
Utah Consumer Privacy Act (UCPA): An Overview

With the Utah Consumer Privacy Act (UCPA) effective since December 31, 2023, companies doing business in the state need to respect residents’ privacy rights, be up to date on their data processing operations, and know the state’s requirements for personal data processing.

Apr 08, 2025

The Utah Consumer Privacy Act (UCPA) went into effect on December 31, 2023. Utah was the fourth US state to pass a data privacy law, and the legislation drew on earlier states’ efforts, like Virginia and Colorado. Utah’s data privacy law is considered one of the more “business-friendly” regulations.

What is the Utah Consumer Privacy Act (UCPA)?

The Utah Consumer Privacy Act (UCPA) protects the privacy rights of residents of Utah and establishes data privacy and protection responsibilities for companies that process the personal data of Utah residents.

The UCPA covers the sale of personal data, and defines a sale as any “exchange of personal data for monetary consideration by a controller to a third party.”

The UCPA uses an opt-out model for consent, like all of the other US state-level privacy laws to date. This means that personal data can be collected without first requiring consumers’ consent, but with some exceptions, consent must be obtained before the data can be sold.

The UCPA does not require prior consent for the processing of data categorized as sensitive, which is unusual among US state-level privacy laws. Companies just need to notify consumers about collection and use and provide an opt-out option.

Who has to comply with the Utah Consumer Privacy Act?

The UCPA applies to for-profit companies that operate in Utah, either by conducting business there or by offering a product or service to consumers who reside in the state, and that:

  • Meet the annual earnings and data processing thresholds, meaning they report revenue of USD 25 million, and either
  • Control or process the data of 100,000 consumers

or

  • Derive more than 50 percent of gross revenue from the sale or control of personal data of 25,000 or more consumers

The revenue threshold excludes smaller businesses from the compliance requirement; a number of the more recently passed state-level privacy laws have dropped this kind of threshold.

Exemptions to Utah Consumer Privacy Act compliance

There are a variety of exemptions to the UCPA’s compliance requirements, centered on the type of entity, the types of data, and other factors.

Organizational exemptions

In addition to organizations that fall below the revenue or data processing volume thresholds, the UCPA exempts a number of other entities, including:

Data exemptions

The UCPA does not apply to personal data that is already subject to any of the following regulations:

  • Driver’s Privacy Protection Act (DPPA)
  • Fair Credit Reporting Act (FCRA)
  • Family Educational Rights and Privacy Act (FERPA)
  • Farm Credit Act (FCA)
  • Gramm-Leach-Bliley Act (GLBA)
  • Health Insurance Portability and Accountability Act (HIPAA)

Employment exemptions

The UCPA exempts personal data that is processed or maintained during the course of an individual’s employment.

This includes instances when an individual is applying for a job, or when they are “acting as an employee, agent, or independent contractor of a controller, processor, or third party,” provided that the data is “collected and used within the context of that role.”

What are consumers’ rights under the Utah Consumer Privacy Act?

Utah residents’ rights under the UCPA are broadly consistent with those granted by many other US state-level privacy laws in terms of what they can request and have done with their data:

  • Right to access – confirm whether a controller is processing their data, and the ability to request and receive that data
  • Right to deletion of personal data – if the data subject directly provided the data to the controller
  • Right to portability – obtain a copy of their personal data from the controller, in a format that is:
    • Portable to a technically reasonable extent
    • Readily usable to a practical extent
    • Enables the consumer to transmit the data to another controller reasonably easily, where the processing is carried out by automated means
  • Right to opt out of certain processing – specifically the sale of personal data or its use for targeted advertising

Companies are also prohibited from discriminating against individuals for exercising their data privacy rights under the UCPA, which gives consumers that additional right.

The UCPA does not give consumers the right to appeal a company’s refusal of their requests, or the right to have incorrect or outdated personal data that a company holds about them corrected.

The Utah privacy law also does not allow for a private right of action, which is an individual’s ability to sue a controller for violating the law, e.g. in the case of a data breach. Consumers also cannot use a violation of the UCPA to support a claim under other Utah laws.

The UCPA does not require data controllers to recognize “universal opt-out signals” as a mechanism for consumers to opt out of data processing. This excludes global privacy control (GPC) measures, where users can set their consent choices once and have them respected across all other sites and properties on which they are active.

Consumer requests under the UCPA

Companies must fulfill consumer requests free of charge to the consumer, unless the request is:

  • The second or subsequent request within the same 12-month period
  • “Excessive, repetitive, technically infeasible, or manifestly unfounded”
  • Reasonably believed by the controller to have the primary purpose of “something other than exercising a right”
  • Intended to harass, disrupt, or impose undue burden on the resources of the controller’s business

Controllers must notify the consumer of their actions in response to a request within 45 days of receiving it. If the controller cannot or will not respond to or fulfill the consumer’s request, e.g. if the company is dealing with a high volume of requests or the consumer’s identity cannot be reasonably verified, they must communicate this during that same 45-day period.

However, the response period can be extended by another 45 days if reasonably necessary, for example, if the request is very complex and involves a lot of data. Where there is an extension, the consumer must be informed within the initial 45 days. The notification must include reasons for and the length of the delay.

As noted, the UCPA does not have an appeal process for consumers whose requests are denied.

What are companies’ responsibilities under the Utah privacy law?

The UCPA requires companies to be transparent about their data processing operations, respond promptly to requests, and take reasonable care to protect the data they have collected, among other obligations.

UCPA transparency requirements

Controllers must make information available to consumers that is “reasonably accessible and clear.” This notice would typically appear on a business’s website, for example in a privacy policy, and must include:

  • Categories of personal data processed by the controller
  • Categories of personal data the controller shares with third parties
  • Categories of third parties with whom the controller shares personal data
  • A clear explanation of how consumers can exercise their rights, including the right to opt out
  • “Clear and conspicuous” disclosure if personal data is sold to a third party or used for targeted advertising

Cookiebot consent management platform (CMP) can streamline meeting these requirements. It enables companies to generate an accurate, comprehensive, and up to date privacy policy and keep users up to date on data processing.

UCPA requirements for data security

Controllers must “establish, implement, and maintain reasonable administrative, technical, and physical data security practices” that have been “designed to protect the confidentiality and integrity of personal data.”

This applies both to the controller and any third parties they have contracted to perform processing.

UCPA requirements for third-party data processing

Companies are required to have contracts in place with any third parties they use for data processing. The contract must include instructions for data processing, as well as:

  • Nature and purpose of the processing
  • Type of data to be processed
  • Duration of processing
  • All parties’ rights and obligations, including a duty of confidentiality
  • A provision that requires the processor to have a written contract with any subcontractor engaged to process personal data that mirrors the obligations on the processor

Controllers don’t have to evaluate the risks of their data processing activities via data protection assessments, which is a requirement included in a number of other states’ privacy laws. A contract between a controller and processor also does not need to stipulate that the processor must comply with any reasonable data privacy audits set in motion by the data controller.

UCPA requirements for processing children’s personal data

The only activity for which the UCPA requires prior and explicit consent is the processing of children’s personal data. The law defines a child as an individual who is known to be under 13 years of age.

Controllers have to obtain verifiable consent from a parent or guardian prior to processing, and must process the data in accordance with the Children’s Online Privacy Protection Act (COPPA).

UCPA prohibition on discrimination

As noted, controllers may not discriminate against any consumer who exercises their privacy rights, e.g. opts out of allowing sale of their data. Examples of potential discrimination include:

  • Denying goods or services
  • Charging a different price or rate for goods or services
  • Providing a different level of quality for goods or services

Controllers are allowed to offer “a different price, rate, level, quality, or selection of a good or service to a consumer” if that consumer has opted out of targeted advertising, or if the offer relates to the consumer’s voluntary participation in the controller’s loyalty program.

Enforcement and penalties under the Utah Consumer Privacy Act

The Utah Attorney General has full enforcement authority over the UCPA. However, the Division of Consumer Protection is responsible for administering consumer complaints and has the authority to investigate alleged violations.

Penalties and fines under the UCPA

In cases where punitive action is required, such as if the controller or processor fails to resolve or repeats a violation after providing a written statement to the contrary, the Attorney General can initiate an enforcement action. This includes damages and fines up to USD 7,500 per violation.

Investigations and cure period

Where regulatory authorities find reasonable cause or evidence of a violation under the UCPA, the matter is referred to the Attorney General. If the Attorney General pursues the investigation, their office must provide the data controller or data processor with a written notice about the violation.

The UCPA provides the offending party with a 30-day “cure” period. The controller has 30 days to rectify any violation and provide a statement to the Attorney General about what has been done to resolve the violation and ensure it won’t be repeated. There is no sunset date on the UCPA’s cure period.

Updates to the UCPA

On March 13, 2024, Utah became the first state to enact an AI-focused consumer protection law. The Utah Artificial Intelligence Policy Act (UAIP), which came into effect on May 1, 2024, modifies the UCPA and places certain duties on businesses using generative AI in the course of their business.

The act focuses mainly on businesses operating in regulated industries, i.e. those where a person requires a license or state certificate to work. These businesses must disclose to customers that they are interacting with generative AI or materials that are created by generative AI.

It also requires businesses in non-regulated sectors to disclose the use of this technology if asked or prompted by a customer. However, it’s not clear what mechanisms an organization must put in place to field these requests or how the disclosure should take place.

The UAIP has also created an Office of Artificial Intelligence Policy that is tasked with setting up an Artificial Intelligence Learning Laboratory Program. The goal is that this AI Lab will support AI-related regulation and development within the state.

The UCPA requires companies to provide clear notification about data processing and rights in all cases, obtain prior consent for access to children’s data, and enable consumers to opt out of usage of their data.

To provide clear information about data processing, companies need to know what kinds of tracking they’re doing on websites and apps at all times.

Cookiebot CMP automatically scans sites and apps to detect all cookies and trackers in use. This list can also be automatically categorized and used to populate the cookie banner and the privacy policy. It’s also kept up to date for you as technologies in use and data processing changes, to give you compliance peace of mind.

Utah’s data privacy law has been in effect long enough that it has already been updated, which is expected to continue as technologies and the business and legal landscapes change.

Usercentrics helps customers stay up to date with regulatory requirements with solutions like Cookiebot CMP™.

As more states pass data privacy laws, the likelihood that businesses will need to comply with more state-level laws, and even international privacy laws, continues to grow. Usercentrics has the solutions you need to achieve and maintain data privacy compliance, protect your revenue, and build trust and long-term engagement with your audience.


FAQ

What is the UCPA?

The UCPA, or Utah Consumer Privacy Act, is the data privacy law covering residents and companies in the US state of Utah. It governs the collection and processing of personal data from Utah residents and sets out requirements for companies processing that data.

The law sets out key rights, such as the right to access or delete one’s personal data, as well as the ability to opt out of having personal data sold to third parties or used for targeted advertising. The UCPA has been in effect since December 31, 2023.

Who does the UCPA apply to?

The UCPA applies to companies or for-profit organizations that:

  • Operate in Utah, either by conducting business there or by offering a product or service to consumers who reside in the state.
  • Meet the annual earnings and data processing thresholds, meaning they report revenue of USD 25 million and either
    • control or process the data of 100,000 consumers
    • or
    • derive more than 50 percent of gross revenue from the sale or control of personal data of 25,000 or more consumers

What are consumer rights under the UCPA?

Under the Utah Consumer Privacy Act (UCPA), consumers have several rights:

  • Right to access – confirm whether a controller is processing their data, and the ability to request and receive that data
  • Right to deletion of personal data – if the data subject directly provided the data to the controller
  • Right to portability – obtain a copy of their personal data from the controller, in a format that is:
    • Portable to a technically reasonable extent
    • Readily usable to a practical extent
    • Enables the consumer to transmit the data to another controller reasonably easily, where the processing is carried out by automated means
  • Right to opt out of certain processing – specifically the sale of personal data or its use for targeted advertising

Companies are also prohibited from discriminating against consumers who exercise their privacy rights under the UCPA.

What are the most important things to know about the UCPA?

Businesses that are required to comply with the UCPA must be transparent about their data collection and processing. They must provide clear information in privacy notices or policies, for example, about what data is collected, how it is used, who may have access to it, what users’ rights are, how users can exercise their rights, and more.

Companies also need to enable consumers to opt out of their data being sold or used for targeted advertising or profiling, and if the personal data belongs to a child, consent is required prior to collection and processing.

Prior consent is not required to process sensitive personal data, and consumers do not have a right to appeal denials of their requests to companies under the UCPA.

What is the UCPA definition of personal data?

The UCPA defines personal data as “information that is linked or reasonably linkable to an identified individual or an identifiable individual.”

The UCPA also distinguishes between “personal data” and “sensitive personal data”, even if consent is not required for the latter. Sensitive data includes health and biometric data, geolocation data and data about racial or ethnic origin, religious beliefs, political convictions, and sexual orientation.

What are the penalties for UCPA noncompliance?

If the controller or processor fails to resolve or repeats a violation after providing a written statement to the contrary, the Attorney General can initiate an enforcement action. This includes damages and fines up to USD 7,500 per violation.

What is UCPA compliance software?

UCPA compliance software enables businesses to meet the Utah data privacy law’s requirements, such as providing consumers with information about data processing and exercising their rights, and obtaining consent where required.
