Utah Consumer Privacy Act (UCPA)

The UCPA protects the personal data of Utah residents when they act in an individual or household context, for example when browsing the internet or signing up for a retail rewards program.

Is Complying with UCPA Mandatory?

The law applies to entities, including nonprofits, that conduct business in Utah or deliver commercial products or services targeted to residents of Utah; AND either:

  • Have an annual revenue of $25 million or more, and

  • Control or process the personal data of 100,000 or more Utah consumers each year; or

  • Generate fifty percent of their gross revenue through the sale of personal data, and control or process data of 25,000 or more residents in the state.

The law also applies to service providers, contractors, and vendors that manage, maintain, or provide services relating to the data on behalf of these companies.

What are the penalties for not complying with UCPA?

The Utah attorney general is charged with enforcing the UCPA, and the Division of Consumer Protection oversees consumer complaints. If a business is found to be in violation of the law, the attorney general will provide written notice and a 30-day cure period, as described above.

If a controller or processor fails to cure the violation, the attorney general can fine the organization for actual damages and up to $7,500 per violation. Since each instance of improper use of personal data counts as a violation, penalties can become very steep very quickly.