Data Privacy Protections Come to Utah
DATA PRIVACY PROTECTIONS COME TO UTAH
On March 24, 2022, Utah became the fourth state to pass a comprehensive data privacy law, the Utah Consumer Privacy Act (UCPA), which will become effective December 31, 2023. It blends elements of the California, Virginia, and Colorado privacy laws that preceded it. This legal alert provides a brief overview of the scope of the UCPA, the obligations it imposes, the rights it grants, and its enforcement mechanisms.
The UCPA applies to a subset of organizations doing business in Utah or that target their services or products to Utah residents. The UCPA does not apply to nonprofits, indigenous tribes, higher education institutions, government entities, and third parties under contract with government. For the UCPA to apply, the business must have annual revenues of at least $25 million and:
- Control or process the data of at least 25,000 consumers and generate over 50 percent of its gross revenue from selling data; or
- Control or process 100,000 or more Utah residents’ personal data in calendar year.
The UCPA defines “personal data” broadly as any “information that is linked or reasonably linked to an identified individual or an identifiable individual.” True to its name, the UCPA only regulates consumer data and excludes personal data gathered in employment or business-to-business scenarios. Exemptions also exist for publicly available data, deidentified data, and data already subject to certain laws or regulations, like the Gramm-Leach-Bliley Act.
The UCPA affords special protections to sensitive data. Sensitive data “includes personal data that reveals” religious beliefs, racial or ethnic origin, citizenship or immigration status, sexual orientation, health and medical treatment or conditions, geolocation data, and individually identifiable biometric or genetic data. Controllers must provide notice and an opportunity to opt out prior to processing consumers’ sensitive data.
Obligations of Controllers and Processors
The UCPA requires data controllers to minimize the data collected and put in place suitable security measures to protect personal data that has been collected. A controller “determines the purposes for which and the means by which personal data are processed, regardless of whether the person makes the determination alone or with others,” while a processor “processes personal data on behalf of a controller.”
Data controllers must post a privacy notice that contains disclosures about their personal data practices, such as the categories of personal data processed, purposes of processing, categories of disclosures to third parties, and how consumers may exercise their rights. The notice must be accessible and clear.
For transactions between controllers and/or processors involving personal data, the parties must enter a written agreement that specifies the details of processing (e.g., data to be processed), the purpose of processing, and the parties’ obligations and rights. Among the obligations included in the agreement, processors must agree to follow controllers’ instructions when processing personal data. Processors must also contractually require sub-processors to adhere to the same obligations of the processor.
Rights of Consumers
Like the California Consumer Privacy Act, the UCPA gives consumers specific rights. Some of these rights include:
- Accessing and deleting personal data;
- Opting out of the collection and use of personal data;
- Requiring an organization to stop selling personal data (exceptions apply); and
- Requiring an organization to be transparent about the collection, use, and selling of data.
Individuals should contact the controller directly to exercise their rights. The UCPA gives controllers 45 days to respond to consumer requests, with a 45-day extension if reasonably necessary. Controllers must handle the first request free of charge but may charge for second or subsequent requests within a year of the most recent request. Controllers may refuse a request if a consumer’s identity cannot be verified or if the consumer’s personal data is pseudonymized. Controllers are prohibited from discriminating against consumers who exercise their rights under the law.
Consumers may submit a complaint with the Utah Division of Consumer Protection if they believe their rights have been violated and the business has failed to resolve the problem. The Division may investigate complaints received and refer them to the attorney general. The attorney general may initiate enforcement actions to recover actual damages suffered by the consumer and impose civil penalties up to $7,500 per violation. Businesses may avoid these consequences by correcting the alleged violation within 30 days of receiving written notice. The UCPA does not provide the consumer with the right to directly sue a controller.
All funds received from an action taken by the attorney general go to the Consumer Privacy Account. These funds will support future and current actions taken by the attorney general under the UCPA. The funds also can be used to educate consumers about issues related to the UCPA.
If you have any questions about the UCPA or any other data privacy law, please contact one of the authors.
 De-identified data “cannot reasonably be linked to an identified individual or an identifiable individual.”
 If Consumer Privacy Account ever exceeds $4,000,000, the excess funds will be transferred to the General Fund, which is the primary fund for financing a state’s operations.