
Utah: Overview of Vendor Privacy Contracts


1. Governing Texts

1.1. Legislation

The Utah State Governor signed, on 24 March 2022, Senate Bill 227 for the Consumer Privacy Act ('UCPA').

The UCPA will enter into effect on 31 December 2023.

1.2. Regulatory authority guidance

The Utah Attorney General ('AG') has not yet issued any guidance.

1.3. Regulatory authority templates

Not applicable. 

2. Definitions

Data controller: A person doing business in Utah who determines the purposes for which and the means by which personal data are processed, regardless of whether the person makes the determination alone or with others (§13-61-101(12) of the UCPA).

Data processor: A person who processes personal data on behalf of a controller (§13-61-101(26) of the UCPA).

3. Contractual Requirements

3.1. Are there requirements for a contract to be in place between a controller and processor?

Yes, in accordance with §13-61-301(2) of the UCPA, a contract between a controller and a processor must be in place to govern the processor's data processing procedures with respect to processing performed on behalf of the controller.

3.2. What content should be included?

According to §13-61-301(2)(a) of the UCPA, before a processor performs processing on behalf of a controller, the parties must enter into a contract that clearly sets forth:

  • instructions for processing personal data;
  • the nature and purpose of the processing; 
  • the type of data subject to processing; 
  • the duration of the processing; and 
  • the parties' rights and obligations.

Furthermore, §13-61-301(2)(b) and (c) of the UCPA provide that the contract must also:

  • require the processor to ensure each person processing personal data is subject to a duty of confidentiality with respect to the personal data; and 
  • require the processor to engage any subcontractor pursuant to a written contract that requires the subcontractor to meet the same obligations as the processor with respect to the personal data.

4. Data Subject Rights Handling & Assistance

4.1. Are processors required to assist controllers with handling of data subject requests?

The UCPA provides for a general obligation for processors to assist controllers in meeting their obligations, and adhere to the instructions of the controller (§13-61-301(1) of the UCPA).

For further information see Utah – Data Subject Rights.

5. Processor Recordkeeping

5.1. Are processors required to keep records of their processing activities?

Not applicable.

6. Security Measures

6.1. Are processors required to implement specific security measures? If so, what measures must be implemented?

Under §13-61-301(1) of the UCPA, data processors must adhere to the instructions of a controller and assist the controller in meeting its obligations under the UCPA, where such assistance includes helping the controller meet its obligations in relation to the security of processing the personal data.

However, the UCPA does not provide for specific security measures to be implemented by processors.

7. Breach Notification

7.1. Are processors under an obligation to notify controllers in the event of a data breach? If so, are there timeframe and content requirements?

The UCPA does not provide for data breach notification requirements. Instead, §13-61-301(1)(b) of the UCPA notes that a data processor must assist the controller, which includes meeting the controller's obligations in relation to the notification of a breach of security of the system of the processor pursuant to Utah's Protection of Personal Information Act under §13-44-101 et seq. of Chapter 44 of Title 13 of the Utah Code.

For more information, see OneTrust DataGuidance's Utah – Data Breach Guidance Note.

8. Subprocessor

8.1. Are subprocessors regulated? If so, what obligations are imposed?

Under §13-61-301(2)(c) of the UCPA, processors must engage any subcontractor pursuant to a written contract that requires the subcontractor to meet the same obligations as the processor with respect to the personal data.

9. Cross-Border Transfers

9.1. Do transfer restrictions apply to processors? If so, what restrictions and what exemptions apply?

The UCPA does not expressly provide for data transfer requirements.

10. Regulatory Assistance

10.1. Are processors required to assist controllers with regulatory investigations?

The UCPA does not expressly require processors to assist controllers with regulatory investigations. However, the UCPA provides for a general obligation for processors to assist controllers in meeting their obligations (§13-61-301(1) of the UCPA), and provides that the obligations imposed on controllers and processors do not restrict either party's ability to comply with a civil, criminal, or regulatory inquiry, investigation, subpoena, or summons by a federal, state, local, or other governmental entity (§13-61-304(1)(b) of the UCPA).

11. Processor DPO / Representative

11.1. Are processors required to appoint a DPO / representative?

The UCPA does not expressly provide for data protection officer appointment requirements.

12. Supervision & Monitoring

12.1. Are controllers obliged to supervise or monitor processors' compliance with the law and contract?

Not applicable.

Authored by OneTrust DataGuidance.

DataGuidance's Privacy Analysts carry out research regarding global privacy developments, and liaise with a network of lawyers, authorities and professionals to gain insight into current trends. The Analyst Team work closely with clients to direct their research for the production of topic-specific Charts.
