Utah Consumer Privacy Act (UCPA): an overview

The UCPA provides rights to consumers and places responsibilities on businesses to protect consumer data and use it compliantly. We explore its key provisions and what they mean for both consumers and companies.
Published by Usercentrics
Sep 17, 2024

The Utah Consumer Privacy Act (UCPA) came into effect on December 31, 2023, and is one of the increasing number of statewide laws in the US that aim to protect the rights of consumers whose data is processed by businesses.

When it was passed, the UCPA was the fourth piece of legislation of its kind in the US. Lawmakers were able to draw on earlier regulations, like the Colorado Privacy Act (CPA) and the Virginia Consumer Data Protection Act (VCDPA), which were both based on the first and most stringent US privacy law: the California Consumer Privacy Act (CCPA).

With this foundation, the UCPA strikes a finer balance between consumer rights and business responsibilities. Overall, the narrower scope of its definitions and compliance requirements means that it can be seen as “lighter” and more business-friendly than the majority of other state-level data privacy laws in place. 

What is the Utah Consumer Privacy Act?

The UCPA gives consumers in Utah a degree of control over how businesses are able to collect and use their data. Under the UCPA, individuals have the right to know if a business is processing their personal data, to access and have that data deleted, and to opt out from their data being sold.

Unlike other similar data privacy laws, the UCPA doesn’t place limits on the data that businesses can gather and what they can do with it. The responsibility for minimizing the collection and processing of data rests with the consumer.

UCPA summary

The UCPA protects the privacy rights of Utah residents and establishes data privacy responsibilities for companies that operate in the state and process the data of the nearly 4 million individuals who live there.

It requires businesses that collect data to protect the confidentiality and integrity of that data to reduce the risk of harm associated with processing it. Organizations must also provide consumers with clear and accessible privacy notices and inform them about how they can opt out of the sale of their data.

Like other US state laws, the UCPA uses an opt-out model for user consent, rather than the opt-in model in place for regulations such as the General Data Protection Regulation (GDPR).

This means that consumers’ personal data can be collected, sold, or used for targeted advertising without first obtaining their explicit and informed consent. The only exception here relates to children’s data. In that case, consent must be obtained from a parent or legal guardian. 

Unlike most US data privacy laws, the UCPA does not require prior consent for the processing of data categorized as sensitive. Companies just need to notify consumers about collection and use and provide an opt-out option.

The sale of data is one of the key focuses for the UCPA. The Act defines any “exchange of personal data for monetary consideration by a controller to a third party” as a sale. 

This definition doesn’t include non-monetary exchanges, which means that it doesn’t apply to data sharing among businesses, differentiating it from the CCPA and California Privacy Rights Act (CPRA).

However, consumers do have the right — and must be provided with the option — to opt out of the sale of their data or its use for targeted advertising. If a consumer exercises this right, their data can no longer be sold or used for targeted advertising.

Updates to the UCPA

On March 13, 2024, Utah became the first state to enact an AI-focused consumer protection law. The Utah Artificial Intelligence Policy Act (UAIP), which came into effect on May 1, 2024, modifies the UCPA and places certain duties on businesses using generative AI in the course of their business. 

The act focuses mainly on businesses operating in regulated industries, i.e. those where a person requires a license or state certificate to work. These businesses must disclose to customers that they are interacting with generative AI or materials that are created by generative AI. 

It also requires businesses in non-regulated sectors to disclose the use of this technology if asked or prompted by a customer. However, it’s not clear what mechanisms an organization must put in place to field these requests or how the disclosure should take place.

The UAIP has also created an Office of Artificial Intelligence Policy that is tasked with setting up an Artificial Intelligence Learning Laboratory Program. The goal is that this AI Lab will support AI-related regulation and development within the state.

Definitions under the Utah Consumer Privacy Act

The UCPA applies to controllers or processors of consumer data. It defines these terms as follows. 

Controller under UCPA

Controller means “a person doing business in the state who determines the purposes for which and the means by which personal data are processed, regardless of whether the person makes the determination alone or with others.” (Section 101.12 UCPA)

Processor under UCPA

Processor means “a person who processes personal data on behalf of a controller.” In relation to controllers and processors, “person” includes natural persons or commercial or noncommercial entities, including third parties, that process data and meet the applicability criteria. (Section 101.26 UCPA)

Consumer under UCPA

Consumer means “an individual who is a resident of the state acting in an individual or household context” who is not “acting in an employment or commercial context.” (Section 101.10 UCPA)

Personal data under UCPA

“Personal data” refers to “information that is linked or reasonably linkable to an identified individual or an identifiable individual.” (Section 101.24 UCPA)

There are specific forms of personal data that can make an individual directly identifiable (e.g. a name or email address), while others may not qualify on their own (e.g. an IP address). However, it’s important to note that non-identifying data may become identifying when it’s aggregated with other kinds of personal data.

Exclusions to the definition of personal data

The UCPA sets out a number of exclusions in relation to personal data. These include information that:

  • is publicly available 
  • has been deidentified or anonymized
  • relates to groups of consumers and has been aggregated to the extent that individuals cannot be identified

Sensitive data under UCPA

Unlike some other data privacy laws, the UCPA does not require businesses to obtain consent for processing sensitive personal data. 

However, controllers do have to clearly notify consumers and give them the opportunity to opt out of having their sensitive personal data processed before such data is collected and processed. As with non-sensitive data, consumers can also opt out of the processing of sensitive data later, at which point processing must cease.

The Act (Section 101.32 UCPA) defines “sensitive data” as personal data that includes or reveals:

  • racial or ethnic origin (unless processed by a video communication service or by a licensed healthcare provider)
  • religious beliefs
  • sexual orientation
  • citizenship or immigration status
  • medical history, mental or physical health condition, or medical treatment or diagnosis by a healthcare professional
  • genetic or biometric data (if the processing is for the purpose of identifying a specific individual)
  • geolocation data (if the processing is for the purpose of identifying a specific individual)

Who must comply with the Utah Consumer Privacy Act?

Similar to other data privacy laws, the UCPA has provisions that provide rights to consumers and place obligations on businesses, provided that they meet certain criteria. 

UCPA applies to businesses that:

  • Operate in Utah, either by conducting business there or by offering a product or service to consumers who reside in the state.
  • Meet the annual earnings and data processing thresholds, meaning they report revenue of USD 25 million and either:
    • control or process the data of 100,000 consumers, or
    • derive more than 50 percent of gross revenue from the sale or control of personal data of 25,000 or more consumers

The UCPA differs from some of the other data privacy laws in that entities have to meet multiple criteria for it to apply. This narrows its scope. For example, the revenue threshold will exclude smaller SMEs from qualifying. Many of the more recently passed US state-level privacy laws do not include a revenue-centric threshold, though Utah is one of the earlier ones that does.

Unsure if the UCPA applies to your business? Use our UCPA checklist to understand if the Act applies to your business, and what you need to do to be compliant.

Exemptions to Utah Consumer Privacy Act compliance

Organizational exemptions

In addition to organizations that fall below the revenue or processing volume thresholds, the UCPA exempts a number of other entities, including:

  • institutions of higher education
  • nonprofit organizations
  • government organizations and contractors
  • Indigenous groups
  • air carriers
  • organizations covered by the Health Insurance Portability and Accountability Act (HIPAA)
  • financial institutions governed by the Gramm-Leach-Bliley Act (GLBA)

Data exemptions

The UCPA does not apply to information that’s already subject to the following regulations:

  • Driver’s Privacy Protection Act (DPPA)
  • Fair Credit Reporting Act (FCRA)
  • Family Educational Rights and Privacy Act (FERPA)
  • Farm Credit Act (FCA)
  • Gramm-Leach-Bliley Act (GLBA)
  • Health Insurance Portability and Accountability Act (HIPAA)

Employment exemptions

Data processed or maintained during the course of an individual’s employment is exempt from the UCPA. 

This covers instances when an individual is applying for a job, as well as when they are “acting as an employee, agent, or independent contractor of a controller, processor, or third party,” provided that the data is “collected and used within the context of that role” (Section 102.2(o)(i) UCPA). 

Consumer rights under the Utah Consumer Privacy Act

Consumers have four primary rights under the UCPA: access, deletion, portability, and opting out.

  • Right to access, including confirming whether a controller is processing their data, and the ability to request and receive that data
  • Right to deletion of personal data, if the data subject directly provided the data to the controller
  • Right to portability, obtaining a copy of their personal data from the controller, in a format that is:
    • portable to a technically reasonable extent
    • readily usable to a practical extent
    • enables the consumer to transmit the data to another controller reasonably easily, where the processing is carried out by automated means
  • Right to opt out of certain processing, specifically for the sale of the personal data or the purposes of targeted advertising

Key differences with other privacy laws

While these rights are similar to those given to consumers under other data privacy laws, both within the US and globally, UCPA does not create other common rights, such as the right to appeal and the right to correct (to request and have omissions or inaccuracies rectified).

In addition to these exclusions, the UCPA does not provide for a private right of action (the ability for an individual consumer to sue a controller for noncompliance or a data breach). To date, California is the only state that allows for this. Consumers also cannot use a violation of the UCPA to support a claim under other Utah laws.

What’s more, controllers under the Utah privacy law aren’t required to recognize “universal opt-out signals” as a method for consumers to opt out of data processing. This excludes global privacy control (GPC) measures, where users can set their consent choices once and have them respected across all other sites and properties on which they are active, instead of having to specify their choice at every online property they visit. 

What are controllers obliged to do under the Utah Consumer Privacy Act?

Under the UCPA, data controllers must outline exactly how consumers can submit a request and exercise their rights related to their data. They must also respond to any requests within 45 days. 

Transparency under the UCPA

Controllers must provide consumers with a privacy notice or policy that is “reasonably accessible and clear.” This notice would typically appear on a business’s website and must include:

  • categories of personal data processed by the controller
  • categories of personal data the controller shares with third parties
  • categories of third parties with whom the controller shares personal data
  • a clear explanation of how consumers can exercise their rights, including the right to opt out
  • “clear and conspicuous” disclosure if personal data is sold to a third party or used for targeted advertising

A consent management platform (CMP) can make this easier for you. With the right tool, you can stay compliant by generating an accurate, comprehensive, and up to date privacy policy and notify consumers about any data collection that’s taking place. 

Consumer requests under the UCPA

Consumer requests must be fulfilled free of charge to the consumer, unless the request is:

  • the second or subsequent request within the same 12-month period
  • “excessive, repetitive, technically infeasible, or manifestly unfounded” (Section 203.4.(b)(i)(A) UCPA)
  • reasonably believed by the controller to have the primary purpose of “something other than exercising a right” (Section 203.4.(b)(i)(B) UCPA)
  • intended to harass, disrupt, or impose undue burden on the resources of the controller’s business

Controllers must take action and notify the consumer of their actions within 45 days of receiving a request. If the controller cannot or will not respond to or fulfill the consumer’s request, e.g. if the consumer’s identity cannot be reasonably verified, they must communicate this during that same 45-day period.

However, there are exceptions. The response period can be extended by another 45 days if reasonably necessary, for example, if the request is very complex or the controller is dealing with a high number of requests. 

Where there is an extension, the consumer must be informed within the initial 45 days. The notification must include reasons for and the length of the delay.

Unlike some other laws, the UCPA does not have an appeal process for consumers whose requests are denied.

Data security under the UCPA

Controllers must “establish, implement, and maintain reasonable administrative, technical, and physical data security practices” that have been “designed to protect the confidentiality and integrity of personal data.” (Section 302.2(a) UCPA) 

This applies both to the controller and to any third-party services it uses.

Third-party data processing under the UCPA

Controller organizations may use third parties to process data on their behalf, so long as there is a contract in place. 

The contract must include data processing instructions, as well as some of the same information that must be outlined in the consumer notification, including:

  • the nature and purpose of the processing
  • the type of data to be processed
  • the duration of processing
  • all parties’ rights and obligations, including a duty of confidentiality
  • a provision that requires the processor to have a written contract with any subcontractor engaged to process personal data that mirrors the obligations on the processor

Under the UCPA, controllers don’t have to evaluate the risks of their data processing activities via data protection assessments. What’s more, a contract between a controller and processor does not need to stipulate that the processor must comply with any reasonable data privacy audits set in motion by the data controller.

Processing of children’s personal data under the UCPA

The processing of children’s data is the only activity under the UCPA that requires explicit consent. Under the Act, a child is defined as an individual known to be under the age of 13. 

Controllers must obtain verifiable parental or guardian’s consent prior to processing and process the data in accordance with the Children’s Online Privacy Protection Act (COPPA).

Nondiscrimination under the UCPA

Controllers may not discriminate against any consumer who exercises their privacy rights. Examples of potential discrimination include:

  • denying goods or services
  • charging a different price or rate for goods or services
  • providing a different level of quality for goods or services

However, a controller is allowed to offer “a different price, rate, level, quality, or selection of a good or service to a consumer” (Section 302.4(b) UCPA) if that customer has opted out of targeted advertising, or if the offer relates to the consumer voluntarily participating in the controller’s loyalty program.

Enforcement of the Utah Consumer Privacy Act

Enforcement authority

The Utah Attorney General has full enforcement authority over the UCPA. However, the Division of Consumer Protection is responsible for administering consumer complaints and has the authority to investigate alleged violations.

Investigations and cure period

Where authorities find reasonable cause or evidence of a violation, it’s referred to the Attorney General. If the Attorney General pursues the investigation, their office must provide the data controller or data processor with a written notice about the violation.

The UCPA provides the offending party with a 30-day “cure” period. This is a grace period during which the controller is given the opportunity to rectify any violation and provide a statement to the Attorney General about what has been done to resolve the violation and ensure it won’t be repeated. Unlike many US data privacy laws, the UCPA’s cure period does not sunset.

Damages and fines

In cases where punitive action is required, for example, if the controller or processor fails to resolve the violation, or repeats it after providing a written statement to the contrary, the Attorney General can initiate an enforcement action. This includes damages and fines of up to USD 7,500 per violation.

The UCPA uses an opt-out model to regulate data collection and processing in the state of Utah. As a data controller in Utah, you’re not required to obtain data subjects’ consent before collecting personal data, unless that data belongs to a child.

However, you are required to give consumers a clear notification that their data is being collected, inform them about their rights, and provide them with the means to opt out, either before or at the point of collection and processing.

To achieve and maintain compliance, use a CMP. A robust CMP can automate the process of notifying customers about data processing, tailoring consent messages, and managing their opt-out choices. This makes it easier to achieve and maintain compliance with the UCPA and other US privacy laws like the CCPA/CPRA and VCDPA.

A robust CMP helps your business obtain consent in a transparent manner, enabling you to collect valuable data while building trust with your customers.

Usercentrics CMP helps you tailor consent messages, manage user opt-out choices, and stay compliant with relevant privacy laws.

While the requirements for UCPA compliance are less demanding than similar laws’, the potential fines and damage to brand reputation that can result from noncompliance mean that businesses must still be diligent.

Usercentrics can help you adhere to regulatory requirements of laws like the UCPA with its all-in-one CMP that enables you to produce content for privacy notices in just a few clicks. What’s more, our platform simplifies consumer consent management and helps you personalize the consent experience for your users.

If you have questions or interest in implementing our CMP to help you achieve compliance with privacy laws in the US and around the world, talk to one of our experts.

Usercentrics does not provide legal advice, and information is provided for educational purposes only. We always recommend engaging qualified legal counsel or privacy specialists regarding data privacy and protection issues and operations.