The Utah Consumer Privacy Act (UCPA) joins comprehensive consumer privacy laws in the states of California, Virginia, and Colorado. Similar to the California Consumer Privacy Act, as amended by the California Privacy Rights Act (CCPA/CPRA), the UCPA is aimed at companies that make more than $25 million in annual revenue and either (a) hold personal data of more than 100,000 Utah consumers each year; or (b) derive more than 50% of their gross revenue from the sale of personal data of 25,000 or more consumers. These companies will have just under two years to come into compliance with the UCPA, which takes effect on December 31, 2023.
The UCPA, similar to the CCPA/CPRA, the Virginia Consumer Data Protection Act (VCDPA), and the Colorado Privacy Act (CoPA), applies to controllers or processors that conduct business in the state or produce products or services targeted to its residents. These controller/processor classifications align with the European Union’s General Data Protection Regulation. Controllers dictate why and how personal data is processed, and processors process personal data on behalf of controllers.
The UCPA includes many of the same rights, obligations, and exceptions as other state laws, but also includes important nuances that companies need to factor into their compliance efforts. The UCPA’s applicability is narrower than that of any currently enacted state privacy law, and it holds broad exemptions for certain entities and data categories. For example, the UCPA’s definition of “sale,” “sell,” or “sold” excludes exchanges of personal data for monetary consideration by a controller to a third party where, “considering the context in which the consumer provided the personal data to the controller, a controller’s disclosure of personal data to a third party […] is consistent with a consumer’s reasonable expectations.”
Similar to the other state privacy laws, under the UCPA consumers have the right to:
· confirm whether a controller is processing their personal data;
· obtain a copy of their personal data in a format that is readily usable and portable;
· opt out of the sale of their data, although “sale” is traditionally defined; and
· opt out of the processing of personal information for purposes of targeted advertising, which is narrowly defined.
The UCPA is different from other comprehensive state privacy laws in that:
· consumers do not have the right to correct their personal data;
· unlike VCDPA and CCPA/CPRA, consumers do not have the right to opt out of profiling;
· unlike VCDPA and CoPA, which require affirmative consent before collecting and processing sensitive information, UCPA requires controllers to provide notice and the opportunity for customers to opt out of the processing of “sensitive data;” and
· unlike CCPA/CPRA, employee data and business-to-business contact information are outside the scope of the law.
Under the UCPA, companies must also publish privacy notices that explain:
· what categories of personal data will be processed;
· the purpose for the processing;
· how consumers may exercise a right to delete their personal data or to stop the sale of their personal data;
· the categories of personal data the controller shares with third parties; and
· the categories of third parties with whom the controller shares personal data.
No Private Right of Action
The UCPA is exclusively enforced by the Utah Attorney General and does not provide for a consumer’s private right of action. The Utah Department of Commerce Division of Consumer Protection will have the power to investigate consumer complaints regarding the processing of their personal data and will refer the matter to the Attorney General if appropriate. Companies will have a 30-day cure period to fix alleged violations before the Attorney General can begin an enforcement action.