On March 3, 2022, the Utah Senate voted unanimously to pass the Utah Consumer Privacy Act (UCPA), pushing the bill to the desk of Utah Governor Spencer Cox, and putting Utah a signature away from becoming the fourth state in the United States to pass a comprehensive data privacy bill.
If passed, the UCPA will join the increasingly complex patchwork of comprehensive state, national, and foreign privacy laws US businesses must comply with, alongside the California Consumer Privacy Act (CCPA), California Privacy Rights Act (CPRA), Virginia Consumer Data Protection Act (CDPA), the Colorado Privacy Act (CPA), and international laws such as the EU’s General Data Protection Regulation (GDPR).
In this blog, we’ll examine the new law, the rights it guarantees for Utah citizens, how it compares to other state privacy laws, and what your business will need to do to stay compliant.
For a more in-depth view of the emerging privacy landscape in the US, check out our new State Law Tracker, where we track the progress of privacy bills through state legislatures and explain the rights and requirements of each bill.
The Utah Consumer Privacy Act (UCPA): Key Facts
When Does the UCPA Take Effect?
If signed into law, the UCPA will take effect on December 31, 2023.
What is the Scope/Application Threshold of the UCPA?
The UCPA applies to any data controller or processor who conducts business in the state of Utah, or produces a product or service targeted to consumers in Utah, and meets one or more of the following thresholds:
- Has an annual revenue of $25 million or more.
- Controls or processes the personal data of 25,000 or more consumers.
What Consumer Rights are Granted by the UCPA?
Right to Access:
Consumers have the right to access personal data maintained by businesses.
Right to Deletion:
Consumers have the right to delete personal information retained by businesses. The right to deletion is limited to the deletion of personal data that they have provided directly to the organization.
Right to Data Portability:
A consumer has the right to obtain a copy of the consumer's personal data in a format that is portable and readily useable, to the extent technically feasible.
Right to Opt-Out of Data Processing:
A consumer has the right to opt out of the processing of personal data for purposes of targeted advertising or the sale of personal data.
Is There a Private Right of Action Under the UCPA?
There is no private right of action under the UCPA.
How do data subject rights requests work?
Organizations must provide at least one way for consumers to submit rights requests and will have 45 days from receipt of the request to respond. Extensions are possible for particularly complex requests.
Are there exemptions to the UCPA?
Exemptions include employee data and data already regulated under laws such as the Gramm-Leach-Bliley Act (GLBA). The UCPA does not apply to non-profit or higher-education organizations.
What Obligations do Data Controllers Have Under the UCPA?
Covered organizations must comply with several requirements under the UCPA, including requirements on data security, transparency, purpose specification, and data minimization.
While the UCPA does not require opt-in consent to process sensitive personal information, it does require the data controller to give the data subject a chance to opt out before the processing of sensitive personal information can begin. Additionally, parental consent is required for the processing of a minor’s personal data.
The UCPA would also require data controllers to complete annual data protection assessments, which must be kept for three years and may be requested by the Utah Attorney General (AG) as part of any investigation.
Is There a Cure Period Under the UCPA?
Yes. Organizations found to be in violation of the UCPA will have 30 days to remediate areas of non-compliance before penalties are levied.
How Will the UCPA be Enforced?
The UCPA will be enforced by the Utah Attorney General (AG), but first, cases must be deemed valid by the Utah Department of Commerce’s Division of Consumer Protection.
If organizations fail to address noncompliance within the cure period, the AG may collect damages for the consumer(s) as well as $1000 per violation, per consumer.
UCPA Compliance with Ensighten
State privacy laws like the UCPA are pressing new responsibilities—and penalties—on businesses and marketers. Ensighten offers organizations a solution to help build a fully compliant website and simplify compliance with the UCPA, CCPA, CPA, CDPA, GDPR, and any future privacy laws.
With Ensighten Consent Management Plus (CMP+), you can set up geo-targeted opt-out of sale links for consumers and give your customers a clear-cut choice on how their data is used, or whether it is collected. A simple line of JavaScript added to your website is all you need to stop data from being collected before your customers give their consent, allowing real-time enforcement of customer consent regardless of tag management systems or third-party tags.
Request a demo to see how Ensighten can help your organization meet its compliance and client-side security needs.

Jeff Edwards
Jeff Edwards is a tech writer and analyst with six years of experience covering compliance, information security, and IT. Jeff previously worked as a reporter covering Boston City Hall.