On December 31, 2023, Utah’s new consumer privacy legislation will take effect. Utah is the fourth state to join the growing wave of comprehensive consumer privacy laws at the state level in recent months.
The Utah Consumer Privacy Act (UCPA) regulates businesses that operate in Utah with annual revenue of $25 million or more and either (i) controls or processes the data of 100,000 or more Utah residents; or (ii) derives over 50% of the business's gross revenue from the sale of personal data.
The Act imposes certain obligations upon controllers and processors. A “controller” is defined as “a person doing business in the state who determines the purposes for which and the means by which personal data is processed, regardless of whether the person makes the determination alone or with others.” A “processor” under the UCPA means “a person who processes personal data on behalf of a controller.”
Like the California Consumer Privacy Act, the UCPA requires the controller to be transparent regarding their collection and use of consumer data. Privacy notices must include the categories of personal data processed by the controller, the purposes for which the categories of personal data are processed, how and where consumers may exercise a right, the categories of personal data that the controller shares with third parties, and the categories of third parties with whom the controller shares personal data. If the business sells the personal data of consumers to third parties or processes it for targeted advertising, the notice must disclose the manner in which the consumer may exercise their right to opt-out of such activities.
Businesses must also establish certain security protocols to protect consumer data. The UCPA requires a controller to implement and maintain “reasonable administrative, technical, and physical data security practices designed to protect the confidentiality and integrity of personal data.” In designing these protocols, a business should consider the volume and nature of the personal data it is controlling or processing.
The Act provides consumers with data subject rights, such as the right to confirm whether their data is being processed, the right to access, the right to delete, and the right to opt of the collection and processing of their personal data for targeted advertising and for the sale of data. For sensitive data, controllers must provide specific notice and opportunities to opt-out of processing. Businesses should provide at least one method for consumers to submit a request to exercise a right. Businesses must respond within 45 days from receipt of the consumer request.
By its terms, the UCPA does not provide for a private right of action for consumers. The Act does provide the Utah Attorney General with the exclusive authority to enforce the law. (However, note that similar provisions in other laws do not always prevent some private plaintiffs from advancing claims.) If a business has been notified of a violation of the UCPA by the Attorney General, businesses will then have 30 days after receiving written notice from the Attorney General to cure the violation. The Attorney General may seek up to $7,500 for each violation.
This legal update was authored by MMM's Privacy & Cybersecurity Team. If you have any questions about the content, please contact Michael Young.