Just Around the Corner: The Utah Consumer Privacy Act (“UCPA”)

2023 has seen a flurry of general state privacy laws, with twelve (12) such laws now on the books.  The next one to “go live,” on December 31, 2023, is the Utah Consumer Privacy Act (UCPA).  With no general federal privacy law in sight, the state privacy landscape continues to get more crowded and challenging to navigate, and further highlights the need to create and implement a comprehensive data privacy compliance strategy.

On March 24, 2022, Utah’s Governor Spencer J. Cox signed Senate Bill (SB) 227, enacting the UCPA. The UCPA gives consumers rights to access, obtain a copy, and have their personal data deleted, as well as the right to opt out of the sale of personal data or targeted advertising.

The UCPA draws from the Virginia Consumer Data Protection Act (VCDPA), the second of the general state privacy laws—after the California Consumer Privacy Act (CCPA). Oregon, Colorado, Connecticut, and other states also follow Virginia’s structure. Oregon’s SB 619 was approved by the Oregon State Legislature on June 25, 2023, and subsequently signed by Oregon Governor Tina Kotek on July 18, 2023. You can read more about Oregon’s new law here.

The UCPA is arguably the most business-friendly of all these states’ privacy laws, including the threshold requirements for its application.

Below are some UCPA facts that may affect you:

Who is protected? Utah consumers.

Who is subject to the law? Controllers and processors.

A “controller” is “a person doing business in the state who determines the purposes for which and means by which the personal data is processed.” A “processor” is “a person who processes personal data on behalf of a controller.”

The UCPA applies to any controller or processor who (1) conducts business in Utah or produces a product or service targeted to Utah residents; (2) has annual revenue of at least $25,000,000; and (3) satisfies at least one of the following:

• controls or processes personal data of at least 100,000 consumers annually; or
• derives over 50% of its gross revenue from selling personal data and controls or processes the personal data of at least 25,000 consumers.

Notably, the CCPA has the same $25MM threshold, but there, an entity becomes subject to the CCPA simply by meeting this threshold.  In contrast, the UCPA requires that this threshold be met and that one of two additional requirements be met. Similarly, the new Texas Data Privacy and Security Act excludes from its application an entity that is not a small business as defined by the United States Small Business Administration.

Are non-profits exempt? Yes. 

Are there other notable exemptions? The new law would not apply to:

• a governmental entity (or a third party under contract acting on behalf of such an entity);
• a tribe;
• an institution of higher education;
• a nonprofit corporation;
• a covered entity;
• a business associate;
• protected health information;
• consumers’ credit information;
• a financial institution;
• an individual’s processing of personal data for purely personal or household purposes; or
• an air carrier.

What are the obligations of those subject to the law? Those subject to the law must “provide consumers with a reasonably accessible and clear privacy notice that includes:

• The categories of personal data processed by the controller;
• The purposes for processing the data;
• How consumers may exercise their rights;
• The categories of personal data the controller shares with third parties, if any; and
• The categories of third parties, if any, with whom the controller shares personal data.”

They must also “establish, implement, and maintain reasonable administrative, technical, and physical data security practices designed to protect the confidentiality and integrity of personal data.”

What are the consumers’ rights?  A consumer has the right to:

• confirm whether a controller is processing their personal data, and access the consumer’s personal data;
• delete the consumer’s personal data that the consumer provided to the controller;
• obtain a copy of their personal data; and
• opt out of the processing of their personal data for targeted advertising or the sale of personal data.

Note that while consumers have the right to delete the personal data they already provided to the controller and to opt out of future processing for certain purposes, they do not have the right to correct inaccurate information in their personal data under the UCPA.

Can a consumer appoint a representative to exercise that consumer’s opt out and other rights under the new law? No.

Is there a private right of action? No.

What does “personal data” include? Personal data is “information that is linked or reasonably linkable to an identified or identifiable individual.” This “does not include deidentified, aggregated or publicly available information.”

What does “sensitive data” include? Sensitive data is personal data that reveals an individual’s:

• racial or ethnic origin;
• religious beliefs;
• sexual orientation;
• citizenship or immigration status; or
• medical history, condition, or treatment; and
• some genetic personal data, biometric data, or geolocation data.

Sensitive data does not include personal data that reveals an individual’s: racial or ethnic origin if the data is processed by a video communication service. Nor does sensitive data include information regarding an individual’s medical history, mental or physical health condition, or medical treatment or diagnosis if the personal data is processed by a licensed health care provider.

Also, businesses subject to the law must provide consumers notice and an opportunity to opt out of the use of their sensitive data.

Is there a security exception? Yes.

The UCPA will not restrict a controller’s or processor’s ability to:

• “detect, prevent, protect against, or respond to a security incident, identity theft, fraud, harassment, malicious or deceptive activity, or any illegal activity; or
• investigate, report, or prosecute a person responsible” for one of these actions.

Is consent required for the collection and other processing of sensitive personal data?
“[V]erifiable parental consent” is required when processing the personal data of consumers known to be under the age of 13. This is the only consent required under the UCPA.

Is a data protection assessment required for high-risk processing, including the sale of personal data? No.

Are affiliates of the controller or processor considered third parties? No. Third parties do not include an affiliate of a controller or processor. This means, for example, that an affiliate can disclose personal data to an affiliate without that disclosure triggering a sale of personal data.

What are the penalties for violation? Actual damages and fines up to $7,500 per violation.

Can violations be cured? Yes. There is a 30-day cure period.

What is the future of the UCPA? The UCPA may change in the future. The Utah attorney general and the Division of Consumer Protection are required to submit a report evaluating the law’s effectiveness by July 1, 2025. As of the date of this article, the Utah Division of Consumer Protection has not updated its website (https://dcp.utah.gov/statutes-and-rules/) to include the UCPA as one of the statutes that it enforces.  Presumably, this update will occur closer to December 31, 2023.