Highlights

Covered Entities: Persons or businesses who own or license computerized data that includes personal information concerning a Utah resident.

Consumer Notification: Notification must be provided to any Utah resident whose unencrypted or unprotected personal information has been acquired without authorization and is likely that personal information has been or will be misused for identity theft or fraud purposes.

Regulatory Notification: (eff. May 3, 2023) Notification must be provided to the Attorney General and Utah Cyber Center if personal information relating to 500 or more Utah residents was misused and identity theft or fraud occurred or is reasonably likely to occur.

Notification Timeline: Notification must be provided “in the most expedient time possible without unreasonable delay…”

Data Format: Electronic.

Citations: Utah Code §§ 13-44-101-301, 13-44-202, 12-44-301.

More Details

Definitions:

• Breach: Unauthorized acquisition of computerized data maintained by a person that compromises the security, confidentiality, or integrity of personal information.
• Personal Information (PI):
  • An individual’s first name or first initial and last name, combined with any one or more of the following data elements relating to that person when either the name or data element is unencrypted or not protected by another method that renders the data unreasonable or unusable:
    • Social Security number;
    • Driver’s license number or state identification number; or
    • Financial account, or credit or debit card number, in combination with any required security code, access code, or password that would permit access to the person’s account.
• Medical Information: N/A
• Health Insurance Information: N/A

Safe Harbors:

• Encryption: Notification is not required where the potentially impacted PI was encrypted or protected by another method that renders the data unreadable or unusable.
• Good Faith: Notification is not required where the potentially impacted PI was acquired in good faith by an employee or agent, unless the PI is used for an unlawful purpose or disclosed in an unauthorized manner.
• Risk of Harm: Notification is not required if after a reasonable and prompt investigation, the entity determines that it is unlikely that PI has been or will be misused for identity theft or fraud purposes.
• Law Enforcement Delay: Notification may be delayed if a law enforcement agency determines that the notification will impede a criminal investigation.

Direct Notice:

• Timing: Notification must be provided in the most expedient time possible without unreasonable delay, consistent with measures necessary to determine the scope of the breach and restore the reasonable integrity of the system.
• Format: N/A
• Content: N/A
• Method: Notification may be required in the following ways: (1) in writing by first-class mail to the most recent address the personal has for the resident; (2) electronically, if the person’s primary method of communication with the resident is by electronic means, or if provided in accordance with the consumer disclosure provisions of 15 U.S.C. Section 7001; or (3) by telephone, including through the use of automatic dialing technology not prohibited by other law.

Substitute Notice:

An entity may provide substitute notice if the above notification methods are not feasible for residents of the state. Substitute notice may be provided in a newspaper of general circulation and as required in Section 45-1-101.

Remediation Services:

N/A

Regulatory Notice:

(eff. May 3, 2023) Notification must be provided to the Attorney General and Utah Cyber Center if personal information relating to 500 or more Utah residents was misused and identity theft or fraud occurred or is reasonably likely to occur.

Credit Reporting Agencies Notice:

(eff. May 3, 2023) Notification is required if personal information relating to 1000 or more Utah residents was misused and identity theft or fraud occurred or is reasonably likely to occur.

Third-Party Notice:

A person or entity that maintains computerized data that include PI that the person or entity does not own or license must notify and cooperate with the owner or licensee of the PI of any breach of system security immediately following the person or entity’s discovery of the breach if misuse of the PI occurs or is reasonably likely to occur.

HIPAA:

N/A

Private Action:

The Utah Attorney General may enforce violations. Violators are subject to a civil penalty of:

• No greater than $2,500 for a violation or series of violations concerning a specific consumer; and
• No greater than $100,000 in the aggregate for related violations concerning more than one consumer unless the violation concern:
• 10,000 or more consumers who are residents of the state; and
• 10,000 or more consumers who are residents of other states; or
• The person or entity agrees to settle for a greater amount.

Associated Regulations:

N/A

Utah Consumer Privacy Act (UCPA)

Utah Code Annotated, § 13-2-1 and 13-61-101 – 13-61-404

Highlights

Applicability:

Controllers or Processors that conduct business in Utah or produce or deliver commercial products or services intentionally targeted to Utah residents and that:

• Exceed twenty-five million dollars ($25,000,000) in annual revenue; and
• During a calendar year, control or process personal data of one hundred thousand (100,000) consumers or more; or
• Control or process personal data of twenty-five thousand (25,000) or more consumers and derive more than fifty percent (50%) of gross revenue from personal data sales.

UCPA excludes from its scope certain entities, such as governmental entities or third parties contracted by and acting on behalf of the governmental entity, tribes, financial institutions subject to Title V of the GLBA, covered entities and business associates as defined under HIPAA, non-profits, and institutions of higher education.  In addition, the Act excludes from its scope certain types of information such as information protected by HIPAA, patient identifying information, personal data processed for purpose of certain types of research, information regulated by Health Care Quality Improvement Act of 1986, by Safety and Quality Improvement Act, by the Fair Credit Reporting Act, Drivers Privacy Protection Act, Family Educational Rights and Privacy Act, Farm Credit Act, as well as employment-related data.

Controller and Processor Obligations

Controllers. UCPA Controller duties include obligations to:

• Provide consumers with a reasonably accessible and clear privacy notice that describes among others the categories of Personal Data processed, the purpose for the processing, and whether such data is sold or shared and to whom, how consumers may exercise their individual rights.
• If the Controller sells consumer’s personal data or engages in targeted advertising, it shall provide consumers with secure and reliable means for them to submit a request to exercise their right to opt out of sale of consumer’s data or processing for targeted advertising purposes.
• Establish, implement and maintain reasonable administrative, technical and physical data security procedures and practices commensurate with the nature of the personal data so as to protect the confidentiality, integrity and accessibility of Personal Data and reduce reasonably foreseeable risks of harm to consumers related to the processing of personal data.
• Refrain from processing Sensitive Personal Data without presenting the consumer with a clear notice and an opportunity to opt out of the processing, or if processing data of a known child processing the data in accordance with the federal Child Online Privacy Protection Act (COPPA).
• Not discriminate against a consumer for exercising consumer rights. However, controllers may offer incentives for voluntary participation in promotions.  
• Comply with data consumer requests in a timely and efficient manner and not discriminate against consumers who exercise such rights.
• Establish contractual arrangements with processors and third parties clearly outlining their roles and responsibilities, including: instructions for processing personal data, the nature and purpose of the processing, the type of data subject to processing, the duration of the processing, and the parties' rights and obligations.

Processors. UCPA Processor duties include obligations to:

1. Adhere to the Controller’s instructions.
2. Assist the Controller in meeting their obligations related to security of processing of personal data and breach notification.
3. Before processing any personal data enter a contractual agreement that clearly outlines the obligations of the processor, duties of confidentiality, instructions for the processing of data, and requirements for sub-processing of data.

Consumer Rights:

A Controller must respond without undue delay and within forty-five (45) days (with a 45-day extension if reasonably necessary) to verified consumer requests regarding the processing of Personal Data and Sensitive Personal Data, including consumers’:

• Right to know and access Personal Data;
• Right to request deletion of Personal Data that the consumer provided to the controller;
• Right to obtain Personal Data that the consumer provided to the controller in a format that is generally portable, readily usable, and transmittable;
• Right to opt out of Personal Data sales and targeting advertising.
• Right to non-discrimination for exercising their consumer rights.

If a Controller chooses not to take action on consumer's request, the controller shall within 45 days after the day on which the controller receives the request, inform the consumer of the reasons for not taking action.

More Details

Definitions:

• Consumer: An individual who is a Utah resident acting only in a personal or household context; this definition does not include individuals acting as a job applicant or beneficiary of someone in an employment context.
• Controller: A person doing business in Utah, who alone or jointly with others, determines the purposes and means for processing Personal Data.
• Personal Data: Information linked to or reasonably linkable to an identified or identifiable individual. Personal Data excludes de-identified or aggregate data and publicly available information (defined as information lawfully made available through governmental records, information that a Controller has a reasonable basis to believe the consumer has lawfully made available to the general public, and data the Controller obtains from a person to who, he consumer has disclosed the data without restricting it a specific audience.
• Processor: A person who processes Personal Data on behalf of a Controller.
• Sale of Personal Data: The exchange of Personal Data for monetary consideration by the Controller to a third party.  The sale excludes the following disclosures from this definition: (i) disclosure to a processor for processing on behalf of the Controller; (ii) disclosures to an affiliate of the Controller;  (iii) disclosures to a third party if the purpose is consistent with the consumer’s reasonable expectation; (iv) disclosures made by the Controller upon consumers direction or when they interact with third parties; (v) a consumer’s disclosure of personal data to a third party for purposes of providing a product or service requested; (vi) disclosures that the consumer makes to the general public or does not restrict to specific audience; (vii) a  disclosure or transfer as an asset in a merger or other transaction in which the third party assumes control of all or part of the Controller’s assets.
• Sensitive Personal Data: Personal Data revealing:  racial or ethnic origin, religious beliefs, medical history, mental/physical health condition or diagnosis, sexual orientation, or citizenship/immigration status; genetic and biometric data; and specific geolocation data. Sensitive data excludes personal data that reveals racial or ethnic origin if the data is processed by video communications and if the data regarding a person’s medical history, mental or physical health condition is processed by a healthcare professional licensed under the State Health Care Facility Licensing and Inspection Act.
• Targeted Advertising: Displaying to a consumer advertisement based on Personal Data obtained from consumer’s activities over time and across nonaffiliated websites and applications to predict their interests or preferences.  Excludes:  (i) advertisement based on activities within the Controllers websites/applications or any affiliated websites/applications; (ii) advertisement based on the context of consumers current search query or visit to a website/application; (iii) advertisement directed to the consumer in response to their request; or (iv) Personal Data processed solely for measuring or reporting advertisement performance, reach, or frequency.

Penalties:

The Attorney General has the authority to enforce this Act, and provided that the Controller or Processor has failed to cure a violation within 30 days, the Attorney General may initiate action to recover actual damages to the consumer or seek penalty not exceeding $7,500 per violation.

Private Action:  

No

Associated Regulations:

The Utah Cybersecurity Affirmative Defense Act; Utah Code § 78B-4-701-06. 

Effective Date:

December 31, 2023

Highlights

Covered Entities: Any entity who conducts business in the state of Utah and maintains personal information.

First-Party Security Standard: Any entity who conducts business in the state and maintains personal information shall implement and maintain reasonable procedures to:

• Prevent unlawful use or disclosure of personal information collected or maintained in the regular course of business; and
• Destroy, or arrange for the destruction of, records containing personal information that are not to be retained by the person.

Third-Party Security Standard: N/A

Disposal/Destruction Standard: The destruction of records shall be by shredding, erasing, or otherwise modifying the personal information to make the information indecipherable.

Data Format: Electronic and Paper.

Citations: Utah Code §§ 13-44-101–301

More Details

Definitions:

Personal Information (PI): An individual’s first name / first initial and last name in combination with one (1) or more of the following data elements:

• Social Security number;
• Driver’s license number or state identification card number; or
• Financial account number, or credit or debit card number, and any required security code, access code, or password that would permit access to the person's account.

PI does not include information regardless of its source, contained in federal, state, or local government records or in widely distributed media that are lawfully made available to the general public.

Methods of Compliance:

The statute does not define what constitutes “reasonable security procedures and practices …”

Exclusions:

• Health Care: N/A
• Financial: These requirements do not apply to a financial institution or an affiliate, as defined in 15 U.S.C. Sec. 6809, of a financial institution.
• Other: N/A

Enforcement/Penalties:

The Attorney General may enforce this chapter's provisions. A person who violates this chapter's provisions is subject to a civil penalty of:

• No greater than $2,500 for a violation or series of violations concerning a specific consumer; and
• No greater than $100,000 in the aggregate for related violations concerning more than one consumer, unless
  • The violations concern:
    • 10,000 or more consumers who are residents of the state; and
    • 10,000 or more consumers who are residents of other states; or
  • The person agrees to settle for a greater amount.

An administrative action filed under this chapter shall be commenced no later than 10 years after the day on which the alleged breach of system security last occurred. A civil action under this chapter shall be commenced no later than 5 years after the day on which the alleged breach of system security last occurred.

Associated Regulations:

N/A