State Regulatory Developments

Utah Increases Civil Penalties for Violations of Certain Consumer Protection Acts

The state of Utah recently amended provisions of the Utah Protection of Personal Information Act (PPIA) and the Utah Consumer Credit Protection Act (CCPA).

The amendments allow the Utah Attorney General to assess civil penalties over $100,000 for violations of the PPIA and the CCPA that concern 10,000 or more Utah residents and for violations that concern 10,000 or more residents of other states.  The PPIA generally applies to persons who conduct business in Utah and maintain personal information, except certain financial institutions as defined under the Gramm-Leach-Bliley Act, and the CCPA generally applies to credit reporting agencies as well as any person that has access to a Social Security number. 

Additionally, under the PPIA amendments, companies must disclose to affected Utah residents a security breach by publishing a notice of the breach in a newspaper of general circulation if it is not feasible to notify such consumers by mail, e-mail, or telephone. 

Utah also amended the statutes of limitation for both Acts.  Under the PPIA, an administrative action must be commenced no later than ten years after the day on which the alleged breach of system security last occurred and a civil action must be commenced no later than five years after the day on which the alleged breach last occurred.  Under the CCPA, a civil action must be commenced no later than five years after the day on which the alleged violation last occurred.

The amendments became effective on May 14, 2019.