The Utah Consumer Privacy Act (UCPA) came into effect on December 31, 2023, and is one of the increasing number of statewide laws in the US that aim to protect the rights of consumers whose data is processed by businesses.<\/p>\n\n\n\n
When it was passed, the UCPA was the fourth piece of legislation of its kind in the US. Lawmakers were able to draw on earlier regulations, like the Colorado Privacy Act (CPA)<\/a> and the Virginia Consumer Data Protection Act (VCDPA)<\/a>, which were both based on the first and most stringent US privacy law: the California Consumer Protection Act (CCPA)<\/a>.<\/p>\n\n\n\n With this foundation, the UCPA strikes a finer balance between consumer rights and business responsibilities. Overall, the narrower scope of its definitions and compliance requirements means that it can be seen as \u201clighter\u201d and more business-friendly than the majority of other state-level data privacy laws<\/a> in place. <\/p>\n\n\n\n The UCPA gives consumers in Utah a degree of control over how businesses are able to collect and use their data. Under the UCPA, individuals have the right to know if a business is processing their personal data, to access and have that data deleted, and to opt out from their data being sold.<\/p>\n\n\n\n Unlike other similar data privacy laws, the UCPA doesn\u2019t place limits on the data that businesses can gather and what they can do with it. The responsibility for minimizing the collection and processing of data rests with the consumer.<\/p>\n\n\n\n The UCPA<\/a> protects the privacy rights of Utah residents and establishes data privacy responsibilities for companies that operate in the state and process the data of the nearly 4 million individuals who live there.<\/p>\n\n\n\n It requires businesses that collect data to protect the confidentiality and integrity of that data to reduce the risk of harm associated with processing it. Organizations must also provide consumers with clear and accessible privacy notices and inform them about how they can opt out of the sale of their data.<\/p>\n\n\n\n Like other US state laws, the UCPA uses an opt-out model for user consent, rather than the opt-in model in place for regulations such as the General Data Protection Regulation (GDPR)<\/a>. <\/p>\n\n\n\n This means that consumers\u2019 personal data can be collected, sold, or used for targeted advertising without first obtaining their explicit and informed consent. The only exception here relates to children\u2019s data. In that case, consent must be obtained from a parent or legal guardian. <\/p>\n\n\n\n Unlike most US data privacy laws, the UCPA does not require prior consent for the processing of data categorized as sensitive. Companies just need to notify consumers about collection and use and provide an opt-out option.<\/p>\n\n\n\n The sale of data is one of the key focuses for the UCPA. The Act defines any \u201cexchange of personal data for monetary consideration by a controller to a third party\u201d as a sale. <\/p>\n\n\n\n This definition doesn\u2019t include non-monetary exchanges, which means that it doesn\u2019t apply to data sharing among businesses, differentiating it from the CCPA and California Privacy Rights Act (CPRA).<\/p>\n\n\n\n However, consumers do have the right \u2014 and must be provided with the option \u2014 to opt out of the sale of their data or its use for targeted advertising. If a consumer exercises this right, their data can no longer be used. <\/p>\n\n\n\n On March 13, 2024, Utah became the first state to enact an AI-focused consumer protection law. The Utah Artificial Intelligence Policy Act (UAIP)<\/a>, which came into effect on May 1, 2024, modifies the UCPA and places certain duties on businesses using generative AI in the course of their business. <\/p>\n\n\n\n The act focuses mainly on businesses operating in regulated industries, i.e. those where a person requires a license or state certificate to work. These businesses must disclose to customers that they are interacting with generative AI or materials that are created by generative AI. <\/p>\n\n\n\n It also requires businesses in non-regulated sectors to disclose the use of this technology if asked or prompted by a customer. However, it\u2019s not clear what mechanisms an organization must put in place to field these requests or how the disclosure should take place.<\/p>\n\n\n\n The UAIP has also created an Office of Artificial Intelligence Policy that is tasked with setting up an Artificial Intelligence Learning Laboratory Program. The goal is that this AI Lab will support AI-related regulation and development within the state.<\/p>\n\n\n\n The UCPA applies to controllers or processors of consumer data. It defines these terms as follows. <\/p>\n\n\n\n Controller means <\/strong>\u201ca person doing business in the state who determines the purposes for which and the means by which personal data are processed, regardless of whether the person makes the determination alone or with others.\u201d <\/em>(Section 101.12 UCPA)<\/p>\n\n\n\n Processor means <\/strong>\u201ca person who processes personal data on behalf of a controller.\u201d <\/em>In relation to controllers and processors, \u201cperson\u201d includes natural persons or commercial or noncommercial entities, including third parties, that process data and meet the applicability criteria. (Section 101.26 UCPA)<\/p>\n\n\n\n Consumer means \u201can individual who is a resident of the state acting in an individual or household context\u201d <\/em>who is not \u201cacting in an employment or commercial context.\u201d <\/em>(Section 101.10 UCPA)<\/p>\n\n\n\n \u201cPersonal data\u201d refers to \u201cinformation that is linked or reasonably linkable to an identified individual or an identifiable individual.\u201d <\/em>(Section 101.24 UCPA)<\/p>\n\n\n\n There are specific forms of personal data that can make an individual directly identifiable (e.g. a name or email address), while others may not qualify on their own (e.g. an IP address). However, it\u2019s important to note that non-identifying data may become identifying when it\u2019s aggregated with other kinds of personal data.<\/p>\n\n\n\n The UPCA sets out a number of exclusions in relation to personal data. This includes information that:<\/p>\n\n\n\n Unlike some other data privacy laws, the UCPA does not require businesses to obtain consent for processing sensitive personal data. <\/p>\n\n\n\n However, controllers do have to clearly notify consumers and provide the opportunity for them to opt out of having their sensitive personal data processed before such data is collected and processed. Like non-sensitive data, consumers can also opt out of processing for sensitive data later, at which point processing must cease.<\/p>\n\n\n\n The Act (Section 101.32 UCPA) defines \u201csensitive data\u201d as personal data that includes or reveals:<\/p>\n\n\n\n Similar to other data privacy laws, the UCPA has provisions that provide rights to consumers and place obligations on businesses, provided that they meet certain criteria. <\/p>\n\n\n\n or<\/p>\n\n\n\n The UCPA differs from some of the other data privacy laws as entities have to meet multiple criteria for it to apply. This narrows its scope. For example, the revenue threshold will exclude smaller SMEs from qualifying. Many of the more recently passed US state-level privacy laws do not include a revenue-centric threshold, though Utah is one of the earlier ones that does.<\/p>\n\n\n\n Unsure if the UCPA applies to your business? Use our <\/strong>UCPA checklist<\/strong><\/a> to understand if the Act applies to your business, and what you need to do to be compliant.<\/strong><\/p>\n\n\n\n In addition to organizations that fall below the revenue or processing volume thresholds, the UCPA exempts a number of other entities, including:<\/p>\n\n\n\n The UCPA does not apply to information that\u2019s already subject to the following regulations:<\/p>\n\n\n\n Data processed or maintained during the course of an individual\u2019s employment is exempt from the UCPA. <\/p>\n\n\n\n This covers instances when an individual is applying for a job, as well as when they are \u201cacting as an employee, agent, or independent contractor of a controller, processor, or third party,\u201d provided that the data is \u201ccollected and used within the context of that role\u201d (Section 102.2(o)(i) UCPA). <\/p>\n\n\n\n Consumers have four primary rights under the UCPA: access, deletion, portability, and opting out.<\/p>\n\n\n\n While these rights are similar to those given to consumers under other data privacy laws, both within the US and globally, UCPA does not create other common rights, such as the right to appeal and the right to correct (to request and have omissions or inaccuracies rectified).<\/p>\n\n\n\n In addition to these exclusions, the UCPA does not provide for a private right of action (the ability for an individual consumer to sue a controller for noncompliance or a data breach). To date California is the only state that allows for this. Consumers also cannot use a violation of the UCPA to support a claim under other Utah laws.<\/p>\n\n\n\n What\u2019s more, controllers under the Utah privacy law aren\u2019t required to recognize \u201cuniversal opt-out signals\u201d as a method for consumers to opt out of data processing. This excludes global privacy control (GPC)<\/a> measures, where users can set their consent choices once and have them respected across all other sites and properties on which they are active, instead of having to specify their choice at every online property they visit. <\/p>\n\n\n\n Under the UCPA, data controllers must outline exactly how consumers can submit a request and exercise their rights related to their data. They must also respond to any requests within 45 days. <\/p>\n\n\n\n Controllers must provide consumers with a privacy notice or policy that is \u201creasonably accessible and clear.\u201d This notice would typically appear on a business\u2019s website and must include:<\/p>\n\n\n\n A consent management platform (CMP) can make this easier for you. With the right tool, you can stay compliant by generating an accurate, comprehensive, and up to date privacy policy and notify consumers about any data collection that\u2019s taking place. <\/p>\n\n\n\n Consumer requests must be fulfilled free of charge to the consumer, unless the request is:<\/p>\n\n\n\n Controllers must take action and notify the consumer of their actions within 45 days of receiving a request. If the controller cannot or will not respond to or fulfill the consumer\u2019s request, e.g. if the consumer\u2019s identity cannot be reasonably verified, they must communicate this during that same 45-day period.<\/p>\n\n\n\n However, there are exceptions. The response period can be extended by another 45 days if reasonably necessary, for example, if the request is very complex or the controller is dealing with a high number of requests. <\/p>\n\n\n\n Where there is an extension, the consumer must be informed within the initial 45 days. The notification must include reasons for and the length of the delay.<\/p>\n\n\n\n Unlike some other laws, the UCPA does not have an appeal process for consumers whose requests are denied.<\/p>\n\n\n\n Controllers must \u201cestablish, implement, and maintain reasonable administrative, technical, and physical data security practices\u201d that have been \u201cdesigned to protect the confidentiality and integrity of personal data.\u201d (Section 302.2(a) UCPA) <\/p>\n\n\n\n This applies both to the controller and any third party services they use.<\/p>\n\n\n\n Controller organizations may use third parties to process data on their behalf, so long as there is a contract in place. <\/p>\n\n\n\n The contract must include data processing instructions, as well as some of the same information that must be outlined in the consumer notification, including:<\/p>\n\n\n\n Under the UCPA, controllers don\u2019t have to evaluate the risks of their data processing activities via data protection assessments. What\u2019s more, a contract between a controller and processor does not need to stipulate that the processor must comply with any reasonable data privacy audits<\/a> set in motion by the data controller.<\/p>\n\n\n\n The processing of children\u2019s data is the only activity under the UCPA that requires explicit consent. Under the Act, a child is defined as an individual known to be under the age of 13. <\/p>\n\n\n\nWhat is the Utah Consumer Privacy Act?<\/h2>\n\n\n\n
UPCA summary<\/h3>\n\n\n\n
Updates to the UCPA<\/h3>\n\n\n\n
Definitions under the Utah Consumer Privacy Act<\/h2>\n\n\n\n
Controller under UCPA<\/h3>\n\n\n\n
Processor under UCPA<\/h3>\n\n\n\n
Consumer under UCPA<\/h3>\n\n\n\n
Personal data under UCPA<\/h3>\n\n\n\n
Exclusions to the definition of personal data<\/h4>\n\n\n\n
\n
Sensitive data under UCPA<\/h3>\n\n\n\n
\n
Who must comply with the Utah Consumer Privacy Act?<\/h2>\n\n\n\n
UCPA applies to businesses that: <\/h3>\n\n\n\n
\n
\n
\n
\n
Exemptions to Utah Consumer Privacy Act compliance<\/h3>\n\n\n\n
Organizational exemptions<\/h4>\n\n\n\n
\n
Data exemptions<\/h4>\n\n\n\n
\n
Employment exemptions<\/h4>\n\n\n\n
Consumer rights under the Utah Consumer Privacy Act<\/h2>\n\n\n\n
\n
\n
Key differences with other privacy laws<\/h3>\n\n\n\n
What are controllers obliged to do under the Utah Consumer Privacy Act?<\/h2>\n\n\n\n
Transparency under the UCPA<\/h3>\n\n\n\n
\n
Consumer requests under the UCPA<\/h3>\n\n\n\n
\n
Data security under the UCPA<\/h3>\n\n\n\n
Third-party data processing under the UCPA<\/h3>\n\n\n\n
\n
Processing of children\u2019s personal data under the UCPA<\/h3>\n\n\n\n