

Under the UCPA, Utah residents who are acting in an individual or household context (not in an employment or commercial context) have the following rights:

  • Right to Access:The right to confirm that a business is processing their personal data and the right to access that data.
  • Right to Delete: The right to delete the personal data they provide to the business.
  • Right to Data Portability: The right obtain a copy of their personal data in a readily portable, usable and transmittable format.
  • Right to Opt Out: The right to opt out of the processing of the personal data for purposes of targeted advertising or the sale of personal data.

What Duties Do Businesses Have?

The new law imposes a number of duties on businesses that determine the purposes for which and the means by which personal data of Utah residents is processed (“controllers”), specifically addressing:

  • Privacy Notices: Controllers must provide consumers with a reasonably accessible, clear privacy notice that includes:
    • The categories of personal data processed.
    • The purposes of processing the personal data.
    • How and where consumers may exercise their rights.
    • The categories of personal data that the controller shares with third parties.
    • The categories of third parties with whom information is shared.
    • The manner in which consumers may opt out of the sale of their data or processing of their data for targeting advertising (if applicable).
  • Security Controls: Controllers must implement and maintain reasonable administrative, technical and physical data security practices designed to protect the confidentiality and integrity of personal data and reduce the risk of foreseeable harm to consumers.
  • Limitations on Sensitive Data: Controllers cannot process a consumer’s sensitive data without providing the consumer with clear notice and an opportunity to opt out of the processing.
  • Nondiscrimination: Controllers may not discriminate against a consumer for exercising a right by denying a good or service to the consumer, charging a different price or rate for a good or service or providing the consumer with a different level of quality of a good or service.
  • Contracts with Processors: Controllers must have contracts in place with processors that clearly set forth instructions for processing personal data, the nature and purpose of the processing, the type of data subject to processing, the duration of the processing and the parties' rights and obligations. These contracts must require processors to:
    • Follow the controller’s instructions and assist the controller in meeting the controller’s obligations.
    • Ensure each person processing personal data is subject to a duty of confidentiality with respect to the personal data.
    • Require its subprocessors to meet the same obligations.

How Does the UCPA Compare With Other Privacy Laws?

The UCPA closely tracks the provisions and thresholds of the Virginia Consumer Data Privacy Act, including adopting its narrower definition of “sale,” which is limited to the exchange of personal data for monetary consideration by a controller to a third party. It also scales back some of the more onerous (and often confusing) provisions of the other three state acts, leading many to view it as the most “business friendly” of the bunch. For example, the UCPA does not include a right for consumers to correct inaccuracies in their personal data, nor does it require a business to conduct and document risk assessments about their internal data processing practices. Additionally, the UCPA does not require businesses to obtain opt-in consent for selling personal information or processing certain sensitive information as long as consumers are presented with “clear” notice of the processing and an opportunity to opt out. The UCPA also allows businesses to charge a reasonable fee when responding to a consumer rights request if the request is particularly burdensome, excessive, harassing or disruptive. In short, businesses subject to the UCPA are not likely to need to expend much additional effort if they already comply with California, Colorado or Virginia privacy laws.

What Are the Penalties for Non-Compliance?

There is no private right of action under the UCPA; rather, violations are enforceable by the Utah attorney general after being referred by the Utah Department of Commerce’s Division of Consumer Protection. There is a 30-day cure period after notice of the violation, with uncured or continual violations subject to penalties of up to $7,500 per violation and payment of any actual damages to consumers.

We Can Help!

If you need help complying with the UCPA, please contact a member of Warner’s Cybersecurity and Privacy Practice Group. For more information on the UCPA and other U.S. privacy law updates, please register to attend Warner’s webinar, “Legal Update on State Privacy Laws and What You Need To Do Now,” on May 12, 2022. Warner will also be hosting a webinar focused on international privacy laws on May 24, 2022. You can register here.