On March 24, 2022, the Utah Consumer Privacy Act (UCPA) was signed into law by Governor Spencer J. Cox, making Utah the fourth state, behind California, Virginia, and Colorado, to pass comprehensive consumer privacy legislation.
The UCPA’s Applicability
The UCPA applies to entities that:
- conduct business in Utah or produce products and services that target Utah residents;
- have an annual revenue of $25 million or more; and
- either control or process the personal data of 100,000 or more Utah residents during a calendar year, or derive over 50% of their gross revenue from the sale of personal data and control or process the personal data of 25,000 or more Utah residents.
There are also a number of exemptions under the UCPA, including government agencies, institutions of higher education, non-profit corporations, and entities regulated under the Health Insurance Portability and Accountability Act (HIPAA).
What Rights Do Consumers Have Under the UCPA?
Utah residents have the following rights under the UCPA:
- Access: Right to confirm whether a controller is processing the consumer’s personal data and access to that data.
- Deletion: Right to delete the personal data provided to the controller.
- Portability: Right to obtain copies of the personal data provided to the controller in a format that is portable, usable, and transmittable.
- Opt-Out: Right to opt out of the processing of personal data for targeted advertising or the sale of personal data.
Responsibilities for Processors and Controllers
The UCPA specifies the following responsibilities for processors and controllers:
- Contracts between processors and controllers shall be established before processors begin processing information on behalf of a controller. The contract should provide the instructions for processing personal data, the purpose, type of data being processed, the duration, and the rights and obligations of the parties. The contract should also ensure confidentiality by the processor in relation to the personal data being processed. Any subcontractors must also enter into a contract and abide by the same obligations as the processor.
- Controllers shall provide consumers with a privacy notice that includes:
  - categories of personal data processed by the controller;
  - purpose of processing the personal data;
  - how consumers may exercise their rights;
  - categories of personal data that are shared with third parties;
  - categories of third parties with whom the controller shares personal data; and
  - the manner in which consumers may exercise the right to opt out of the sale of personal data or processing for targeted advertising.
- Controllers shall establish data security practices to protect the confidentiality and integrity of personal data and reduce the risk of harm to consumers in relation to the processing of their personal data.
- Controllers may not process a consumer's sensitive data without first presenting the consumer with clear notice and an opportunity to opt out of the processing.
- Controllers may not discriminate against consumers for exercising their rights by denying goods or services, charging different prices to consumers for goods or services, or providing the consumer with a different quality of goods or services.
The Utah attorney general has exclusive authority to enforce the UCPA (i.e., consumers do not have a private right of action against businesses for UCPA violations). A controller or processor has a 30-day cure period after receiving written notice of a violation before the attorney general may initiate an action. For uncured or continued violations, the attorney general may recover actual damages to the consumer plus a civil penalty of up to $7,500 per violation; amounts recovered are deposited into the Consumer Privacy Account.
The UCPA’s Effective Date
The UCPA becomes effective on December 31, 2023, giving businesses a grace period to adjust their operations. While this may seem far off, don't underestimate the amount of time it can take for a business to adjust its practices to be legally compliant. Contact Zasio to find out how we can help bring your business into compliance with this new law, as well as other comprehensive state privacy laws.
Disclaimer: The purpose of this post is to provide general education on Information Governance topics. The statements are informational only and do not constitute legal advice. If you have specific questions regarding the application of the law to your business activities, you should seek the advice of your legal counsel.