Support Centre

You have out of 5 free articles left for the month

Signup for a trial to access unlimited content.

Start Trial

Continue reading on DataGuidance with:

Free Member

Limited Articles

Create an account to continue accessing select articles, resources, and guidance notes.

Free Trial

Unlimited Access

Start your free trial to access unlimited articles, resources, guidance notes, and workspaces.

Utah - Data Protection Overview
Back

Utah - Data Protection Overview

April 2022

1. Governing Texts

The Utah State Governor signed, on 24 March 2022, Senate Bill 227 for the Consumer Privacy Act ('UCPA'), making Utah the fourth US State to enact comprehensive privacy legislation. The UCPA establishes consumers' rights around access, deletion, portability, and provides for the right to opt-out of targeted advertising and sale of personal data, while also establishing various controller and processor obligations, privacy notice requirements, and granting the Utah Attorney General ('AG') exclusive authority to enforce its provisions. 

The UCPA will enter into effect on 31 December 2023.

1.1. Key acts, regulations, directives, bills

The UCPA regulates privacy and data protection matters in Utah.

1.2. Guidelines

The AG has not yet issued any guidance.

1.3. Case law

Not applicable.

2. Scope of Application

2.1. Personal scope

The UCPA applies to (§13-61-102(1) of the UCPA):

  • any controller or processor who:
    • conducts business in the state; or 
    • produces a product or service that is targeted to consumers who are residents of the state; 
  • any controller or processor who: 
    • has annual revenue of $25,000,000 or more; and 
    • satisfies one or more of the following thresholds:
      • during a calendar year, controls, or processes personal data of 100,000 or more consumers; or 
      • derives over 50% of the entity's gross revenue from the sale of personal data and controls or processes personal data of 25,000 or more consumers.

However, the UCPA does not apply to, among others (§13-61-102(2) of the UCPA):

  • a governmental entity or a third party under contract with a governmental entity when the third party is acting on behalf of the governmental entity; 
  • a tribe; 
  • an institution of higher education; 
  • a nonprofit corporation; 
  • a covered entity; or
  • a business associate.

2.2. Territorial scope

The UCPA applies to controllers or processors who conduct business in the State of Utah, or produce a product or service that is targeted to consumers who are residents of Utah (§13-61-102(1) of the UCPA).

2.3. Material scope

The UCPA applies to the personal data of individuals, which is defined as information that is linked or reasonably linkable to an identified individual or an identifiable individual (§13-61-101(24)(a) of the UCPA).

The UCPA does not apply to, among other things, protected health information, patient identifying information, identifiable private information, deidentified information, or identifiable private information or personal data collected as part of human subjects research pursuant to federal and international laws and requirements (§13-61-102).

3. Data Protection Authority | Regulatory Authority

3.1. Main regulator for data protection

The AG is the regulator of the UCPA in Utah.

In addition, the UCPA provides the Division of Consumer Protection within the Utah Department of Commerce with certain assistance powers to the AG.

3.2. Main powers, duties and responsibilities

The AG has the exclusive authority to enforce the UCPA (§13-61-402(1) of the UCPA). In addition, and upon referral from the Division of Consumer Protection, the AG may initiate an enforcement action against a controller or processor for a violation of the UCPA (§13-61-402(2) of the UCPA). However, the UCPA provides that at least 30 days before the day on which the AG initiates an enforcement action, the AG must provide written notice identifying the violations alleged, and an explanation of the basis for each allegation, and may then initiate an action where a violation is not cured within this 30-day cure period (§13-61-402(3) of the UCPA).

The UCPA grants the Division of Consumer Protection with investigative powers, and requires it to establish and administer a system to receive consumer complaints regarding a controller's or processor's alleged violation of the UCPA (§13-61-401(1) of the UCPA). Additionally, the Division of Consumer Protection may investigate a consumer complaint to determine whether the controller or processor violated or is violating the UCPA, and if it determines that there is reasonable cause to believe that substantial evidence exists for a violation of the UCPA, the matter should be referred to the AG (§13-61-401(2)(a) and (b) of the UCPA). The Division of Consumer Protection is also authorised to, upon request, provide consultation and assistance to the AG in enforcing the UCPA (§13-61-401(2)(c) of the UCPA).

Moreover, the UCPA provides that the AG and the Division of Consumer Protection must compile a report which: 

  • evaluates the liability and enforcement provisions of the UCPA, including the AG's and the Division of Consumer Protection's enforcement effectiveness; and 
  • summarises the data protected and not protected by the UCPA including, with reasonable detail, a list of the types of information that are publicly available from local, state, and federal government sources.

4. Key Definitions

Data controller: A person doing business in Utah who determines the purposes for which and the means by which personal data are processed, regardless of whether the person makes the determination alone or with others (§13-61-101(12) of the UCPA).

Data processor: A person who processes personal data on behalf of a controller (§13-61-101(26) of the UCPA).

In addition, the UCPA provides, in relation to the concepts of 'data controller' and 'data processor', that determining whether a person is acting as a controller or processor with respect to a specific processing of data is a fact-based determination that depends upon the context in which personal data are to be processed (§13-61-301(3)(a) of the UCPA).

Personal data: Information that is linked or reasonably linkable to an identified individual or an identifiable individual (§13-61-101(24)(a) of the UCPA).

'Personal data' does not include deidentified data, aggregated data, or publicly available information (§13-61-101(24)(b) of the UCPA).

Sensitive data: 'Sensitive data' is defined as (§13-61-101(32)(a) of the UCPA):

  • personal data that reveals: 
    • racial or ethnic origin; 
    • religious beliefs; 
    • sexual orientation; 
    • citizenship or immigration status; or 
    • information regarding an individual's medical history, mental or physical health condition, or medical treatment or diagnosis by a health care professional; 
  • the processing of genetic personal data or biometric data, if the processing is for the purpose of identifying a specific individual; or 
  • specific geolocation data. 

'Sensitive data' does not include personal data that reveals an individual's (§13-61-101(32)(b) of the UCPA): 

  • racial or ethnic origin, if the personal data are processed by a video communication service; or 
  • if the personal data are processed by a person licensed to provide health care under applicable laws with respect to information regarding medical history, mental or physical health condition, or medical treatment or diagnosis by a health care professional.

Health data: The UCPA does not expressly define 'health data', but instead refers to 'protected health information' as defined under §160.103 of the General Administrative Requirements of Subpart A, Part 160, Subchapter C, Subtitle A of Title 45 of the Code of Federal Regulations. As such, 'protected health information' is defined as individually identifiable health information that is:

  • transmitted by electronic media; 
  • maintained in electronic media; or
  • transmitted or maintained in any other form or medium. 

'Individually identifiable health information' is defined as information that is a subset of health information, including demographic information collected from an individual, and: 

  • is created or received by a health care provider, health plan, employer, or health care clearinghouse; and 
  • relates to the past, present, or future physical or mental health or condition of an individual, the provision of health care to an individual, or the past, present, or future payment for the provision of health care to an individual; and 
    • that identifies the individual; or 
    • with respect to which there is a reasonable basis to believe the information can be used to identify the individual.

Biometric data: Data that is generated by automatic measurements of an individual's unique biological characteristics (§13-61-101(6)(a) of the UCPA), specifically, data that are generated by automatic measurements of an individual's fingerprint, voiceprint, eye retinas, irises, or any other unique biological pattern or characteristic that is used to identify a specific individual (§13-61-101(6)(b) of the UCPA). 

'Biometric data' does not however include (§13-61-101(6)(c) of the UCPA):

  • a physical or digital photograph; 
  • a video or audio recording; 
  • data generated from a physical or digital photograph or a video or audio recording;
  • information captured from a patient in a health care setting; or 
  • information collected, used, or stored for treatment, payment, or health care operations as defined under applicable federal law.

Pseudonymisation: The UCPA does not define 'pseudonymisation' but instead defines 'pseudonymous data' as personal data that cannot be attributed to a specific individual without the use of additional information, if the additional information is (§13-61-101(28) of the UCPA): 

  • kept separate from the consumer's personal data; and 
  • subject to appropriate technical and organisational measures to ensure that the personal data are not attributable to an identified individual or an identifiable individual.

Data Subject: The UCPA does not expressly define 'data subject', but instead refers to 'consumers' which is defined as an individual who is a resident of Utah and is acting in an individual or household context (§13-61-101(10)(a) of the UCPA). However, 'consumer' does not include an individual acting in an employment or commercial context (§13-61-101(10)(b) of the UCPA).

5. Legal Bases

5.1. Consent

The UCPA defines 'consent' as an affirmative act by a consumer that unambiguously indicates their voluntary and informed agreement to allow a person to process personal data related to them (§13-61-101(9) of the UCPA).

The UCPA also notes that controllers are deemed to be in compliance with any obligation to obtain parental consent under the UCPA if they comply with the verifiable parental consent mechanisms under the Children's Online Privacy Protection Act of 1998 ('COPPA') and its implementing regulations and exemptions (§13-61-102(3) of the UCPA).

5.2. Contract with the data subject

The UCPA provides that its requirements do not restrict a controller or processor's ability to perform a contract to which the consumer or the parent or legal guardian of a child is a party, including fulfilling the terms of a written warranty or taking steps at the request of the consumer, parent, or legal guardian before entering into the contract with the consumer (§13-61-304(1)(f) of the UCPA).

Moreover, the UCPA's requirements do not restrict a controller or processor's ability to process personal data to perform an internal operation that is reasonably aligned with the consumer's expectations based on their existing relationship with the controller, or otherwise compatible with processing to aid the controller or processor in providing a product or service specifically requested by a consumer, parent, or legal guardian of a child or the performance of a contract to which they are a party (§13-61-304(1)(m) of the UCPA).

5.3. Legal obligations

The UCPA provides that its requirements do not restrict a controller or processor's ability to (§13-61-304(1)(a) to (d) of the UCPA):

  • comply with a federal, state, or local law, rule, or regulation; 
  • comply with a civil, criminal, or regulatory inquiry, investigation, subpoena, or summons by a federal, state, local, or other governmental entity; 
  • cooperate with a law enforcement agency concerning activity that the controller or processor reasonably and in good faith believes may violate federal, state, or local laws, rules, or regulations; or
  • investigate, establish, exercise, prepare for, or defend a legal claim.

Moreover, the UCPA states that it does not apply if a controller's or processor's compliance with the UCPA violates an evidentiary privilege under Utah law, or as part of a privileged communication, prevents a controller or processor from providing personal data concerning a consumer to a person covered by an evidentiary privilege under Utah law (§13-61-304(2)(a) and (b) of the UCPA).

5.4. Interests of the data subject

The UCPA states that it does not apply if a controller's or processor's compliance with the UCPA adversely affects the privacy or other rights of any person (§13-61-304(2)(c) of the UCPA).

Moreover, any provision of a contract that purports to waive or limit a consumer's right under the UCPA is void (§13-61-302(6) of the UCPA). Additionally, the UCPA provides that its requirements do not restrict a controller or processor's ability to take immediate steps to protect an interest that is essential for the life or physical safety of the consumer or of another individual (§13-61-304(1)(g) of the UCPA).

5.5. Public interest

The UCPA provides that its requirements do not restrict a controller or processor's ability to take immediate steps to protect an interest that is essential for the life or physical safety of the consumer or of another individual (§13-61-304(1)(g) of the UCPA).

5.6. Legitimate interests of the data controller

The UCPA provides that its requirements do not restrict a controller or processor's ability to detect, prevent, protect against, or respond to a security incident, identity theft, fraud, harassment, malicious or deceptive activity, or any illegal activity, or to investigate, report, or prosecute a person responsible for any of the aforementioned actions (§13-61-304(1)(h) of the UCPA).

5.7. Legal bases in other instances

Not applicable.

6. Principles

The UCPA provides for various data protection principles through their incorporation into legal provisions and requirements for controllers.

In this respect, §13-61-302(1)(a) of the UCPA relates to the principle of transparency and requires controllers to provide consumers with a reasonably accessible and clear privacy notice.

Additionally, §13-61-302(5)(a) of the UCPA relates to the principle of purpose limitation and data minimisation, providing that a controller is not required to provide a product, service, or functionality to a consumer if, among other things, the consumer's personal data are or the processing of the consumer's personal data is reasonably necessary for the controller to provide the consumer the product, service, or functionality.

The UCPA also refers to the principle of confidentiality, by requiring that a controller establishes, implements, and maintains reasonable administrative, technical, and physical data security practices designed to, among others, protect the confidentiality and integrity of personal data (§13-61-302(2)(a)(i) of the UCPA).

Moreover, §13-61-302(4) of the UCPA prohibits unlawful discrimination.

7. Controller and Processor Obligations

7.1. Data processing notification

The UCPA does not expressly provide for data processing notification requirements.

7.2. Data transfers

The UCPA does not expressly provide for data transfer requirements.

7.3. Data processing records

The UCPA does not expressly provide for record-keeping requirements.

7.4. Data protection impact assessment

The UCPA does not expressly provide for data protection or privacy impact assessment requirements.

7.5. Data protection officer appointment

The UCPA does not expressly provide for data protection officer appointment requirements.

7.6. Data breach notification

The UCPA does not provide for breach notification requirements. Under, §13-61-301(1)(b) of the UCPA, processors are required to assist the controller in meeting their obligations, including obligations related to the security of processing personal data and notification of a breach of security system under the Protection of Personal Information Act, under §13-44-101 et seq. of Chapter 44 of Title 13 of the Utah Code.

7.7. Data retention

The UCPA provides that its provisions do not require a controller or processor to, among other things, maintain data in identifiable form or, among others, retain any data or technology for the purpose of allowing the controller or processor to associate a consumer request with personal data (§13-61-303(1)(b) of the UCPA).

Under §13-61-304(1)(n) of the UCPA, the requirements of the UCPA do not restrict a controller or processor's ability to retain a consumer's email address to comply with the consumer's request to exercise a right.

7.8. Children's data

Under §13-61-102(3) of the UCPA, a controller is in compliance with any obligation to obtain parental consent under the UCPA if they comply with the verifiable parental consent mechanisms under the COPPA.

In the case of processing personal data concerning a known child, the parent or legal guardian of the known child will have the authority to exercise a right on the child's behalf (§13-61-202(2) of the UCPA).

7.9. Special categories of personal data

Under §13-61-302(3) of the UCPA, and except as otherwise provided in the UCPA, a controller may not process sensitive data collected from a consumer without

first presenting the consumer with clear notice and an opportunity to opt out of the processing, or in the case of the processing of personal data concerning a known child, processing the data in accordance with the COPPA and its implementing regulations and exemptions.

7.10. Controller and processor contracts

The UCPA requires a contract to be in place between controllers and processors as well as subcontractors. Specifically, §13-61-301(2) of the UCPA provides that before a processor performs processing on behalf of a controller, they must enter into a contract that: 

  • clearly sets forth: 
    • instructions for processing personal data;
    • the nature and purpose of the processing; 
    • the type of data subject to processing; 
    • the duration of the processing; and 
    • the parties' rights and obligations; 
  • requires the processor to ensure each person processing personal data is subject to a duty of confidentiality with respect to the personal data; and 
  • requires the processor to engage any subcontractor pursuant to a written contract that requires the subcontractor to meet the same obligations as the processor with respect to the personal data.

8. Data Subject Rights

8.1. Right to be informed

Under §13-61-201(1)(a) of the UCPA, consumers have the right to confirm whether a controller is processing the consumer's personal data. Additionally, controllers are required to provide consumers with a reasonably accessible and clear privacy notice and inform them of (§13-61-302(1)(a) of the UCPA):

  • the categories of personal data processed by the controller; 
  • the purposes for which the categories of personal data are processed; 
  • how consumers may exercise a right; 
  • the categories of personal data that the controller shares with third parties, if any; and 
  • the categories of third parties, if any, with whom the controller shares personal data.

8.2. Right to access

Under §13-61-201(1)(b) of the UCPA, consumers have the right to access their personal data.

8.3. Right to rectification

The UCPA does not expressly refer to a right to rectify personal data.

8.4. Right to erasure

Under §13-61-201(2) of the UCPA, consumers have the right to delete their personal data.

8.5. Right to object/opt-out

Under §13-61-201(4) of the UCPA, consumers have the right to opt out of the processing of their personal data for purposes of targeted advertising or the sale of personal data.

8.6. Right to data portability

Under §13-61-201(4) of the UCPA, consumers have the right to obtain a copy of their personal data in a format that:

  • to the extent technically feasible, is portable; 
  • to the extent practicable, is readily usable; and 
  • allows the consumer to transmit the data to another controller without impediment, where the processing is carried out by automated means.

8.7. Right not to be subject to automated decision-making

The UCPA does not expressly provide for a right not to be subject to automated decision-making.

8.8. Other rights

Not applicable.

9. Penalties

The UCPA provides for the possibility of the AG to recover actual damages to the consumer, and for each violation an amount not to exceed $7,500 (§13-61-402(3)(d) of the UCPA).

All money that is received from an action under the UCPA is to be deposited into the Consumer Privacy Account (§13-61-402(4) of the UCPA, in conjunction with §13-61-403 of the UCPA).

9.1 Enforcement decisions

Not applicable.