A Guide to Utah’s Data Privacy Act
On March 3, 2022, the Utah House of Representatives unanimously approved Senate Bill 227, known as the Utah Consumer Privacy Act (UCPA or S.B. 227), after a 28-0 vote by the Utah Senate. The provisions of the UCPA are intended to create consumer data protection rights, and set obligations on those who collect or process data belonging to Utah residents.
The approval of S.B. 227 comes after the Utah Senate failed to pass Senate Bill 200, known as the Consumer Privacy Act, in March of 2021. Though S.B. 200 passed each of its first two readings, it failed to get a third Senate floor reading. After the failure of S.B. 200, a substitute bill was distributed in an unsuccessful attempt to secure a third reading.
The UCPA applies to organizations conducting business in Utah or targeting Utah citizens in the sale of their products or services, and:
- have an annual revenue of $25 million or more; and
- control or process the personal information of 100,000 consumers or more in a calendar year; or
- derive more than 50 percent of their gross revenue from the sale of consumers’ personal information and control or process the personal data of 25,000 or more consumers.
Personal information is defined under S.B. 227 as information that is linked, or reasonably linkable, to an individual. The UCPA explicitly states that information that cannot be linked to its owners is not considered protected personal information. This means de-identified and anonymized data is not covered under the UCPA.
Under the UCPA, consumers are granted certain rights and protections including:
- The right to receive reasonably accessible and clear privacy notices outlining the ways their personal data is being processed, the purpose for that processing, and how that data is distributed to third parties;
- The right to opt-out of the sale of a consumer’s personal data or the processing of that data for targeted advertising; and
- The right to receive notice from a business when their “sensitive data” is being processed or collected and to opt-out of said use. The UCPA defines “sensitive data” as data which reveals an individual’s racial or ethnic origin, religious beliefs, sexual orientation, citizenship or immigration status, or medical history, including mental or physical health conditions, medical treatment or professional diagnosis. Genetic information, biometric information, and geolocation are also considered sensitive data.
Under the UCPA, if a consumer submits a request to a controller pursuant to any of these rights, the request must be honored within 45 days of its receipt. However, if the business receives a complex request or is currently in the process of complying with a large volume of requests, this 45-day deadline may be extended by an additional 45 days so long as the controller gives the consumer written notice of the length and the reason for the extension. If a controller decides not to comply with a consumer’s request, they must provide the consumer with written notice of the denial and provide a valid reason for doing so.
A controller who is responding to a consumer request may not charge consumers a fee for the information being requested, unless the consumer has issued two requests during the same 12-month period, the request is “excessive, repetitive, technically infeasible, or manifestly unfounded,” or the request is being submitted for a reason outside of exercising the consumer’s rights.
In addition, the UCPA requires data controllers to comply with the common privacy principles of:
- Purpose specification;
- Data minimization;
- Nondiscrimination; and
The following actions by a covered business are specifically exempted from the act’s restrictions:
- Actions done for the purposes of complying with any legal or regulatory requirement;
- Actions vital to providing a product or service;
- Actions taken to “detect, prevent, protect against, or respond to a security incident, identity theft, fraud, harassment, malicious or deceptive activity, or any illegal activity,” or investigate, report, or prosecute those involved in these acts; or
- Actions to preserve the integrity or security of the business’s systems or to investigate and prosecute a person who threatened said systems.
The UCPA grants the Utah Division of Consumer Protection Enforcement (UDCPE) the authority to accept and investigate consumer complaints regarding a covered business’s processing of their personal data. If the UDCPE determines that a violation has been made, the UCPA grants the Utah Attorney General (AG) the power to take enforcement action and impose penalties upon a violating covered business.
If the AG determines that a violating action has been conducted by a covered business, the AG must provide the business with written notice of an opportunity to cure the violation within 30 days of the business’s receipt of the notice. If the covered business fails to act on this opportunity to cure and the violation remains, the AG may file suit and seek civil penalties, including actual damages, and levy fines of up to $7,500 per violation of the act.
After approval was received from the House of Representatives, the UCPA was returned to the Senate to address amendments that were made while the bill was before the House. The bill is now before Utah’s Governor, who must either sign it into law by March 24 or veto it. A veto can only be overridden by the legislature.
If enacted, the UCPA will take effect on December 31, 2023. As such, covered businesses have sufficient time to review and amend their policies and procedures to implement data security practices necessary to safeguard Utah consumers’ personal data under the bill. Covered businesses should also review their data processing controls with any third-party vendors or service providers to ensure that their agreements provide these consumer safeguards.