State Regulatory Developments

Utah is the Latest State to Enact Comprehensive Data Privacy Law

The Utah legislature recently enacted the Utah Consumer Privacy Act (UCPA or the Act), which will take effect December 31, 2023.  In doing so, Utah joins California, Virginia, and Colorado in enacting comprehensive data privacy laws. 

Applicability and Scope

The UCPA applies to controllers or processors that do business in Utah or that produce a product or service targeted to Utah residents, subject to the following thresholds: the entity must have an annual revenue of $25,000,000 or more; and either (i) control or process personal data of 100,000 or more consumers during a calendar year; or (ii) derive over 50% of the entity’s gross revenue from the sale of personal data and also control or process personal data of 25,000 or more consumers.

As used in the UCPA, a “controller” is defined as a person doing business in the state who determines the purposes for which and the means by which personal data are processed (regardless of whether the person makes the determination alone or with others).  A “processor” is a person who processes personal data on behalf of a controller.  “Process” or “processing” under the Act means an operation performed on personal data, including collection, use, storage, disclosure, analysis, deletion, or modification of personal data.

The UCPA includes a number of exemptions, including for:

  • Financial institutions or affiliates of a financial institution governed by GLBA and its related regulations;
  • Certain activities regulated under FCRA;
  • Personal data collected in accordance with the federal Driver’s Privacy Protection Act; and
  • Data related to an individual acting in an employment or commercial context.

There are also limitations that permit a controller to cooperate with law enforcement, respond to security incidents, and conduct certain internal processes, among other things.

Consumer Rights

The UCPA grants consumers certain rights with respect to their personal data. These rights include that a consumer may submit a request to a controller to:

  • Confirm whether a controller is processing the consumer’s personal data;
  • Access the consumer’s personal data;
  • Delete the consumer’s personal data that the consumer provided to the controller;
  • Obtain a copy of the consumer’s personal data that the consumer previously provided to the controller, in a format that is portable, readily usable, and allows the consumer to transmit the data to another controller where processing is carried out by automated means; and
  • Opt out of the processing of the consumer’s personal data for purposes of targeted advertising or the sale of personal data.

The controller has 45 days to take action on the request and inform the consumer of the action taken.  This 45-day period may be extended by another 45 days, subject to certain requirements, if reasonably necessary due to the complexity of the request or the volume of requests received by the controller.  A controller generally may not charge a fee to respond to the consumer’s first request during a 12-month period; however, administrative fees are permitted under certain circumstances.

There are certain exceptions for controllers that maintain “pseudonymous data,” meaning personal data that cannot be attributed to a specific individual without the use of additional information, where that additional information is kept separate from the personal data and subject to appropriate technical and organizational measures.

Requirements on Controllers and Processors

The UCPA includes certain requirements that must be included in contracts between processors and controllers related to personal data. The law notes that determining whether a person is acting as a controller or processor with respect to a specific processing of data is a fact-based determination that depends upon the context in which personal data is to be processed.  A processor that adheres to a controller’s instructions with respect to a specific processing remains a processor.

In addition, the UCPA places obligations on controllers, including that controllers must:

  • Provide consumers with a “reasonably accessible and clear” privacy notice that includes, among other items, what personal data is processed and how consumers may exercise their rights;
  • Implement and maintain reasonable administrative, technical, and physical data security practices related to its use of consumer data and use data security practices that are appropriate for the volume and nature of the personal data at issue; and
  • Except as otherwise noted in the Act, only process certain sensitive data (as defined under the UCPA) after giving the consumer an opportunity to opt out.

Subject to certain parameters, a controller is also prohibited from discriminating against a consumer who exercised one of their rights under the law by denying the consumer a good or service, charging the consumer a different price, or providing a different level of quality.

Enforcement

The UCPA does not create a private right of action for consumers.  The law gives investigative authority to a newly created Division of Consumer Protection and enforcement authority to the Utah Attorney General (with consultation and assistance from the Division of Consumer Protection).  An entity that receives a notice of an alleged violation has 30 days to cure the violation.  The law allows the Utah AG to recover actual damages to the consumer and a penalty of up to $7,500 per violation.

See WBK’s previous posts on the privacy laws previously enacted in California, Virginia, and Colorado.