New Utah privacy law passes legislature
Utah became the fourth state to pass a consumer data privacy law on March 24, 2022, when Governor Spencer Cox signed the Utah Consumer Privacy Act (UCPA) into law. Utah joins California, Colorado, and Virginia.
Given the number of consumer privacy bills currently in the legislative process, Utah is likely the first of several states to pass a privacy law in 2022.
The Utah privacy law shares similarities with the GDPR and other US State privacy laws. However, Utah does add some unique aspects for organizations to consider.
While the UCPA should remain on your privacy officer’s radar, you have time to comply. The Utah Privacy Law has an effective date of December 31, 2023.
What organizations need to know about the Utah privacy law
The Utah Consumer Privacy Act applies if you conduct business in Utah.
It also applies if you produce or deliver commercial products or services targeted to Utah residents, provided your organization has annual revenue of at least $25 million and meets one of the following thresholds:
- controls or processes the personal data of 100,000 or more consumers during a calendar year, or
- derives over 50% of its gross revenue from the sale of personal data and controls or processes the personal data of at least 25,000 consumers.
Consumers are Utah residents, but not when they act in a B2B or employment context.
Personal Data is information that is linked or reasonably linkable to an identified or identifiable individual. It does not include de-identified, aggregated, or publicly available information.
The Utah Privacy Law blends California’s minimum revenue threshold with the Colorado and Virginia approach of looking at revenue derived from the sale of consumer data and at whether the data of 25,000 consumers is processed or controlled.
How will the Utah Consumer Privacy Act be enforced?
Consumer complaints and investigations will be conducted through the Utah Division of Consumer Protection.
If the division finds reasonable cause to believe that substantial evidence of a violation exists, the case will be referred to the Utah Attorney General (AG).
An organization will receive 30 days’ advance notice of any enforcement action. The notice will include an explanation and the provision being violated.
It is possible to rectify the violation within that 30-day period by providing a written explanation to the AG. Otherwise, the AG may seek actual damages on the consumer’s behalf plus penalties of up to $7,500 for each violation.
If multiple entities are involved in violating the Utah Privacy Law, liability will be allocated according to the principles of comparative fault: each party is responsible for its own contribution to the violation.
The UCPA does not restrict an organization’s ability to:
- comply with a federal, state, or local law, rule, or regulation
- comply with a civil, criminal, or regulatory inquiry, investigation, subpoena, or summons by a federal, state, local, or other governmental entity
- detect, prevent, protect against, or respond to a security incident, identity theft, fraud, or any illegal activity; or investigate, report, or prosecute a person responsible for any of those actions
- engage in public or peer-reviewed scientific, historical, or statistical research in the public interest if the organization discloses required processing in a notice
- process personal data to conduct internal analytics or other research to develop, improve, or repair a controller or processor’s product, service, or technology
- process personal data to perform an internal operation that is reasonably aligned with the consumer’s expectations based on the consumer’s existing relationship with the controller
- retain a consumer’s email address to comply with the consumer’s request to exercise a right
An organization is not considered to be in violation of the UCPA if:
- the controller or processor discloses personal data to a third party controller or processor in compliance with this chapter;
- the third party processes the personal data in violation of this chapter; and
- the disclosing controller or processor did not have actual knowledge of the third party’s intent to commit a violation of this chapter.
Consumer rights and consent under the UCPA
Similar to the GDPR and other privacy laws recently enacted, the Utah Consumer Privacy Act demands transparency around how data is processed and shared.
Organizations must provide consumers with a privacy notice that is accessible and clear.
Consumer rights
Consumers have a right to know if a controller is processing their data.
Organizations must provide consumers with advance notice and an opportunity to opt out of the processing of personal data. Consumers also have a right to access their data.
Consumers additionally have a right to portability: organizations are required to provide access in a portable format that enables consumers to transmit their data to another entity without barriers.
Organizations must respond to consumer requests within 45 days of receiving the request. Extensions are available depending on the number of requests as long as consumers are informed of the delay.
If a request is denied, reasons must be provided within 45 days.
Selling personal data
If your organization sells personal data, it must clearly disclose how consumers can exercise their right to opt out of the sale of their data or of its processing for targeted advertising.
The Utah Privacy Law also details specific responsibilities for controllers and for processor contracts regarding the handling of data.
Securing data
Organizations must maintain security practices that are appropriate to their size, scope, and type, and to the nature and volume of the personal data they process.
Establishing technical and physical security practices protects the confidentiality and integrity of personal data and reduces reasonably foreseeable risk of harm to consumers.
Business expectations
The UCPA does allow businesses to refuse services or products in certain circumstances.
This is permitted only when personal data is needed to provide a service or product and the consumer refuses to provide the data or let the organization process it.
Consequently, the business would not be required to perform its service or product.
An organization is not permitted to charge a consumer for the consumer’s first request within a 12-month period.
However, a controller may charge a reasonable fee to cover administrative costs if requests are excessive, repetitive, technically infeasible, or manifestly unfounded.
If the organization does charge a fee or refuses to act, the burden of proving the justification falls on you, the controller or processor.