Utah Consumer Privacy Act Taking Effect in 2023
On March 24, 2022, Utah Governor Spencer Cox signed the Utah Consumer Privacy Act (UCPA) into law, adding Utah to the list of US states with comprehensive consumer privacy legislation in place. The law is set to go into effect on December 31, 2023.
Scope of the UCPA
The UCPA is designed to apply to any company that meets specific criteria. The company must conduct business in Utah or offer a product or service that is targeted towards Utah residents. Additionally, the company must have an annual revenue of $25 million or more and meet one of the following two thresholds:
- Control or process the personal data of 100,000 or more consumers in a calendar year
- Derive more than 50% of its gross revenue from the sale of personal data and control or process the personal data of at least 25,000 consumers.
The UCPA differs from Virginia’s Consumer Data Protection Act (CDPA) as it only applies to companies making $25 million or more in annual revenue and that meet at least one of the above-mentioned thresholds. This means that smaller companies are not subject to the UCPA, even if they meet the other criteria, and larger companies will only be subject to the law if they meet the annual revenue threshold and another threshold.
Key Definitions in the Utah Consumer Privacy Act
The UCPA defines a “consumer” as an individual who is a Utah resident and is acting in a personal or household context. However, individuals who are acting in a commercial or employment context are excluded from the definition of “consumer.”
The UCPA considers an exchange of personal data to be a “sale” if the data is exchanged for monetary consideration. However, disclosures to processors and the controller’s affiliates, as well as disclosures for the purpose of providing a requested product or service, are excluded from the definition of “sale.” The UCPA also specifically excludes any disclosure of personal data if it aligns with a consumer’s reasonable expectations.
Like other privacy laws, the UCPA defines “personal data” as information that can be used to identify an individual. However, the UCPA goes further by excluding deidentified data, publicly available information, and aggregated data (data that has been grouped and cannot be linked back to an individual).
Exemptions in the UCPA
The UCPA has a narrower scope compared to other state privacy laws and contains a number of exemptions. For example, institutions of higher education, nonprofits, government entities and contractors, tribes, air carriers, and businesses covered by HIPAA and the Gramm-Leach-Bliley Act (GLBA) are exempt from the UCPA. Data that is processed or maintained in the course of employment, as well as data that is governed by HIPAA, GLBA, and other applicable laws are also exempt from the UCPA.
Consumer Rights under the UCPA
Under the UCPA, consumers have these main rights:
- Right to access: Consumers have the right to confirm whether a controller is processing their personal data and to access their personal data.
- Right to delete: Consumers have the right to delete the personal data that they have provided to the controller. However, this right is limited, and consumers do not have the right to delete all personal data that a controller has about them.
- Right to know: Consumers have the right to know the categories and specific pieces of personal data that a controller has collected about them, the source of the data, and the purpose for which the data will be used.
- Right to access: Consumers have the right to access their personal data upon request.
- Right to a copy: Consumers may obtain a copy of all personal data they’ve previously provided.
- Right to opt-out: Consumers have the right to opt-out of having their personal data processed for targeted advertising or sale.
- Right to avoid discrimination: Consumers are allowed to exercise these rights freely and may not face discrimination when doing so.
Preparing for Compliance with the Utah Consumer Privacy Act
The UCPA may not take full effect until the end of the year, but your company needs to be ready for it. Need some help ensuring your compliance? Get in touch with us today for professional assistance.