Utah has joined a growing list of US states that have passed a data privacy law to protect consumers’ data and give them greater control over data privacy.
The Utah Consumer Privacy Act (UCPA), passed by the Utah Legislature in March 2022, is similar to its predecessors, but it includes some parts that are more business-friendly than the earlier laws.
Unlike the similar laws passed in other states, Utah’s data privacy law applies only to businesses that bring in at least $25 million in revenue each year and use consumer data in certain ways.
The UCPA strikes a middle ground between protecting consumers and overloading businesses with compliance.
So what does the UCPA mean for your business? And when do you have to start thinking about meeting its demands?
If you’ve already started taking steps to comply with the recent consumer data privacy laws in other states, you’re already on your way to complying with Utah’s new data privacy law as well.
For more specifics on the Utah data protection law, read on.
- What Is the Utah Consumer Privacy Act?
- What Does the UCPA Cover?
- What Are the Requirements of the UCPA?
- UCPA vs. CCPA vs. CDPA vs. CPA: Similarities and Differences
- How Are Consumers Impacted by the UCPA?
- How Are Businesses Impacted by the UCPA?
- Who Must Comply With the UCPA?
- How Can Businesses Comply With the UCPA?
- How Will the UCPA Be Enforced?
- Fines and Penalties Under the UCPA
- UCPA Checklist
- Summary
What Is the Utah Consumer Privacy Act?
The UCPA is one of the newest US privacy laws passed unanimously by the Utah State Legislature as Senate Bill 227, Consumer Privacy Act. The law will take effect on Dec. 31, 2023, giving businesses time to prepare for compliance.
The UCPA aims to protect the data privacy of Utah consumers by giving them tools to control the use of their data in some situations. Under the new legislation, consumers have the right to:
- Find out if their data is being processed
- Opt out of having their data processed
- Request copies of their data
- Instruct a company to stop using their data
However, these rights are far from unlimited, and the Utah Legislature carved out several exemptions for broad classes of data, data processors, and data collectors.
What Does the UCPA Cover?
The Utah Consumer Privacy Act covers a consumer’s personal data, and it applies to businesses that are either controllers or processors of personal data.
The act defines a processor as “a person who processes personal data on behalf of a controller.” A controller is “a person doing business in the state who determines the purposes for which and the means by which personal data are processed, regardless of whether the person makes the determination alone or with others.” (S.B. 227, 2022 Gen. Sess. Utah 2022)
Who Is a Consumer Under the UCPA?
Not everyone is a consumer in all circumstances under the Utah data privacy law. The UCPA defines a consumer as a Utah resident who is “acting in an individual or household context.” The legislation excludes individuals who are acting in a different context — for example, if a person is acting in an employment or commercial context, they’re not a consumer under the law.
How the UCPA Defines Personal Data
The UCPA defines personal data as “information that is linked or reasonably linkable to an identified individual or an identifiable individual.” However, the law carves out exceptions to this broad definition. For example, it doesn’t include data that has been separated from the consumer’s identity — called “de-identified data” or “aggregated data” — or publicly available information.
Which Processors and Controllers Are Covered by the UCPA?
Not every business that processes or controls personal data is covered by the Utah consumer protection legislation. For example, many businesses process data incidentally or do so on a smaller scale without the impact of more prolific data processors and controllers.
The UCPA sets several criteria that a business must meet to be covered. These are meant to ensure that smaller businesses that don’t have the same impact on Utah consumers’ personal data aren’t required to jump through the same hoops as companies that do process data.
To be covered as a processor or controller under the Utah data privacy law, your business must meet the following criteria:
- You must conduct business in Utah or target your products or services to Utah residents.
- You must have annual revenue of at least $25 million.
- You must process or control personal data for at least 100,000 consumers — or at least 25,000 consumers if the business gets more than 50% of its revenue from selling personal data.
Even if you meet the above criteria, however, you’re not considered a processor or controller under the UCPA if you’re a higher education institution, you’re a nonprofit, or you process data as part of government contract work.
What Are the Requirements of the UCPA?
The new Utah data privacy law focuses on protecting personal data and the consumer’s ability to control who uses that data and how.
The UCPA:
- Requires controllers to establish security practices to protect consumer data
- Allows consumers to make requests to controllers and processors to find out who has their data and get copies of it
- Mandates that controllers give consumers information about how their personal data is processed and offer them the choice to opt out
Security Practices
Under the Utah Consumer Privacy Act, controllers must use security practices to protect consumers’ personal data. These practices aren’t limited to one form but include administrative, technical, and physical measures.
However, the UCPA doesn’t require that you always use the most expensive and most protective security measures. When determining what sorts of security measures are reasonable in your circumstances, the law permits you to consider the size of your business, what kind of personal data will be involved, and how much personal data will be processed.
Contracts Between Controllers and Processors
Contracts between the controllers and processors are also subject to the UCPA. The act requires a contract to be in place and mandates that the contracts include certain provisions.
For example, the contract establishing your relationship must clearly provide information about processing the personal data, including instructions on how to process the data, what type of data will be processed, and for how long. The contract should also state the purpose for processing the data.
Finally, the contract should include instructions on security measures and provide that every person who processes data must keep the data confidential.
Consumer Requests
In addition to requiring controllers and processors to take certain proactive steps to protect consumers, the Utah Consumer Privacy Act gives consumers a number of rights.
One of the most basic of these rights is that the consumer may contact a controller to make several requests:
- Confirmation: The consumer may ask whether the controller processes the consumer’s data.
- Access: The consumer may request access to the data and may even obtain a portable copy of the data if it’s possible. The copy must also be readily usable if possible, and the consumer should be able to send the copy of the data to another controller easily.
- Deletion: The consumer may request that the controller delete a copy of their personal data.
- Opt-out: The consumer has an opt-out right to stop their personal data from being sold or processed for targeted advertising.
A consumer has to make the request using the method the controller chooses. The request can’t be made in order to harass, disrupt, or overwhelm the controller. When making a request, the consumer must explicitly say what they’re seeking.
After receiving the request, the controller must do one of three things:
- Take action: You must meet or deny the consumer’s request within 45 days, unless you extend the response period or you believe the consumer’s request is fraudulent and you need time to authenticate it. If you take action, you must give the consumer notice of what action you’ve taken.
- Extend the response period: You have the right to a one-time extension of the time to respond to the request. If you choose this option, you’ll have 45 more days to prepare your response. You must also inform the consumer if you take an extension.
- Pause the response period to authenticate the request: If you reasonably suspect the request is fraudulent, you don’t have to take action within the 45-day response period if you need more time to complete your authentication of the request.
The UCPA allows a controller to charge a fee for providing information to a consumer only in certain circumstances:
- If the consumer has already made at least one other request in the previous 12 months
- To cover administrative costs if you reasonably believe the request wasn’t made for a proper purpose, it disrupts or harasses your business, or the request is excessive, repetitive, or difficult to respond to
Notice to Consumers and Right to Opt Out
Your business is responsible for posting privacy notices giving consumers specific information about their personal data and how it’s processed, as well as explaining consumers’ rights under the Utah data privacy law.
Your privacy notice must include the following information:
- The type of personal data you process
- Your purpose for processing the data
- How a consumer can assert their rights under the law
- What types of personal data are shared with other parties
- The types of third parties the data is shared with
You must also notify consumers of their right to opt out of having their data processed in certain circumstances.
First, if you sell personal data to a third party, or the data will be used for targeted advertising, you have to give notice to the consumer on how to opt out of having their personal data sold or processed for targeted advertising.
Second, the UCPA requires that if you collect “sensitive data,” you must give the consumer clear notice of that as well as the ability to opt out of having that information processed. Examples of what the UCPA defines as sensitive data include:
- Race
- National origin
- Religion
- Sexual orientation
- Citizenship status
- Medical information
Lastly, if a customer chooses to opt out, you may not charge more or otherwise discriminate against the customer for doing so.
One exception would be if you offer a lower price to certain customers as part of a loyalty program or membership program and a higher price to the remaining customers. In that case, you can charge a higher price if the consumer opts out.
Children’s Data
If the consumer is known to be a child under the age of 13, you must get permission from their parent or legal guardian before processing the child’s information. The parental consent must be verifiable.
Furthermore, even with parental consent, you may only process data from a known child in a way that complies with the Children’s Online Privacy Protection Act.
UCPA vs. CCPA vs. CDPA vs. CPA: Similarities and Differences
Utah is the fourth state to pass a consumer data privacy act. California, Colorado, and Virginia all passed their own consumer data privacy laws before Utah.
Utah’s consumer protection legislation is modeled on these earlier statutes, but it has some key differences. Overall, Utah’s version will likely be slightly easier for businesses to comply with than the others.
| Utah Consumer Privacy Act | California Consumer Privacy Act | Colorado Privacy Act | Virginia Consumer Data Protection Act | |
| Revenue requirements for covered businesses | Businesses must have at least $25 million in revenue and meet additional criteria | Having at least $25 million in revenue is just one possible way that a business may be covered | None | None |
| Excludes aggregated or deidentified data | Both | Only deidentified data | Only deidentified data | Only deidentified data |
| Definition of a “sale” of data | Requires money to be exchanged | Requires an exchange, but it doesn’t have to be money. For example, if data is exchanged, that is a sale. | Requires an exchange, but it doesn’t have to be money. For example, if data is exchanged, that is a sale. | Requires an exchange, but it doesn’t have to be money. For example, if data is exchanged, that is a sale. |
| Contracts between controllers and processors | Has the least number of requirements | Requires everything the Utah law requires plus additional conditions. For example, the contract must give the controller the right to perform audits on the processor. | Requires everything the Utah law requires plus additional conditions | Requires everything the Utah law requires plus additional conditions |
| Opt-in vs. opt-out rights for sensitive data | Consumers may opt out of having their sensitive data processed, but controllers don’t have to get their consent before processing data. | Controllers must get a consumer’s consent before processing sensitive data. | Consumers may opt out of having their sensitive data processed, but controllers don’t have to get their consent before processing data. | Controllers must get a consumer’s consent before processing sensitive data. |
| Consumers can appeal a business’s decision not to provide information | No | Yes | Yes | Yes |
| Consumers have the right to opt out of profiling | No | Yes | Some profiling | Yes |
| Consumers can request that inaccuracies in their data are corrected | No | Yes | Yes | Yes |
| Requirements for the controller’s process for consumer requests | None — a controller may set their own method for how a consumer can make requests. | The law has certain requirements for methods for consumer requests. | Imposes some requirements | The law has certain requirements for methods for consumer requests. |
| Private right of action | No — the state attorney general is the only party who can file suit if a business violates the law. | Yes — a consumer can sue a business directly for violations. | No — the state attorney general is the only party who can file suit if a business violates the law. | No — the state attorney general is the only party who can file suit if a business violates the law. |
| Consumer has the right to request that personal data be deleted | Yes | Yes | Yes | Yes |
How Are Consumers Impacted by the UCPA?
Utah consumers are impacted by the Utah Consumer Privacy Act. They’ll have access to more details than ever about their personal data, including:
- How their personal data is processed
- Who has access to their personal data
- How their personal data is used
- Why their personal data is processed
- The specific data that has been collected
This access alone will be significant, as most people have never had such access before. A survey conducted by the Pew Research Center in 2019 found that over half of Americans understand very little about what companies do with the consumer data they collect.
The ability to opt out of having personal data processed and sold is also significant. The same Pew survey found that over 80% of Americans don’t feel comfortable with the lack of control over their personal data. Giving them the right to opt out of having data processed is a great way to address some of that discomfort.
How Are Businesses Impacted by the UCPA?
If the UCPA covers your business, you’ll be highly impacted. Here are some of the significant steps you’ll need to take:
- Ensure you have security practices to protect consumer data
- Review your contracts involving consumer data processing to ensure they meet the requirements in the statute
- Create a privacy notice to consumers
- Set up a way for consumers to opt out of having their personal data processed in certain circumstances
- Set up a process for consumers to request information about how their data is used as well as a process to authenticate and respond to these requests
Because the law doesn’t take effect until December 2023, you have time to prepare. Many businesses may already be in compliance. Two nearby states — California and Colorado — have already passed data privacy laws, so if your business is adhering to those laws, you may already be in compliance with some of the new Utah regulations.
Even businesses that the UCPA doesn’t cover may feel some pressure to implement some of the measures required by the law as consumers begin to expect more control over how their personal data is processed.
Who Must Comply With the UCPA?
Businesses defined as controllers or processors under the UCPA must comply with the law. Your business is a controller or processor if it meets these criteria:
- You conduct business in Utah or target your products or services to Utah residents.
- Your annual revenue is at least $25 million.
- You process or control personal data for at least 100,000 consumers — or at least 25,000 consumers if the business gets more than 50% of its revenue from selling personal data.
Are There Any Exemptions?
Yes. You don’t need to comply with the UCPA if you process data as a government contractor or your organization is a nonprofit or an institution of higher education.
How Can Businesses Comply With the UCPA?
If your business qualifies as a controller or processor under Utah data privacy law, you have until Dec. 31, 2023, to comply. Many businesses will be covered by the data privacy laws passed in California and Colorado. In most cases, if you comply with these other state laws, then you’ll also be in compliance with the UCPA.
Key things that you should prepare now:
- Review any contracts you have with your processor or controller to make sure they meet the UCPA requirements.
- Begin writing your privacy notices and your opt-in/opt-out buttons.
- Begin writing your policies for how you’ll handle consumer requests. Things to consider: How will consumers submit requests? How will you authenticate them? Who will manage the requests, and who will determine what action to take in response? How will you give consumers a copy of their data?
- Review your security practices for consumer data to ensure that they comply with the UCPA.
How Will the UCPA Be Enforced?
The Utah Consumer Privacy Act may be enforced only by the state attorney general. There’s no private right of action like the CCPA has, so consumers themselves may not file suit for violations.
The UCPA does authorize the Utah Division of Consumer Protection (DCP) to establish a system to receive complaints from consumers, and the DCP may also investigate those complaints. If the DCP concludes that a violation has occurred, it may refer the matter to the attorney general for enforcement.
However, before bringing an enforcement action against a business for failing to comply with the UCPA, the attorney general must give the business written notice of the provision that the business has violated and give that business at least 30 days to rectify its violation.
If the business responds within the time limit with a written notice explaining how the violation has been addressed, the attorney general may not initiate an enforcement action unless the business continues to violate the law.
Fines and Penalties Under the UCPA
Violators of the Utah Consumer Privacy Act may be subject to two forms of fines or penalties:
- The consumer’s actual damages caused by the business’s violation of the law
- A maximum fine of $7,500 per violation
Before levying any fines or penalties, the attorney general must first file an enforcement action against the business in court — and they must win.
UCPA Checklist
Click on the image below to view our Utah Consumer Privacy Act checklist:
Summary
Like its predecessors in California, Colorado, and Virginia, Utah’s Consumer Privacy Act takes significant steps to begin protecting consumers’ personal data. But it does so in a way to protect businesses as well.
Senator Kirk Cullimore, Utah’s Consumer Privacy Act’s sponsor, announced that the current state of the law is intended as a starting point. Depending on how the law performs, there might be future amendments, mainly because the Utah attorney general and the Division of Consumer Protection must submit a report evaluating its effectiveness by July 1, 2025.
Try Termly for Free!
Termly is a an easy-to-use solution for data privacy compliance and consent management.
We know that keeping up with complex data privacy laws can be confusing and time-consuming; that’s why we do the hard work for you!
Try our legal policy generators and cookie consent management solutions for FREE!
More about the author
Written by Masha Komnenic CIPP/E, CIPM, CIPT, FIP
Masha is an Information Security and Data Privacy Specialist and a Certified Data Protection Officer. She has been a Data Protection Officer for the past six years, helping small and medium-sized enterprises achieve legal compliance. She has also been a privacy compliance mentor to many international business accelerators. She specializes in implementing, monitoring, and auditing business compliance with privacy regulations (HIPAA, PIPEDA, ePrivacy Directive, GDPR, CCPA, POPIA, LGPD). Masha studied Law at Belgrade University, and she passed the Bar examination in 2016. More about the author
