A Legal Guide to PRIVACY AND DATA SECURITY 2024

Utah

The definitions included in the Utah Consumer Privacy Act (UCPA) are similar to those in Colorado and Virginia. The law applies to businesses that are either a “processor” or a “controller” of personal data, borrowing terminology from the European Union’s General Data Protection Regulation (“GDPR”). Unlike either the GDPR or the Colorado and Virginia laws, however, fewer businesses are covered by the UCPA even if they otherwise would qualify as a “controller” and/or “processor.” Only businesses that have an annual revenue of $25 million or more and reach certain data-level thresholds are covered by the UCPA. A business can reach these thresholds either by controlling/processing the personal data of 100,000 or more consumers per year, or by both deriving over 50% of its gross revenue from the sale of personal data and controlling/processing the data of 25,000 or more customers. A business that processes/controls the personal data of between 25,000 and 99,999 consumers per year, covered under the Colorado data privacy law, would be exempt from the UCPA unless it also has revenue of $25 million or more per year, over 50% of which is derived from controlling/processing personal data.

The enforcement mechanism of the UCPA is different than other state privacy statutes. The Division of Consumer Protection (“DCP”) (contained within the Utah Department of Commerce) has the power to investigate any consumer complaints about potential violations of the law. After investigation, if the Division of Consumer Protection deems the claim legitimate, then it must refer the matter to the Utah Attorney General. The Attorney General’s office then conducts a second review, and may either concur with the findings of the DCP or dismiss the consumer’s complaint as lacking merit.
Although this might lead to a protracted review process, the existence of two levels within the UCPA’s enforcement mechanism might also lead to fewer complaints in which a violation is determined to have occurred. The UCPA does not create a private cause of action. The UCPA became effective December 31, 2023.
