Publications

The Utah Consumer Privacy Act (the “UCPA”), S.B. 227, is on the verge of becoming the fourth comprehensive state consumer privacy law in the United States. Both houses of the Utah Legislature passed the UCPA on March 3, 2022 and are expected to deliver the bill to Governor Spencer Cox, who has 20 days from adjournment to sign or veto the bill. If Governor Cox elects not to act, the bill will become law at the end of the 20-day period without his signature.

Assuming the bill makes it across the finish line, Utah will join California, Virginia, and Colorado in enacting comprehensive privacy reform for its residents. This year, nearly two dozen state legislatures across the country have introduced legislation that aims to protect the personal data of their residents. Utah’s Act is the first to pass in 2022, and it will go into effect on December 31, 2023.

The UCPA is closely modeled after the Virginia Consumer Data Protection Act (the “VCDPA”); however, there are important differences. For one, the UCPA contains a revenue threshold: the law will only apply to businesses with annual revenue of $25 million or greater. The UCPA will apply to for-profit businesses that conduct business in Utah or produce products or services targeted to Utah consumers, and either (1) control or process the personal data of 100,000 or more Utah consumers, or (2) derive more than 50% of the entity’s gross revenue from the sale of personal data and control or process the personal data of at least 25,000 Utah consumers. Utah residents acting in a commercial or employment context are excluded from the definition of “consumer.” The Act also contains a long list of exemptions similar to that of the VCDPA.

Under the UCPA, Utah consumers will have the following rights: (1) right to know whether a covered business is processing their personal data; (2) right to access such data; (3) right to delete the personal data that they have provided to a business; (4) right of data portability, whereby the business must provide consumers with a portable, readily usable copy of their personal data; and (5) right to opt out of the processing of the consumers’ personal data for sales or targeted advertising.

A few additional rights granted to consumers in the VCDPA are not part of the UCPA. Utah consumers will not have the right to correct the personal data collected about them or the right to appeal a business’s decision regarding their rights. Covered businesses will not be required to provide consumers with an opportunity to opt out of profiling. Also, though the UCPA mimics the other state privacy laws in providing special protections for “sensitive data,” the Act does not adopt the VCDPA’s affirmative opt-in requirement. Instead, the UCPA requires businesses to provide consumers with notice that the business will process sensitive data and an opportunity to opt out of such processing.

As under the VCDPA, processors have certain obligations under the UCPA, and controllers and processors must enter written contracts governing the processing of personal data. Unlike the VCDPA, the UCPA will not require businesses to conduct data protection assessments. Other obligations imposed on controllers by the VCDPA, like maintaining a privacy notice and implementing reasonable data security practices, are incorporated into the UCPA.

As for enforcement, the UCPA will not provide a private right of action to consumers. The Act authorizes Utah’s Division of Consumer Privacy to receive and investigate consumer complaints. Complaints deemed to provide substantial evidence of a violation will be referred to the Utah Attorney General, who will have exclusive enforcement authority. The Utah Attorney General can recover actual damages to the consumer and up to $7,500.00 per violation.

Koley Jessen will continue to monitor developments related to the UCPA and advise as updates become available. If you have questions on whether your business needs to comply with the UCPA or what steps you must take to comply with the UCPA, please contact one of the specialists in Koley Jessen’s Data Privacy and Security Practice Area.