Scope and Applicability
The UCPA will apply to any “controller” or “processor” that conducts business in Utah or produces products or services targeted to Utah residents, has annual revenue of $25 million or more, and meets one of the following thresholds: (i) controls or processes the personal data of at least 100,000 Utah residents in a year; or (ii) derives over 50 percent of its gross revenue from the “sale” of personal data and controls or processes the personal data of at least 25,000 Utah residents.
Like the VCDPA and the Colorado Privacy Act (CPA), the UCPA covers “controllers” and “processors” where a “controller” is defined as a “natural or legal person that … determines the purpose and means of processing personal data” and a “processor” is defined as a “natural or legal entity that processes personal data on behalf of a controller.” The UCPA defines the entities’ obligations using these terms accordingly.
Notably, like the VCDPA, the UCPA also exempts a large list of entities – including nonprofits, governmental entities, higher education institutions, HIPAA covered entities and business associates, and financial institutions governed by Title V of the GLBA – and it also does not apply to various types of personal data – such as protected health information under HIPAA, personal data processed or disclosed in accordance with Title V of the GLBA, and personal data regulated by FERPA. Additionally, the UCPA does not cover data that is processed or maintained in the employment context – the definition of “consumer” specifically excludes “an individual acting in an employment or commercial context.”