March 2024

1. Governing Texts

The Utah State Governor signed, on 24 March 2022, Senate Bill 227 for the Consumer Privacy Act ('UCPA'), making Utah the fourth US State to enact comprehensive privacy legislation. The UCPA establishes consumers' rights around access, deletion, portability, and provides for the right to opt-out of targeted advertising and sale of personal data, while also establishing various controller and processor obligations, privacy notice requirements, and granting the Utah Attorney General ('AG') exclusive authority to enforce its provisions.

The UCPA entered into effect on 31 December 2023.

1.1. Key acts, regulations, directives, bills

The UCPA regulates privacy and data protection matters in Utah. In addition, the following legislation provides further requirements for data protection:

• Senate Bill 127 for the Cybersecurity Amendments ('the Cybersecurity Amendments') (signed into law on 23 March 2023);
• Senate Bill 152 for the Social Media Regulation Amendments (enters into effect 31 December 2023) ('the Social Media Regulations');
• Senate Bill 226 for the Electronic Information or Data Privacy Act Amendments (signed into law on 23 March 2023);
• Senate Bill 215 for Motor Vehicle Consumer Data Protection (signed into law on 13 March 2024) ('Motor Vehicle Consumer Data Protection Amendments');
• Senate Bill 194 for the Social Media Regulation Amendments (signed into law on 13 March 2024) ('Utah Minor Protection in Social Media Act');
• House Bill 427 on Access to Protected Health Information (signed into law on 14 March 2024);
• Senate Bill 131 for the Information Technology Act Amendments (signed into law on 13 March 2024);
• Senate Bill 149 for the Artificial Intelligence Policy Act (signed into law on 13 March 2024);
• House Bill 491 for the Government Data Privacy Act (signed into law on 19 March 2024); and
• Senate Bill 98 on Online Data Security and Privacy Amendments (signed into law on 19 March 2024) ('the Data Security Amendments').

1.2. Guidelines

The AG has not yet issued any guidance.

1.3. Case law

Not applicable.

2. Scope of Application

2.1. Personal scope

The UCPA applies to (§13-61-102(1) of the UCPA):

• any controller or processor who:
  • conducts business in the state; or 
  • produces a product or service that is targeted to consumers who are residents of the state; 
• any controller or processor who: 
  • has annual revenue of $25,000,000 or more; and 
  • satisfies one or more of the following thresholds:
    • during a calendar year, controls, or processes personal data of 100,000 or more consumers; or 
    • derives over 50% of the entity's gross revenue from the sale of personal data and controls or processes personal data of 25,000 or more consumers.

However, the UCPA does not apply to, among others (§13-61-102(2) of the UCPA):

• a governmental entity or a third party under contract with a governmental entity when the third party is acting on behalf of the governmental entity; 
• a tribe; 
• an institution of higher education; 
• a nonprofit corporation; 
• a covered entity; or
• a business associate.

2.2. Territorial scope

The UCPA applies to controllers or processors who conduct business in the State of Utah, or produce a product or service that is targeted to consumers who are residents of Utah (§13-61-102(1) of the UCPA).

2.3. Material scope

The UCPA applies to the personal data of individuals, which is defined as information that is linked or reasonably linkable to an identified individual or an identifiable individual (§13-61-101(24)(a) of the UCPA).

The UCPA does not apply to, among other things, protected health information, patient identifying information, identifiable private information, deidentified information, or identifiable private information or personal data collected as part of human subjects research pursuant to federal and international laws and requirements (§13-61-102).

3. Data Protection Authority | Regulatory Authority

3.1. Main regulator for data protection

The AG is the regulator of the UCPA in Utah.

In addition, the UCPA provides the Division of Consumer Protection within the Utah Department of Commerce with certain assistance powers to the AG.

3.2. Main powers, duties and responsibilities

The AG has the exclusive authority to enforce the UCPA (§13-61-402(1) of the UCPA). In addition, and upon referral from the Division of Consumer Protection, the AG may initiate an enforcement action against a controller or processor for a violation of the UCPA (§13-61-402(2) of the UCPA). However, the UCPA provides that at least 30 days before the day on which the AG initiates an enforcement action, the AG must provide written notice identifying the violations alleged, and an explanation of the basis for each allegation, and may then initiate an action where a violation is not cured within this 30-day cure period (§13-61-402(3) of the UCPA).

The UCPA grants the Division of Consumer Protection with investigative powers, and requires it to establish and administer a system to receive consumer complaints regarding a controller's or processor's alleged violation of the UCPA (§13-61-401(1) of the UCPA). Additionally, the Division of Consumer Protection may investigate a consumer complaint to determine whether the controller or processor violated or is violating the UCPA, and if it determines that there is reasonable cause to believe that substantial evidence exists for a violation of the UCPA, the matter should be referred to the AG (§13-61-401(2)(a) and (b) of the UCPA). The Division of Consumer Protection is also authorised to, upon request, provide consultation and assistance to the AG in enforcing the UCPA (§13-61-401(2)(c) of the UCPA).

Moreover, the UCPA provides that the AG and the Division of Consumer Protection must compile a report which: 

• evaluates the liability and enforcement provisions of the UCPA, including the AG's and the Division of Consumer Protection's enforcement effectiveness; and 
• summarises the data protected and not protected by the UCPA including, with reasonable detail, a list of the types of information that are publicly available from local, state, and federal government sources.

4. Key Definitions

Data controller: A person doing business in Utah who determines the purposes for which and the means by which personal data are processed, regardless of whether the person makes the determination alone or with others (§13-61-101(12) of the UCPA).

Data processor: A person who processes personal data on behalf of a controller (§13-61-101(26) of the UCPA).

In addition, the UCPA provides, in relation to the concepts of 'data controller' and 'data processor', that determining whether a person is acting as a controller or processor with respect to a specific processing of data is a fact-based determination that depends upon the context in which personal data are to be processed (§13-61-301(3)(a) of the UCPA).

Personal data: Information that is linked or reasonably linkable to an identified individual or an identifiable individual (§13-61-101(24)(a) of the UCPA). 'Personal data' does not include de-identified data, aggregated data, or publicly available information (§13-61-101(24)(b) of the UCPA).

Sensitive data: 'Sensitive data' is defined as (§13-61-101(32)(a) of the UCPA):

• personal data that reveals: 
  • racial or ethnic origin; 
  • religious beliefs; 
  • sexual orientation; 
  • citizenship or immigration status; or 
  • information regarding an individual's medical history, mental or physical health condition, or medical treatment or diagnosis by a health care professional; 
• the processing of genetic personal data or biometric data, if the processing is for the purpose of identifying a specific individual; or 
• specific geolocation data. 

'Sensitive data' does not include personal data that reveals an individual's (§13-61-101(32)(b) of the UCPA): 

• racial or ethnic origin, if the personal data are processed by a video communication service; or 
• if the personal data are processed by a person licensed to provide health care under applicable laws with respect to information regarding medical history, mental or physical health condition, or medical treatment or diagnosis by a health care professional.

Health data: The UCPA does not expressly define 'health data', but instead refers to 'protected health information' as defined under §160.103 of the General Administrative Requirements of Subpart A, Part 160, Subchapter C, Subtitle A of Title 45 of the Code of Federal Regulations. As such, 'protected health information' is defined as individually identifiable health information that is:

• transmitted by electronic media; 
• maintained in electronic media; or
• transmitted or maintained in any other form or medium. 

'Individually identifiable health information' is defined as information that is a subset of health information, including demographic information collected from an individual, and: 

• is created or received by a health care provider, health plan, employer, or health care clearinghouse; and 
• relates to the past, present, or future physical or mental health or condition of an individual, the provision of health care to an individual, or the past, present, or future payment for the provision of health care to an individual; and 
  • that identifies the individual; or 
  • with respect to which there is a reasonable basis to believe the information can be used to identify the individual.

Biometric data: Data that is generated by automatic measurements of an individual's unique biological characteristics (§13-61-101(6)(a) of the UCPA), specifically, data that are generated by automatic measurements of an individual's fingerprint, voiceprint, eye retinas, irises, or any other unique biological pattern or characteristic that is used to identify a specific individual (§13-61-101(6)(b) of the UCPA). 

'Biometric data' does not however include (§13-61-101(6)(c) of the UCPA):

• a physical or digital photograph; 
• a video or audio recording; 
• data generated from a physical or digital photograph or a video or audio recording;
• information captured from a patient in a health care setting; or 
• information collected, used, or stored for treatment, payment, or health care operations as defined under applicable federal law.

Pseudonymisation: The UCPA does not define 'pseudonymization' but instead defines 'pseudonymous data' as personal data that cannot be attributed to a specific individual without the use of additional information, if the additional information is (§13-61-101(28) of the UCPA): 

• kept separate from the consumer's personal data; and 
• subject to appropriate technical and organizational measures to ensure that the personal data are not attributable to an identified individual or an identifiable individual.

Data Subject: The UCPA does not expressly define 'data subject', but instead refers to 'consumers' which is defined as an individual who is a resident of Utah and is acting in an individual or household context (§13-61-101(10)(a) of the UCPA). However, 'consumer' does not include an individual acting in an employment or commercial context (§13-61-101(10)(b) of the UCPA).

5. Legal Bases

5.1. Consent

The UCPA defines 'consent' as an affirmative act by a consumer that unambiguously indicates their voluntary and informed agreement to allow a person to process personal data related to them (§13-61-101(9) of the UCPA).

The UCPA also notes that controllers are deemed to be in compliance with any obligation to obtain parental consent under the UCPA if they comply with the verifiable parental consent mechanisms under the Children's Online Privacy Protection Act of 1998 ('COPPA') and its implementing regulations and exemptions (§13-61-102(3) of the UCPA).

5.2. Contract with the data subject

The UCPA provides that its requirements do not restrict a controller or processor's ability to perform a contract to which the consumer or the parent or legal guardian of a child is a party, including fulfilling the terms of a written warranty or taking steps at the request of the consumer, parent, or legal guardian before entering into the contract with the consumer (§13-61-304(1)(f) of the UCPA).

Moreover, the UCPA's requirements do not restrict a controller or processor's ability to process personal data to perform an internal operation that is reasonably aligned with the consumer's expectations based on their existing relationship with the controller, or otherwise compatible with processing to aid the controller or processor in providing a product or service specifically requested by a consumer, parent, or legal guardian of a child or the performance of a contract to which they are a party (§13-61-304(1)(m) of the UCPA).

5.3. Legal obligations

The UCPA provides that its requirements do not restrict a controller or processor's ability to (§13-61-304(1)(a) to (d) of the UCPA):

• comply with a federal, state, or local law, rule, or regulation; 
• comply with a civil, criminal, or regulatory inquiry, investigation, subpoena, or summons by a federal, state, local, or other governmental entity; 
• cooperate with a law enforcement agency concerning activity that the controller or processor reasonably and in good faith believes may violate federal, state, or local laws, rules, or regulations; or
• investigate, establish, exercise, prepare for, or defend a legal claim.

5.4. Interests of the data subject

The UCPA states that it does not apply if a controller's or processor's compliance with the UCPA adversely affects the privacy or other rights of any person (§13-61-304(2)(c) of the UCPA).

Moreover, any provision of a contract that purports to waive or limit a consumer's right under the UCPA is void (§13-61-302(6) of the UCPA). Additionally, the UCPA provides that its requirements do not restrict a controller or processor's ability to take immediate steps to protect an interest that is essential for the life or physical safety of the consumer or of another individual (§13-61-304(1)(g) of the UCPA).

5.5. Public interest

The UCPA provides that its requirements do not restrict a controller or processor's ability to take immediate steps to protect an interest that is essential for the life or physical safety of the consumer or of another individual (§13-61-304(1)(g) of the UCPA).

5.6. Legitimate interests of the data controller

The UCPA provides that its requirements do not restrict a controller or processor's ability to detect, prevent, protect against, or respond to a security incident, identity theft, fraud, harassment, malicious or deceptive activity, or any illegal activity, or to investigate, report, or prosecute a person responsible for any of the aforementioned actions (§13-61-304(1)(h) of the UCPA).

5.7. Legal bases in other instances

The UCPA states that it does not apply if a controller's or processor's compliance with the UCPA violates an evidentiary privilege under Utah law, or as part of a privileged communication, prevents a controller or processor from providing personal data concerning a consumer to a person covered by an evidentiary privilege under Utah law (§13-61-304(2)(a) and (b) of the UCPA).

6. Principles

The UCPA provides for various data protection principles through their incorporation into legal provisions and requirements for controllers.

In this respect, §13-61-302(1)(a) of the UCPA relates to the principle of transparency and requires controllers to provide consumers with a reasonably accessible and clear privacy notice.

Additionally, §13-61-302(5)(a) of the UCPA relates to the principle of purpose limitation and data minimization, providing that a controller is not required to provide a product, service, or functionality to a consumer if, among other things, the consumer's personal data are or the processing of the consumer's personal data is reasonably necessary for the controller to provide the consumer the product, service, or functionality.

The UCPA also refers to the principle of confidentiality, by requiring that a controller establishes, implements, and maintains reasonable administrative, technical, and physical data security practices designed to, among others, protect the confidentiality and integrity of personal data (§13-61-302(2)(a)(i) of the UCPA).

7. Controller and Processor Obligations

7.1. Data processing notification

The UCPA does not expressly provide for data processing notification requirements.

7.2. Data transfers

The UCPA does not specifically address data transfers but defines the sale, sell, or sold as the exchange of personal data for monetary consideration by a controller to a third party. Importantly, the bill confirms that sale, sell, or sold does not include:

• a controller's disclosure of personal data to a processor who processes the personal data on behalf of the controller;
• a controller's disclosure of personal data to an affiliate of the controller;
• considering the context in which the consumer provided the personal data to the controller, a controller's disclosure of personal data to a third party if the purpose is consistent with a consumer's reasonable expectations;
• the disclosure or transfer of personal data when a consumer directs a controller to:
  • disclose the personal data; or
  • interact with one or more third parties;
• a consumer's disclosure of personal data to a third party for the purpose of providing a product or service requested by the consumer or a parent or legal guardian of a child;
• the disclosure of information that the consumer:
  • intentionally makes available to the general public via a channel of mass media;
  • does not restrict to a specific audience; or
• a controller's transfer of personal data to a third party as an asset that is part of a proposed or actual merger, an acquisition, or a bankruptcy in which the third party assumes control of all or part of the controller's assets.

7.3. Data processing records

The UCPA does not expressly provide for record-keeping requirements.

7.4. Data protection impact assessment

The UCPA does not expressly provide for data protection or privacy impact assessment requirements.

7.5. Data protection officer appointment

The UCPA does not expressly provide for data protection officer appointment requirements.

7.6. Data breach notification

The UCPA itself does not provide for breach notification requirements. Under, §13-61-301(1)(b) of the UCPA, processors are required to assist the controller in meeting their obligations, including obligations related to the security of processing personal data and notification of a breach of security system under the Protection of Personal Information Act, under §13-44-101 et seq. of Chapter 44 of Title 13 of the Utah Code.

The Data Security Amendments define a 'data breach' under §63A-16-1101 of the Utah Code as 'the unauthorized access, acquisition, disclosure, loss of access, or destruction of:

• personal data; or
• data that compromises the security, confidentiality, availability, or integrity of the computer systems used or information maintained by the governmental entity.'

Notably, the Cybersecurity Amendments have added additional breach notification requirements to the AG and the Utah Cyber Center, the latter of which was created under the Cybersecurity Amendments.

The Data Security Amendments provide that persons providing notification under §13-44-202(1)(c) of the Utah Code must include the following information in the notification to the Utah Cyber Center Office of the AG or, to the extent the information is known or available at the time the person provides the notification:

• the date of the breach of system security affected;
• the date the breach of system security was discovered;
• the total number of people affected by the breach of system security, including the total number of Utah residents affected;
• the type of personal information involved in the breach of system security; and
• a short description of the breach of system security that occurred.

7.7. Data retention

Not applicable.

7.8. Children's data

Under §13-61-102(3) of the UCPA, a controller is in compliance with any obligation to obtain parental consent under the UCPA if they comply with the verifiable parental consent mechanisms under the COPPA.

In the case of processing personal data concerning a known child, the parent or legal guardian of the known child will have the authority to exercise a right on the child's behalf (§13-61-202(2) of the UCPA).

In addition, the Social Media Regulations provide obligations on social media companies requiring them to (§13-63-102(1) of the Social Media Regulations):

• verify the age of an existing or new Utah account holder;
• obtain the consent of a parent or guardian before a Utah resident under the age of 18 may maintain or open an account; and
• prohibit a person to open an account if that person does not meet age requirements under state or federal law.

The Utah Minor Protection in Social Media Act defines an 'age verification system ' as 'measures reasonably calculated to enable a social media company to identify whether a user is a minor with an accuracy rate of at least 95%.'

While 'verifiable parental consent' is defined under the Utah Minor Protection Act as 'authorization from a parent for a social media service to collect, use, and disclose personal information of a Utah minor account holder, that complies with the following verifiability requirements:

(a) the social media service shall provide advance notice to the parent describing information practices related to the minor account holder's personal information;

(b) the social media service shall receive confirmation that the parent received the notice described in Subsection (17)(a).'

Social media companies must, pursuant to the Utah Minor Protection in Social Media Act, for Utah minor account holders:

• set default privacy settings to prioritize maximum privacy, including settings that:
  • restrict the visibility of a minor's account to only connected accounts;
  • limit the account holder's ability to share content to only connected accounts;
  • restrict any data collection and sale of data from a minor's account that is not required for core functioning of the social media service;
  • disable search engine indexing;
  • restrict a minor account's direct messaging capabilities to only direct messaging to connected accounts; and
  • allow a minor account to download a file with all information associated with the minor's account;
• implement and maintain reasonable security measures, including data encryption, to protect the confidentiality, security, and integrity of personal information collected from a minor's account;
• provide an easily accessible and understandable notice that:
  • describes any information the social media company collects from a minor's account; and
  • explains how the information may be used or disclosed;
• upon request of a minor:
  • delete the personal information of the minor's account, unless the information is required to be retained; and
  • remove any information or material the minor made publicly available through the social media service; and
• disable the following features that prolong user engagement:
  • autoplay functions;
  • scroll or pagination; and
  • except for direct messages from connected accounts, push notifications prompting repeated user engagement.

In addition, social media companies may not allow Utah minor account holders to change their default privacy settings without obtaining verifiable parental consent. The terms of service of social media companies must be presumed to include an assurance of confidentiality for the Utah minor account holder's personal information.

7.9. Special categories of personal data

Under §13-61-302(3) of the UCPA, and except as otherwise provided in the UCPA, a controller may not process sensitive data collected from a consumer without first presenting the consumer with clear notice and an opportunity to opt out of the processing, or in the case of the processing of personal data concerning a known child, processing the data in accordance with the COPPA and its implementing regulations and exemptions.

7.10. Controller and processor contracts

The UCPA requires a contract to be in place between controllers and processors as well as subcontractors. Specifically, §13-61-301(2) of the UCPA provides that before a processor performs processing on behalf of a controller, they must enter into a contract that: 

• clearly sets forth: 
  • instructions for processing personal data;
  • the nature and purpose of the processing; 
  • the type of data subject to processing; 
  • the duration of the processing; and 
  • the parties' rights and obligations; 
• requires the processor to ensure each person processing personal data is subject to a duty of confidentiality with respect to the personal data; and 
• requires the processor to engage any subcontractor pursuant to a written contract that requires the subcontractor to meet the same obligations as the processor with respect to personal data.

The Motor Vehicle Consumer Data Protection Amendments outline specific requirements for vendor management for the automotive sector.

8. Data Subject Rights

A controller may not discriminate against a consumer for exercising a right by §13-61-302(4)(a):

• denying a good or service to the consumer;
• charging the consumer a different price or rate for a good or service; or
• providing the consumer with a different level of quality of a good or service.

However, this does not prohibit a controller from offering a different price, rate, level, quality, or selection of a good or service to a consumer, including offering a good or service for no fee or at a discount, if §13-61-302(4)(b):

• the consumer has opted out of targeted advertising; or
• the offer is related to the consumer's voluntary participation in a bona fide loyalty, rewards, premium features, discounts, or club card program.

8.1. Right to be informed

Under §13-61-201(1)(a) of the UCPA, consumers have the right to confirm whether a controller is processing the consumer's personal data. Additionally, controllers are required to provide consumers with a reasonably accessible and clear privacy notice and inform them of (§13-61-302(1)(a) of the UCPA):

• the categories of personal data processed by the controller; 
• the purposes for which the categories of personal data are processed; 
• how consumers may exercise a right; 
• the categories of personal data that the controller shares with third parties, if any; and 
• the categories of third parties, if any, with whom the controller shares personal data.

8.2. Right to access

Under §13-61-201(1)(b) of the UCPA, consumers have the right to access their personal data.

8.3. Right to rectification

The UCPA does not expressly refer to a right to rectify personal data.

8.4. Right to erasure

Under §13-61-201(2) of the UCPA, consumers have the right to delete their personal data.

8.5. Right to object/opt-out

Under §13-61-201(4) of the UCPA, consumers have the right to opt out of the processing of their personal data for purposes of targeted advertising or the sale of personal data.

8.6. Right to data portability

Under §13-61-201(3) of the UCPA, consumers have the right to obtain a copy of their personal data in a format that:

• to the extent technically feasible, is portable; 
• to the extent practicable, is readily usable; and 
• allows the consumer to transmit the data to another controller without impediment, where the processing is carried out by automated means.

8.7. Right not to be subject to automated decision-making

The UCPA does not expressly provide for a right not to be subject to automated decision-making.

8.8. Other rights

Not applicable.

9. Penalties

The UCPA provides for the possibility of the AG to recover actual damages to the consumer, and for each violation an amount not to exceed $7,500 (§13-61-402(3)(d) of the UCPA).

All money that is received from an action under the UCPA is to be deposited into the Consumer Privacy Account (§13-61-402(4) of the UCPA, in conjunction with §13-61-403 of the UCPA).

9.1 Enforcement decisions

Not applicable.