Utah Consumer Privacy Act Has Been Signed

The Utah Consumer Privacy Act (UCPA) was signed by Utah Governor Spencer Cox on Thursday, March 24, 2022. Below is a quick breakdown of what is now the fourth comprehensive state data privacy law in the United States. 

When does this law go into effect?

The UCPA goes into effect on December 31, 2023.

To whom does the UCPA apply?

The UCPA applies to controllers and processors that conduct business in the state of Utah or produce a product or service targeted to Utah residents, have annual revenue of $25,000,000 or more, and:

  • Control or process personal data of more than 100,000 consumers per calendar year; or
  • Derive over 50% of the entity’s gross revenue from the sale of personal data and control or process personal data of 25,000 or more consumers.

Please note that businesses must meet the revenue threshold and at least one of the two other criteria.

What are the penalties and who enforces it?

The UCPA grants the Attorney General exclusive enforcement authority. Therefore, a private right of action is not available under this law.

The maximum penalty amount for violations of the UCPA is $7,500 per violation, which can add up quickly.

Similar to the CCPA, the UCPA also provides a 30-day Right to Cure for potential violations. This 30-day right to cure does not sunset. The AG must send the cure notice to the controller or processor outlining the alleged violations. The AG cannot initiate an action if the controller or processor cures the proposed violation within 30 days.

What are the Consumer Rights and Other Key Requirements?

The UCPA provides Consumer Access Rights including:

  • The right to obtain a copy of the personal data that the consumer previously provided to the controller;
  • The right to delete the personal data that the consumer provided to the controller; and
  • The right to opt out of the processing of personal data for targeted advertising or the sale of personal data.

These requests must be honored within 45 days, with a 45-day extension available depending on the complexity and volume of requests. If an extension is exercised, the controller must notify the consumer of the extension, the length of the extension, and the reason for the extension.

Further, a controller must notify the consumer if it decides not to honor the request and the reasons for not honoring the request.

The controller is not allowed to charge a fee for the information in the request unless the request is the consumer’s second or subsequent request during the same 12-month period. The UCPA further outlines when a controller may charge a reasonable fee to act upon a consumer request.

There are also specific processor obligations, including:

  • Adhering to the controller’s instructions;
  • Implementing appropriate security controls; and
  • Assisting the controller in meeting its obligations.

Additional Obligations:

Considering the controller’s business size, scope, and type, a controller must use data security practices that are appropriate for the volume and nature of the personal data at issue.

Controllers are also required to make disclosures to consumers covering, but not limited to:

  • The categories of personal data processed;
  • The purposes for which the personal data are processed;
  • How to exercise their rights; and
  • Sharing activities.

Further, controllers are prohibited from processing sensitive data collected from the consumer without first presenting the consumer with a clear notice of collection and the ability to opt out.

Controllers are also required to operate according to common privacy principles, including:

  • Purpose specification;
  • Nondiscrimination against consumers who exercise their rights (unless they opt out of targeted advertising).

Exceptions:

The UCPA does not apply to:

  • Non-profit organizations;
  • Financial institutions or affiliates governed by Title V of the GLBA, and personal data collected, processed, sold, or disclosed in accordance with Title V of the GLBA;
  • Institutions of higher education; or
  • Covered entities and business associates under HIPAA.

As you can see, there are both data-level and entity-level exemptions for GLBA-covered entities, which differs from the CCPA.

Please reach out to connect@compliancepoint.com if you have any questions about the UCPA or other state data privacy regulations. 

Finding a credible expert with the appropriate background, expertise, and credentials can be difficult. CompliancePoint is here to help.