Utah passed the Utah Consumer Privacy Act in March 2022, making it one of the first states in the U.S. to enact a comprehensive consumer privacy law.
Below, I summarize the requirements of the UCPA, including how it impacts businesses, the rights it grants to consumers, how to achieve compliance, and the penalties for violating the law.
What Is the Utah Consumer Privacy Act (UCPA)?
The Utah Consumer Privacy Act (UCPA) is a U.S. state-level data privacy law that protects the personal information of residents of Utah.
Considered a more business-friendly law, the UCPA provides rights to consumers, outlines obligations for businesses, and describes penalties for noncompliance.
UCPA Key Terms and Definitions
To help you better understand the UCPA, I’ve included a list of some key terms with their definitions exactly as they appear in the text of the law below.
Utah is one of the few states whose privacy law does not treat data revealing racial or ethnic origin as a category of sensitive personal information.
When Did the Utah Consumer Privacy Act Take Effect?
The UCPA took effect on December 31, 2023, and is now fully in force.
Who Does the UCPA Protect?
The UCPA protects the personal data of residents of the state of Utah acting in an individual or household context only.
It does not apply to individuals acting in a commercial or employment context.
Who Must Comply With the UCPA?
Your business needs to comply with the UCPA if you do business in Utah or offer goods and services to Utah residents, have annual revenue of at least $25 million, and meet one of the following thresholds:
- You process or control personal data for at least 100,000 consumers or
- You process or control the personal data of at least 25,000 consumers and earn more than 50% of your revenue from selling personal data.
You’re exempt from the UCPA if you process data as a government contractor or if your organization is a nonprofit or an institution of higher education.
Consumer Privacy Rights
Utah’s data privacy law gives consumers the following rights over their personal information:
- Confirm if a controller processes their information
- Access data collected about them
- Request to delete their personal information
- Obtain a portable copy of their data
- Opt out of targeted advertising
- Opt out of the sale of personal data
- Non-discrimination for exercising their rights
Unlike most other U.S. state privacy laws, Utah consumers do not have a right to correct their information or opt out of profiling.
UCPA Business Requirements
Below, I summarize the primary business requirements outlined by the UCPA.
Privacy Policy Guidelines
Under the UCPA, businesses must present users with a privacy policy that includes the following information:
- The categories of personal data processed
- The purpose of the processing
- How consumers can exercise their rights
- The categories of data shared with third parties, if any
- The categories of third parties the data is shared with, if any
- A conspicuous disclosure of the consumers’ right to opt out of the sale of their data and targeted advertising
Consent Management
Businesses subject to the UCPA must manage consumer consent preferences in accordance with the law for certain types of data processing.
For example, you must implement a way for consumers to easily opt out of the sale of their data and of targeted advertising.
Similarly, while consent is not required to process sensitive information, you must give consumers the chance to opt out.
This is achievable by adding a consent banner to your website with a link to your cookie policy and a preference center where consumers can change their minds anytime.
Contractual Obligations
The UCPA requires data controllers and processors to enter contracts that:
- Set forth instructions for the processing, including its nature and purpose and the type of data to be processed
- Include information about the duration of processing and the rights of both parties
- Require all persons processing the data to be bound by a duty of confidentiality
- Require processors to bind any subcontractors to a contract with the same stipulations
These are less comprehensive requirements than other U.S. state-level privacy laws.
Responding to Consumer Requests
Businesses under the UCPA are responsible for verifying the identities of consumers who submit requests to exercise their privacy rights.
Controllers have 45 days to send a response, which may be extended by an additional 45 days when reasonably necessary, depending on the complexity of the request.
You cannot charge a fee for these requests unless it is the second request from a consumer during a 12-month period.
Data Security Guidelines
Under the Utah Consumer Privacy Act, controllers must use security practices to protect consumers’ personal data.
These practices include administrative, technical, and physical measures.
When determining what sorts of security measures are reasonable in your circumstances, the law permits you to consider the size of your business, what kind of personal data will be involved, and how much you process.
Penalties for Violating the UCPA
Violators of the Utah Consumer Privacy Act may be subject to two forms of fines or penalties:
- The consumer’s actual damages caused by the business’s violation of the law
- A maximum fine of $7,500 per violation
The Attorney General enforces the law, and consumers do not have a private right of action.
Using Termly for UCPA Compliance
Businesses can use Termly’s full suite of compliance solutions to help simplify meeting the requirements of the UCPA.
Our Privacy Policy Generator includes all necessary features and clauses to meet the transparency and disclosure guidelines outlined by Utah’s privacy law.
It asks easy questions about your business and how you process data, then makes a comprehensive policy based on your answers.
We also offer a Consent Management Platform (CMP) that is configurable to meet the opt-out requirements described by the law.
It includes a free data subject access request form, which you can link to from your website so Utah consumers can easily exercise their privacy rights.
Summary
If your business is subject to the UCPA, you should take a few essential steps to achieve compliance.
Ensure you have an updated privacy policy that meets all notification requirements outlined by Utah’s privacy law. Add a consent banner to your website with a preference center so consumers can exercise their opt-out rights.
Remember to implement adequate security measures to keep all personal data you collect safe from unauthorized access, breaches, and other risks.
Take the complexity out of compliance by using Termly’s suite of solutions to meet the requirements of the UCPA and several other privacy laws from around the world.