Utah has become the fourth state, following California, Virginia and Colorado, to enact a comprehensive consumer data privacy law. The Utah Consumer Privacy Act (“UCPA”), formerly known as Senate Bill 227, passed the Utah Senate and House with no opposition, and was signed by Governor Cox on March 24, 2022.

The UCPA shares many similarities with Virginia’s Consumer Data Protection Act (“VCDPA”) and the Colorado Privacy Act (“CPA”), and some similarities with the California Consumer Privacy Act (“CCPA”) and the California Privacy Rights Act (“CPRA”). That said, the UCPA is somewhat narrower and more business friendly than other state privacy law analogs. The UCPA will go into effect on December 31, 2023.

Scope

The UCPA applies to controllers or processors who:

  1. conduct business in Utah or produce products or services targeted to Utah consumers;
  2. have an annual revenue of $25,000,000 or more; and
  3. satisfy at least one of the following thresholds:
     a. during a calendar year, control or process the personal data of 100,000 or more Utah residents, or
     b. derive over 50% of their gross revenue from the sale of personal data, and control or process the personal data of 25,000 or more consumers.

Similar to the applicability of the VCDPA and the CPA, the UCPA applies only to Utah residents, and personal data relating to individuals acting in an employment or commercial context are exempted. The UCPA also exempts covered entities, business associates and protected health information regulated by the Health Insurance Portability and Accountability Act (“HIPAA”), activities by credit reporting agencies, personal information subject to regulation under the federal Fair Credit Reporting Act, and financial institutions or personal data subject to the Gramm-Leach-Bliley Act. The law also does not apply to non-profits.

Definitions

A controller is defined as a “person doing business in the state who determines the purposes for which and the means by which personal data is processed, regardless of whether the person makes the determination alone or with others.” A processor is defined as “a person who processes personal data on behalf of a controller.” For its definition of personal data, the UCPA excludes deidentified data, aggregated data, and publicly available information.

Like the other new state privacy laws, the UCPA creates new rights around the sale of personal information. Importantly, the UCPA defines “sale” as the exchange of personal data for monetary consideration by a controller to a third party. This definition resembles the VCDPA definition, but is narrower. It does not include:

  • a controller’s disclosure of personal data to a processor who processes the personal data on behalf of the controller;
  • a controller’s disclosure of personal data to an affiliate of the controller; or
  • a controller’s disclosure of personal data to a third party if the purpose is consistent with a consumer’s reasonable expectations depending on the context of the consumer providing the personal data to the controller.

Individual Rights

The UCPA provides Utah residents with the following rights:

  1. To access their personal data;
  2. To delete their personal data;
  3. To obtain a copy of their personal data that is portable, easily useable, and transmittable;
  4. To opt out of the “sale” of their personal data; and
  5. To opt out of “targeted advertising,” which is defined as an advertisement that is selected to be displayed to the consumer based on personal data obtained from the consumer’s activities over time and across nonaffiliated websites or online applications.

Compared to the VCDPA and the CPA, these opt-out rights are more limited in scope and do not include the right to opt out of data profiling. Unlike the CCPA, the VCDPA, and the CPA, the UCPA also does not give consumers the right to correct inaccuracies. Moreover, the UCPA does not require controllers to obtain prior opt-in consent to process “sensitive data” (i.e., personal data that reveals an individual’s racial or ethnic origin, religious beliefs, sexual orientation, citizenship or immigration status, medical or health information, genetic or biometric data, or geolocation data). However, controllers are required to provide consumers with clear notice and an opportunity to opt out of the processing of their sensitive data. Controllers are also required to disclose to consumers how to opt out of the sale of their personal data to third parties or of its processing for purposes of targeted advertising.

The UCPA does not require controllers to conduct data protection assessments prior to engaging in data processing activities that may increase the risk of harm to consumers. This differs from requirements set forth by the CCPA, the VCDPA, and the CPA. Additionally, while controllers must have certain contractual provisions in place for the processing of data by a data processor, the UCPA does not require the contract to specify cybersecurity audits or risk assessments to be performed by the controller.

Enforcement

Enforcement of the UCPA rests with the Utah Attorney General, and there is no private right of action. Additionally, the UCPA allows the Division of Consumer Protection, within the Utah Department of Commerce, to receive and investigate consumer complaints that a business has failed to comply with the law. Before bringing an enforcement action, the Attorney General must give the controller or processor 30 days after the day on which it receives written notice to remediate or cure any violation. If the violation is not cured, the UCPA authorizes penalties of up to $7,500 for each violation.

Future Evolution of the Law

The UCPA largely aligns with the content and developments in the other three comprehensive state privacy laws. However, the UCPA recognizes that the law may need to evolve. To this end, it contains a built-in review period that requires the Utah Attorney General and the Division of Consumer Protection to submit a report evaluating the effectiveness of the law by July 1, 2025. This flexibility means that the Utah law could continue to evolve, adding to the complexity of the regulatory regime, and it should continue to be monitored along with developments in California, Virginia, Colorado and the many other states considering comprehensive state legislation in the absence of a federal comprehensive privacy law.