Utah Consumer Privacy Act (UCPA)

Gov. Spencer Cox, R-Utah, signed the Utah Consumer Privacy Act into law on 24th of March making Utah the 4th state after California, Virginia and Colorado to enact a comprehensive consumer privacy act. The law will be in effect from 31.12.2023. UCPA is largely based on the Virginia Consumer Protection Act, but uses a more business-friendly approach to consumer privacy than all three of its predecessors.

This chapter applies to any controller or processor who:

• conducts business in the state; or produces a product or service that is targeted to consumers who are residents of the state;
• has annual revenue of $25,000,000 or more; and
• satisfies one or more of the following thresholds:
  • during a calendar year, controls, or processes personal data of 100,000 or more consumers; or
  • derives over 50% of the entity’s gross revenue from the sale of personal data and controls or processes personal data of 25,000 or more consumers.

CONSUMER

• means an individual who is a resident of the state acting in an individual or household context.
• does not include an individual acting in an employment or commercial context.

SALE

The exchange of personal data for monetary consideration by a controller to a third party. It explicitly excludes “a controller’s disclosure of personal data to a third party if the purpose is consistent with a consumer’s reasonable expectations.”

PERSONAL DATA

• “Personal data” means information that is linked or reasonably linkable to an identified individual or an identifiable individual.
• “Personal data” does not include de-identified data, aggregated data, or publicly available information.

CONSENT

“Consent” means an affirmative act by a consumer that unambiguously indicates the consumer’s voluntary and informed agreement to allow a person to process personal data related to the consumer.

Right to Information

A consumer has the right to:

• confirm whether a controller is processing the consumer’s personal data; and
• access the consumer’s personal data.

Right to Deletion

A consumer has the right to delete the consumer’s personal data that the consumer provided to the
controller.

Right to Data Portability

A consumer has the right to obtain a copy of the consumer’s personal data, that the consumer previously
provided to the controller, in a format that:

• to the extent technically feasible, is portable;
• to the extent practicable, is readily usable; and
• allows the consumer to transmit the data to another controller without impediment, where the
  processing is carried out by automated means.

Right to Opt-Out

A consumer has the right to opt out of the processing of the consumer’s personal data for purposes of:

• targeted advertising; or
• the sale of personal data.

Transparency

A controller shall provide consumers with a reasonably accessible and clear privacy notice.

Security

A controller shall establish, implement, and maintain reasonable administrative, technical, and physical data security practices to protect the confidentiality and integrity of personal data, and reduce reasonably foreseeable risks of harm to consumers.

Nondiscrimination

A controller may not discriminate against a consumer for exercising a right by denying a good or service to the consumer or charging the consumer a different price.

Responding to consumer requests

Responding to consumer requests. Unless an exception applies, controllers are obligated to respond to a consumer’s request within 45 days.

Consumers cannot bring a private action under the UCPA or use a violation of the law to support another lawsuit under Utah law.

To act on a referred matter, the attorney general must notify the controller or processor in writing first. After the 30 days, controllers and processors must cure the violation and provide the attorney general with an “express written statement that the violation has been cured and it will not be repeated.”

An attorney general can enact enforcement action and impose fines up to $7,500 per violation if a controller or processor both fails to cure the violation and continues to violate the law.