December 1, 2023

Understanding the Utah Consumer Privacy Act (UCPA): A Comprehensive Overview of the New Consumer Privacy Law

Learn about the Utah Consumer Privacy Act (UCPA), its impact on businesses operating in Utah or targeting Utah customers, compliance requirements, consumer rights, data security measures, and penalties for non-compliance.

Utah is one of the few US states with a consumer privacy law. It is the fourth state to enact legislation to protect consumers’ personal information.

The UCPA follows the trend set by the states of California, Virginia, and Colorado, which also have passed privacy laws in recent years. Connecticut followed soon after Utah.

If you operate a business from Utah or online and target Utah customers, you need to learn about this law because it will affect your business. It sets simple requirements similar to other state privacy laws.

This article is a brief overview of these requirements. It will give you an idea of what you need to do to comply with it and stay safe from penalties.

What is the Utah Consumer Privacy Act (UCPA)?

The Utah Consumer Privacy Act (UCPA) is one of the few US state data privacy laws. In the absence of a federal data protection law, state laws protect consumers against excessive data processing practices.

Governor Spencer Cox signed the UCPA in March 2022. Its effective date is 31 December 2023.

It grants consumers rights and imposes some duties on businesses. All are described further in this article.

How are businesses impacted by the UCPA?

Here are some of the key ways in which the UCPA impacts businesses:

  • It gives consumers more control over their personal data. Consumers have the right to access, delete, and opt out of the sale of their personal data. They also have the right to be notified of data breaches and data misuse.
  • It requires businesses to be more transparent about their data practices. Businesses must provide consumers with a privacy policy that describes how their personal data is collected, used, and shared. They must also provide consumers with a clear and conspicuous way to opt out of the sale of their personal data.
  • It imposes stricter data security requirements on businesses. Businesses must take reasonable measures to protect the personal data they collect from unauthorized access, use, disclosure, alteration, or destruction.

In addition to these general requirements, the UCPA also imposes specific requirements on certain types of businesses, such as:

  • Businesses that process the personal data of children. These businesses must obtain verifiable parental consent before collecting or processing the personal data of children under the age of 13.
  • Businesses that engage in targeted advertising. These businesses must provide consumers with a clear and conspicuous way to opt out of targeted advertising.

Does UCPA apply to my business?

UCPA applies to any business that:

  • Conducts business in the state of Utah or produces a product or service that is targeted to consumers who are residents of the state, and
  • Has annual revenue of $25,000,000 or more, and
  • Satisfies one or more of the following thresholds: 

Some entities are exempt from the UCPA. The exemptions include:

  • Government bodies
  • Tribes
  • Business associates
  • Nonprofits
  • Institutions of higher education
  • Protected health information according to the Health Insurance Portability and Accountability Act (HIPAA)
  • Personal data collected as part of human subjects research
  • Data protected by the Gramm-Leach-Bliley Act (GLBA)
  • Financial institutions that process data according to the Fair Credit Reporting Act (FCRA), and others.

How can businesses comply with the UCPA?

Here are some of the key ways in which businesses comply with the UCPA:

  • Designate a data privacy officer: This individual will be responsible for overseeing the company's compliance with the UCPA.
  • Conduct a data privacy audit: This will identify all of the personal data that the company collects, processes, and shares.
  • Develop a data privacy policy: This policy should explain how the company collects, uses, and shares personal data. It should also include information about consumer rights under the UCPA.
  • Train employees on data privacy: Employees should be trained on the company's data privacy policy and procedures.
  • Implement data security measures: This includes measures to protect personal data from unauthorized access, use, disclosure, alteration, or destruction.
  • Respond to consumer requests: Consumers have the right to access, delete, and opt out of the sale of their personal data. Businesses must respond to these requests within a reasonable timeframe.

What is personal data under UCPA?

UCPA defines personal data as any information that is linked or reasonably linkable to an identified individual or an identifiable individual. Simply put, any information that could directly or indirectly identify a person is personal data.

This includes personal names, Social Security Numbers, Driver’s License Numbers, email addresses, phone numbers, IP addresses, browsing behavior, or any other information that could lead to a person acting in an individual or household context.

Deidentified data, aggregated data, and publicly available information are excluded from the UCPA's scope.

What is UCPA sensitive personal data?

Sensitive data means personal data that reveals:

  • Racial or ethnic origin
  • Religious beliefs
  • Sexual orientation
  • Citizenship or immigration status
  • Health data
  • The processing of genetic personal data or biometric data, if the processing is to identify a specific individual, or
  • Specific geolocation data.

What are data controllers and data processors?

The data controller is the person that makes decisions on the data processing. The data processor processes the data on behalf of a controller. In CCPA and CPRA, data processors are called service providers.

For example, suppose you have a business and decide to install website analytics software, and you choose Google Analytics. In your relationship with Google, you are the controller because you decide how you want to process the data and what to include in the processing. Google is your processor because they process data on your behalf.

What are processing agreements?

Processing agreements are the contracts between controllers and processors for the processing of personal data. They must be in written form.

Among other things, the processing agreement lets the controller instruct the processor on the data processing: what categories of personal data to process and for what purpose, what data security standards apply, and so on.

The controller must have a processing agreement with every data processor they engage with. This includes every third-party tool, even the small plugins installed on the website. In many cases, the Terms and Conditions will serve as a processing agreement as long as they contain provisions on the data processing.

What is a UCPA privacy notice?

You have transparency duties to your consumers, which oblige you to give them a privacy notice on data collection. It must contain a clear notice of:

  • The categories of personal data processed by the controller
  • The purposes for which the categories of personal data are processed
  • How consumers may exercise a right
  • The categories of personal data that the controller shares with third parties, if any
  • The categories of third parties, if any, with whom the controller shares personal data
  • How to opt out of the sale of personal data and targeted advertising.

Do I need to collect users’ consent to process personal data?

No, UCPA does not require businesses to collect users’ consent to process personal information, nor any other form of opt-in. This law, as well as all other US state privacy laws, relies on the opt-out principle. It allows businesses to collect and process personal data until the consumer objects to that and opts out of the processing.

You have to request consent, however, in two cases:

  • If you knowingly collect children’s data, you need parental consent, and
  • For secondary use of data, which means processing data for purposes that have not been listed in the privacy notice at the time of collection.

What is the sale of personal data under the UCPA?

Unlike other privacy legislation of the US states, the Utah CPA limits the definition of the sale of personal data strictly to the exchange of consumer data for monetary compensation. It does not include “other valuable consideration,” as CPRA does.

You sell consumers’ personal data only if you receive money for it. If you do so, you need to let them opt out of the sale if they want to.

How to allow consumers to opt out of the sale of personal data or targeted advertising?

The UCPA does not specify the methods for opting out. Unlike the CCPA/CPRA, which explicitly requires an opt-out link, UCPA allows you to determine your own methods for letting consumers opt out of the sale of their data or targeted advertising.

What are UCPA consumer rights?

Like other data privacy laws, UCPA grants consumers rights as follows:

  • Right to know whether their personal data is being processed by the business
  • Right to access their personal data
  • Right to deletion of their personal data
  • Right to data portability
  • Right to opt out of the sale of personal information
  • Right to opt out of targeted advertising

How to comply with UCPA consumer requests?

You have no choice but to honor consumer requests unless:

  • You believe that the request is fraudulent,
  • The requests are repetitive and excessive and impose burdens on your business, or
  • You cannot identify the requester.

In all other cases, you must comply with the requests and respond to them free of charge. The deadline for response is 45 days, which can be extended by 45 more days for complex requests.

Before responding, you must identify the person who exercises their rights to ensure that you do not allow access to personal information to an unauthorized person.

What are the UCPA data security requirements?

UCPA, like many other privacy laws, prescribes only a general duty to implement adequate data security measures. It doesn’t explicitly state what measures are necessary. Instead, it allows the business to determine the technical, organizational, and physical measures that are the most adequate for the specifics of their processing.

Unlike California and Virginia privacy laws, the Utah Consumer Privacy Act does not require data protection assessment as a data security measure. However, implementing one is a good data security practice that could benefit your business.

Who enforces the UCPA?

The Utah Attorney General enforces the UCPA. They can investigate cases related to UCPA violations and impose penalties on businesses if they find any breaches.

Before imposing any fines, the Attorney General will allow the business in breach a 30-day cure period. If the business remedies the violation within this period, it will avoid the fine. If the violation is still in place, penalties are unavoidable.

The Division of Consumer Protection can also investigate consumer complaints but is not competent to take any enforcement action.

The UCPA does not grant consumers a private right of action, unlike the California Privacy Rights Act. Consequently, they can rely only on the Attorney General to protect consumer privacy rights. They cannot do it themselves.

What are the UCPA penalties for non-compliance?

The Attorney General can:

  • Impose a fine of up to $7,500 per violation, where the same violation against 100 consumers equals 100 violations and means a fine of up to $750,000, and
  • Recover the actual damages the consumer suffered due to the UCPA violation.

Is the UCPA similar to other US state privacy laws?

UCPA shares many similarities with the Colorado Privacy Act, California Consumer Privacy Act, and the Virginia Consumer Data Protection Act (VCDPA). You can assume that its requirements are still not as comprehensive as those of the GDPR of the EU. It is not the most comprehensive data protection law to date, but it makes Utah one of the few states with a state privacy law.
