Utah - Data Protection Overview

July 2024

1. Governing Texts

The Utah State Governor signed Senate Bill 227, the Consumer Privacy Act (UCPA), on March 24, 2022, making Utah the fourth US State to enact comprehensive privacy legislation; the UCPA took effect on December 31, 2023. The UCPA establishes consumer rights of access, deletion, and portability, provides a right to opt out of targeted advertising and the sale of personal data, establishes controller and processor obligations and privacy notice requirements, and grants the Utah Attorney General (AG) exclusive authority to enforce its provisions.

1.1. Key acts, regulations, directives, bills

The UCPA regulates privacy and data protection matters in Utah. In addition, other Utah legislation referred to in this overview provides further requirements for data protection, including the Protection of Personal Information Act (§13-44-101 et seq. of the Utah Code), the Social Media Regulations and the Utah Minor Protection in Social Media Act, the Motor Vehicle Consumer Data Protection Amendments, and the AI Policy Act.

1.2. Guidelines

The AG has not yet issued any guidance.

1.3. Case law

Not applicable.

2. Scope of Application

2.1. Personal scope

The UCPA applies to any controller or processor who (§13-61-102(1) of the UCPA):

  • conducts business in the state, or produces a product or service that is targeted to consumers who are residents of the state;
  • has annual revenue of $25,000,000 or more; and
  • satisfies one or more of the following thresholds:
    • during a calendar year, controls or processes personal data of 100,000 or more consumers; or
    • derives over 50% of the entity's gross revenue from the sale of personal data and controls or processes personal data of 25,000 or more consumers.

All three conditions are cumulative: a controller or processor that conducts business in Utah but does not meet the revenue threshold, or meets the revenue threshold but neither volume threshold, falls outside the UCPA.

However, the UCPA does not apply to, among others (§13-61-102(2) of the UCPA):

  • a governmental entity or a third party under contract with a governmental entity when the third party is acting on behalf of the governmental entity; 
  • a tribe; 
  • an institution of higher education; 
  • a nonprofit corporation; 
  • a covered entity; or
  • a business associate.

2.2. Territorial scope

The UCPA applies to controllers or processors who conduct business in the State of Utah, or produce a product or service that is targeted to consumers who are residents of Utah (§13-61-102(1) of the UCPA).

2.3. Material scope

The UCPA applies to the personal data of individuals, which is defined as information that is linked or reasonably linkable to an identified individual or an identifiable individual (§13-61-101(24)(a) of the UCPA).

The UCPA does not apply to (§13-61-102 of the UCPA):

  • protected health information;
  • patient identifying information;
  • identifiable private information;
  • deidentified information;
  • identifiable private information or personal data collected as part of human subjects research pursuant to federal and international laws and requirements;
  • any personal data bearing on a consumer's creditworthiness, credit standing, credit capacity, character, general reputation, personal characteristics, or mode of living;
  • personal data processed or maintained in the course of applying to, being employed by, or acting as an agent or independent contractor of a controller, processor, or third party, to the extent the collection and use of the data are related to the individual's role; or
  • personal data processed for a purely personal or household purpose.

The UCPA further exempts other categories of information and entities listed in §13-61-102 of the UCPA.

3. Data Protection Authority | Regulatory Authority

3.1. Main regulator for data protection

The AG is the regulator of the UCPA in Utah.

In addition, the UCPA gives the Division of Consumer Protection within the Utah Department of Commerce certain powers to receive and investigate complaints and to assist the AG.

Regarding artificial intelligence (AI), the AI Policy Act created the Office of Artificial Intelligence Policy (OAIP) within the Utah Department of Commerce, which is responsible for studying how to regulate AI effectively and may enter into regulatory mitigation agreements for AI products.

3.2. Main powers, duties and responsibilities

The AG has the exclusive authority to enforce the UCPA (§13-61-402(1) of the UCPA). Upon referral from the Division of Consumer Protection, the AG may initiate an enforcement action against a controller or processor for a violation of the UCPA (§13-61-402(2) of the UCPA). However, at least 30 days before the day on which the AG initiates an enforcement action, the AG must provide written notice identifying the violations alleged and an explanation of the basis for each allegation; the AG may then initiate an action only where the violation is not cured within this 30-day cure period (§13-61-402(3) of the UCPA).

The UCPA grants the Division of Consumer Protection with investigative powers, and requires it to establish and administer a system to receive consumer complaints regarding a controller's or processor's alleged violation of the UCPA (§13-61-401(1) of the UCPA). Additionally, the Division of Consumer Protection may investigate a consumer complaint to determine whether the controller or processor violated or is violating the UCPA, and if it determines that there is reasonable cause to believe that substantial evidence exists for a violation of the UCPA, the matter should be referred to the AG (§13-61-401(2)(a) and (b) of the UCPA). The Division of Consumer Protection is also authorized to, upon request, provide consultation and assistance to the AG in enforcing the UCPA (§13-61-401(2)(c) of the UCPA).

Moreover, the UCPA provides that the AG and the Division of Consumer Protection must compile a report which:

  • evaluates the liability and enforcement provisions of the UCPA, including the AG's and the Division of Consumer Protection's enforcement effectiveness; and
  • summarises the data protected and not protected by the UCPA including, with reasonable detail, a list of the types of information that are publicly available from local, state, and federal government sources.

4. Key Definitions

Data controller: A person doing business in Utah who determines the purposes for which and the means by which personal data are processed, regardless of whether the person makes the determination alone or with others (§13-61-101(12) of the UCPA).

Data processor: A person who processes personal data on behalf of a controller (§13-61-101(26) of the UCPA).

In addition, the UCPA provides, in relation to the concepts of 'data controller' and 'data processor', that determining whether a person is acting as a controller or processor with respect to a specific processing of data is a fact-based determination that depends upon the context in which personal data are to be processed (§13-61-301(3)(a) of the UCPA).

Personal data: Information that is linked or reasonably linkable to an identified individual or an identifiable individual (§13-61-101(24)(a) of the UCPA). 'Personal data' does not include de-identified data, aggregated data, or publicly available information (§13-61-101(24)(b) of the UCPA).

Sensitive data: 'Sensitive data' is defined as (§13-61-101(32)(a) of the UCPA):

  • personal data that reveals: 
    • racial or ethnic origin; 
    • religious beliefs; 
    • sexual orientation; 
    • citizenship or immigration status; or 
    • information regarding an individual's medical history, mental or physical health condition, or medical treatment or diagnosis by a health care professional; 
  • the processing of genetic personal data or biometric data, if the processing is for the purpose of identifying a specific individual; or 
  • specific geolocation data. 

'Sensitive data' does not include (§13-61-101(32)(b) of the UCPA):

  • personal data that reveals an individual's racial or ethnic origin, if the personal data are processed by a video communication service; or
  • information regarding an individual's medical history, mental or physical health condition, or medical treatment or diagnosis by a health care professional, if the personal data are processed by a person licensed to provide health care under applicable laws.

Health data: The UCPA does not expressly define 'health data', but instead refers to 'protected health information' as defined under §160.103 of the General Administrative Requirements of Subpart A, Part 160, Subchapter C, Subtitle A of Title 45 of the Code of Federal Regulations. As such, 'protected health information' is defined as individually identifiable health information that is:

  • transmitted by electronic media; 
  • maintained in electronic media; or
  • transmitted or maintained in any other form or medium. 

'Individually identifiable health information' is defined as information that is a subset of health information, including demographic information collected from an individual, and: 

  • is created or received by a health care provider, health plan, employer, or health care clearinghouse; and 
  • relates to the past, present, or future physical or mental health or condition of an individual, the provision of health care to an individual, or the past, present, or future payment for the provision of health care to an individual; and 
    • that identifies the individual; or 
    • with respect to which there is a reasonable basis to believe the information can be used to identify the individual.

Biometric data: Data that is generated by automatic measurements of an individual's unique biological characteristics (§13-61-101(6)(a) of the UCPA), specifically, data that are generated by automatic measurements of an individual's fingerprint, voiceprint, eye retinas, irises, or any other unique biological pattern or characteristic that is used to identify a specific individual (§13-61-101(6)(b) of the UCPA). 

'Biometric data' does not however include (§13-61-101(6)(c) of the UCPA):

  • a physical or digital photograph; 
  • a video or audio recording; 
  • data generated from a physical or digital photograph or a video or audio recording;
  • information captured from a patient in a health care setting; or 
  • information collected, used, or stored for treatment, payment, or health care operations as defined under applicable federal law.

Pseudonymisation: The UCPA does not define 'pseudonymization' but instead defines 'pseudonymous data' as personal data that cannot be attributed to a specific individual without the use of additional information, if the additional information is (§13-61-101(28) of the UCPA):

  • kept separate from the consumer's personal data; and
  • subject to appropriate technical and organizational measures to ensure that the personal data are not attributable to an identified individual or an identifiable individual.

Data Subject: The UCPA does not expressly define 'data subject', but instead refers to 'consumers' which is defined as an individual who is a resident of Utah and is acting in an individual or household context (§13-61-101(10)(a) of the UCPA). However, 'consumer' does not include an individual acting in an employment or commercial context (§13-61-101(10)(b) of the UCPA).

5. Legal Bases

Regarding the various legal bases of processing, the UCPA clarifies that if a controller processes personal data under an exemption provided under §13-61-304 of the UCPA, they bear the burden of demonstrating that the processing qualifies for the exemption (§13-61-304(4) of the UCPA).

5.1. Consent

The UCPA defines 'consent' as an affirmative act by a consumer that unambiguously indicates their voluntary and informed agreement to allow a person to process personal data related to them (§13-61-101(9) of the UCPA).

The UCPA also notes that controllers are deemed to be in compliance with any obligation to obtain parental consent under the UCPA if they comply with the verifiable parental consent mechanisms under the Children's Online Privacy Protection Act of 1998 (COPPA) and its implementing regulations and exemptions (§13-61-102(3) of the UCPA).

5.2. Contract with the data subject

The UCPA does not specifically provide that personal data can be processed for the performance of a contract with a consumer. However, the UCPA provides that its requirements do not restrict a controller or processor's ability to perform a contract to which the consumer or the parent or legal guardian of a child is a party, including fulfilling the terms of a written warranty or taking steps at the request of the consumer, parent, or legal guardian before entering into the contract with the consumer (§13-61-304(1)(f) of the UCPA).

Moreover, the UCPA's requirements do not restrict a controller or processor's ability to process personal data to perform an internal operation that is reasonably aligned with the consumer's expectations based on their existing relationship with the controller, or otherwise compatible with processing to aid the controller or processor in providing a product or service specifically requested by a consumer, parent, or legal guardian of a child or the performance of a contract to which they are a party (§13-61-304(1)(m) of the UCPA).

5.3. Legal obligations

The UCPA does not specifically provide that personal data can be processed based on legal obligations. However, the UCPA provides that its requirements do not restrict a controller or processor's ability to (§13-61-304(1)(a) to (d) of the UCPA):

  • comply with a federal, state, or local law, rule, or regulation;
  • comply with a civil, criminal, or regulatory inquiry, investigation, subpoena, or summons by a federal, state, local, or other governmental entity;
  • cooperate with a law enforcement agency concerning activity that the controller or processor reasonably and in good faith believes may violate federal, state, or local laws, rules, or regulations; or
  • investigate, establish, exercise, prepare for, or defend a legal claim.

5.4. Interests of the data subject

The UCPA does not specifically provide that personal data can be processed based on the interest of consumers. However, the UCPA states that it does not apply if a controller's or processor's compliance with the UCPA adversely affects the privacy or other rights of any person (§13-61-304(2)(c) of the UCPA).

The UCPA also provides that its requirements do not restrict a controller or processor's ability to take immediate steps to protect an interest that is essential for the life or physical safety of the consumer or of another individual (§13-61-304(1)(g) of the UCPA).

Moreover, any provision of a contract that purports to waive or limit a consumer's right under the UCPA is void (§13-61-302(6) of the UCPA). 

5.5. Public interest

The UCPA does not specifically provide that personal data can be processed based on public interest. However, the UCPA provides that its requirements do not restrict a controller or processor's ability to engage in public or peer-reviewed scientific, historical, or statistical research in the public interest that adheres to all other applicable ethics and privacy laws (§13-61-304(1)(j) of the UCPA).

5.6. Legitimate interests of the data controller

The UCPA does not specifically provide that personal data can be processed based on the legitimate interests of a data controller.

However, the UCPA provides that its requirements do not restrict a controller or processor's ability to:

  • detect, prevent, protect against, or respond to a security incident, identity theft, fraud, harassment, malicious or deceptive activity, or any illegal activity (§13-61-304(1)(h)(i) of the UCPA);
  • preserve the integrity or security of systems (§13-61-304(1)(h)(ii) of the UCPA);
  • investigate, report, or prosecute a person responsible for harming or threatening the integrity or security of systems (§13-61-304(1)(h)(iii) of the UCPA); or
  • process personal data to (§13-61-304(1)(l) of the UCPA):
    • conduct internal analytics or other research to develop, improve, or repair a controller's or processor's product, service, or technology;
    • identify and repair technical errors that impair existing or intended functionality; or
    • effectuate a product recall.

5.7. Legal bases in other instances

The UCPA states that it does not apply if a controller's or processor's compliance with the UCPA violates an evidentiary privilege under Utah law, or as part of a privileged communication, prevents a controller or processor from providing personal data concerning a consumer to a person covered by an evidentiary privilege under Utah law (§13-61-304(2)(a) and (b) of the UCPA).

The UCPA also provides that its requirements do not restrict a controller's or processor's ability to:

  • assist another person with an obligation described in §13-61-304(1) of the UCPA (§13-61-304(1)(k) of the UCPA); or
  • retain a consumer's email address to comply with the consumer's request to exercise a right (§13-61-304(1)(n) of the UCPA).

The UCPA also notes that nothing under its provisions requires a controller, processor, third party, or consumer to disclose a trade secret (§13-61-304(5) of the UCPA).

6. Principles

The UCPA provides for various data protection principles through their incorporation into legal provisions and requirements for controllers.

In this respect, §13-61-302(1)(a) of the UCPA relates to the principle of transparency and requires controllers to provide consumers with a reasonably accessible and clear privacy notice.

Additionally, §13-61-302(5) of the UCPA relates to the principles of purpose limitation and data minimization: a controller is not required to provide a product, service, or functionality to a consumer if the consumer's personal data, or the processing of the consumer's personal data, is reasonably necessary for the controller to provide that product, service, or functionality, and the consumer does not provide the personal data or does not allow the controller to process it.

The UCPA also refers to the principle of confidentiality, by requiring that a controller establishes, implements, and maintains reasonable administrative, technical, and physical data security practices designed to, among others, protect the confidentiality and integrity of personal data (§13-61-302(2)(a)(i) of the UCPA).

7. Controller and Processor Obligations

Pseudonymous Data and Deidentified Data

The UCPA defines 'deidentified data' as data that (§13-61-101(14) of the UCPA):

  • cannot reasonably be linked to an identified individual or an identifiable individual; and
  • are possessed by a controller who:
    • takes reasonable measures to ensure that a person cannot associate the data with an individual;
    • publicly commits to maintain and use the data only in deidentified form and not attempt to reidentify the data; and
    • contractually obligates any recipients of the data to comply with the requirements above.

The UCPA provides that its provisions do not require a controller or processor to reidentify deidentified data or pseudonymous data (§13-61-303(1)(a) of the UCPA).

Controllers who use pseudonymous data or deidentified data must take reasonable steps to ensure a processor (§13-61-303(3) of the UCPA):

  • complies with any contractual obligations to which the pseudonymous data or deidentified data are subject; and
  • promptly addresses any breach of a contractual obligation as provided under the UCPA.

7.1. Data processing notification

The UCPA does not expressly provide for data processing notification requirements.

7.2. Data transfers

The UCPA does not specifically address data transfers, but it defines 'sale', 'sell', or 'sold' as the exchange of personal data for monetary consideration by a controller to a third party. Importantly, the UCPA provides that 'sale', 'sell', or 'sold' does not include:

  • a controller's disclosure of personal data to a processor who processes the personal data on behalf of the controller;
  • a controller's disclosure of personal data to an affiliate of the controller;
  • considering the context in which the consumer provided the personal data to the controller, a controller's disclosure of personal data to a third party if the purpose is consistent with the consumer's reasonable expectations;
  • the disclosure or transfer of personal data when a consumer directs a controller to:
    • disclose the personal data; or
    • interact with one or more third parties;
  • a controller's disclosure of personal data to a third party for the purpose of providing a product or service requested by the consumer or a parent or legal guardian of a child;
  • the disclosure of information that the consumer:
    • intentionally makes available to the general public via a channel of mass media; and
    • does not restrict to a specific audience; or
  • a controller's transfer of personal data to a third party as an asset that is part of a proposed or actual merger, an acquisition, or a bankruptcy in which the third party assumes control of all or part of the controller's assets.

In addition, the UCPA provides that a controller or processor is not in violation of the UCPA's provisions if (§13-61-303(3) of the UCPA):

  • the controller or processor discloses personal data to a third party controller or processor in compliance with the UCPA;
  • the third party processes the personal data in violation of the UCPA; and
  • the disclosing controller or processor did not have actual knowledge of the third party's intent to commit a violation of the UCPA.

7.3. Data processing records

The UCPA does not expressly provide for record-keeping requirements.

7.4. Data protection impact assessment

The UCPA does not expressly provide for data protection or privacy impact assessment requirements.

7.5. Data protection officer appointment

The UCPA does not expressly provide for data protection officer appointment requirements.

7.6. Data breach notification

The UCPA itself does not provide for breach notification requirements. Under §13-61-301(1)(b) of the UCPA, however, processors are required to assist the controller in meeting its obligations, including obligations related to the security of processing personal data and the notification of a breach of system security under the Protection of Personal Information Act, §13-44-101 et seq. of Chapter 44 of Title 13 of the Utah Code.

For further information, see Utah - Data Breach.

7.7. Data retention

Not applicable.

7.8. Children's data

Under §13-61-102(3) of the UCPA, a controller is in compliance with any obligation to obtain parental consent under the UCPA if they comply with the verifiable parental consent mechanisms under the COPPA.

In the case of processing personal data concerning a known child, the parent or legal guardian of the known child will have the authority to exercise a right on the child's behalf (§13-61-202(2) of the UCPA).

In addition, the Social Media Regulations impose obligations on social media companies, requiring them to (§13-63-102(1) of the Social Media Regulations):

  • verify the age of an existing or new Utah account holder;
  • obtain the consent of a parent or guardian before a Utah resident under the age of 18 may maintain or open an account; and
  • prohibit a person from opening an account if that person does not meet age requirements under state or federal law.

The Utah Minor Protection in Social Media Act defines an 'age verification system' as 'measures reasonably calculated to enable a social media company to identify whether a user is a minor with an accuracy rate of at least 95%.'

'Verifiable parental consent' is defined under the Utah Minor Protection in Social Media Act as 'authorization from a parent for a social media service to collect, use, and disclose personal information of a Utah minor account holder, that complies with the following verifiability requirements:

(a) the social media service shall provide advance notice to the parent describing information practices related to the minor account holder's personal information;

(b) the social media service shall receive confirmation that the parent received the notice described in Subsection (17)(a).'

Social media companies must, pursuant to the Utah Minor Protection in Social Media Act, for Utah minor account holders:

  • set default privacy settings to prioritize maximum privacy, including settings that:
    • restrict the visibility of a minor's account to only connected accounts;
    • limit the account holder's ability to share content to only connected accounts;
    • restrict any data collection and sale of data from a minor's account that is not required for core functioning of the social media service;
    • disable search engine indexing;
    • restrict a minor account's direct messaging capabilities to only direct messaging to connected accounts; and
    • allow a minor account to download a file with all information associated with the minor's account;
  • implement and maintain reasonable security measures, including data encryption, to protect the confidentiality, security, and integrity of personal information collected from a minor's account;
  • provide an easily accessible and understandable notice that:
    • describes any information the social media company collects from a minor's account; and
    • explains how the information may be used or disclosed;
  • upon request of a minor:
    • delete the personal information of the minor's account, unless the information is required to be retained; and
    • remove any information or material the minor made publicly available through the social media service; and
  • disable the following features that prolong user engagement:
    • autoplay functions;
    • scroll or pagination; and
    • except for direct messages from connected accounts, push notifications prompting repeated user engagement.

In addition, social media companies may not allow Utah minor account holders to change their default privacy settings without obtaining verifiable parental consent. The terms of service of a social media company are presumed to include an assurance of confidentiality for the Utah minor account holder's personal information.

7.9. Special categories of personal data

Under §13-61-302(3) of the UCPA, and except as otherwise provided in the UCPA, a controller may not process sensitive data collected from a consumer without first presenting the consumer with clear notice and an opportunity to opt out of the processing, or in the case of the processing of personal data concerning a known child, processing the data in accordance with the COPPA and its implementing regulations and exemptions.

7.10. Controller and processor contracts

The UCPA requires a contract to be in place between controllers and processors as well as subcontractors. Specifically, §13-61-301(2) of the UCPA provides that before a processor performs processing on behalf of a controller, they must enter into a contract that: 

  • clearly sets forth: 
    • instructions for processing personal data;
    • the nature and purpose of the processing; 
    • the type of data subject to processing; 
    • the duration of the processing; and 
    • the parties' rights and obligations; 
  • requires the processor to ensure each person processing personal data is subject to a duty of confidentiality with respect to the personal data; and 
  • requires the processor to engage any subcontractor pursuant to a written contract that requires the subcontractor to meet the same obligations as the processor with respect to personal data.

The UCPA clarifies that determining whether a person is acting as a controller or processor regarding the specific processing of data is a fact-based determination that depends on the context in which personal data are to be processed (§13-61-301(3) of the UCPA).

The Motor Vehicle Consumer Data Protection Amendments outline specific requirements for vendor management for the automotive sector.

8. Data Subject Rights

Submitting a request

Consumers may exercise their rights under the UCPA by submitting a request to a controller, by means prescribed by the controller, specifying the right they intend to exercise (§13-61-202(1) of the UCPA).

When processing the personal data concerning a known child, the parent or legal guardian of the known child must exercise a right on the child's behalf (§13-61-202(2) of the UCPA).

Where a controller processes personal data concerning a consumer subject to guardianship, conservatorship, or other protective arrangement, the guardian or conservator of the consumer shall exercise a right on the consumer's behalf (§13-61-202(3) of the UCPA).

Timeline

Controllers must respond to a consumer request within 45 days of receiving such a request, and must (§13-61-203(2)(a) of the UCPA):

  • take action on the consumer's request; and
  • inform the consumer of any action taken on the request.

The response timeframe may be extended by an additional 45 days after the initial 45-day period if reasonably necessary due to the complexity of the request or the volume of requests received by the controller (§13-61-203(2)(b) of the UCPA). Where the timeframe is extended by an additional 45 days, the controller must (§13-61-203(2)(c) of the UCPA):

  • inform the consumer of the extension, including the length of the extension; and
  • provide the reasons the extension is reasonably necessary.

The 45-day period does not apply if the controller reasonably suspects the consumer's request is fraudulent and the controller is not able to authenticate the request before the 45-day period expires (§13-61-203(2)(d) of the UCPA). Where a controller chooses not to take action on a consumer's request, the controller must, within 45 days of receiving the request, inform the consumer of the reasons for not taking action (§13-61-203(3) of the UCPA).

Fees

Controllers may not charge a fee for information in response to a request unless the request is the consumer's second or subsequent request during the same 12-month period (§13-61-203(4)(a) of the UCPA). Controllers may charge a reasonable fee to cover the administrative costs of complying with a request, or refuse to act on a request, if (§13-61-203(4)(b)(i) of the UCPA):

  • the request is excessive, repetitive, technically infeasible, or manifestly unfounded;
  • the controller reasonably believes the primary purpose in submitting the request was something other than exercising a right; or
  • the request, individually or as part of an organized effort, harasses, disrupts, or imposes undue burden on the resources of the controller's business.

Controllers bear the burden of demonstrating a request satisfied the above criteria (§13-61-203(4)(b)(ii) of the UCPA).

Authentication

Where controllers are unable to authenticate a consumer request to exercise a right using commercially reasonable efforts, the controller (§13-61-203(5) of the UCPA):

  • is not required to comply with the request; and
  • may request that the consumer provide additional information reasonably necessary to authenticate the request.

Non-discrimination

Controllers may not discriminate against a consumer for exercising a right by (§13-61-302(4)(a) of the UCPA):

  • denying a good or service to a consumer;
  • charging the consumer a different price or rate for a good or service; or
  • providing the consumer a different level of quality of a good or service.

However, the above provisions do not prohibit a controller from offering a different price, rate, level, quality, or selection of a good or service to a consumer, including offering a good or service for no fee or at a discount, if (§13-61-302(4)(b) of the UCPA):

  • the consumer has opted out of targeted advertising; or
  • the offer is related to the consumer's voluntary participation in a bona fide loyalty, rewards, premium features, discounts, or club card program.

Notably, any provision of a contract that purports to waive or limit a consumer's right under the UCPA is void (§13-61-302(6) of the UCPA).

Pseudonymous data

Consumer rights under the UCPA do not apply to pseudonymous data if the controller demonstrates that any information necessary to identify a consumer is kept (§13-61-303(2) of the UCPA):

  • separately; and
  • subject to appropriate technical and organizational measures to ensure the personal data are not attributed to an identified individual or an identifiable individual.

8.1. Right to be informed

Under §13-61-201(1)(a) of the UCPA, consumers have the right to confirm whether a controller is processing the consumer's personal data. Additionally, controllers are required to provide consumers with a reasonably accessible and clear privacy notice and inform them of (§13-61-302(1)(a) of the UCPA):

  • the categories of personal data processed by the controller; 
  • the purposes for which the categories of personal data are processed; 
  • how consumers may exercise a right; 
  • the categories of personal data that the controller shares with third parties, if any; and 
  • the categories of third parties, if any, with whom the controller shares personal data.

In addition, where a controller sells a consumer's personal data to one or more third parties or engages in targeted advertising, the controller must clearly and conspicuously disclose to the consumer, the manner in which the consumer may exercise the right to opt out of the (§13-61-302(1)(b) of the UCPA):

  • sale of the consumer's personal data; or
  • processing for targeted advertising.

8.2. Right to access

Under §13-61-201(1)(b) of the UCPA, consumers have the right to access their personal data.

8.3. Right to rectification

The UCPA does not expressly refer to a right to rectify personal data.

8.4. Right to erasure

Under §13-61-201(2) of the UCPA, consumers have the right to delete their personal data.

8.5. Right to object/opt-out

Under §13-61-201(4) of the UCPA, consumers have the right to opt out of the processing of their personal data for purposes of targeted advertising or the sale of personal data.

8.6. Right to data portability

Under §13-61-201(3) of the UCPA, consumers have the right to obtain a copy of their personal data in a format that:

  • to the extent technically feasible, is portable; 
  • to the extent practicable, is readily usable; and 
  • allows the consumer to transmit the data to another controller without impediment, where the processing is carried out by automated means.

8.7. Right not to be subject to automated decision-making

The UCPA does not expressly provide for a right not to be subject to automated decision-making.

8.8. Other rights

Not applicable.

9. Penalties

Where a controller or processor fails to cure a violation within the 30-day cure period, or continues to violate the UCPA after curing it, the AG may initiate an action and may recover actual damages to the consumer and, for each violation, an amount not to exceed $7,500 (§13-61-402(3)(d) of the UCPA).

All money that is received from an action under the UCPA is to be deposited into the Consumer Privacy Account (§13-61-402(4) of the UCPA, in conjunction with §13-61-403 of the UCPA).

Importantly, the UCPA does not provide a private right of action (§13-61-305(4) of the UCPA).

9.1. Enforcement decisions

Not applicable.