Utah has just become the fourth state to pass an omnibus consumer privacy law. The Utah Consumer Privacy Act (“UCPA”) was signed into law on March 24, 2022. 

UCPA is modeled after Virginia’s Consumer Data Protection Act (“VCDPA”), but has key differences. The effective date is December 31, 2023. We will follow up with more information as the effective date draws closer, but here are a few key points: 

Who Is Protected? 

UCPA protects the data of Utah residents in their individual or household capacity. It specifically exempts individuals acting in a commercial or employment context (i.e., B2B or employee data). 

Who Is Regulated? 

UCPA regulates “controllers” or “processors” that conduct business in Utah or produce a product or service that is targeted to Utah residents, have an annual revenue of $25 million or more, and either (i) control or process personal data of 100,000 or more Utah residents in a calendar year; or (ii) derive over 50% of their gross revenue from the sale of personal data and control or process personal data of 25,000 or more Utah residents. 

How Will UCPA Be Enforced? 

Similar to the new Colorado Privacy Act (“CPA”) and VCDPA, UCPA does not include a private right of action. The Attorney General has the exclusive authority to enforce the UCPA. UCPA creates the Division of Consumer Protection that will establish and administer a system to receive complaints regarding violations of the UCPA. The Division will consult and assist the Attorney General in enforcement. The cure period is 30 days and does not sunset, unlike the cure period in the California Consumer Privacy Act (“CCPA”) and the CPA. 

What is a “Sale?” 

Like the VCDPA, UCPA narrows the definition of “sale” and does not include “other monetary consideration.” Additionally, the UCPA exempts a controller’s disclosure of personal data to a third party if the purpose of the disclosure is consistent with a consumer’s reasonable expectations. This exemption is not found in the other state privacy laws. 

What are the Penalties? 

If a controller or processor does not cure within the cure period or continues to violate the UCPA after curing and sending the required written statement that the violation has been cured, the Attorney General may recover actual damages to the consumer and up to $7,500 for each violation.