The Utah Consumer Privacy Act (UCPA) will become effective on December 31, 2023. This article discusses UCPA application and definitions, consumer rights, privacy notice requirements, controller and processor responsibilities, and controller-processor contracts.
The Utah attorney general will have exclusive authority to enforce the UCPA. Upon request, the Division of Consumer Protection in the Utah Department of Commerce, which is to administer and enforce the UCPA, is to provide consultation and assistance to the Utah attorney general in enforcing the UCPA.
Application and Definitions
The UCPA applies to any controller or processor that does the following.
Conducts business in Utah; or
Produces a product or service that is targeted to consumers who are Utah residents and that;
Has annual revenue of $25,000,000 or more and that;
During a calendar year, controls or processes personal data of 100,000 or more consumers; or
Derives over 50 percent of the entity's gross revenue from the sale of personal data and controls or processes personal data of 25,000 or more consumers.
The UCPA supersedes and preempts any ordinance, resolution, rule, or other regulation adopted by a local political subdivision regarding the processing of personal data by a controller or processor.
"Controller" means a person doing business in Utah who determines the purposes for which and the means by which personal data are processed, regardless of whether the person makes the determination alone or with others.
"Processor" means a person who processes personal data on behalf of a controller.
"Process" means an operation or set of operations performed on personal data, including collection, use, storage, disclosure, analysis, deletion, or modification of personal data.
"Consumer" means an individual who is a resident of Utah acting in an individual or household context and does not include an individual acting in an employment or commercial context.
"Personal data" means information that is linked or reasonably linkable to an identified individual or an identifiable individual and does not include deidentified data, aggregated data, or publicly available information.
"Identifiable individual" means an individual who can be readily identified, directly or indirectly.
"Aggregated data" means information that relates to a group or category of consumers from which individual consumer identities have been removed and that is not linked or reasonably linkable to any consumer.
"Sensitive data" means a category of personal data that includes the following.
Personal data that reveals an individual's racial or ethnic origin, religious beliefs, sexual orientation, citizenship or immigration status, or information regarding an individual's medical history, mental or physical health condition, or medical treatment or diagnosis by a healthcare professional; or
The processing of genetic personal data or biometric data for the purpose of identifying a specific individual; or
Specific geolocation data.
"Sensitive data" does not include personal data that reveals the following about an individual.
Racial or ethnic origin if the personal data are processed by a video communication service; or
If the personal data are processed by a person licensed to provide health care under Utah Code, Title 26, Chapter 21, Health Care Facility Licensing and Inspection Act, or Utah Code, Title 58, Occupations and Professions, information regarding an individual's medical history, mental or physical health condition, or medical treatment or diagnosis by a healthcare professional.
"Child" means an individual younger than 13 years old.
"Deidentified data" means data that does the following.
Cannot reasonably be linked to an identified individual or identifiable individual; and
Are possessed by a controller who does the following.
Takes reasonable measures to ensure that a person cannot associate the data with an individual; and
Publicly commits to maintain and use the data only in deidentified form and not attempt to reidentify the data; and
Contractually obligates any recipients of the data to comply with the foregoing requirements.
"Pseudonymous data" means personal data that cannot be attributed to a specific individual without the use of additional information if the additional information is kept separate from the consumer's personal data and subject to appropriate technical and organizational measures to ensure that the personal data are not attributable to an identified individual or identifiable individual.
"Sale," "sell," or "sold" means the exchange of personal data for monetary consideration by a controller to a third party and does not include the following.
A controller's disclosure of personal data to a processor who processes the personal data on behalf of the controller; or
A controller's disclosure of personal data to an affiliate of the controller; or
Considering the context in which the consumer provided the personal data to the controller, a controller's disclosure of personal data to a third party if the purpose is consistent with a consumer's reasonable expectations; or
The disclosure or transfer of personal data when a consumer directs a controller to disclose the personal data or interact with one or more third parties; or
A consumer's disclosure of personal data to a third party for the purpose of providing a product or service requested by the consumer or a parent or legal guardian of a child; or
The disclosure of information that the consumer intentionally makes available to the general public via a channel of mass media and does not restrict to a specific audience; or
A controller's transfer of personal data to a third party as an asset that is part of a proposed or actual merger, an acquisition, or a bankruptcy in which the third party assumes control of all or part of the controller's assets.
"Third party" means a person other than the consumer, controller, or processor, or an affiliate or contractor of the controller or the processor.
"Targeted advertising" means displaying an advertisement to a consumer where the advertisement is selected based on personal data obtained from the consumer's activities over time and across nonaffiliated websites or online applications to predict such consumer's preferences or interests and does not include the following.
Advertising based on a consumer's activities within a controller's own website or online application or any affiliated website or online application; or
Advertising based on the context of a consumer's current search query or visit to a website or online application; or
Advertising directed to a consumer in response to the consumer's request for information, product, a service, or feedback; or
Processing personal data solely to measure or report advertising performance, reach, or frequency.
"Trade secret" means information, including a formula, pattern, compilation, program, device, method, technique, or process, that does the following.
Derives independent economic value, actual or potential, from not being generally known to, and not being readily ascertainable by proper means by, other persons who can obtain economic value from the information's disclosure or use; and
Is the subject of efforts that are reasonable under the circumstances to maintain the information's secrecy.
A consumer may exercise a consumer right by submitting a request to a controller, by means prescribed by the controller, specifying the right the consumer intends to exercise.
Subject to the UCPA, a controller must comply with a consumer's request to exercise a right.
A consumer has the right to the following.
To confirm whether a controller is processing the consumer's personal data and to access such personal data
To delete the consumer's personal data that the consumer provided to the controller
To obtain a copy of the consumer's personal data, that the consumer previously provided to the controller in a format, to the extent technically feasible, is portable, to the extent practicable, is readily usable, and that allows the consumer to transmit the data to another controller without impediment, where the processing is carried out by automated means
To opt out of the processing of the consumer's personal data for purposes of targeted advertising or the sale of personal data
Privacy Notice Requirements
A controller must provide consumers with a reasonably accessible and clear privacy notice that includes all of the following.
The categories of personal data processed by the controller
The purposes for which the categories of personal data are processed
How consumers may exercise a consumer right
The categories of personal data that the controller shares with third parties, if any
The categories of third parties, if any, with which the controller shares personal data
If a controller sells a consumer's personal data to one or more third parties or engages in targeted advertising, the controller must clearly and conspicuously disclose to the consumer the manner in which the consumer may exercise the right to opt out of the sale of the consumer's personal data or processing for targeted advertising.
A controller must do the following.
Establish, implement, and maintain reasonable administrative, technical, and physical data security practices designed to protect the confidentiality and integrity of personal data and reduce reasonably foreseeable risks of harm to consumers relating to the processing of personal data.
Considering the controller's business size, scope, and type, use data security practices that are appropriate for the volume and nature of the personal data at issue.
Except as otherwise provided in the UCPA, not process sensitive data collected from a consumer without first presenting the consumer with clear notice and an opportunity to opt out of the processing, or in the case of the processing of personal data concerning a known child, processing the data in accordance with the federal Children's Online Privacy Protection Act and its implementing regulations and exemptions.
Not discriminate against a consumer for exercising a right by denying a good or service to the consumer, charging the consumer a different price or rate for a good or service, or providing the consumer a different level of quality of a good or service; however, Utah Code § 13–61–302(4) does not prohibit a controller from offering a different price, rate, level, quality, or selection of a good or service to a consumer, including offering a good or service for no fee or at a discount, if the consumer has opted out of targeted advertising, or the offer is related to the consumer's voluntary participation in a bona fide loyalty, rewards, premium features, discounts, or club card program; provided further, that a controller is not required to provide a product, service, or functionality to a consumer if the consumer's personal data are or the processing of the consumer's personal data is reasonably necessary for the controller to provide the consumer the product, service, or functionality, and the consumer does not provide the consumer's personal data to the controller, or allow the controller to process the consumer's personal data.
A processor must adhere to the controller's instructions, and taking into account the nature of the processing and information available to the processor, by appropriate technical and organizational measures, insofar as reasonably practicable, assist the controller in meeting the controller's obligations, including obligations related to the security of processing personal data and notification of a breach of security system described in Utah Code § 13–44–202.
Before a processor performs processing on behalf of a controller, the processor and controller must enter into a contract that does the following.
Clearly sets forth instructions for processing personal data, the nature and purpose of the processing, the type of data subject to processing, the duration of the processing, and the parties' rights and obligations; and
Requires the processor to ensure each person processing personal data is subject to a duty of confidentiality with respect to the personal data; and
Requires the processor to engage any subcontractor pursuant to a written contract that requires the subcontractor to meet the same obligations as the processor with respect to the personal data.
Opinions expressed in Expert Commentary articles are those of the author and are not necessarily held by the author's employer or IRMI.
Expert Commentary articles and other IRMI Online content do not purport to provide legal, accounting, or other professional advice or opinion.
If such advice is needed, consult with your attorney, accountant, or other qualified adviser.