InfoBytes Blog

Utah becomes fourth state to enact comprehensive privacy legislation

On March 24, the Utah governor enacted the Utah Consumer Privacy Act (UCPA), which establishes a framework for controlling and processing consumers’ personal data in the state. Utah is now the fourth state in the nation to enact comprehensive consumer privacy measures, following California, Colorado, and Virginia (covered by Buckley Special Alerts here and here and InfoBytes here). As previously covered by InfoBytes, under the UCPA, consumers will have rights to, among other things (i) confirm whether their personal data is being processed and access their data; (ii) delete their data; (iii) obtain a copy of their previously provided data; and (iv) opt out of the processing of their data for targeted advertising and the sale of their data. The UCPA also outlines data controller responsibilities, including a requirement that data processors must adhere to a controller’s instructions and enter into a contract with clearly specified instructions for processing personal data. The UCPA also requires controllers to provide privacy notices to consumers disclosing certain information regarding data collection and sharing practices. While the UCPA explicitly prohibits its use as the basis for a private right of action, it does grant the state attorney general excusive authority to enforce the law and seek penalties of up to $7,500 per violation. Additionally, upon discovering a potential violation of the UCPA, the attorney general must give the controller or processor written notice and 30 days to cure the alleged violation before the attorney general can file suit. The UCPA takes effect December 31, 2023.

Privacy/Cyber Risk & Data Security State Issues State Legislation Utah Consumer Protection

Utah legislature passes privacy bill

Recently, the Utah legislature passed SB 227, which would enact the Utah Consumer Privacy Act and establish a framework for controlling and processing consumers’ personal data in the state. (See also senate and house approved amendments here.) Highlights of the bill include:

• Applicability. The bill will apply to a controller that conducts business in the state or produces products or services for consumer residents that also “has annual revenue of $25,000,000 or more” and “controls or processes personal data of 100,000 or more consumers” or “derives over 50% of the entity’s gross revenue from the sale of personal data and controls or processes personal data of 25,000 or more consumers.” Certain entities are exempt from the bill’s requirements, including governmental entities and third parties under contract with a governmental entity that acts on behalf of that entity; tribes; institutions of higher education; nonprofits; certain types of health information subject to federal health privacy laws; consumer reporting agencies, furnishers, and consumer report users of information involving personal data bearing on a consumer’s credit; financial institutions and affiliates subject to federal privacy disclosure requirements; personal data regulated by certain federal regulations; and air carriers. Additionally, a controller will be considered to be in compliance with the bill’s parental consent obligations provided it complies with verifiable parental consent mechanisms under the Children’s Online Privacy Protection Act.
• Consumer rights. Under the bill, consumers will be able to, among other things (i) confirm whether their personal data is being processed and access their data; (ii) delete their data; (iii) obtain a copy of their previously provided data; and (iv) opt out of the processing of their data for targeted advertising and the sale of their data.
• Controllers’ and processors’ responsibilities. Under the bill, data controllers will be responsible for responding to consumers’ requests within 45 days (an additional 45-day extension may be requested under certain circumstances). Responses to consumers’ requests must be provided free of charge, “unless the request is the consumer’s second or subsequent request during the same 12-month period.” Data processors must adhere to a controller’s instructions and enter into a contract with clearly specified instructions for processing personal data. The bill also requires controllers to provide privacy notices to consumers disclosing certain information regarding data collection and sharing practices (including sharing with third parties), and if the controller sells a consumer’s personal data to third parties or engages in targeted advertising, the controller must disclose how consumers may exercise their rights under the bill. Controllers also will be prohibited from processing sensitive personal data without first presenting a consumer with the opportunity to opt out. The bill further specifies requirements for processing deidentified data or pseudonymous data.
• Private right of action and state attorney general enforcement. The bill explicitly prohibits a private right of action. Instead, it gives the Division of Consumer Protection investigative power and grants the state attorney general excusive authority to enforce the law and seek penalties of up to $7,500 per violation. The attorney general may also recover reasonable investigation and litigation expenses.
• Right to cure. Upon discovering a potential violation of the bill, the attorney general must give the controller or processor written notice. The controller or processor then has 30 days to cure the alleged violation before the attorney general can file suit.

If enacted in its current form, the bill would take effect December 31, 2023. 

Privacy/Cyber Risk & Data Security State Issues State Legislation Consumer Protection Utah

FTC hits investment scheme with $111 million judgment

On February 16, the FTC and the Utah Division of Consumer Protection reached a settlement in an action taken against a Utah-based company and its affiliates (collectively, “defendants”) for allegedly using deceptive marketing to persuade consumers to attend real estate events costing thousands of dollars. As previously covered by InfoBytes, the FTC and the Utah Division of Consumer Protection claimed that the defendants violated the FTC Act, the Consumer Review Fairness Act (CRFA), and Utah state law by marketing real estate events with false claims and using celebrity endorsements. The defendants allegedly promised consumers they would (i) earn thousands of dollars in profits from real estate investment “flips” by using the defendants’ products; (ii) receive 100 percent funding for their real estate investments, regardless of credit history; and (iii) receive a full refund if they do not make “a minimum of three times” the price of the workshop within six months. Additionally, consumers who received refunds were allegedly required to sign agreements preventing them from speaking with the FTC, state attorneys general, and other regulators; submitting complaints to the Better Business Bureau; or posting negative reviews. Under the terms of the settlement, the defendants are, among other things, permanently banned from marketing or selling any real estate or business coaching programs, and are restrained from making misleading earnings claims or misrepresenting any material aspect of the performance or nature of goods or services that are the subject of a sales offer. Additionally, the defendants are permanently banned from using contract terms to suppress customers’ ability to review their products or speak to law enforcement agencies, and may not release customer information in connection with any activity related to the subject matter of the order. The settlement also includes monetary judgments totaling more than $111 million.

Federal Issues FTC Enforcement State Issues Utah Consumer Protection FTC Act Consumer Review Fairness Act

Utah amends mortgage practices and licensing rule provisions

Recently, the Utah Department of Commerce adopted amendments to the Utah Residential Mortgage Practices and Licensing Rules to eliminate unnecessary and redundant licensee expenses for criminal background checks and credit reports. Among other things, the amendments provide that if a licensee submits a fingerprint background report to the Nationwide Multistate Licensing System & Registry (NMLS) “that is current according to the NMLS and is dated within 90-days of the date of the application to renew, the Division shall use that fingerprint background report in satisfaction of the requirement of. . .subsection [R162-2c-204]. If there is no current fingerprint background report in the NMLS, the licensee shall submit a fingerprint background report to the NMLS with the licensee’s application to renew.” The same condition also applies to current credit reports dated within 30-days of the date the renewal application was submitted to the NMLS. The amendments also update certain license qualification provisions related to moral character and felony convictions, and eliminate provisions concerning employee incentive programs related to licensed entities. These provisions took effect October 26.

Licensing Mortgages State Issues Utah NMLS

Utah governor issues temporary moratorium on residential evictions

On April 1, Utah Governor Gary Herbert issued an order instituting a moratorium on residential evictions for individuals out of work or otherwise unable to pay rent as a direct result of Covid-19 provided certain conditions are met. The temporary order went into effect immediately and is effective through May 15. Herbert’s announcement did not institute rent forgiveness during the leniency period.

State Issues Utah Governors Covid-19

Utah Dept. of Financial Institutions approves suspended/reduced hours

On March 12, the Utah Department of Financial Institutions sent an email permitting regulated entities to temporarily reduce or suspend operations or reduce operating hours without Department approval so long as the entity provides adequate notice to customers and sends an email to the Department informing it of the actions taken.

The Utah Department of Commerce, Division of Real Estate announced on their website that due to Covid-19 concerns, real estate and appraisal licensees that have not completed their RAP Back Fingerprinting enrollment in advance of their March or April 2020 license renewal will have their license expirations temporarily postponed until further notice. 

State Issues Covid-19 Utah

Utah Department of Financial Institutions issues guidance to credit unions

On March 16, the Utah Department of Financial Institutions issued a statement encouraging credit unions to take steps to meet the financial services needs of members and communities affected by Covid-19. Credit unions are encouraged to, among other things, waive certain fees (e.g., ATM, overdraft, late payment fees), increase ATM daily cash withdrawal limits, ease restrictions on cashing out-of-state and non-member checks, increase credit card limits for credit worthy borrowers, and offer payment accommodations. Prudent efforts to modify the terms on existing loans for affected members will not be subject to examiner criticism and, generally, the department supports and will not criticize efforts to accommodate members in a safe and sound manner. The guidance also addresses: (i) financial condition review, supervisory response, and regulatory relief; (ii) regulatory reporting requirements; and (iii) alternative service options.

State Issues Covid-19 Utah Credit Union Bank Compliance