The Utah Consumer Privacy Act is one of five new privacy laws taking effect in 2023. Does your business need to be compliant?
Recently signed into law by Governor Spencer Cox, the Utah Consumer Privacy Act (UCPA) is now the nation’s fourth data privacy law to go on the books. While it does not go into effect until December 31, 2023, it’s never too early to learn about the new law and how it compares to privacy legislation in other states.
The new law is closely modeled on Virginia’s Consumer Data Privacy Act (VCDPA), as opposed to the California Consumer Privacy Act (CCPA). It grants similar privacy rights to consumers as the VCDPA, permanently exempts employment and B2B data, and creates no private right of action. Considering all the similarities, it’s worth taking a look at how the UCPA is different from its Virginia counterpart.
The UCPA’s most striking feature in comparison to other data privacy laws is its narrower focus on larger businesses. Specifically, the Utah Consumer Privacy Act only applies to businesses that have at least $25 million in annual revenue. This minimum-revenue threshold is unique to the UCPA, and will result in far fewer small and medium-sized businesses being required to comply.
For those businesses that do have at least $25 million in annual revenue, the UCPA applies to them if they conduct business in Utah and meet one of these two thresholds:
The UCPA also contains a long list of categories of organizations that are exempt, so that it is largely restricted to for-profit entities. The exemptions include:
Regarding enforcement, though Utah’s Division of Consumer Protection may investigate claims of noncompliance, the attorney general has exclusive authority to pursue an enforcement action. Businesses will generally have 30 days to cure any violations, but after that they can be fined up to $7500 per violation.
The UCPA creates four rights for consumers with regard to their personal data. These rights are:
These might seem standard—they are quite similar to data privacy rights in Virginia, Colorado and California—but there are a few notable differences. First, Utah lawmakers have curiously left out the right to correct inaccurate personal data, which exists in those other three states. There is also a subtle difference in the UCPA’s right to delete: It only applies to personal data provided by the consumer, as opposed to applying to all personal data provided by and obtained about the consumer (as is the case with the Virginia law). At the least, this appears to exempt personal data received from data brokers from deletion, and potentially data from other sources as well.
Once received, consumer requests must be resolved within 45 days, with the option to extend for another 45 days when reasonably necessary.
As with Virginia’s privacy law, the UCPA has special rules about the processing of “sensitive data,” though it handles the issue a bit differently. Sensitive data is defined as:
This sticks pretty closely to Virginia’s definition of sensitive data, but while Virginia requires a consumer’s consent before processing such data, the UCPA only requires that consumers be informed and have the opportunity to opt out of the processing.
On a related note, while the VCDPA requires businesses to complete a data protection assessment before processing sensitive data—or using targeted advertising, selling personal data, profiling consumers, and any other processing that presents a heightened risk to consumers—the Utah privacy law has no such requirement.
Disclaimer: This content is provided for general informational purposes only and does not constitute legal or other professional advice. Without limiting the foregoing, the content may not reflect recent developments in the law, may not be complete, and may not be accurate or relevant in an applicable jurisdiction. This content is not a substitute for obtaining legal advice from a qualified licensed attorney in the applicable jurisdiction. The content is general in nature and may not pertain to specific circumstances, so it should not be used to act or refrain from acting based on it without first obtaining advice from professional counsel qualified in the applicable subject matter and jurisdictions.
Get monthly updates on the latest updates on policy & the shifting privacy landscape.
Dive into a world of knowledge, trends, and industry updates on the TrueVault blog.