New Data Protection Law in the State of Utah

The Utah Consumer Privacy Act or UCPA, also known as S.B. 227, is a comprehensive data privacy law that was recently enacted in the U.S. state of Utah in March of 2022. With the passing of the UCPA, Utah becomes the fourth state within the U.S. to pass comprehensive data privacy legislation for the purposes of regulating the collection and processing of personal information, including the Colorado Privacy Act and the California Consumer Privacy Act. To this point, the law establishes the requirements that data controllers and processors within Utah must adhere to when collecting, processing, using, disclosing, and destroying personal information concerning consumers within the state. Moreover, the law also outlines the punishments that can be imposed against individuals and businesses within Utah that are found to be in violation of the law.

What is the scope and applicability of the UCPA?

In terms of the scope and applicability of the Utah Consumer Privacy Act, the provisions of the law apply to data “controllers and processors that 1) conduct business in Utah or produce a product or service targeted to consumers who are Utah residents; 2) have annual revenue of $25 million or more; and 3) meet at least one of the following thresholds: i) during a calendar year, control or process the personal data of 100,000 or more consumers; or ii) derive over 50 percent of the entity’s gross revenue from the sale of personal data and control or process personal data of 25,000 or more consumers.” Conversely, the law defines consumers as “Utah residents acting in an individual or household context; individuals acting in an employment or commercial context are expressly excluded from the scope of the statute.”

What are the duties of data controllers and processors under the law?

Under the Utah Consumer Privacy Act, data controllers and processors that operate within the state are responsible for providing Utah consumers with a “reasonably accessible and clear privacy notice” containing the following information:

• The categories of personal data that will be collected and processed by the data controller and processor respectively.
• The purposes for which personal data is to be collected and processed.
• The ways in which Utah consumers can exercise their rights under the law.
• Any categories of personal data that a data controller or processor intends to disclose to third parties, if applicable.
• Any categories of third parties that a data controller intends to disclose personal data to, if applicable.

Furthermore, if a data controller or processor intends to use the personal data of a Utah consumer for the purposes of engaging in targeted marketing, the data controller or processor must also provide said consumer with information detailing the manner in which they can opt out of such practices. Alternatively, the UCPA also mandates that data controllers and processors enter into a contractual agreement that outlines the instructions governing the collection and processing of personal data, the nature and purpose of the collection and processing of personal data, and the duration of such collection and processing, among other pertinent details.

What are the rights of consumers within Utah under the UCPA?

Under the Utah Consumer Privacy Act, consumers within the state are entitled to the following data protection and personal privacy rights:

• The right to be informed of the collection and processing of their personal data.
• The right to access their personal data.
• The right to rectify or erase their personal data.
• The right to object to or opt out of consent.
• The right to prohibit the processing of their personal data for direct marketing purposes.
• The right to obtain a copy of their personal data
• The right to transmit their personal data to another controller without impediment, in instances where data processing is carried out via automated means.

What are the penalties for violating the UCPA?

In terms of the enforcement of the Utah Consumer Privacy Act, the provisions set forth in the law are enforced by the Utah attorney general. Notably, the Utah Consumer Privacy Act does not provide consumers within the state with a private right of action, as all penalties that are imposed under the law are issued at the discretion of the Utah attorney general. With this being said, businesses and organizations within Utah that are found to be in violation of the law are subject to a monetary penalty of up to $7,500 per violation. Additionally, the law also tasks the Utah Department of Commerce, Division of Consumer Protection with establishing a system that consumers within the state can access for the purpose of filing complaints against business entities that they feel have violated their rights under the law.

Following the enactment of the Colorado Privacy Act, the Virginia Consumer Data Protection Act or VCDPA, and the California Consumer Privacy Act or the CCPA, Utah’s Consumer Privacy Act represents the fourth comprehensive data protection law to be passed at the U.S. state level as of 2022. As the issues of data protection and personal privacy have become far more pronounced in the past decade, as online communication continues to become the standard way of communication around the world, many other U.S. states are sure to pass similar laws in the near future, as a data privacy law at the federal level does not appear to be forthcoming at this time. More importantly, however, the Utah Consumer Privacy Act ensures that consumers within the state have the means to protect their personal data and in turn, their privacy.