Utah is the fourth US state to enact comprehensive consumer privacy legislation, known as the “Utah Consumer Privacy Act (UCPA)”.  

Official text: Utah Senate Bill 277

Effective date: December 31, 2023

What is the Utah Consumer Privacy Act (UCPA)? 

In March 2022, Utah enacted the Consumer Privacy Act (UCPA) to empower state residents with more control over their personal data held by organizations. It will take effect on December 31, 2023.

While the UCPA shares some basic similarities with privacy laws in other US states, Utah aimed to adopt a more business-friendly approach. For instance, consumer rights requirements are less stringent than in other states.

The law also mandates transparency from organizations about the sharing of personal data. However, it includes essential exceptions and provides flexibility for businesses. Overall, the UCPA strikes a balance between resident privacy rights and business interests.

The Utah Attorney General’s office and the Division of Consumer Protection are tasked with enforcing compliance with the Act.

Who does UCPA apply to?

UCPA applies to any controller or processor conducting business in Utah or offering products or services targeting Utah residents that:

  • Has an annual revenue of $25,000,000 or more and
  • Satisfies one or more of the following thresholds:
    • Processes the personal data of 100,000 or more consumers in a calendar year.
    • Derives 50% of gross revenue from personal data sales and controls or processes the personal data of at least 25,000 consumers.

Exemptions include government entities and third parties acting on their behalf, tribes, higher education institutions, and nonprofit corporations.

What is personal data in UCPA?

The UCPA defines “personal data” as any information linked or reasonably linkable to an identified or identifiable individual.

The act further categorizes certain types of information as “sensitive data,” a subset of personal data that receives enhanced protections. Sensitive data encompasses personal details on race, religion, sexual orientation, citizenship, health conditions, medical treatment, genetic or biometric identifiers, and geolocation data.

However, certain types of data are excluded from the definition of personal data:

  • Deidentified data from which identifying information has been removed
  • Aggregated statistical data about groups of individuals
  • Information that is already publicly available through lawful means.

What are the key requirements of UCPA?

  • Privacy notices: Provide consumers with accessible, clear privacy notices that disclose:
    • Categories of personal data processed
    • Purposes each data category is processed for
    • How consumers can exercise their UCPA rights
    • Categories of personal data shared with third parties, if any
    • Categories of third parties with which personal data is shared, if any
    • Clear opt-out process for the sale of personal data or targeted advertising

  • Data security practices: Establish, implement, and maintain reasonable administrative, technical, and physical security practices considering business size and data volume/sensitivity.
  • Consumer consent: Obtain consumer consent and provide an opportunity to opt out before processing personal data for targeted advertising or selling it to third parties.
  • Non-discrimination: Do not discriminate against consumers exercising their rights by:
    • Denying goods or services
    • Charging different pricing or rates
    • Providing different levels of quality

Differential pricing unrelated to rights exercise is permitted.

  • Disclosure of reliance on data: Disclose where a consumer’s personal data, or the processing of such data, is reasonably necessary for the provision of goods, services, or functionality.
  • No waiver of rights: Any contract provisions that waive or limit consumer UCPA rights are void.

What are the consent requirements in UCPA?

UCPA defines ‘consent’ as an affirmative act by a consumer that indicates their voluntary and informed agreement to allow a person or organization to process personal data related to them.

With regard to parental consent for minors under the age of 13, the UCPA states that organizations are considered compliant with any UCPA obligation to obtain parental consent if they comply with the verifiable parental consent mechanisms outlined under the Children’s Online Privacy Protection Act (COPPA) and its implementing regulations and exemptions.

You also need consent if you are using personal data for a secondary purpose, which is different from the original purpose for which the data was collected.

What are consumer rights under UCPA?

UCPA grants Utah residents certain rights over personal data:

  • Right to be informed: Controllers must provide notice of categories of personal data processed, purposes of processing, how to exercise rights, data sharing practices, and categories of third parties data is shared with.
  • Right to access: The right to access copies of personal data held by controllers.
  • Right to delete: Right to delete certain personal data held by controllers.
  • Right to data portability: The right to obtain personal data in a readily usable, portable format that allows transmission to another controller without any hindrance.
  • Right to opt-out: Right to opt out of processing personal data for targeted advertising or sale purposes.

What are the fines and penalties under UCPA?

If an organization violates the personal data protection requirements in the UCPA, the Attorney General can take legal action against them. The organization would then have to:

  • Pay monetary damages to consumers to cover any losses due to the violation
  • Pay fines of up to $7,500 to the State of Utah for each violation

The Attorney General allows a 30-day cure period to remedy the breach.  

All money recovered from UCPA cases goes into Utah’s Consumer Privacy Account.

[Infographic: CPRA vs UCPA]

Checklist for UCPA compliance

  • Develop and publish clear, accessible privacy notices for consumers
  • Regularly update notices to reflect changes in data processing practices
  • Establish and maintain reasonable administrative, technical, and physical security measures
  • Conduct regular risk assessments and adjust security practices accordingly
  • Ensure opt-out processes are straightforward and easily accessible
  • Obtain parental consent for data processing related to minors
  • Develop and communicate policies that prohibit discrimination against consumers exercising their rights
  • Establish processes for handling consumer requests

FAQ on Utah Consumer Privacy Law

What is protected under the Privacy Act?

The Utah Consumer Privacy Act protects personal data, which includes any information linked or reasonably linkable to an identified or identifiable individual (Utah resident). This does not include publicly available, aggregated, or de-identified data. Specific protections include consumer rights to access, delete, obtain, and opt out of the processing of their personal data.

What is Utah’s right to privacy law?

The UCPA establishes new privacy rights under Utah law, giving consumers control over personal data collected about them by qualifying businesses. These rights include:

  • The right to be informed about their personal data
  • The right to access their personal data
  • The right to delete personal data they provided
  • The right to obtain their data in a portable format
  • The right to opt out of processing for targeted advertising or data sales

What is the UCPA summary?

The Utah Consumer Privacy Act (UCPA), effective December 31, 2023, gives Utah residents control over personal data. It applies to businesses with over $25 million in annual revenue targeting Utah or processing data of a certain scale.

  • UCPA defines personal data broadly, including sensitive info like race or health.
  • Exempt entities include government entities and non-profits.
  • Requirements include clear privacy notices, secure data practices, consent for sensitive or children’s data, and no discrimination against rights-exercising consumers.
  • Consent means a voluntary, informed agreement. For minors under 13, compliance follows COPPA mechanisms.
  • Consumer rights include being informed, access, deletion, data portability, and opting out of targeted ads or data sales.
  • Violations lead to legal action, requiring organizations to pay damages to consumers and fines of up to $7,500 per violation.

What does the UCPA do?

UCPA grants Utah residents greater control over their personal data held by businesses. It imposes several key requirements on businesses, including the obligation to provide clear and accessible privacy notices, establish secure data practices, obtain consent for processing sensitive or children’s data, and refrain from discriminating against consumers exercising their privacy rights.