Utah has passed a new privacy law, conferring new personal data rights and protections on the state’s citizens.
The Utah Consumer Privacy Act (UCPA) will take effect in under two years’ time, on December 31 2023. The provisions will apply to organizations with annual revenue of $25m or more that conduct business in Utah or produce products or services targeted at Utah residents and process large volumes of personal data.
Utah is the fourth US state to enact a consumer privacy law in recent years, following in the footsteps of California, Virginia and Colorado. These laws broadly follow the model established in the EU’s General Data Protection Regulation (GDPR), which was passed in 2016 and came into force in 2018.
The UCPA will provide Utah consumers with a range of new rights regarding the collection and use of their personal information. These include the right to access, delete and obtain a copy of their personal data in a portable manner. In addition, they can choose to opt out of the sale of their personal data and targeted advertising.
However, unlike California, Virginia and Colorado laws, the UCPA does not give consumers the ability to correct inaccuracies in their personal data. Organizations will also not be required to obtain prior opt-in consent to process sensitive data, such as racial origin, sexual orientation and religious beliefs. However, they will have to provide consumers with clear notice and an opportunity to opt-out of processing their sensitive personal data.
The Act will also require controllers to implement reasonable and appropriate data security measures, provide certain content in their privacy notices and include specific language in contracts with processors.
Unlike the other US state privacy laws, controllers will not be required to conduct data protection assessments before engaging in data processing activities that present a heightened risk of harm to consumers or to conduct cybersecurity audits or risk assessments.
Enforcement of the provisions will be solely at the discretion of Utah’s attorney general, with no private right of action available. This enforcement process will be under a novel, multi-layered system, which will give data controllers and processors a 30-day period to fix the violation. If the issue is not resolved in that timeframe, organizations can face fines of up to $7500 per violation.
In its coverage of the new law, the International Association of Privacy Professionals (IAPP) stated: “Although the UCPA extends VCDPA-like rights and obligations specifically for Utah consumers and businesses, the law is not likely to add special considerations to an entity’s existing privacy compliance obligations. Facially, the law is narrower and more lenient than its counterparts in California, Virginia and Colorado.”
Commenting to Infosecurity about the news, Reece Hirsch, partner and co-head of the Morgan Lewis’ Privacy & Cybersecurity practice, said: "The US privacy landscape is about to change in 2023, and many national companies will be striving to take a streamlined, integrated approach to compliance with new laws in California, Virginia, Colorado and now Utah. Like the Virginia Consumer Data Protection Act, the UCPA provides for rights of access, correction, deletion, portability and the right to opt-out of the sale of personal data, and does not introduce many new elements that are likely to raise unique compliance challenges.
"The UCPA takes a somewhat more measured, business-friendly approach to consumer privacy regulation when compared with other recent state laws. Companies should be able to integrate compliance with the Utah law into their existing privacy compliance strategies for 2023 without major disruption."