Privacy-proof consumer data and stay ahead of UCPA compliance
The #1 cookie consent solution, trusted by 1.4 Million+ websites
Utah Consumer Privacy Act (UCPA) is a state-wide data privacy that regulates how businesses process the personal information of consumers in Utah and grants consumer rights including the right to opt-out of targeted advertising and sale of personal data. The Act is set to take effect on December 31, 2023.
UCPA Compliance Checklist for Websites
- Provide opt-out for the sale of personal data and targeted advertising
- Enable consumers to make data subject access requests
Prepare for UCPA Compliance with CookieYes
Implement opt-out requests
Under UCPA, when businesses sell personal data or use it for targeted advertising (including the use of third-party cookies), they should provide consumers with the right to opt out.
With CookieYes you can
Automate consent management
Ensure that websites set third-party cookies only based on user preferences and maintain continuous compliance.
With CookieYes you can
With CookieYes you can
Achieve cookie compliance
without spending hours
Learn more about UCPA and take the next
step towards compliance
What is UCPA?
Utah Consumer Privacy Act (UCPA) establishes data privacy obligations for businesses in the state that process the data of Utah residents. Utah became the fourth state in the United States to enact a comprehensive consumer privacy law when UCPA was passed into law on March 24, 2022.
UCPA shares similarities with the privacy laws in California, Virginia and Colorado, but also has some key differences such as its exemptions for employee data and the definition of ‘sale’.
Who does UCPA apply to?
UCPA is applicable to any controller or processor who:
- Conducts business in Utah and produces products or services that target the residents of the state
- Has an annual revenue of $25,000,000 or more and
- Satisfies one or more of the following thresholds:
- During a calendar year, has processed the personal data of 100,000 or more consumers:
- Derives 50% of the entity’s gross revenue from the sale of personal data and controls or processes the personal data of 25,000 or more consumers.
The UCPA does not apply to non-profit organizations or higher education institutions, tribes, air carriers, and government organizations.
What are consumer rights
Right to know
The right to know whether a business collects personal data about them and how it is used and shared.
Right to access
The right to access the personal data a business has collected about them.
Right to delete
The right to delete personal information that a business has collected from them.
Right to data portability
The right to obtain a copy of their personal data in a portable format.
Right to opt-out
The right to opt out of the processing of personal data for targeted advertising and the sale to third parties.
Right to non-discrimination
The right to not be discriminated against for exercising their consumer rights under UCPA.
What is the penalty for non-compliance?
The Utah Attorney General (AG) has the enforcement authority over UCPA compliance and penalties. In case of an alleged violation, the AG will give businesses a 30-day period to cure the violation.
Businesses that fail to correct the violation within the cure period will be subject to fines of up to $7,500 per violation.
FAQ on UCPA Compliance
The Utah Consumer Privacy Act or UCPA is a privacy law that was enacted on March 24, 2022. Utah became the fourth US state to enact a comprehensive consumer privacy law after California, Virginia and Colorado.
UCPA provides consumers (i.e. residents acting in an individual or household context) in Utah rights over their personal data by imposing obligations on how businesses control or process the data. The Act will go into effect on December 31, 2023.
Personal data under the UCPA is defined as “information that is linked or reasonably linkable to an identified or identifiable individual”. This includes data that can be used to directly or indirectly identify a person, such as their name, address, email address and phone number.
The UCPA excludes de-identified data, aggregated data, or publicly available information as personal data. Data regulated by the Health Insurance Portability and Accountability Act (HIPAA), the Driver’s Privacy Protection Act, and the Family Education Rights and Privacy Act (FERPA) are also exempted from its scope.
The UCPA defines a sale as, “the exchange of personal data for monetary consideration by a controller to a third party.” UCPA does not include CCPA/CPRA’s definition of sale which involves personal data exchanged for “other valuable consideration” on top of monetary consideration.
The UCPA also excludes certain types of disclosures to third parties from the definition of sale, including disclosures for the purpose of providing products or services and for the purpose consistent with a consumer’s reasonable expectations.
In addition, a sale does not occur under UCPA if the disclosure is made to processors and affiliates of the data controller.
Utah Attorney General (AG) has exclusive authority to enforce the UCPA. However, under the Act, the enforcement actions by the Attorney General may be initiated after a referral from the Utah Division of Consumer Protection. The Division receives consumer complaints, conducts an investigation, and then refers the matter to the AG if there’s substantial evidence to support a violation identified in the consumer complaint. The AG can then issue a formal notice of violation and grant the business 30 days to cure before taking enforcement action.
Fast-track your UCPA compliance in minutes
Set up a cookie consent banner in 3 simple steps and automate your compliance.