On March 25, 2022, Utah became the sixth state to enact a comprehensive privacy law, the Utah Consumer Privacy Act. This law provides new consumer privacy rights to residents of Utah and imposes various privacy obligations upon certain businesses, such as the requirement to have a comprehensive Privacy Policy. This law goes into effect on December 31, 2023, and businesses that need to comply with this law should start preparations now to ensure that they are ready before the effective date.
In this compliance guide, we will discuss the following things that you need to know about this new law:
- Who needs to comply with the Utah Consumer Privacy Act;
- How the law defines personal data;
- The privacy rights provided by this law;
- The Privacy Policy requirements of the Utah Consumer Privacy Act; and
- Penalties for failure to comply.
Who needs to comply with the Utah Consumer Privacy Act
Privacy laws are created to protect individuals and not businesses and thus can have a very broad application, applying to businesses located outside of the state or country in which the laws were enacted. The Utah Consumer Privacy Act is no exception, as it applies to anyone collecting the personal data of Utah residents that does business in Utah or that produces a product or service that is targeted to consumers located in Utah, and that meets one or more of the following criteria:
- Has annual revenue of $25,000,000 or more; and
- Meets one of the following thresholds:
  - During a calendar year, controls or processes the personal data of 100,000 or more Utah residents; or
  - Derives 50% or more of its annual gross revenue from the sale of personal data and controls or processes the personal data of 25,000 or more Utah consumers.
It is important to note that the Utah Consumer Privacy Act exempts nonprofits, meaning that only for-profit businesses will need to comply with this law.
How does the Utah Consumer Privacy Act define personal data?
Since the Utah Consumer Privacy Act applies only to businesses that collect personal data, it is important to define what personal data means under this law. The law defines “personal data” as any information that is linked or reasonably linkable to an identified individual or an identifiable individual. This means that the information commonly collected by business websites such as names, emails, phone numbers, IP addresses or physical addresses would all be considered personal data under this law. If your website collects personal data as defined by this law and meets the criteria above, you will need to comply with this new privacy law.
The privacy rights provided by this new law
The purpose of the Utah Consumer Privacy Act is to protect the privacy of residents of Utah. The law achieves this purpose by providing the following privacy rights to individuals residing in Utah:
- The right to confirm whether a controller is processing the consumer’s personal data;
- The right to access the personal data that a controller holds about an individual;
- The right to delete the personal data;
- The right to obtain a copy of the personal data in a format that is portable, readily usable, and allows the consumer to transmit the data to another controller without impediment (where technically feasible);
- The right to opt out of the processing of personal data for the purpose of targeted advertising;
- The right to opt out of the sale of their personal data.
Upon receipt of a consumer request to exercise their privacy rights, the business must respond to the consumer within 45 days, though this period can be extended by an additional 45 days if needed.
Privacy Policy requirements of the Utah Consumer Privacy Act
If this law applies to you, you will be required to post a Privacy Policy that includes the following disclosures:
- The categories of personal data that you process;
- The purposes for which you process that personal data;
- How consumers can exercise their privacy rights;
- The categories of personal data that you share with third parties, if any;
- The categories of third parties, if any, with whom you share personal data;
- If you sell personal data or engage in targeted advertising, the manner in which consumers may opt out of such use or sales.
If the Utah Consumer Privacy Act applies to you, consider using Termageddon’s Privacy Policy generator, which will automatically update your Privacy Policy with newly required disclosures under this law.
Penalties for failure to comply
The Utah Consumer Privacy Act will go into effect on December 31, 2023 and will be enforced by the Utah Attorney General. Like other privacy laws, this law imposes heavy penalties for non-compliance, up to $7,500 per violation. In this case, per violation means per website visitor whose privacy rights you infringed upon, meaning that the penalties can compound to a hefty fine.
Termageddon is currently tracking this new privacy law and will track any developments, including amendments to the law and Attorney General guidelines as to how to comply with this law. Prior to the law taking effect, if you have a Termageddon account, your policies will be updated with the newly required disclosures under this law if the law applies to you. If you do not currently have a Privacy Policy or do not have a strategy to keep it up to date with changes such as this one, make sure to check out Termageddon’s Privacy Policy generator.