
A comprehensive guide to the Utah Consumer Privacy Act

Utah became the fourth state to pass a comprehensive consumer privacy law when Gov. Spencer Cox, a Republican, signed the Utah Consumer Privacy Act (UCPA), also referred to as the Utah Data Privacy Law, into law on March 24, 2022.

The Law becomes effective on December 31, 2023.    

The UCPA differs from the consumer privacy laws of California, Virginia, and Colorado, but not significantly.

In particular, it draws heavily on the Virginia Consumer Data Protection Act (VCDPA); the Colorado Privacy Act (CPA) likewise incorporates several of the VCDPA’s provisions.

At first glance, the bill appears similar to the California Consumer Privacy Act (CCPA).

In practice, though, the UCPA’s key provisions take a more relaxed, business-friendly approach to consumer privacy than any of its three predecessors.

This article covers the Utah Consumer Privacy Act: definitions unique to the Law, its applicability, exemptions, consumer rights, obligations for businesses under the UCPA, and penalties for noncompliance.

What is the Utah Data Privacy Law?  

On March 24, 2022, the Utah Consumer Privacy Act (UCPA) was passed.   

It establishes data privacy requirements for businesses operating in the state (i.e., processing Utah residents’ data) and protects the privacy rights of Utah residents.  

The UCPA regulates targeted advertising and the sale of personal data.

It specifies what constitutes a sale and what does not, defining a sale as “the exchange of personal data for monetary consideration by a controller to a third party.”

Unlike the CCPA and CPRA, Utah does not treat non-monetary “other valuable consideration” as a sale.

In other words, unlike the California Privacy Rights Act (CPRA), Utah’s Law does not treat a non-monetary data exchange as a sale.

Targeted advertising is nonetheless covered separately: although it involves monetary consideration, it is not a direct transaction with the consumer.

The UCPA, like other state laws in the US, functions under an opt-out framework, which allows personal information to be collected, sold, or used for targeted advertising without needing customer approval—unless the information relates to a minor.

In that case, parental or guardian consent is required.   

Consumers can and should be given a choice to opt out of their data being sold or used for targeted advertising; in such a case, the data will no longer be available for the previously listed uses.  

Definitions listed in Utah Data Privacy Law

Data controllers and processors are subject to the UCPA.   

It lists the following as the different parties engaged in the data processing process:  

Controller- A controller is “a person doing business in the state who determines the means and purposes for which personal data are processed, whether the person makes the determination alone or with others.”

In this context, “person” can refer to a natural person, a commercial entity, or any other entity that processes data and fulfills the applicable requirements.  

Processor- A processor is “a person who processes personal data on behalf of a controller.” Again, although the definition says “a person,” this includes businesses such as third-party vendors that process data.

Consumer- A consumer is “an individual who is a resident of the state acting in an individual or household context.” This definition explicitly excludes individuals “acting in an employment or commercial context” (that is, in a business role) and refers only to people acting in their private lives.

Personal Data- Personal data is “information linked or reasonably linkable to an identified or identifiable individual.” Note that some personal information, such as a name or email address, identifies a person directly, while other data, such as an IP address, may not qualify on its own but becomes identifying when combined with other personal data.

Sensitive Personal Data- The UCPA defines sensitive data as personal information that comprises or discloses:

  • Racial or ethnic origin (unless handled by a registered healthcare provider or a video communication service)
  • Religious beliefs
  • Sexual orientation
  • Citizenship or immigration status
  • Medical history, physical or mental health issues, or a diagnosis or course of treatment by a healthcare provider
  • Geolocation data, if the processing is intended to identify a specific individual
  • Genetic or biometric data

Unlike some other data privacy laws, the UCPA does not require consent for processing sensitive personal data.

Controllers must, however, give customers clear notice before collecting and processing sensitive personal data and the option to opt out of such processing.  

Applicability of Utah Data Privacy Law  

The UCPA’s application is similar to that of the VCDPA. It covers “any controller or processor who:  

  • Carries on business within the state or produces a product or service aimed at state residents.  
  • Generates at least $25,000,000 in revenue annually.  
  • Generates more than 50% of the business’s gross income from the sale of personal data.  
  • Controls or processes the personal data of 25,000 or more consumers.  
  • Controls or processes the personal data of 100,000 or more consumers within a calendar year.  

In contrast to the VCDPA, which does not have an annual revenue threshold, the UCPA will only apply to businesses that meet at least one of the additional thresholds mentioned above and have a yearly revenue of $25 million or more.

Compared to other state privacy laws now in effect, the UCPA’s scope is more limited due to its various threshold requirements.   

Smaller organizations will not be subject to the UCPA even if they meet the other requirements because of the yearly revenue threshold requirement.   

Similarly, larger businesses meeting the annual income criterion will not be subject to the regulation unless they satisfy an extra threshold.        

The most important thing to remember is that the UCPA covers a smaller range of companies, and exempts more data types from its scope, than the CCPA, VCDPA, and CPA.

Exemptions under Utah Data Privacy Law  

Apart from its comparatively narrower scope, the UCPA has broad exemptions. They fall into three categories: organizational, data, and employment exemptions.

1. Organizational Exemptions  

Beyond organizations that fall below the revenue or processing-volume thresholds, the UCPA exempts a variety of organizations, such as:

  • Higher education institutions
  • Non-profit organizations
  • Contractors and government organizations
  • Indigenous tribes
  • Airline companies
  • Businesses covered under the Health Insurance Portability and Accountability Act (HIPAA)
  • Financial institutions subject to the Gramm-Leach-Bliley Act

2. Data Exemptions  

Additionally, there are data-level exemptions from the UCPA, meaning that data currently covered by the following regulations is not covered by it:  

  • Health Insurance Portability and Accountability Act (HIPAA)
  • Family Educational Rights and Privacy Act
  • Driver’s Privacy Protection Act
  • Fair Credit Reporting Act
  • Gramm-Leach-Bliley Act
  • Farm Credit Act

3. Employment Exemptions  

Among other situations, the UCPA exempts the processing or maintaining of data “in the course of an individual applying to, or acting as an employee, agent, or independent contractor of a controller, processor, or third party, to the extent that the data is collected and used within the context of that role.”

Consumer Rights under Utah Data Privacy Law  

Under the UCPA, consumers have four primary rights.   

It’s important to note that the Act gives consumers specific rights for the data they provide the controller.   

Therefore, these rights do not extend to personal data about the consumer that the controller obtained indirectly.

1. Right to Access  

Customers “have the right to access their data and confirm whether a controller is processing it.”  

2. Right to Delete  

Consumers are given “the right to delete the consumer’s data that the consumer provided to the controller.”

Note that the UCPA does not entitle consumers to have all the data a controller holds about them deleted.

A consumer’s only deletion right under the UCPA is to have the personal data they themselves gave the controller deleted.

3. Right to Data Portability  

Consumers have the right to obtain a copy of the personal data they previously provided to the controller, in a format that:

  • Is portable to the extent technically feasible,
  • Is readily usable to the extent practicable, and
  • Allows the consumer to transmit the data easily to another controller where the processing is carried out by automated means.

4. Right to opt out of specific processing  

Customers have “the right to choose not to have their data processed for targeted advertising purposes or to have their data sold.”  

Unlike the VCDPA and CPA, the UCPA does not include a right to opt out of profiling.

Furthermore, the UCPA does not impose the CPA’s requirement that controllers recognize universal opt-out signals as a means for consumers to exercise their opt-out right.

The UCPA also lacks the right to correct.

In contrast to laws in California, Virginia, and Colorado, Utah does not offer customers the ability to have inaccurate personal data updated.  

Like the VCDPA and CPA, the UCPA mandates that controllers provide a method for customers to file a request to exercise the abovementioned rights.   

However, unlike the VCDPA and CPA, the Law does not impose additional standards on controllers when prescribing these methods, such as reliability or consideration of the controller’s typical customer interactions.

Obligations for Businesses under Utah Data Privacy Law  

Data controllers must allow consumers to exercise their rights under the UCPA. Controllers must specify how consumers can submit requests and must respond to those requests within 45 days.

1. Transparency  

Controllers must provide consumers with a privacy notice or policy that is “reasonably accessible and clear,” typically posted on the controller’s website. The privacy notice should include the following information:

  • Categories of personal data that the controller processes;
  • Categories of personal data that the controller shares with third parties, if any;
  • Categories of third parties with which the controller shares personal data, if any;
  • Purposes for which the data is processed;
  • A “clear and conspicuous” disclosure of any circumstances in which the controller sells personal data to a third party or uses it for targeted advertising; and
  • How consumers can exercise their right to opt out.

An accurate and comprehensive notification and privacy policy can be created using a consent management system, allowing controllers to maintain and update it with minimal manual effort.  

2. Consumer Requests   

Controllers must respond to consumer requests free of charge unless the request is:

  • The second or subsequent request within the same one-year period;
  • “Excessive, repetitive, not technically feasible, or unfounded”;
  • Reasonably suspected by the controller to have a primary purpose other than exercising a right; or
  • Intended to “harass, disrupt, or impose an undue burden on the resources of the controller’s business.”

Controllers must act upon a customer’s request and notify them of their actions within 45 days.   

During those 45 days, the controller must notify the consumer if it cannot or will not reply to or fulfill the consumer’s request, for example, if the consumer’s identity cannot be adequately verified for security.  

3. Data Security  

To protect the integrity and confidentiality of personal data, controllers must “establish, implement, and maintain reasonable administrative, technical, and physical data security practices.”   

This obligation also extends to third parties that process data for the controller, and contracts between controllers and third-party processors must include it.

4. Consent to process children’s data  

A person who is known to be under 13 years old is considered a child under the UCPA.   

Before processing data, controllers must get verified consent from parents or guardians and process the data in compliance with the Children’s Online Privacy Protection Act (COPPA).   

Processing of children’s data is the only case in which the UCPA requires affirmative consent.

5. Third party processing  

Controllers can contract with third parties to process data on their behalf; however, such agreements must be in writing. The same requirement appears in other state-level laws, such as the VCDPA and CCPA.

The contract must also include instructions for data processing and some of the same information found in the consumer notice. These details include:

  • Type of data to be processed,
  • Purpose of processing the data,
  • Nature of data processing,
  • Duration of the processing, and
  • All parties’ rights and responsibilities, including the duty of confidentiality.

A written contract between the processor and any subcontractor involved in processing personal data must be signed by both parties, and the subcontractor must fulfill all of the processor’s obligations.

6. Non-Discrimination  

It is against the Law for controllers to discriminate against any consumer who exercises their privacy rights. Potentially discriminatory practices include:

  • Refusing products or services
  • Imposing an additional fee on products or services
  • Offering products or services at a different quality level

A controller may, however, provide “a different price, rate, level, quality, or selection of a good or service to a consumer” if the customer has opted out of targeted advertising or in connection with the client willingly joining the controller’s loyalty program.  

Penalties for Noncompliance under Utah Data Privacy Law  

Enforcement Authority  

Regarding UCPA compliance and penalties, the attorney general of Utah has complete enforcement authority.   

However, the Division of Consumer Protection is charged under the Act with handling consumer complaints and has the authority to look into the legitimacy of allegations of violations.  

Unlike the CPA or VCDPA, the UCPA does not require controllers to examine the risks associated with their data processing operations through data protection (risk) assessments.  

Investigations and cure period  

The attorney general is approached when there is reasonable cause or evidence of a violation, and they determine whether or not to pursue legal action.   

If they do, the controller or processor receives a written notice from the attorney general’s office about the violation.   

After that, the offending party has 30 days to “cure” the violation and provide the attorney general with a written statement outlining the steps taken to ensure it won’t happen again.

Damages and fines  

The attorney general may file an enforcement action where punitive action is necessary, such as when the controller or processor fails to cure the violation or continues violating the Law even after receiving a written statement.  

Remedies include actual damages and fines of up to US $7,500 for each violation.

Consent Management under Utah Data Privacy Law  

Like other “opt-out” state-level laws in the US, the Utah privacy law does not require controllers to obtain consent from data subjects before collecting or processing personal data, including sensitive data.

The only exception is that processing children’s data requires explicit consent.  

Controllers must, however, expressly inform customers in every situation where personal data will be collected and processed and give them the option of opting out of processing their data either in advance or at the time of collection and processing.  

A consent management solution that includes the necessary details about data processing and consumer rights can be used for both notification and consent.   

For instance, a CMP can offer choices for accepting or declining consent for the processing of personal data, and it may establish a compliant privacy policy that gives customers all the information they need to understand about the processing of their data and their rights.  

The geolocation feature can facilitate the presentation of different CMP banners with personalized notification details and consent choices for businesses around the United States and internationally, depending on the user’s location.   

By doing this, businesses can comply with the GDPR, the CCPA/CPRA, the VCDPA, the CPA, and the UCPA.  

Conclusion  

According to the state Senate sponsor, the Utah Consumer Privacy Act is currently in its “version one” form.   

Legislators intend to observe how the Law is applied in real-world situations, which will shape upcoming changes.   

By July 1, 2025, the Utah attorney general and the Division of Consumer Protection—which will look into complaints of violations—must submit a report assessing the effectiveness of the UCPA.   

Changes to the UCPA will likely occur beyond that date, and the future course of the Law will be influenced by newly emerging privacy legislation and changes to laws that are now in effect.   

Unlike in California, the UCPA does not include a private right of action.

Therefore, consumer class-action lawsuits will not have the capacity to influence future amendments.  

Due to its “business friendliness,” the Utah privacy law has somewhat more lenient compliance requirements than other state-level US laws.

Nevertheless, it is still advised to speak with competent legal counsel to determine your organization’s potential obligations and the steps required to ensure privacy compliance once the Law takes effect.   

It’s also always a good idea to proactively protect user privacy, foster user confidence, and preserve high-quality data for marketing purposes.  

Contact one of our experts at PrivacyPillar if you have any concerns or want to learn more about putting a consent management platform in place to ensure compliance with privacy laws in the US and other countries.