- Utah has become the fourth state in the nation to pass broad consumer data privacy legislation, following California, Virginia, and Colorado. The Utah Consumer Privacy Act will become effective December 31, 2023, and apply to businesses that (1) conduct business in Utah or otherwise target Utah consumers; (2) have $25 million or more in annual revenue; and (3) (a) control or process the personal data of 100,000 or more consumers, or (b) derive over 50% of their gross revenue from the sale of personal data and process personal data of more than 25,000 consumers.
- The UCPA applies only to consumer data, exempting certain types of data and entities such as governmental entities and tribes, universities, and nonprofits. The UCPA allows consumers to access and review their personal data, as well as request that it be deleted or opt out of its sale. Consumers may exercise these rights by submitting a request to the “controller” of their personal data, with which the controller must comply within 45 days. Controllers are required to post a privacy notice with information about how consumers can exercise their rights.
- Because there is no private right of action, only the AG can enforce the UCPA. However, prior to the AG bringing an enforcement action, businesses are entitled to 30 days’ written notice and opportunity to cure. Uncured violations can result in legal action to recover actual damages, as well as civil penalties of $7,500 per violation.