Utah Consumer Privacy Act

The Utah Consumer Privacy Act (UCPA) is legislation unanimously passed in the Utah Legislature. The final version of this Utah privacy law now awaits the signature of Governor Spencer Cox. If, as expected, the Governor signs the legislation by March 24, 2022, Utah will become the fourth state in the nation with a comprehensive consumer privacy law. The details of the Utah Consumer Privacy Act are discussed below.

Utah Consumer Privacy Act: Who is Regulated?

The Utah Consumer Privacy Act protects Utah residents’ personal information privacy. The Utah Privacy Law defines “personal information” as information “linked or reasonably linkable” to an identified individual or an identifiable individual. This definition is similar to the HIPAA definition of protected health information; however, the Utah Consumer Privacy Act is broader, covering non-health-related information as well as health-related information.

The Utah Consumer Privacy Act applies to data controllers and data processors. Under the Utah privacy law, a data controller is a person or entity doing business in Utah who plays a part in determining the purposes and means by which personal data is processed. In contrast, a data processor is a person or entity who processes personal data on behalf of a controller. The data controller and data processor relationship is akin to the HIPAA relationship between a covered entity and a business associate. In each case, the latter entity processes information on behalf of the former.

The Utah Consumer Privacy Act applies to controllers and processors that conduct business in the state of Utah or produce a product or service that is targeted to Utah residents, have annual revenue amounts of $25,000,000 or more, and:

  • Control or process personal data of more than 100,000 consumers per calendar year; or
  • Derive over 50% of the entity’s gross revenue from the sale of personal data and control or process personal data of 25,000 or more consumers.

Utah Consumer Privacy Act: What’s In It for Me?

Under the new Utah privacy law, consumers have the right to:

  • Confirm whether a controller is processing their personal data
  • Obtain a copy of their personal data in a format that is portable and readily usable
  • Delete data that the consumer has previously provided to the controller
  • Opt out of the “sale” of personal data (“sale” is defined by the UCPA as disclosure by a controller to a third party for money), or processing of personal data for targeted advertising

The UCPA also requires covered businesses to publish privacy notices that provide the following:

  • The categories of personal data processed
  • The purpose for the processing of the personal data
  • How consumers may exercise their rights under the UCPA (controllers have 45 days to respond to a request by a consumer to exercise their rights)

The Utah privacy law’s consumer protections, while significant, are less robust than those afforded by other recently enacted state data privacy laws, including the California Consumer Protection Act (CCPA) and the Virginia Consumer Data Privacy Act (VCDPA). For example, the VCDPA affords consumers the right to appeal denials of requests to exercise their rights; the UCPA contains no equivalent provision. In addition, the VCDPA requires controllers to conduct data protection assessments of certain processing activities, while the UCPA does not. Further still, the VCDPA gives consumers the right to opt out of data profiling. The UCPA does not contain an equivalent opt-out provision.

Significantly, the UCPA and VCDPA have one commonality. Neither law gives consumers the right to bring a private lawsuit against a business alleged to have violated that law. 

Utah Consumer Privacy Act: Sensitive Data

The UCPA gives heightened protection to what the law classifies as “sensitive data.” 

Under the UCPA, sensitive data includes an individual’s:

  • Racial or ethnic origin
  • Religious beliefs
  • Sexual orientation
  • Citizenship or immigration status

The Utah Consumer Privacy Act has special requirements for processing “sensitive data.” Before a controller may process such data, the controller must give a consumer clear notice and an opportunity to opt out of the processing.

Utah Consumer Privacy Act: Are HIPAA Compliant Entities Exempt?

Notably, the Utah Consumer Privacy Act does not apply to HIPAA covered entities or HIPAA business associates. If HIPAA already regulates an entity, it will not be additionally regulated by the Utah privacy law. In addition, information that is protected health information under HIPAA is not subject to the provisions of the UCPA. 

The UCPA contains an effective date of December 31, 2023. This means that if the bill becomes law, regulated entities will have until the end of December of 2023 to bring themselves into compliance with the law’s provisions.
