In 2022, Utah enacted its version of an act to protect the privacy of consumers’ personal and private data, called the Utah Consumer Privacy Act (“UCPA”). Utah Code § 13-61-101, et seq. The UCPA is now fully operational, having taken effect at the end of 2023. The UCPA has the same structure and aspects as the other consumer data privacy statutes that have been enacted in Europe and here in the U.S. That is, consumers are given certain rights with respect to how their data is collected, processed, sold, shared, etc. Further, certain obligations are imposed on businesses that collect and process consumer data, including, for example, the requirement to give notices to consumers, obtain consent for the collection/processing of personal data, install high levels of cybersecurity to prevent unauthorized access and exfiltration, and more.
As usual for these types of statutes, the UCPA differentiates between businesses that collect and control consumer personal data — called “controllers” — and those businesses that manipulate and process the data — “processors.” As a simple example, the controller might be the business operating an online sales platform and the processor might be a financial institution that processes payment information. Most of the requirements imposed by the UCPA apply to controllers, but there are some mandates imposed on processors.
The UCPA generally does not apply to small businesses. Rather, the Act is intended to apply to large businesses that collect, control, and process a lot of consumer personal data. The UCPA applies to businesses that conduct business in Utah OR produce a product or service targeted to residents of Utah. Further, there are certain thresholds for applicability that exclude small businesses. This is common with these types of statutes. Utah’s thresholds are in line with most similar statutes. The thresholds are:
- Businesses that have annual revenue of at least $25,000,000 AND
- EITHER control or process personal data of 100,000 or more consumers during a calendar year
- OR derive over 50% of their gross revenue from the sale of personal data and control or process personal data of 25,000 or more consumers
The UCPA contains a long list of entities that are specifically exempt from applicability, including:
- Governmental entities or a third party under contract with a governmental entity
- Tribes
- Institutions of higher education
- Nonprofit corporations
- Certain financial institutions
- Air carriers
Certain types of data are also excluded from coverage under the UCPA, including various health data covered by federal statutes, data used for credit reporting, personal data collected as part of human subjects research, deidentified data, data collected and processed for purely personal purposes, emergency contact information, and more.
As noted, the UCPA imposes various obligations on covered controllers and processors. First, before collecting a consumer’s personal data, covered businesses must provide notice. This is generally called a “privacy notice.” The notice must inform consumers of the following:
- The categories of personal data being collected and processed
- What categories of data are shared/sold to third parties (excluding affiliated processors)
- Descriptions/categories of the third parties with whom data is shared/sold
- The business purposes for which the data is collected and processed
- How consumers can exercise their rights — such as demanding to see a copy of the personal data collected and controlled or demanding that corrections be made to inaccurate data
Businesses must also obtain consumer consent to processing of “sensitive data” for purposes like targeted advertising. And consumers must be given an easy and clear method of opting out of processing of their data for such purposes. Notably, the UCPA does not mandate that businesses provide an appeal method if the business refuses or fails to take action after a consumer requests actions pursuant to the UCPA.
Contact the Consumer Data Privacy and Compliance Attorneys at Revision Legal
For more information, contact the experienced Consumer Data Privacy and Compliance Lawyers at Revision Legal. You can contact us through the form on this page or call (855) 473-8474.