Reed Smith In-depth

On March 24, 2022, Utah Governor Spencer J. Cox signed into law the Utah Consumer Privacy Act (UCPA), the fourth state-level comprehensive data privacy law in the United States. The law takes effect on December 31, 2023, and generally mirrors the Virginia Consumer Data Privacy Act (VCDPA): it covers for-profit businesses that meet certain revenue and data processing thresholds, provides consumer rights of data access and deletion and the right to opt out of targeted advertising or the sale of personal data, and provides a 30-day period for curing violations following notification from the state attorney general. For more information on the VCDPA, see our previous client alert.

Scope and Applicability

The UCPA will apply to any “controller” or “processor” that conducts business in Utah or produces products or services that are targeted to Utah residents, that has an annual revenue of $25 million or more, and that meets one of the following thresholds: (i) controls or processes the personal data of at least 100,000 Utah residents in a year; or (ii) derives over 50 percent of its gross revenue from the “sale” of personal data and controls or processes the personal data of at least 25,000 Utah residents.

Like the VCDPA and the Colorado Privacy Act (CPA), the UCPA covers “controllers” and “processors” where a “controller” is defined as a “natural or legal person that … determines the purpose and means of processing personal data” and a “processor” is defined as a “natural or legal entity that processes personal data on behalf of a controller.” The UCPA defines the entities’ obligations using these terms accordingly.

Notably, like the VCDPA, the UCPA also exempts a large list of entities – including nonprofits, governmental entities, higher education institutions, HIPAA covered entities and business associates, and financial institutions governed by Title V of the GLBA – and it also does not apply to various types of personal data – such as protected health information under HIPAA, personal data processed or disclosed in accordance with Title V of the GLBA, and personal data regulated by FERPA. Additionally, the UCPA does not cover data that is processed or maintained in the employment context – the definition of “consumer” specifically excludes “an individual acting in an employment or commercial context.”