As was widely predicted in the wake of the California Consumer Privacy Act, comprehensive privacy legislation continues to ripple out across the various states in 2022. Utah has become the fourth state, joining California, Colorado and Virginia, to enact sweeping consumer privacy legislation.
On March 24, 2022, the Utah Consumer Privacy Act (the “UCPA”) was signed into law by Governor Spencer Cox. Businesses subject to the UCPA will have until December 31, 2023 to achieve compliance. Fortunately for businesses subject to the consumer privacy laws in California, Colorado and/or Virginia, the UCPA has many similarities.
Who is Subject to the UCPA?
Similar to the consumer privacy laws in Colorado and Virginia, the UCPA will apply to both data controllers and processors. Under the UCPA, a controller is “a person doing business in the state who determines the purposes for which and means by which the personal data is processed, regardless of whether the person makes the determination alone or with others.” Also similar to the Colorado and Virginia statutes, a processor is “a person who processes personal data on behalf of a controller.”
The UCPA will apply to data controllers that generate over $25 million in annual revenue and that either (i) control or process personal data for over 100,000 consumers yearly, or (ii) control and process personal data for over 25,000 consumers and generate over half of their revenue from selling personal data. Here, the UCPA again mimics the Colorado and Virginia statutes in broadly defining personal data to include information that is linked or reasonably linkable to an identified individual or an identifiable individual.
Also similar to the Colorado and Virginia statutes, the UCPA sets forth important exemptions. First, the UCPA provides important exemptions for personal data collected from and about personnel and business to business (“B2B”) contacts, as persons acting in a “commercial or employment context” are explicitly excluded from the UCPA’s definition of consumers.
The UCPA also provides several entity-based exclusions, including for entities regulated by the Gramm-Leach-Bliley Act (“GLBA”), and for covered entities and business associates as defined under the Health Insurance Portability and Accountability Act (“HIPAA”).
The UCPA also provides information-level exclusions, including (i) protected health information as defined under HIPAA, (ii) activity by a consumer reporting agency that is subject to regulation by the Fair Credit Reporting Act (“FCRA”), and (iii) personal data regulated by the Family Educational Rights and Privacy Act (“FERPA”).
The UCPA provides a slate of consumer rights similar to those in Colorado and Virginia, and in California once the pending amendments take effect on January 1, 2023. Consumers will have the rights to (i) know when a controller is processing and/or accessing their data, (ii) delete personal data, (iii) obtain and review their data, and (iv) opt out of the processing of their personal data to the extent it relates to targeted advertising and the sale of personal data. Unlike the other states, however, Utah does not provide consumers a right to correct inaccuracies in their personal data. And unlike the California, Colorado and Virginia statutes, which specify the means for submitting consumer requests, the UCPA lets the controller establish the requirements for submitting consumer rights requests.
Controllers must respond to consumer requests within 45 days, or extend the initial response period by an additional 45 days. Consumer requests believed to be fraudulent, excessive, unfounded, or unduly burdensome can be rejected, but the controller will bear the burden of demonstrating that it is not required to comply with the request.
The UCPA imposes several requirements on controllers. Controllers are required to provide consumers with reasonably accessible and clear privacy notices that disclose the categories of personal data being processed, the purposes of the processing, consumer rights under the UCPA, and information on sharing with third parties.
The UCPA also requires controllers to protect personal data with reasonable security appropriate to the volume and nature of the personal data, and considering the controller’s size and type.
Controllers are prohibited from processing sensitive data without providing the consumer with a right to opt out. Under the UCPA, sensitive data includes any personal data that reveals a consumer’s racial or ethnic origin, religious beliefs, sexual orientation, or citizenship or immigration status, as well as certain health care-related data, biometric data, and specific geolocation data. Similarly, consumers cannot be discriminated against, in the form of denial of service, different pricing, or diminished quality of service, for exercising any of their rights under the UCPA.
The UCPA requires processors and controllers to enter into data processing agreements (“DPAs”) that specify the processing instructions, the nature of the processing, the types of data, the duration of the processing, and the rights and obligations of the parties. Processors are subject to confidentiality requirements for their personnel who handle the data. Further, processors are required to push down the controller’s data processing expectations to any subcontractor involved in the processing of the data.
Although the UCPA does not provide a private right of action, it includes a dual means of enforcement whereby either the Division of Consumer Protection or the Attorney General (if referred) may enforce the law. If the Attorney General decides to take action, the controller or processor will have 30 days from the time of notice to cure the violation and provide written confirmation that (i) the violation has been cured and (ii) the cured violation will not recur. For uncured violations, or where a cured violation recurs, the Attorney General can initiate an action for actual damages to the consumer and fines of up to $7,500 per violation.
With a compliance date of December 31, 2023, the UCPA requires businesses to take action now.