Utah Consumer Privacy Act (UCPA)

Regulation Summary

Timeline

March 24, 2022: UCPA signed into law by Governor Spencer Cox.
December 31, 2023: UCPA becomes effective.

What Businesses Are Affected

Businesses that conduct operations in Utah or target Utah residents and meet the following criteria:
- Generate $25 million or more in annual revenue; and
- Either:
  - Process data of 100,000 or more consumers annually, or
  - Derive 50% or more of gross revenue from selling data of at least 25,000 consumers.

Exemptions

Government entities and nonprofits.
Entities governed by HIPAA, GLBA, or other federal regulations.
Personal data used for employment or publicly available purposes.

Responsibilities for Businesses

Transparency: Provide a clear privacy notice detailing data collection and sharing practices.
Consumer Rights: Allow consumers to access, delete, or obtain copies of their data and opt out of targeted advertising and data sales.
Data Security: Implement safeguards to protect personal data.
Sensitive Data: Obtain explicit consent before processing sensitive personal data.

Specific Responsibilities for Website Owners

Establish a designated request address for consumer inquiries.
Respond to consumer requests within 45 days, extendable by an additional 45 days if necessary.
Clearly disclose opt-out options and data practices.

Additional Requirements

Controllers and processors must:
- Maintain contracts specifying data processing terms.
- Ensure data protection for shared or processed information.

Data Subject Rights

Access: Request a copy of personal data.
Deletion: Request deletion of data provided by the consumer.
Portability: Receive data in a portable format.
Opt-Out: Refuse data sales or targeted advertising.

Enforcement

Enforced by the Utah Attorney General.
Cure Period: 30 days to address violations.
Penalties: Up to $7,500 per violation, including actual damages.
No private right of action.