Utah About To Become The Fourth State To Pass Privacy Law

Written by: Richard Sheinis, Esq. 

On March 3, 2022, the Utah Consumer Privacy Act (“UCPA”) was passed by the Utah legislature and sent to the Governor to sign, which he is expected to do.  Most of you will be familiar with the requirements of the UCPA, as they are similar to recently passed privacy laws in California, Virginia, and Colorado.  A few of the key takeaways from the UCPA are as follows:

  1. Effective Date: The effective date is December 31, 2023.  This gives businesses almost two (2) years to bring their privacy practices into compliance.
  2. Application: The UCPA applies to businesses that do business in Utah or target their goods or services to Utah residents AND (a) have annual revenue of $25 million or more and control the personal data of 100,000 or more Utah residents during a calendar year; or (b) derive 50% of their revenue from selling the data of greater than 25,000 Utah residents.

Non-profits and businesses covered by HIPAA, FERPA, or Gramm-Leach-Bliley are exempted, as is employment-related and business-to-business-related information.

  3. Consumer Rights: Utah residents will have the rights typical of privacy laws, including the right to delete, correct, access, and receive a copy of their personal data.  Residents also have the right to opt out of their personal data being sold or used for targeted advertising.  An exception is made for targeted advertising by the business to which the resident provided their personal data.  Like other privacy laws, the goal is to allow residents to opt out of receiving targeted advertising from companies with whom they have not interacted.

The definition of “sale” or “selling” for purposes of the right to opt out of the sale of personal data is more limited than privacy laws in California.  Sale is defined as the exchange of personal data for “monetary consideration.”  This is more limited than the California law which defines sale as the exchange of personal data for “valuable consideration.”

  4. Contracts With Processors: Businesses are required to have certain contractual provisions with companies that process personal data on their behalf.  This requirement is not quite as detailed as some other privacy laws, but there are still requirements for confidentiality, and that processing of personal data only be done for purposes of the services provided.
  5. Enforcement: There is no private right of action.  The UCPA goes a little further than other privacy laws by stating that it also cannot be used to provide a basis for a privacy right of action under any other law.

Enforcement authority lies with the Utah Attorney General’s office after any alleged violation has been investigated by the Utah Division of Consumer Protection.  If the Utah Attorney General believes a violation has occurred, notice is provided to the offending business, which then has thirty (30) days to cure the violation.  Penalties can be up to $7,500 per violation, as well as the recovery of any actual damages to residents.
