Utah Consumer Privacy Act (UCPA): An Overview

Utah was the fourth US state to pass a privacy law, which has an effective date of December 31st, 2023. Previously passed state laws served as a source of information and influence, and the UCPA shares a number of components with Colorado’s CPA, as well as drawing heavily from Virginia’s CDPA. Interestingly, those laws already show evolution in thought and approach to legislation since the passing of the first privacy law in California (CCPA), which went into effect in 2020.

Overall, the Utah privacy law can be seen as “lighter” and more business-friendly than the other state-level laws to date. Progress on a federal US privacy law remains slow moving.

In summary, the Utah Consumer Privacy Act (UCPA) was signed into law on March 24th, 2022. It protects the privacy rights of residents of Utah and establishes data privacy responsibilities for companies doing business in the state (i.e. processing the data of Utah residents).

The UCPA applies to the sale of personal data and targeted advertising, and defines what does and does not include a sale: “the exchange of personal data for monetary consideration by a controller to a third party.”

Unlike the CCPA and CPRA, Utah does not include non-monetary “other valuable consideration” options as a sale. Additionally, unlike California’s Privacy Rights Act (CPRA), Utah’s law does not apply to the sharing of data. However, since targeted advertising is included, while that has monetary considerations, it is not a direct transaction with the consumer.

Like the other US state laws, the UCPA uses an opt-out model, which means that personal data can be collected, sold, or used for targeted advertising without requiring consumers’ consent, unless the data belongs to a child. In that consent must be obtained from a parent or legal guardian. However, consumers do have the right — and must be provided with the option — to opt out of the sale of their data or its use for targeted advertising, and if they do so, it can no longer be used for the previously stated purposes.

The UCPA applies to controllers or processors of data. It defines a controller as: “a person doing business in the state who determines the purposes for which and the means by which personal data are processed, regardless of whether the person makes the determination alone or with others.” “Person” in this case can refer to a natural person or commercial or noncommercial entity, if it processes data and meets the applicability criteria.

A processor is defined as: “a person who processes personal data on behalf of a controller.” Again, while these definitions list “a person” they also cover company entities like third-party vendors that might process data, not just individuals.

A consumer is defined as: “an individual who is a resident of the state acting in an individual or household context.” This definition refers to people in private life, and explicitly excludes those “acting in an employment or commercial context” so for business purposes.

Personal data means “information that is linked or reasonably linkable to an identified individual or an identifiable individual.” Note that some forms of personal data can make an individual directly identifiable, like a name or email address. Other types of data may not qualify on their own, e.g. an IP address, but when aggregated with additional forms of personal data, they can become identifying.

Exclusions to the definition of personal data

There are a number of exclusions in the UCPA regarding what does not constitute personal data, for example, information that is publicly available or that has been deidentified or anonymized, and aggregated data of groups of consumers, where identifying individuals is not possible.

Definition of sensitive personal data

Under the UCPA, sensitive data is defined as personal data that includes/reveals:

• racial or ethnic origin (unless processed by a video communication service or by a licensed healthcare provider)
• religious beliefs
• sexual orientation
• citizenship or immigration status
• medical history, mental or physical health condition, or medical treatment or diagnosis by a healthcare professional
• genetic or biometric data, if the processing is for the purpose of identifying a specific individual
• geolocation data, if the processing is for the purpose of identifying a specific individual

Unlike some other data privacy laws, the Utah privacy law does not require consent for processing sensitive personal data. However, controllers do have to clearly notify consumers and provide the opportunity to opt out of having their sensitive personal data processed before such data is collected and processed.

The UCPA has three primary criteria for applicability to businesses:

• conducting business in the state or produces a product or service that is targeted to consumers who are residents of the state;
• annual revenue of $25,000,000 or more;

and

• satisfies one or more of the following thresholds:
  • during a calendar year, controls or processes personal data of 100,000 or more consumers;

  or

  • derives over 50% of the entity’s gross revenue from the sale of personal data and controls or processes personal data of 25,000 or more consumers.

This differs from some of the other data privacy laws in that entities have to meet multiple criteria for applicability, and not, for example, US $25 million revenue or processing data from 100,000 consumers. Meeting multiple criteria narrows the scope of which entities will qualify for compliance. The revenue threshold will also exclude smaller SMEs from qualifying.

Organizational exemptions

In addition to organizations that fall below the revenue or processing volume thresholds for inclusion, the UCPA has exemptions a number of other entities, including:

• institutions of higher education
• nonprofit organizations
• government organizations and contractors
• Indigenous tribes
• air carriers
• organizations covered by the Health Insurance Portability and Accountability Act (HIPAA)
• financial institutions governed by the Gramm-Leach-Bliley Act

Data exemptions

The UCPA has data-level exemptions as well, and does not apply to information that is already subject to the following regulations:

• Health Insurance Portability and Accountability Act (HIPAA)
• Gramm-Leach-Bliley Act
• Fair Credit Reporting Act
• Driver’s Privacy Protection Act
• Family Educational Rights and Privacy Act
• Farm Credit Act

Employment exemptions

Data processed or maintained in the course of employment is exempt from the UCPA, including: “in the course of an individual applying to, or acting as an employee, agent or independent contractor of a controller, processor or third party, to the extent that the data is collected and used within the context of that role.”

Consumers have four primary rights under the UCPA, and it is notable that the Act specifies consumers’ rights specific to data they provided to the controller. So a person does not have the right to exercise their rights regarding personal data about them obtained indirectly.

The primary rights are:

• Right to access, including confirming whether a controller is processing their data, and the ability to request and receive that data
• Right to deletion of personal data, if the data subject directly provided the data to the controller
• Right to portability, obtaining a copy of their personal data that they provided to the controller, in a format that is:
  • portable to a technically reasonable extent
  • readily usable to a practical extent
  • enables the consumer to transmit the data to another controller reasonably easily, where the processing is carried out by automated means
• Right to opt out of certain processing, specifically for the sale of the personal data or the purposes of targeted advertising

Some rights that are present in other US state-level laws, but absent from the UCPA, include the right to opt out of profiling and the right to correct (to request and have omissions or inaccuracies in one’s personal data corrected).

Controllers under the Utah privacy law are not required to recognize “universal opt-out signals” as a method for consumers to opt out of data processing. This is another term for global privacy control (GPC), whereby users can set consent preferences once, like on a website, and have them respected across all other sites and properties on which they are active, rather than having to specify preferences at every online property they visit. (Learn more about the GPC.)

The UCPA does not provide for private right of action, the ability for a consumer to sue a controller for noncompliance or a data breach. Consumers also cannot use a violation of the UCPA to support a claim under other Utah laws.

Under the UCPA, data controllers must enable consumers to exercise their rights. Controllers have to specify the means by which consumers can submit a request, and they have to respond within a reasonable period of time, specified as within 45 days.

Controllers have to provide consumers with a privacy notice/policy that is “reasonably accessible and clear”, typically on the website. A privacy notice must include:

• categories of personal data processed by the controller
• categories of personal data the controller shares with third parties, if any
• categories of third parties with whom the controller shares personal data, if any
• purposes of the data processing
• how consumers can exercise their rights
• “clear and conspicuous” disclosure if personal data is sold to a third party or used for targeted advertising and the means to exercise the right to opt out

A consent management solution can help generate an accurate and comprehensive notification and privacy policy and enable controllers to keep it up to date without a lot of manual work.

Consumer requests must be fulfilled free of charge to the consumer, unless the request is:

• the second or subsequent one within the same 12-month period
• “excessive, repetitive, technically infeasible, or manifestly unfounded”
• reasonably believed by the controller that the primary purpose of the submission of the request was “something other than exercising a right”
• “harasses, disrupts, or imposes undue burden on the resources of the controller’s business”

Controllers must respond to a consumer request within 45 days by taking action and notifying the consumer of the action taken. If the controller cannot or will not respond to/fulfill the consumer’s request, e.g. if the consumer’s identity cannot be reasonably verified for security, that must be communicated during that 45-day period.

There are exceptions to this, and the response period can be extended by another 45 days if reasonably necessary, e.g. if the request is very complex or the controller is dealing with a high number of requests. The consumer must be informed of the extension, including reasons for it and length of the extension within the initial 45-day response window.

Unlike some other laws, the UCPA does not have an appeal process for consumers whose requests are denied.

Controllers must “establish, implement, and maintain reasonable administrative, technical, and physical data security practices designed to protect the confidentiality and integrity of personal data.” This applies to third parties used by the controller for data processing as well, and must be included in contracts between controllers and third-party processors.

Under the UCPA, a child is defined as someone known to be under 13 years old. Controllers must obtain verifiable parental (or guardian) consent prior to processing, and process the data in accordance with the Children’s Online Privacy Protection Act (COPPA). The processing of children’s data is the only activity under the UCPA that requires explicit affirmative consent.

Controllers are prohibited from discriminating against any consumer who exercises their privacy rights. Examples of potential discrimination include:

• denying goods or services
• charging a different price or rate for goods or services
• providing a different level of quality for goods or services

However, a controller is allowed to offer “a different price, rate, level, quality, or selection of a good or service to a consumer” if that customer has opted out of targeted advertising, or if the offer relates to the consumer voluntarily participating in the controller’s loyalty program.

Controller organizations can use third parties to process data on their behalf, though these arrangements need to be governed by a contract. This is the case under other state-level laws like the CCPA and VCDPA as well. The contract needs to include data processing instructions, as well as some of the same information that the consumer notification does, including:

• nature and purpose of the processing
• type of data to be processed
• duration of processing
• all parties’ rights and obligations, including a duty of confidentiality
• requirement that the processor has a written contract with any subcontractor engaged to process personal data, meeting the same obligations as the processor.

Interestingly, under the UCPA, a contract between a controller and processor does not require a provision for the processor to comply with reasonable audits undertaken by the controller.

The Utah attorney general has full enforcement authority over UCPA compliance and penalties. Under the Act, however, the Division of Consumer Protection is tasked with the administration of consumer complaints, and has investigative powers regarding the merit of alleged violations.

Under the UCPA, controllers do not have to evaluate the risks of their data processing activities via data protection (risk) assessments, unlike with the CPA or VCDPA.

If reasonable cause or evidence of a violation is found, the issue is referred to the attorney general, who can then decide whether or not to take action. If they do, the attorney general’s office must provide the controller or processor with a written notice about the violation, after which the offending party has a 30-day “cure” period where they can fix any violation and provide a statement to the attorney general regarding what has been done to cure the violation and ensure prevention of its recurrence.

In cases where punitive action is required — the controller or processor failed to cure the violation or continues to violate the law after providing a written statement to the contrary — the attorney general can initiate an enforcement action. This includes actual damages and fines up to US $7,500 per violation.

As with other US state-level laws that are “opt out”, under the Utah privacy law controllers are not required to obtain data subjects’ consent before personal data can be collected or processed, even data categorized as sensitive, with the exception that explicit consent is required for the processing of children’s data.

However, in all instances when personal data will be collected and processed, controllers do have to clearly notify consumers and provide an option to opt out of having their personal data processed before or at the time of collection and processing.

Both notification and consent can be done with a consent management solution, which can provide the required information about data processing as well as about consumers’ rights. For example, a CMP can present accept/decline consent options for personal data processing, and populate a compliant Privacy Policy that clearly presents all the necessary information to consumers about the data processing and their rights.

For organizations that do business around the United States, or globally, geolocation functionality can enable presentation of different CMP banners with customized notification information and consent options, depending on where the user is located. In this way, organizations can become data compliant with the CCPA/CPRA, VCDPA, CPA and/or UCPA, and even the GDPR.

The Utah Consumer Privacy Act is in its “version one” form, per its sponsor in the state Senate. Legislators plan to see how the law works in practice, which will influence future amendments. Under the UCPA, the Utah attorney general and Division of Consumer Protection, which will investigate alleged violations, are required to submit a report evaluating the law’s effectiveness by July 1st, 2025. It is likely that amendments to the UCPA would take place after that date, and that evolving privacy legislation and amendments to laws already in force will influence the future direction of the law. Because of a lack of inclusion of private right of action, unlike in California, consumer class-action lawsuits will not be a potential influence on future amendments to the UCPA.

The Utah privacy law has somewhat less stringent compliance requirements than other US state-level laws given its “business friendliness”, but it is still recommended to consult qualified legal counsel to determine your organization’s potential responsibilities and actions needed to ensure privacy compliance when the law comes into effect. Proactive efforts to protect user privacy are also always a good idea to help build user trust and secure high-quality data for marketing operations.

If you have questions or interest in implementing a consent management platform to help achieve compliance with privacy laws in the United States and around the world, talk to one of our experts.