Join the club: Utah is the fourth state to enact a comprehensive data privacy law

Eversheds Sutherland (US) LLP

On March 24, 2022, the Utah governor signed a consumer privacy law (the Utah Consumer Privacy Act, UCPA), marking the fourth state law to create enhanced data privacy rights and protections for consumers. The law will go into effect on December 31, 2023.

Because the UCPA is narrower and provides more exemptions than privacy laws in California, Colorado and Virginia, as well as the GDPR, it is unlikely to add any significant burdens to companies already complying with these laws.

In addition, unlike the California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA), the Utah law provides only for regulatory enforcement with no private right of action, and it does not cover individuals acting in an employment or commercial context.

It also exempts entities covered by the federal Gramm-Leach-Bliley Act (GLBA), but it exempts only protected health information (PHI) subject to the Health Insurance Portability and Accountability Act (HIPAA), not the HIPAA-regulated entities themselves.1

Jurisdiction

The law applies to organizations that conduct business in Utah, but like other privacy laws it has extraterritorial reach. It applies to organizations that: 1) create products or services targeted to residents of Utah; 2) have annual revenues of $25MM or more; and 3) either:

  • control or process personal data of 100,000 or more consumers (defined as Utah residents) in a calendar year, or
  • derive over 50% of revenue from the sale of personal data, and control or process the personal data of 25,000 or more consumers.

Unlike the Virginia Consumer Data Protection Act (VCDPA) and Colorado Privacy Act (ColoPA), it requires that a business not operating within the state have a minimum annual revenue of $25MM, a provision that is part of the California law.

However, unlike California, the UCPA requires that a business manage the personal data of at least 100,000 consumers, whereas California only requires 50,000.

Privacy Notice

As with the other privacy laws, the UCPA requires covered entities to publish “reasonably accessible and clear” privacy notices explaining the categories of personal data collected, the purpose for processing, the categories of data the controller shares with third parties, the categories of third parties with whom the controller shares the data, and how consumers can exercise their rights under the law.

Accordingly, a privacy notice that complies with the CCPA/CPRA, VCDPA, ColoPA and GDPR should largely satisfy the UCPA.

Access and Deletion Rights

Like the VCDPA and ColoPA, the UCPA gives consumers rights to:

  • Be informed as to whether their personal data is being processed, and if so, which categories of personal data are collected, how the data is used and whether it is sold
  • Confirm whether a controller is processing the consumer's personal data
  • Access the consumer's personal data
  • Delete the consumer's personal data “that the consumer provided to the controller,” subject to certain conditions and exceptions
  • Obtain a copy of the consumer's personal data, “that the consumer previously provided to the controller”

No Right of Rectification

The Utah law does not grant consumers the right to correct inaccurate data.

Sale of Data

The UCPA allows consumers to opt out of the sale of their personal data, which it defines as “the exchange of personal data for monetary consideration by a controller to a third party;” but it excludes from the definition of sale affiliate transfers and transfers to service providers (which the Utah law refers to as processors). To qualify as a processor, the UCPA requires a contract be in place limiting what the service provider can do with the personal data, but with fewer required provisions than detailed in the CPRA and GDPR.

The UCPA also includes an exception to the term “sale” for disclosures “consistent with the consumer’s reasonable expectations” or at the consumer’s direction.

Data Security

As in California, Virginia and Colorado (and similar to the GDPR’s “appropriate” standard), controllers are obligated to use “reasonable” administrative, technical and physical data security practices to protect personal data. What is reasonable will vary with the business’s size, scope and type, and with the volume and nature of the personal data it controls.

Enforcement

Similar to the Virginia and Colorado laws, the UCPA does not create a private right of action for individuals. While the Utah Department of Commerce’s Consumer Protection Division can accept complaints and investigate, only the Utah Office of the Attorney General can enforce these rights and responsibilities. Like the CCPA (although not the CPRA, which replaces the CCPA on January 1, 2023), the UCPA affords organizations a 30-day opportunity to cure any defects. Uncured violations can result in actual damages to the consumer and $7,500 in civil fines per violation.

Sensitive Data

The UCPA identifies certain categories of “sensitive” data, including race, religion, sexual orientation, citizenship, medical history, biometric data, and geolocation; consumers must be notified if these data are being collected, and they may opt out. By contrast, the Virginia and Colorado laws require affirmative, opt-in consent to collect this type of data.

Profiling

Unlike California, Colorado and Virginia, the UCPA does not reference the term “profiling.” The other three states define profiling as an automated process designed to analyze and predict the personal characteristics of an identified individual’s economic status, health, personal preferences, interests, behavior, location or movements, and allow consumers to opt out of profiling. These automated profiles are generally used to create targeted advertisements that are personalized to a specific consumer.

The UCPA grants consumers a narrower right, allowing them to opt out of “targeted advertising,” that is, advertising based on personal data obtained from the consumer’s online activity over time, but not out of the entire profiling process.

Right to Appeal

The UCPA does not include a mechanism for consumers to appeal a denial of their request to exercise their rights.

---------------------------------------------------

1 That said, the law will not require a person “to take any action in conflict with” HIPAA.


DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Eversheds Sutherland (US) LLP | Attorney Advertising
