Utah: Utah Consumer Privacy Act – What you need to know
On 24 March 2022, the Utah State Governor signed Senate Bill ('SB') 227, thereby enacting the Utah Consumer Privacy Act ('UCPA') and making Utah the fourth State in the US to pass a comprehensive privacy law, bringing it more in line with the likes of California, Colorado, and Virginia. Although the UCPA will enter into effect on 31 December 2023, giving businesses some time to consider its provisions and prepare, various considerations need to be made to understand the extent of the UCPA's requirements on businesses. As such, OneTrust DataGuidance highlights some of the key provisions, focusing on areas such as consumer rights, business obligations, and what to expect with regards to enforcement.
Scope of application
As with most laws, the UCPA's provisions begin with the outlining of certain key definitions, detailing its scope of application. In this respect, the UCPA protects consumers, and defines 'consumers' as individuals who are residents of the state of Utah and act in an individual or household context. Notably, individuals acting in an employment or commercial context do not qualify as consumers in the eyes of the UCPA.
Moreover, the UCPA applies to any controller or processor who:
- conducts business in the state, or produces a product or service that is targeted to consumers who are residents of the state;
- has annual revenue of $25 million or more; and
- satisfies one or more of the following thresholds:
  - during a calendar year, controls or processes personal data of 100,000 or more consumers; or
  - derives over 50% of the entity's gross revenue from the sale of personal data and controls or processes personal data of 25,000 or more consumers.
Contrastingly, the UCPA also outlines those bodies or data outside of its scope of application, which include governmental entities or third parties under contract with a governmental entity when the third party is acting on behalf of the governmental entity, institutions of higher education, non-profit corporations, and covered entities and business associates as defined by the UCPA, among several others.
Consumer rights
Like many other State privacy laws, the UCPA provides for various new consumer rights with respect to their personal data. More specifically, the UCPA will now grant consumers the right to:
- confirm whether a controller is processing their personal data, and to access that personal data;
- delete their personal data that has been provided to the controller;
- obtain a copy of their personal data in a format that, to the extent technically feasible, is portable, and to the extent practicable, is readily usable and allows the consumer to transmit the data to another controller without impediment, where the processing is carried out by automated means; and
- opt out of the processing of their personal data for purposes of targeted advertising or the sale of personal data.
In order to ensure that these consumer rights are effectively complied with, the UCPA also requires a controller that receives a request from a consumer to exercise a right to take action on the request and inform the consumer of any action taken within a 45-day period. This period can be extended once for a further 45 days if it is deemed to be reasonably necessary as a result of the complexity of the request or the overall volume of requests received by the controller.
Moreover, the UCPA generally provides that controllers cannot charge a fee for providing information to a consumer upon a request. Nevertheless, a fee can be charged if a second or subsequent request is received within the same 12-month period as the initial request, or if:
- the request is excessive, repetitive, technically infeasible, or manifestly unfounded;
- the controller reasonably believes the primary purpose in submitting the request was something other than exercising a right; or
- the request, individually or as part of an organised effort, harasses, disrupts, or imposes undue burden on the resources of the controller's business.
Controller and processor obligations
Among many obligations, one key obligation for controllers established by the UCPA is the requirement for a reasonably clear and accessible privacy notice to be provided to consumers. Such a notice must include:
- the categories of personal data processed by the controller;
- the purposes for which the categories of personal data are processed;
- how consumers may exercise a right;
- the categories of personal data that the controller shares with third parties, if any; and
- the categories of third parties, if any, with whom the controller shares personal data.
Furthermore, and in cases where a controller sells a consumer's personal data to one or more third parties or engages in targeted advertising, the controller is required, under the UCPA, to clearly and conspicuously disclose to the consumer the manner in which they can exercise their right to opt out of such sale or targeted advertising.
Controllers are also required to ensure the confidentiality and integrity of the personal data that they process and hold. As such, the UCPA requires controllers to establish, implement, and maintain reasonable administrative, technical, and physical data security practices, and to reduce reasonably foreseeable risks of harm to consumers relating to the processing of their personal data, although such data security practices may be considered alongside the controller's business size, scope, and type, in order to ensure that they are appropriate for the volume and nature of the personal data at issue.
With respect to data processors, the UCPA also now requires that a contract be in place before a processor performs processing on behalf of a controller. That contract must require the processor to ensure that each person processing personal data is subject to a duty of confidentiality with respect to the personal data, and to engage any subcontractor pursuant to a written contract, and it must clearly set forth the following:
- instructions for processing personal data;
- the nature and purpose of the processing;
- the type of data which is subject to processing;
- the duration of the processing; and
- the parties' rights and obligations.
Enforcement
One matter which is often a point of debate in State privacy laws is the topic of private rights of action for consumers. In this respect, the UCPA does not provide consumers with a private right of action. Instead, the UCPA grants the Utah Attorney General ('AG') exclusive authority to enforce its provisions.
If the AG determines that a controller or processor has violated a provision of the UCPA, the AG must, at least 30 days before initiating an enforcement action, provide the controller or processor with a written notice of the alleged violations and an explanation of the basis for each violation. Violators also have a 30-day cure period in which violations can be rectified; if the violation is cured within that period and the violator provides the AG with an express written statement that the violation is cured and no further violation will occur, the AG may not initiate an enforcement action.
However, if the AG does initiate an enforcement action, they have the authority to recover actual damages to the consumer, and an amount not to exceed $7,500 for each violation described in Section 13-61-402(3)(c) of the UCPA, namely failing to cure a violation or continuing to violate the UCPA after submitting a written notice to the AG that the violation had been cured.
With the effective date of the UCPA set to 31 December 2023, businesses still have time to consider its provisions and start taking steps to ensure compliance.
Iana Gaytandjieva, Lead Privacy Analyst