In March 2022, Utah became the fourth state to enact a comprehensive consumer data privacy law. Slated to go into effect in December 2023, the Utah Consumer Privacy Act (UCPA) is considered more business friendly than its predecessors in California, the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA); Virginia, the Virginia Consumer Data Protection Act (VCDPA); Colorado, the Colorado Privacy Act (CPA); as well as newer U.S. privacy laws, such as Iowa’s Iowa Consumer Data Protection Act (ICDPA).
In this blog, we’ll dive into the UCPA, the protections it provides to Utah residents, and what that means for businesses that serve Utahns.
The Utah Consumer Privacy Act is one of multiple statewide data privacy laws that establish rights for consumers and responsibilities for companies that process the data of Utah residents.
Like other privacy acts, the Utah privacy law gives consumers a number of rights related to their personal data, including the right to:
It also requires businesses to provide information to consumers about how their data is used and to accept and comply with requests to exercise their rights, including requests to delete or stop selling the consumer’s personal data.
The bill also allows the Division of Consumer Protection to investigate complaints and authorizes the attorney general’s office to enforce the law and impose penalties against businesses that fail to comply.
The UCPA applies to businesses that:
Compared to other data privacy laws, the UCPA is more friendly to businesses in that it has a narrower scope, which excludes many companies from compliance.
For one, the law’s definitions vary from other state laws. The Utah privacy law defines “consumer” as “an individual who is a resident of the state acting in an individual or household context,” but it explicitly excludes “those acting in an employment or commercial context.” So, employee data is not protected under the UCPA. That’s in contrast to other laws, such as California’s CCPA/CPRA.
The definition of “sale” is also limited in scope in that it only applies to the exchange of data for monetary consideration by a controller to a third party. Unlike other U.S. privacy laws, it does not include an “other valuable consideration” clause, as is the case in the California, Colorado, and Virginia laws. These other state laws consider any valuable exchange—even if it isn’t a monetary one—to constitute a sale.
“Data” is defined broadly as “information that is linked or reasonably linkable to an identified individual or an identifiable individual.” The UCPA also makes exceptions for aggregated and de-identified data that can’t be linked back to the original data subject, whereas the California, Colorado, and Virginia data laws all stop at making an exception for de-identified data.
Additionally, consumers have fewer options under the UCPA compared to other states. For example, unlike consumers under its predecessors, Utah consumers cannot appeal a business’s decision not to provide information in response to data subject access requests (DSARs). They cannot opt out of profiling, and they cannot request the correction of inaccuracies in their data.
Lastly, the UCPA has a 30-day cure period with no sunset provision. That means violators of the law will be given 30 days to fix (or “cure”) their violation, and that this cure period won’t go away. Most other state laws have similar cure periods, but these are only meant to serve as temporary solutions to help businesses adjust to the regulation—after a year or two, they typically expire, and businesses are on the hook for any violations.
The UCPA requires data controllers (i.e., the organization that determines the purposes and means of processing personal data) and processors (i.e., the organization that processes personal data on behalf of the controller) to have a contract that governs the processing of data and binds the processor to a “duty of confidentiality with respect to the personal data.”
Controllers must also provide consumers with a privacy notice that includes:
If a controller sells personal data to third parties or engages in targeted advertising, the controller must disclose how consumers can opt out of the sale of data and processing for targeted advertising.
The Utah attorney general is charged with enforcing the UCPA and the Division of Consumer Protection oversees consumer complaints. If a business is found to be in violation of the law, the attorney general will provide written notice and a 30-day cure period, as described above.
If a controller or processor fails to cure the violation, the attorney general can fine the organization for actual damages and up to $7,500 per violation. Since each instance of improper use of personal data counts as a violation, penalties can become very steep, very quickly.
Because the UCPA is more business friendly than other state data privacy laws, it’s relatively easier to become compliant with it—but that doesn’t mean it’s actually easy.
When a new law that will impact your business operations takes effect, it’s important to review the text of the law and bring in legal counsel to help sort through the specifics.
It’s also imperative you stay up to date on new privacy laws. The Osano newsletter is a great resource for all things data privacy. Or, if you don’t want to worry about data compliance, you may want to try Osano’s Consent Management Platform (CMP).
Listed below are some frequently asked questions about the Utah Consumer Privacy Act.
December 31, 2023.
Sensitive data is personal data that reveals an individual’s racial or ethnic origin, religious beliefs, sexual orientation, citizenship or immigration status. The UCPA doesn’t require consent for processing this data, but controllers must notify consumers and give them an opportunity to opt out of processing sensitive personal data.
The UCPA defines a child as someone younger than 13 years old. To process their information, verifiable consent must be granted by their parent or legal guardian. Data must be processed in compliance with the Children’s Online Privacy Protection Act (COPPA).
In addition to organizations that don’t meet the revenue or volume thresholds, there are other exemptions for higher education institutions, nonprofit organizations, government organizations and contractors, indigenous tribes, air carriers, those covered by the Health Insurance Portability and Accountability Act (HIPAA), and financial institutions governed by the Gramm-Leach-Bliley Act.
In addition, information subject to other laws is exempt, such as HIPAA, the Gramm-Leach-Bliley Act, Fair Credit Reporting Act, Driver’s Privacy Protection Act, Family Educational Rights and Privacy Act, or Farm Credit Act.