On February 25, the Utah Senate passed the Utah Consumer Privacy Act (the UCPA), which closely resembles both the Virginia Consumer Data Protection Act (the VCDPA) and the Colorado Privacy Act (the CPA). The House unanimously passed the bill on March 2. The bill now goes to Governor Spencer Cox, who has 20 days to sign or veto it. If signed, Utah would be the fourth state to pass a comprehensive privacy bill after California, Virginia, and Colorado.

Who Would This Bill Affect?

The bill would apply to a for-profit business that (a) conducts business in Utah or produces a product or service targeted to consumers who are Utah residents; (b) has an annual revenue of $25 million or more; and (c) satisfies one or more of certain enumerated thresholds: (i) during a calendar year, controls or processes personal data of 100,000 or more consumers; or (ii) derives over 50% of the entity’s gross revenue from the sale of personal data, and controls or processes personal data of 25,000 or more consumers. The UCPA follows the GDPR framework and categorizes a business based on its activities as either a “controller” or “processor,” and provides specific requirements as to both categories (similar to the VCDPA and the CPA). Under the UCPA, “processor” is defined as a person who processes personal data on behalf of a controller. There are also a number of exemptions for entities, such as the government, nonprofits, and entities covered under other federal laws, such as FERPA, HIPAA, and GLBA. Under the UCPA, a “consumer” is defined as an individual who is a resident of the state acting in an individual or household context. It does not include an individual acting in an employment or commercial context.

Unique Provisions Under the UCPA:

While the Utah bill is like the VCDPA and the CPA, there are a few differences.

  • There is no consumer right to request the correction of personal data.
  • Data controllers are not required to implement an appeal process when consumer requests are denied.
  • Consumer consent is not required prior to processing sensitive data of adults. The bill states a controller may not process sensitive data collected from a consumer without first presenting the consumer with clear notice and an opportunity to opt out of the processing.
  • There is no data protection risk assessment requirement.

Enforcement and Remedies

Like the three current comprehensive privacy bills, the UCPA does not provide a private right of action. However, the act creates a split system where the Department of Commerce’s Consumer Protection Office will consider and investigate a claim, without having enforcement power. If there is substantial evidence of a violation, the claim will go to the attorney general’s office. Then, the attorney general may choose to initiate an action. In comparison, California’s Privacy Rights Act delegates administrative enforcement authority to the California Privacy Protection Agency and civil enforcement authority to the attorney general.

Thirty days prior to any commencement of action, the attorney general will provide the controller or processor with a notice, which allows the entity to cure the alleged violation. For each violation, the attorney general may recover: (i) actual damages to the consumer; and (ii) penalties not exceeding $7,500 per violation.

Up Next

The bill is headed to Governor Spencer Cox. He will have 20 days to sign or veto the bill. If signed, the bill will have an effective date of December 31, 2023.

Ashley L. Taylor, Jr.

Ashley is co-leader of the firm’s nationally ranked State Attorneys General practice, vice chair of the firm, and a partner in its Regulatory Investigations, Strategy + Enforcement (RISE) Practice Group. He helps his clients navigate the complexities involved with multistate attorneys general investigations and enforcement actions, federal agency actions, and accompanying litigation.

Stephen C. Piepgrass

Stephen leads the firm’s Regulatory Investigations, Strategy + Enforcement (RISE) Practice Group. He focuses his practice on enforcement actions, investigations, and litigation. Stephen primarily represents clients engaging with, or being investigated by, state attorneys general and other state or local governmental enforcement bodies, including the CFPB and FTC, as well as clients involved with litigation, with a particular focus on heavily regulated industries. He also has experience advising clients on data and privacy issues, including handling complex investigations into data incidents by state attorneys general and other state and federal regulators. Additionally, Stephen provides strategic counsel to Troutman Pepper’s Strategies clients who need assistance with public policy, advocacy, and government relations strategies.

Sadia Mirza

Sadia leads the firm’s Incidents + Investigations team, advising clients on all aspects of data security and privacy issues. She is the first point of contact when a security incident or data breach is suspected, and plays a central role in her clients’ cybersecurity strategies.

Daniel Waltz

Daniel is a member of the firm’s Regulatory Investigations, Strategy + Enforcement (RISE) Practice Group and State Attorneys General team. He counsels clients in connection with navigating complex government investigations, regulatory compliance, and transactions, involving state and federal government contracting obligations. Drawing on his broad experience as a former assistant attorney general for the state of Illinois, Daniel is a problem solver both inside and outside the courtroom.

Robyn Lin

Robyn is a privacy and data security attorney who focuses on helping clients understand and maintain data compliance.