Utah recently passed the Utah Consumer Privacy Act, which will go into effect December 31, 2023. Failure to comply could cost businesses up to $7,500 per violation plus the actual damage to the consumer.
Applicability of the law
Utah’s new law applies to any company conducting business or targeting consumers in Utah, so long as the following conditions are met:
- The company’s total annual revenue is at least $25,000,000; and
- The company either (1) collects or processes information for at least 100,000 consumers, or (2) controls or processes the information of 25,000 consumers and also derives over 50% of its annual revenue from the sale of personal data.
The law exempts certain types of businesses from compliance, such as air carriers, governmental entities, tribes, institutions of higher education, nonprofit corporations, or a number of industries that collect information already covered by federal laws, such as the Health Insurance Portability and Accountability Act or the Gramm-Leach-Bliley Act.
Background
The new law provides new rights for consumers and new obligations for companies that collect or process consumer data. Importantly, the law defines consumers as residents of Utah acting in an individual or household context. The definition of consumers does not include those who are acting in an employment or commercial context. The law defines personal data very broadly and essentially means any information that could reasonably be expected to identify a person.
The new law also contains specific requirements for companies that want to collect sensitive data (such as information about an individual’s race or ethnic origin, religious beliefs, sexual orientation, citizenship or immigration status, medical information or treatment information, genetic or biometric data, or specific geolocation data). A company that wants to collect sensitive data must provide consumers with a clear notice that they can opt out of sharing this type of information.
Consumer rights and company obligations
Under the new law, consumers have the following rights:
- The right to confirm whether a company is processing their personal data;
- The right to access the personal data;
- The right to delete their personal data;
- The right to obtain a copy of their personal data in a format that is portable, readily usable, and easily transferable; and
- The right to opt out of targeted advertising or sale of personal data.
To exercise these rights, the consumer must submit a request to the company. A parent, guardian, or conservator may also request the information on a consumer’s behalf. The company generally must respond to a consumer’s request for information within 45 days and let the consumer know what actions have been taken to respond to their request. However, the law also provides for the company to ask for one 45-day extension, so long as it meets certain conditions and complies with certain requirements.
The company may also charge a reasonable fee to process the information in certain situations, such as if it believes the request is unfounded or excessive, if it is a second request made within a 12-month period, or if the company believes the primary purpose is something other than exercising a consumer right.
Importantly, a company may not penalize a consumer for exercising a right by denying service, charging different prices, or providing a different level or quality of service. However, the law does not prohibit companies from offering loyalty or club card programs.
Privacy notice
Companies must publicly post a privacy notice that contains the following information:
- The categories of personal data processed;
- The purposes for which the personal data is processed;
- How consumers may exercise a right;
- The categories of personal data shared with third parties (if any); and
- The categories of third parties with whom the controller shares personal data (if any).
Additionally, if the company sells personal data or engages in targeted advertising, it must clearly inform the consumer that they have a right to opt out of either use of their information. The company must then honor that request.
Interactions with processors
If a company uses a third party to help it process consumer data, it must enter into a contract with that third party. That contract must require the third party to keep information confidential and set forth the processor’s obligations and responsibilities for safeguarding the information and the purpose of processing the information.
Safeguards
The company must establish, implement, and maintain reasonable administrative, technical, and physical data security practices to protect consumer information.
Enforcement
This new law does not allow individuals to directly sue companies for violations. Rather, the state attorney general enforces the law. The attorney general must give companies 30 days to resolve any problems before pursuing any action or issuing any fines.
Next steps
- Review your internal policies and procedures to ensure you have adequate safeguards in place.
- Modify your public privacy policy.
- Ensure you have appropriate agreements in place with those who process information on your behalf.
Do this now, well before lack of compliance becomes an issue.