On March 24, 2022, Utah Governor Spencer Cox signed the Utah Consumer Privacy Act (“UCPA”) into law, making Utah the fourth state to pass a comprehensive data privacy law – joining California, Virginia, and Colorado. The UCPA becomes effective on December 31, 2023. Here are the high-level takeaways to know:
Who does the UCPA protect?
The UCPA protects the personal data of “consumers,” which is defined as a Utah resident acting in an individual or household context and does not include a person acting in an employment or commercial context. “Personal data” is defined as information linked or reasonably linkable to an identified individual or an identifiable individual; however, personal information does not include de-identified data, aggregated data, or publicly available information.
The UCPA separately defines “sensitive information” and provides consumers the right to opt out of the processing of their sensitive data, which differs from the other state privacy laws that require consumers to opt in to such processing.
Are there entity or data level exemptions?
The UCPA provides full exemptions for certain types of entities, such as non-profits, covered entities and air carriers, and certain data types, such as data regulated by GLBA, HIPAA, and FERPA. Please reach out to the Parker Poe team or review the statute for a complete list of exempt types of entities and data types.
What is a sale?
A “sale” is defined as the transfer of data for monetary consideration, differing from other privacy laws, which include “other valuable consideration.”
What rights are provided to consumers?
The UCPA provides consumers six rights: (i) confirmation that an entity is processing their personal data, (ii) access to their personal data, (iii) deletion of their personal data, (iv) portability of their personal data, (v) opt-out of targeted advertising and sale of their personal data, and (vi) the right not to be discriminated against for exercising their rights. These rights are not as robust as those under other state privacy laws, given that the rights to data portability, deletion, and not to be discriminated against have certain limitations in comparison.
Enforcement and Cure.
The UCPA does not provide a private right of action. The Attorney General is responsible for enforcing the UCPA, and before bringing an action, the Attorney General must provide a covered business with 30 days to cure any alleged or ongoing violation. Damages for any action brought by an Attorney General are limited to actual harm to consumers and a maximum penalty of $7,500 per violation.
The Parker Poe Data Privacy and Cybersecurity team will continue to provide insights and updates on the rapidly changing privacy landscape. If you have any questions about the UCPA’s application to your business, please reach out to Sarah Hutchins or Robert Botkin.