On March 24th, Utah Governor Spencer Cox signed Senate Bill 227, the Utah Consumer Privacy Act (“UCPA”), into law. Utah is the fourth state to enact a comprehensive privacy law, following California, Virginia, and Colorado. In this blog post, we cover some of the most important things that businesses should know about this new state privacy law before its effective date of December 31, 2023:
Who does the UCPA apply to?
The UCPA applies to any controller or processor that (1) conducts business in Utah or produces a product or service that is targeted to consumers residing in Utah, (2) has annual revenue of $25,000,000 or more, and (3) that satisfies one or more of the following thresholds:
- during a calendar year, controls, or processes personal data of 100,000 or more consumers; or
- derives over 50% of the entity’s gross revenue from the sale of personal data and controls or processes personal data of 25,000 or more consumers.
Governmental entities, third parties under contract with a governmental entity when those third parties are acting on behalf of the governmental entity, tribes, institutions of higher education, nonprofit corporations, “covered entities”, “business associates”, and financial institutions covered under the GLBA are exempted from the scope of the UCPA. The UCPA is unique in the sense that it explicitly exempts tribes and third parties under contract with the government. The UCPA also exempts certain types of data that are already covered under other federal laws, such as protected health information regulated by HIPAA, personal data regulated by the Driver’s Privacy Protection Act, and personal data regulated by FERPA.
What is “sensitive data” under the UCPA?
The UCPA defines “sensitive data” as personal data that reveals an individual’s racial or ethnic origin, religious beliefs, sexual orientation, or citizenship or immigration status. Information regarding an individual’s medical history, mental or physical health condition, or medical treatment or diagnosis by a health care professional is also considered “sensitive data.”
However, personal data that reveals an individual’s racial or ethnic origin – if processed by a video communication service – does not fall under the definition of “sensitive data.” Personal data processed under either the Health Care Facility Licensing and Inspection Act or Title 58 (Occupations and Professions) is also not considered “sensitive data.”
Does the UCPA provide any consumer privacy rights?
Yes. Under the UCPA, consumers have access, deletion, and portability rights, as well as the right to opt-out of the processing of personal data for purposes of targeted advertising and/or sale.
What is required of controllers and processors?
Under the UCPA, controllers are required to provide consumers with a reasonably accessible and clear privacy notice and to establish, implement, and maintain reasonable administrative, technical, and physical data security practices. Controllers will not be able to process sensitive data without first providing clear notice with an opportunity to opt out.
Processors must adhere to the controller’s instructions and take into account the nature of the processing and information available to the processor by appropriate technical and organizational measures, as reasonably practicable. Before a processor performs processing on behalf of a controller, the processor and controller must enter into a contract that sets forth several obligations concerning the handling of personal data.
What are the enforcement mechanisms?
Utah’s Division of Consumer Protection will have the ability to investigate consumer complaints regarding alleged violations of the UCPA by controllers and processors.
Before initiating an enforcement action, the attorney general must provide written notice to the entity in question outlining the provisions of the UCPA that have been or are alleged to have been, violated as well as an explanation of the basis for each allegation.
There is no private right of action.
When will the UCPA become effective?
The UCPA will become effective on December 31, 2023.
With four state privacy laws in the mix now and potentially more to come, businesses should prioritize developing a robust, scalable data privacy program. Our dedicated data privacy attorneys routinely provide guidance on various consumer data privacy regulatory regimes and are experienced in helping businesses adapt to the constantly evolving legal landscape.
*Attorney Advertising: prior results do not guarantee similar outcomes.