In this compliance guide, we will discuss the following things that you need to know about this new law:
- Who needs to comply with the Utah Consumer Privacy Act;
- How the law defines personal data;
- The privacy rights provided by this law;
- Penalties for failure to comply.
Who needs to comply with the Utah Consumer Privacy Act
Privacy laws are created to protect individuals, not businesses, and thus can have a very broad application, reaching businesses located outside of the state or country in which the laws were enacted. The Utah Consumer Privacy Act is no exception: it applies to anyone collecting the personal data of Utah residents that does business in Utah or produces a product or service targeted to consumers located in Utah, and that meets one or more of the following criteria:
- Has annual revenue of $25,000,000 or more; and
- Meets one of the following thresholds:
  - During a calendar year, controls or processes the personal data of 100,000 or more Utah residents; or
  - Derives 50% or more of its annual gross revenue from the sale of personal data and controls or processes the personal data of 25,000 or more Utah consumers.
It is important to note that the Utah Consumer Privacy Act exempts nonprofits, meaning that only for-profit businesses will need to comply with this law.
How does the Utah Consumer Privacy Act define personal data?
Since the Utah Consumer Privacy Act applies only to businesses that collect personal data, it is important to define what personal data means under this law. The law defines “personal data” as any information that is linked or reasonably linkable to an identified individual or an identifiable individual. This means that the information commonly collected by business websites such as names, emails, phone numbers, IP addresses or physical addresses would all be considered personal data under this law. If your website collects personal data as defined by this law and meets the criteria above, you will need to comply with this new privacy law.
The privacy rights provided by this new law
The purpose of the Utah Consumer Privacy Act is to protect the privacy of residents of Utah. The law achieves this purpose by providing the following privacy rights to individuals residing in Utah:
- The right to confirm whether a controller is processing the consumer’s personal data;
- The right to access the personal data that a controller holds about an individual;
- The right to delete the personal data;
- The right to obtain a copy of the personal data in a format that is portable, readily usable, and allows the consumer to transmit the data to another controller without impediment (where technically feasible);
- The right to opt out of the processing of personal data for the purpose of targeted advertising;
- The right to opt out of the sale of their personal data.
Upon receipt of a consumer request to exercise their privacy rights, the business must respond to the consumer within 45 days, though this period can be extended by an additional 45 days if needed.
- The categories of personal data that you process;
- The purposes for which you process that personal data;
- How consumers can exercise their privacy rights;
- The categories of personal data that you share with third parties, if any;
- The categories of third parties, if any, with whom you share personal data;
- If you sell personal data or engage in targeted advertising, the manner in which consumers may opt out of such use or sales.
Penalties for failure to comply
The Utah Consumer Privacy Act will go into effect on December 31, 2023, and will be enforced by the Utah Attorney General. Like other privacy laws, this law imposes heavy penalties for non-compliance, up to $7,500 per violation. In this case, "per violation" means per website visitor whose privacy rights you infringed upon, so the penalties can compound into a hefty fine.