Utah was the fourth US state to pass a comprehensive privacy law, after California (CCPA), Colorado (CPA), and Virginia (VCDPA). The Utah Consumer Privacy Act (UCPA) takes effect on December 31, 2023. The Utah privacy law is considered one of the most business-friendly data privacy laws so far.
What is the Utah Consumer Privacy Act?
The Utah Consumer Privacy Act (UCPA) protects the data privacy rights of residents of Utah and establishes data privacy obligations for entities processing the data of Utah residents.
Like some other US state laws, the UCPA uses an opt-out consent model: by default, personal data can be collected, processed, sold, or used for targeted advertising without asking for consumers’ consent, except in the case of a child. However, consumers who do not want their data processed in this way have the right, and must be given the option, to opt out of the sale of their data or its use for targeted advertising.
Controller, processor, and consumer
The UCPA applies to controllers or processors of personal data. The controller is defined in the law as: “a person doing business in the state who determines the purposes for which and the means by which personal data are processed, regardless of whether the person makes the determination alone or with others.”
The processor is defined as: “a person who processes personal data on behalf of a controller.” In the definitions of controller and processor, the term “person” also covers company entities that process data, not just individuals.
The consumer is defined as: “an individual who is a resident of the state acting in an individual or household context.” This definition covers people acting in a private capacity and excludes those “acting in an employment or commercial context,” i.e., for business purposes.
Sale of personal data
The UCPA applies to the sale of personal data and targeted advertising. The law defines a sale in the following way: “the exchange of personal data for monetary consideration by a controller to a third party.”
This means that, unlike the CCPA and CPRA, the Utah privacy law does not treat non-monetary data transfers as a sale. Likewise, the UCPA allows the sharing of data and does not consider it a sale. Targeted advertising, however, is covered by the law.
Personal data under the UCPA
Personal data under the UCPA is defined as “information that is linked or reasonably linkable to an identified individual or an identifiable individual.” Some forms of personal data, like a name or email address, make a consumer a directly identified individual, while other forms, like an IP address, can make a consumer an identifiable individual when combined with additional personal data.
Note that information that is publicly available, deidentified, or anonymized is not considered personal data. Aggregated data about groups of consumers is not considered personal data either.
Sensitive personal data under the UCPA
Under the UCPA, sensitive personal data is defined as personal data that includes the following details:
- racial or ethnic origin;
- religious beliefs;
- sexual orientation;
- citizenship or immigration status;
- medical history, mental or physical health condition, medical treatment or diagnosis;
- genetic data;
- biometric data;
- geo-location data.
Unlike the majority of other data privacy laws, the UCPA does not require consent for processing sensitive personal data. However, controllers must clearly notify consumers about the processing and must provide the means to opt out of having their sensitive personal data processed before the data is collected and processed.
The following entities are excluded from the UCPA:
- institutions of higher education;
- nonprofit organizations;
- government organizations and contractors;
- indigenous tribes;
- air carriers;
- organizations covered by the Health Insurance Portability and Accountability Act (HIPAA);
- financial institutions governed by the Gramm-Leach-Bliley Act.
The UCPA does not apply to information that is already subject to the following regulations:
- Health Insurance Portability and Accountability Act (HIPAA);
- Gramm-Leach-Bliley Act;
- Fair Credit Reporting Act;
- Driver’s Privacy Protection Act;
- Family Educational Rights and Privacy Act;
- Farm Credit Act.
Data processed or maintained in the course of employment, including job applicant data, is also exempt from the law.
Who does the Utah Consumer Privacy Act Apply to?
The Utah Consumer Privacy Act applies to any entity that:
- conducts business in the state or produces a product or service that is targeted to consumers who are residents of the state;
- has annual revenue of $25,000,000 or more;
- and satisfies one or more of the following criteria:
- during a calendar year, controls or processes the personal data of 100,000 or more consumers; or
- derives over 50% of the entity’s gross revenue from the sale of personal data and controls or processes personal data of 25,000 or more consumers.
This differs from other data privacy laws in that companies must meet multiple criteria for the law to apply. For example, an entity must have US $25 million in annual revenue and process the data of 100,000 consumers; neither condition alone is sufficient for the UCPA to apply.
The annual revenue threshold automatically excludes smaller companies from UCPA compliance. Similarly, larger entities that meet the revenue threshold are not subject to the law unless they also meet one of the additional criteria.
Under the UCPA, a consumer is defined as “an individual who is a resident of the state acting in an individual or household context.” So, like the VCDPA and CPA, the UCPA excludes individuals acting in an employment or commercial context, and entities do not count the personal data of such individuals when counting the number of consumers.
Businesses’ Obligations Under the Utah Consumer Privacy Act
Controllers must provide consumers with a privacy notice that includes:
- categories of personal data processed by the controller;
- categories of personal data the controller shares with third parties, if any;
- the purpose of processing the data;
- categories of third parties with whom the controller shares personal data, if any;
- the means for consumers to exercise their rights.
If personal data is sold to a third party or used for targeted advertising, the controller must “clearly and conspicuously disclose” how consumers can opt out of the sale of their data or its use for targeted advertising.
Data controllers must “establish, implement, and maintain reasonable administrative, technical, and physical data security practices designed to protect the confidentiality and integrity of personal data.” This also applies to third parties used by the controller for data processing and must be included in contracts between controllers and third-party processors.
Processing of children’s personal data
Under the UCPA, a child is defined as an individual known to be under 13 years old. Controllers must obtain verifiable parental consent prior to processing the data and process the data in accordance with the Children’s Online Privacy Protection Act (COPPA). The processing of children’s data is the only activity under the UCPA that requires explicit consent.
Controllers are prohibited from “discriminating against a consumer for exercising a right by:
- denying a good or service to the consumer;
- charging the consumer a different price or rate for a good or service; or
- providing the consumer a different level of quality of a good or service.”
However, a controller is allowed to offer “a different price, rate, level, quality, or selection of a good or service to a consumer” if the consumer has opted out of targeted advertising, or if the offer relates to the consumer voluntarily participating in the controller’s loyalty program.
Data processing contracts
Data processing activities performed by a processor on behalf of a controller must be governed by a contract. The contract needs to include data processing instructions and other information, including:
- nature and purpose of the processing;
- type of data to be processed;
- duration of the processing;
- all parties’ rights and obligations, including a duty of confidentiality;
- the requirement that the processor has a written contract with any subcontractor engaged to process personal data, meeting the same obligations as the processor.
Unlike the VCDPA and CPA, the UCPA does not require controllers to conduct data protection assessments to evaluate the risks associated with data processing activities.
Controllers are obligated to respond to a consumer’s request within 45 days. When reasonably necessary, a controller may extend the response period by an additional 45 days, provided it “inform[s] the consumer of the extension, including the length of the extension (and reasons for it),” within the initial 45-day response period.
The UCPA does not generally allow controllers to charge a fee for responding to a request. A controller may, however, charge a reasonable fee if:
- the request is a consumer’s second or subsequent request during the same 12-month period;
- the request is “excessive, repetitive, technically infeasible, or manifestly unfounded”;
- the controller “reasonably believes the primary purpose in submitting the request was something other than exercising a right”;
- the request “harasses, disrupts, or imposes an undue burden on the resources of the controller’s business.”
Unlike some other privacy laws, the UCPA does not have an appeal process for consumers whose requests were denied.
Consumers are provided with four main rights under the UCPA:
- Right to access. Consumers have the right to confirm whether a controller is processing their data, and the ability to request and receive that data.
- Right to delete. Consumers have “the right to delete the consumer’s personal data that the consumer provided to the controller.” Importantly, the UCPA does not give consumers the right to delete all personal data that a controller has about them, only the personal data they provided to the controller.
- Right to data portability. Consumers have the right to obtain a copy of the personal data they provided to the controller in a format that is portable to a technically reasonable extent, readily usable to a practical extent, and allows the consumer to transmit the data to another controller reasonably easily, where the processing is carried out by automated means.
- Right to opt out of certain processing, specifically for the sale of personal data or the purposes of targeted advertising. Unlike the VCDPA and CPA, the UCPA does not provide the right to opt out of profiling.
Unlike the CCPA, CPA, or VCDPA, the Utah privacy law does not grant Utah consumers the right to correct inaccuracies in their personal data.
The UCPA does not provide for a private right of action. As with the VCDPA, the attorney general has exclusive enforcement authority. If the attorney general decides to act on a referred matter, the office must first inform the controller or processor. Controllers and processors then have 30 days to cure the violation and provide the attorney general with an “express written statement that the violation has been cured and no further violation of the cured violation will occur.”
If the data controller or processor fails to cure the violation, or continues violating the law after providing a written statement to the contrary, the attorney general can initiate an enforcement action and impose penalties. Actual damages and fines can be up to US $7,500 per violation.
The UCPA and Consent Management
Under the UCPA, an opt-out consent model is used, meaning that data controllers are not required to obtain consumers’ consent before collecting or processing personal data, even sensitive personal data, with the exception of the processing of children’s data.
However, data controllers must clearly notify consumers and provide an option to opt out of having their personal data processed before or at the time of collection and processing.
For entities that do business globally, geo-targeting functionality is recommended. With CookieScript geo-targeting, different privacy notices will be delivered to consumers based on their geographic locations, and website visitors will be presented with the right banners.
Frequently Asked Questions
What is the Utah Consumer Privacy Act (UCPA)?
Who does the Utah Consumer Privacy Act apply to?
The Utah Consumer Privacy Act applies to any entity that conducts business in Utah or produces a product or service that is targeted to residents of Utah, has annual revenue of $25,000,000 or more, and satisfies at least one of the following criteria: during a calendar year, controls or processes personal data of 100,000 or more consumers, or derives over 50% of the entity’s gross revenue from the sale of personal data and controls or processes personal data of 25,000 or more consumers.
Does Utah have privacy laws?
On 3 March 2022, the Utah Senate passed Senate Bill 227, the Utah Consumer Privacy Act (UCPA), which was signed by the Governor on 24 March 2022, making Utah the fourth US state to enact comprehensive privacy legislation. The UCPA goes into effect on 31 December 2023. Read the CookieScript privacy laws pages to stay updated.
Does the Utah Consumer Privacy Act (UCPA) allow the sale of my data?
The UCPA defines a sale in the following way: “the exchange of personal data for monetary consideration by a controller to a third party.” This means that the Utah privacy law does not treat non-monetary data transfers as a sale. Likewise, the UCPA allows the sharing of data and does not consider it a sale.
What are consumers’ rights under the Utah Consumer Privacy Act (UCPA)?
What is personal data under the Utah Consumer Privacy Act (UCPA)?