As Big Data has grown, so too have the data privacy concerns of regulators around the globe, from Europe to California. In 2016, the European Union kicked off the global data privacy movement with its General Data Protection Regulation, or GDPR. GDPR went into effect in May of 2018, and has an exceptionally broad regulatory scope, applying to every company that collects data on European citizens—even companies that don’t do business in the EU but have a website that’s accessed by EU citizens and uses marketing analytics software—and including such basic functions as a web server collecting an IP address to deliver a webpage.
California followed the EU’s lead, passing the California Consumer Privacy Act, or CCPA, in June of 2018. After a hefty amount of amendment and regulatory implementation, CCPA went into effect on January 1, 2020. While not as broad as GDPR in its regulatory scope, it applies to any business that does business in California and thus brought many more American businesses into its scope. It also includes a private right of action for California citizens whose data is not managed as required by CCPA.
Since the passage of CCPA, three other states have followed suit—Virginia, Colorado, and now Utah. Although it didn’t generate much press in the Utah legislature’s 2022 session, the legislature passed the Utah Consumer Privacy Act, or UCPA. The UCPA applies to businesses that (1) do business in the State of Utah (including targeting products or services at Utah citizens), (2) have annual revenues of $25 million or more, and (3) either (a) annually process the data of 100,000 or more consumers (not limited to Utah), or (b) derive 50% or more of their gross revenues from the sale of personal data, and control or process the personal data of 25,000 or more consumers. Like with GDPR and CCPA, “process” is defined broadly, and includes the collection, use, storage, disclosure, analysis, deletion, or modification of personal data—in other words, doing pretty much anything with it.
Like GDPR and CCPA, the Utah Consumer Privacy Act spells out the rights consumers have with respect to their data, including the right to opt out of targeted advertising and the sale of their data. The UCPA also includes obligations for controllers to provide privacy notices to consumers, and for processors to obey the instructions of controllers on behalf of whom they process data.
The Utah Consumer Privacy Act, however, is more business-friendly than GDPR or CCPA. It has no private right of action, but is enforced by the Utah Attorney General in conjunction with the Utah Division of Consumer Protection. Businesses that fail to comply with the UCPA will risk penalties of up to $7,500 per violation, or actual damages to the consumer.
If you think your business will be subject to the Utah Consumer Privacy Act, or if you’d like to bring your business into compliance with GDPR, CCPA, and other privacy regulations springing up across the United States, Strong & Hanni would love to help. Our experienced business and data privacy attorneys in Utah will work with you to examine every facet of your business’s data collection practices and bring them into compliance with a blooming landscape of data privacy regulations. Give us a call today.