Update Applicable to:
All businesses in possession of consumer information in the state of Utah.
On March 24, 2022, Utah Governor Spencer Cox signed Senate Bill 0227, the Utah Consumer Privacy Act (UCPA), into law which will go into effect on December 31, 2023.
What are the details?
In comparison to other state laws, the UCPA’s applicability thresholds are more stringent, requiring controllers or processors to meet three prongs:
- Do business in the state or targeting residents with products/services;
- Have annual revenue of $25 million or more; and
- Data collection, processing, or sale/revenue thresholds.
Practically, this will likely exempt smaller to mid-market organizations with limited revenue but substantial data collection, processing, and/or sale activities, unlike the other state laws.
In comparison, under the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA), covered businesses could meet the revenue requirement or another threshold (e.g., sell/share the personal information of 50,000 or more consumers, OR derive 50% or more of annual revenues from selling consumers’ personal information). The Virginia’s Consumer Data Protection Act (CDPA) and Colorado Privacy Act (CPA) do not have revenue thresholds.
The UCPA establishes the Department of Commerce Division of Consumer Protection (“Division”), which will receive and investigate consumer complaints alleging violations of the UCPA. Depending on the outcome of its investigation, the Division may refer certain cases to the Utah Attorney General (“AG”), who has exclusive authority to enforce the UCPA. The AG may initiate an enforcement action based on the referral against a controller or process that violates the UCPA.
Controllers or processors receiving a notice of violations have a 30-day cure period. After, the AG may initiate an action against a controller or processor for failure to cure the noticed violations or if violations are ongoing. The AG may seek up to $7,500 for each violation.
The UCPA does not provide explicit authority for the AG to issue regulations. Interestingly, it requires the AG and the Division to compile a report by July 1, 2025, that evaluates liability and enforcement provisions and details a summary of data protected (and not) by UCPA. Perhaps this report will spur the need for amendments and regulations, though it remains to be seen whether the legislature will act to empower the AG, Division, or other agency to carry out rulemaking in the meantime.
For more information, please see the links below:
What do employers need to do?
Employers should review the links provided above, revise their privacy policies, and implement any policies that would protect sensitive consumer information.
Need help understanding how changes to employment laws will affect your business?
Learn more about how Vensure's Utah PEO services can help you navigate complex employment laws and keep your business compliant.
This communication is intended solely for the purpose of conveying information. The present post might incorporate hyperlinks directing readers to websites managed by third-party entities. The inclusion of any links within this communication is meant to serve as points of reference and could encompass opinion articles from various law firms, articles from HR associations, official websites, news releases, and documents of government agencies, and other relevant third-party sources. Vensure has no authority over these external websites and bears no responsibility for their content. Furthermore, Vensure does not endorse the materials present on these websites. The contents of this communication should not be interpreted as legal advice or as a legal standpoint concerning specific facts or scenarios. Nor should it be deemed an exhaustive compilation of facts potentially pertinent to federal, state, or local laws. It is strongly advised that employers solicit legal guidance from an employment attorney when undertaking actions in response to any legal updates provided. This is due to the possibility of future alterations occurring in federal, state, and local laws, regulations, as well as the directives and guidelines issued by governing agencies. These changes may transpire at any given time, potentially rendering certain portions of the content within this update void or inaccurate.