Following California’s successful passage of its Consumer Privacy Act (CCPA), four other US states enacted similar consumer privacy laws.
On March 24th, 2022, Utah Governor Spencer Cox signed the Utah Consumer Privacy Act (UCPA) into law, making Utah the fourth state in the United States to enact comprehensive consumer privacy legislation. The UCPA shares many similarities with the US state privacy laws in Virginia, Colorado and Connecticut; less so with California’s CCPA/CPRA.
Businesses that operate in Utah or serve Utah residents—specifically, those entities that control or process personal data—need to prepare for compliance before the UCPA takes effect on December 31st, 2023.
But what does the new Utah comprehensive privacy law entail?
We’ll review the general framework below so you can prepare your company for compliance and protect Utah consumers.
Utah’s Data Privacy Law Explained
UCPA governs Utah businesses that control or process personal information and data while guaranteeing consumer data protection and privacy rights to Utah residents. Let’s break the new law down into the most notable categories:
Who does UCPA apply to?
Generally speaking, it imposes obligations on two parties: “controllers” and “processors.” Additionally, UCPA applies to any controller or processor who:
- Conducts business in Utah or produces a product or service that is targeted to Utah residents
- Has annual revenue of $25M or more
- Controls or processes personal data of 100,000 or more consumers in a calendar year
- Derives more than 50% of its gross revenue from the sale of personal data and controls or processes personal data of 25,000 or more consumers.
The law defines a controller as an entity that “determines the purposes for which and means by which personal data is processed.” Controllers are required to:
- Provide a privacy notice that divulges the types of data used, the purpose for processing, consumers’ rights under the UCPA, and the third parties with whom the controller shares data.
- Disclose any sale of consumer data or use of targeted advertising.
- Install administrative, technical and physical data security practices to protect consumer data.
- Provide Utah consumers with a notice of sensitive data processing and the opportunity to opt-out.
Processors are entities that process personal data on behalf of a controller. According to the UCPA, processors must follow many, if not all, of the same regulations governing controllers.
Furthermore, there are specific obligations the two must follow when working with one another. For example, to legally process consumer data, there must be a written contract between the controller and processor that details:
- The purposes behind data processing
- The data processing procedures (set by the controller)
- Consumer privacy provisions
Utah’s privacy law is unique in that controllers don’t need to obtain opt-in consent to collect and process sensitive data. Instead, they’re required to provide a clear notice and an opportunity to opt-out.
Defining and Distinguishing Personal Data and Sensitive Data
It’s important to note that there are two types of consumer data the bill applies to, with sensitive data having enhanced obligations and protections:
- Personal data – “Information that is linked or reasonably linkable to an identified individual or an identifiable individual.” That doesn’t include aggregate, publicly available, or de-identified data.
- Sensitive data – “Personal data that reveal an individual’s race, ethnicity, religious beliefs, sexual orientation, citizenship or immigration status, medical history, mental or physical health condition, medical treatment or diagnosis, genetic or biometric data.”
Under the new legal framework, Utah residents are granted the following six categories of rights:
- Right to know – Consumers have the right to verify if a data controller is processing their personal data.
- Right to access – Consumers have the right to access their personal data.
- Right to deletion – Consumers have a limited right to request their personal data be deleted by the controller.
- Right to copy – Consumers have the right to obtain a copy of their personal data in a format that’s both portable and legible.
- Right to opt-out – Consumers have the right to opt-out of personal data processing if it’s used for targeted advertising or if the data is sold.
- Right to avoid discrimination – Consumers have the right to avoid discrimination for exercising their UCPA rights.
Who’s in charge of enforcing this new consumer protection law?
Investigations are handled by the Utah Division of Consumer Protection. If it receives a complaint, it may escalate it to the Utah Attorney General (AG). From there, the Utah AG has exclusive enforcement authority.
If the AG’s office receives a complaint and decides to pursue the matter, the AG is required to provide the impacted entities with written notice of the allegations, with a 30-day window to rectify the problem. If the controller or processor fails to address the issue, the Utah Attorney General can pursue a civil suit that includes a $7,500 penalty for each violation.
Unlike the other state laws, Utah:
- Carves out from the sensitive data category personal information that reveals an individual’s race when a video communications company processes it.
- Excludes the right to correct inaccurate or incomplete data.
- Excludes the right to opt-out of profiling and automated decisioning.
- Does not require controllers subject to the UCPA to recognize universal opt-out signals (like GPC) as a method for consumers to opt-out of data sales.
- Does not require controllers subject to the UCPA to conduct privacy impact assessments (although the practical utility of such DPIA/PIAs does not go away).
Finally, the Utah privacy law does not provide for a private right of action. In other words, impacted citizens can’t privately sue a company under UCPA.
DataGrail—The Platform for Utah Data Privacy Law Compliance
Utah is just the fifth state in the United States to pass its own comprehensive consumer privacy law. It is unlikely to be the last.
Is your privacy program ready for a fragmented US privacy landscape?
DataGrail is your company’s privacy control center. Our integrated data privacy platform is a centralized solution you can use to manage your entire privacy program. From automating privacy requests to mapping all of your consumers’ data, we can help you maintain compliance with UCPA, VCDPA, CCPA, GDPR, and more.
Contact us today to start simplifying your data privacy and protection compliance efforts!