The Utah Consumer Privacy Act (“UCPA”), passed by the Utah legislature, was signed into law by Governor Spencer Cox on March 24, 2022 and becomes effective December 31, 2023. While companies conducting business in Utah will need to familiarize themselves with the law in order to become compliant if they are covered by the statute, the good news is that the UCPA creates only marginally different obligations from those found in California, Colorado, and Virginia’s data privacy laws.
What Businesses Are Covered By UCPA?
The UCPA does not refer to “businesses,” but rather borrows the GDPR terms “controllers” and “processors.” The UCPA applies to any entity that:
- Conducts business in Utah or produces products or services targeted to consumers who are Utah residents;
- Has an annual revenue of $25 million or more; and
- Processes or controls personal data (information that is linked or reasonably linkable to an identified individual or identifiable individual) of 100,000 or more Utah citizens or derives more than 50% of its gross revenue from processing or controlling data of 25,000 or more Utah consumers.
A processor is defined as a person who processes personal data on behalf of a controller.
A controller is defined as a person doing business in the state who determines the purposes for which and the means by which personal data are processed, regardless of whether the person makes the determination alone or with others.
What Are a Controller’s Obligations?
A Controller shall:
- Provide consumers with a reasonably accessible and clear privacy notice that includes:
  - Categories of personal data processed by the controller
  - Purposes for which personal data are processed
  - How consumers may exercise a right granted by the UCPA
  - Categories of personal data the controller shares with third parties
  - Categories of third parties with whom the controller shares personal data
  - A clear and conspicuous disclosure of the right to opt out of the sale of personal data or of processing for targeted advertising, if the controller sells personal data or processes it for those purposes
- Maintain reasonable administrative, technical, and physical data security practices designed to:
  - Protect the confidentiality and integrity of personal data, and
  - Reduce reasonably foreseeable risks of harm to consumers relating to the processing of personal data
- Considering the controller’s business size, scope, and type, use data security practices that are appropriate for the volume and nature of the personal data at issue.
- Present the consumer with clear notice and an opportunity to opt out before processing sensitive data collected from a consumer.
- Not discriminate against a consumer for exercising a right.
- Not be required to provide a product, service, or functionality to a consumer if the consumer’s data is necessary to provide that good or service and the consumer refuses to provide or grant access to the personal data.
- Not contract in a way that waives or limits a UCPA right.
What Rights Do Utah Consumers Have?
The UCPA allows consumers to assert the following rights:
These rights overlap with the existing consumer rights in other jurisdictions, although the Right to Delete in the UCPA is narrower, applying only to information provided by the consumer to the controller.
Are There Exemptions?
The UCPA exempts both certain types of personal data and some entities altogether from the application of the UCPA. The UCPA not only exempts personal data subject to HIPAA, GLBA, FCRA, and FERPA but also exempts certain types of entities outright. The UCPA does not apply to government entities, tribes, higher education institutions, nonprofit institutions, consumer reporting entities, or financial institutions governed by GLBA and its regulations.
How is the UCPA Enforced?
The Utah Attorney General has exclusive authority to enforce the UCPA, although the Utah Division of Consumer Protection may accept and investigate consumer complaints. If the Division has reasonable cause to believe substantial evidence exists that a complaint indicates a violation of the UCPA, the complaint may be referred to the Attorney General.
The UCPA provides a safe harbor and right to cure for up to 30 days after the day the controller or processor receives notice of the enforcement action.
What Issues Are Not Addressed in the UCPA?
- Private Right of Action
- Right Against Automated Decision Making
- Right to Correct
- Dark Patterns
- Opt-out Preference Signals or Global Privacy Controls
- Mandatory Risk Assessment of Businesses
- Auditing of Businesses
- Creation of Government Agency Dedicated to Enforcement of Privacy Laws
However, these topics may be addressed in the future. The UCPA requires the Attorney General to compile a report before July 1, 2025 evaluating the statute’s liability and enforcement provisions and summarizing what data is and is not protected. The Attorney General may comment on some of these issues in that report. As a best practice, businesses should monitor these updates and interpretations of the UCPA in order to comply with all provisions of the law.
What Should Businesses in Compliance with Existing Privacy Laws Do?
With only minor deviations from existing law, compliant businesses should need relatively little additional work to achieve compliance with the UCPA, assuming the statute applies to the business. A business in compliance with California, Colorado, and Virginia’s laws should have no issue meeting the UCPA’s deadline of December 31, 2023. As always, it is important to actively monitor changes in the law because Utah’s law. Diligent awareness of updates to privacy laws will be critical for compliance in this ever-changing landscape.
The UCPA does not clarify what it means to provide products or services targeted to consumers. However, this language largely tracks Virginia’s Consumer Data Protection Act, which applies when an entity conducts business in the Commonwealth or produces products or services that are targeted to residents of the Commonwealth.