Utah: UCPA - FAQs
The Utah Senate passed, on 3 March 2022, Senate Bill ('SB') 227 for a Consumer Privacy Act ('UCPA') which was later signed by the Governor on 24 March 2022, making Utah the fourth State to enact comprehensive privacy legislation. The UCPA will enter into effect on 31 December 2023.
Notably, the UCPA establishes various controller and processor obligations, privacy notice requirements, and introduces several data subject rights.
Scope, applicability, and key definitions
Who does the UCPA apply to?
The UCPA applies to persons that conduct business in Utah or produce products or services that are targeted to residents of the state and that:
- have annual revenue of $25 million or more; and
- satisfy one or more of the following thresholds:
  - during a calendar year, control or process personal data of 100,000 or more consumers; or
  - derive over 50% of the entity's gross revenue from the sale of personal data and control or process personal data of 25,000 or more consumers.
Are certain entities exempted from the application of the UCPA?
The UCPA does not apply to a governmental entity or to a third party under contract with a governmental entity when the third party is acting on behalf of the governmental entity. Moreover, the UCPA does not apply to non-profit organisations or institutions of higher education.
The UCPA also does not apply to:
- financial institutions or data subjects subject to Title V of the Gramm-Leach-Bliley Act of 1999; and
- covered entities or business associates governed by the privacy, security, and breach notification rules issued by the U.S. Department of Health and Human Services, 45 C.F.R. Parts 160 and 164 established pursuant to the Health Insurance Portability and Accountability Act of 1996, and the Health Information Technology for Economic and Clinical Health Act.
Is certain data exempted from the application of the UCPA?
The UCPA excludes certain data from its application, such as protected health information under the Health Insurance Portability and Accountability Act of 1996, certain health records, certain patient identifying information, as well as certain other data pertaining to a health context, financial context, or federal regulation, among others.
How does the UCPA define 'consumers'?
The UCPA defines a 'consumer' as an individual who is a resident of the state acting in an individual or household context.
How is employee data treated?
The UCPA does not apply to individuals acting in a commercial or employment context.
How does the UCPA define 'consent'?
The UCPA defines 'consent' as an affirmative act by a consumer that unambiguously indicates the consumer's voluntary and informed agreement to allow a person to process personal data related to the consumer.
How does the UCPA define the 'sale of personal data'?
Sale of personal data is defined by the UCPA as 'the exchange of personal data for monetary consideration by a controller to a third party'. However, the concept of 'sale of personal data' does not include the following:
- disclosure of personal data to a processor that processes personal data on behalf of the controller;
- disclosure or transfer of personal data to an affiliate of the controller;
- disclosure of information that the consumer:
  - intentionally made available to the general public via a channel of mass media; and
  - did not restrict to a specific audience; or
- disclosure or transfer of personal data to a third party as an asset that is part of a merger, acquisition, bankruptcy, or other transaction in which the third party assumes control of all or part of the controller's assets.
How does the UCPA define 'sensitive data'?
Sensitive data is defined in the UCPA as a category of personal data that includes:
- Personal data revealing racial or ethnic origin, religious beliefs, mental or physical health diagnosis, sexual orientation, or citizenship or immigration status;
- Genetic or biometric data processed for the purpose of uniquely identifying a natural person; or
- Precise geolocation data.
Controllers must not process sensitive data without obtaining the consumer's consent, or, in the case of the processing of sensitive data concerning a known child, without processing such data in accordance with the Children's Online Privacy Protection Act of 1998 ('COPPA').
Key provisions and requirements
Does the UCPA provide for consumer rights?
Consumers, and a known child's parent or legal guardian, may exercise consumer rights, which include the right to:
- confirm whether a controller is processing their personal data, and to access that personal data;
- delete their personal data that has been provided to the controller;
- obtain a copy of their personal data in a format that, to the extent technically feasible, is portable, and to the extent practicable, is readily usable and allows the consumer to transmit the data to another controller without impediment, where the processing is carried out by automated means; and
- opt out of the processing of their personal data for purposes of targeted advertising or the sale of personal data.
What are the transparency responsibilities of data controllers?
Data controllers must comply with, among other things, requirements of proportionality, necessity, and establishing security safeguards and practices.
Notably, the UCPA requires controllers to provide consumers with a reasonably accessible, clear, and meaningful privacy notice. Such a notice must include:
- the categories of personal data processed by the controller;
- the purposes for which the categories of personal data are processed;
- how consumers may exercise a right;
- the categories of personal data that the controller shares with third parties, if any; and
- the categories of third parties, if any, with whom the controller shares personal data.
What are the data security responsibilities of data controllers?
Controllers must establish, implement, and maintain reasonable administrative, technical, and physical data security practices designed to reduce reasonably foreseeable risks of harm to consumers relating to the processing of their personal data. Such data security practices may be considered in light of the controller's business size, scope, and type, so that they are appropriate for the volume and nature of the personal data at issue.
What are the main obligations for data processors?
Data processors must follow the instructions of the controller, as well as assist the controller in meeting its obligations under the UCPA.
In particular, the processor, in order to assist the controller, will:
- fulfil the controller's obligation to respond to consumer rights requests, taking into account the nature of the processing and the information available to the processor, by appropriate technical and organisational measures, insofar as this is reasonably practicable; and
- assist the controller in meeting its obligations in relation to the security of the processing of personal data and to the notification of a breach of security of the processor's system, taking into account the nature of the processing and the information available to the processor.
Is the vendor privacy relationship regulated under the UCPA?
The UCPA provides that a contract between the controller and a processor must govern the processor's data processing procedures in relation to the processing carried out on behalf of the controller. The contract must be binding and clearly establish:
- instructions for processing data;
- the nature and purpose of the processing;
- the type of data subject to processing;
- the duration of processing; and
- the rights and obligations of both parties.
The contract must also prescribe that the processor will have to:
- ensure each person processing personal data is subject to a duty of confidentiality with respect to the personal data; and
- engage any subcontractor pursuant to a written contract that requires the subcontractor to meet the same obligations as the processor with respect to the personal data.
Are Data Protection Impact Assessments regulated?
The UCPA does not expressly provide for data protection or privacy impact assessment requirements.
Who is empowered to enforce violations of the UCPA?
The Utah Attorney General has exclusive authority to enforce the provisions of the UCPA and, prior to initiating any action, must provide a controller or processor with 30 days' written notice identifying the specific provisions alleged to have been or to be violated.
What penalties are controllers and processors facing under the UCPA?
If a data controller or processor continues to violate the UCPA following the prescribed 30-day cure period, or breaches an express written statement provided to the Attorney General, the Attorney General may initiate an action and may seek an injunction to restrain any violations and civil penalties of up to $7,500 for each violation.
Will the UCPA impact federal privacy regulation?
The UCPA does not directly impact federal legislation.
Marcello Ferraresi, Privacy Analyst