Learn about the Utah Consumer Privacy Act (UCPA), its impact on businesses operating in Utah or targeting Utah customers, compliance requirements, consumer rights, data security measures, and penalties for non-compliance.
Utah is one of the few US states with a consumer privacy law. It is the fourth state to enact legislation to protect consumers’ personal information.
The UCPA follows the trend set by the states of California, Virginia, and Colorado, which also have passed privacy laws in recent years. Connecticut followed soon after Utah.
If you operate a business from Utah or online and target Utah customers, you need to learn about this law because it will affect your business. It sets simple requirements similar to other state privacy laws.
This article is a brief overview of these requirements. It will give you an idea of what you need to do to comply with it and stay safe from penalties.
The Utah Consumer Privacy Act (UCPA) is one of the few US state data privacy laws. State laws protect consumers against excessive data processing practices without a federal data protection law.
Governor Spencer Cox signed the UCPA in March 2022. Its effective date is 31 December 2023.
It grants consumers rights and imposes some duties on businesses. All are described further in this article.
Here are some of the key ways in which the UCPA impacts businesses:
In addition to these general requirements, the UCPA also imposes specific requirements on certain types of businesses, such as:
UCPA applies to any business that:
Some entities are exempt from the UCPA. The exemptions include:
Here are some of the key ways in which businesses comply with the UCPA:
UCPA defines personal data as any information that is linked or reasonably linkable to an identified or identifiable individual. Simply put, any information that could directly or indirectly identify a person is personal data.
This includes personal names, Social Security Numbers, Driver's License Numbers, email addresses, phone numbers, IP addresses, browsing behavior, or any other information that could identify a person acting in an individual or household context.
Deidentified data, aggregated data, and publicly available information fall outside the scope of the UCPA.
Sensitive data means personal data that reveals:
The data controller is the person who decides how and why personal data is processed. The data processor processes the data on behalf of a controller. In the CCPA and CPRA, data processors are called service providers.
You have a business and decide to install website analytics software. You install Google Analytics. In your relationship with Google, you are the controller because you decide how you want to process the data and what to include in the processing. Google is your processor because they process data on your behalf.
Processing agreements are the contracts between controllers and processors for the processing of personal data. They must be in written form.
The processing agreement serves the controller, among other things, to instruct the processor on the data processing, such as what categories of personal data to process, for what purpose, to establish data security standards, and so on.
The controller must have a processing agreement with every data processor they engage with. This includes every third-party tool, even the small plugins installed on the website. In many cases, the Terms and Conditions will serve as a processing agreement as long as they contain provisions on the data processing.
You have transparency duties to your consumers, which oblige you to give them a privacy notice on data collection. It must contain a clear notice of:
No, the UCPA does not require businesses to collect users' consent to process personal information, nor any other form of opt-in. This law, like all other US state privacy laws, relies on the opt-out principle. It allows businesses to collect and process personal data until the consumer objects and opts out of the processing.
You have to request consent, however, in two cases:
Unlike other privacy legislation of the US states, the Utah CPA limits the definition of the sale of personal data strictly to the exchange of consumer data for monetary compensation. It does not include “other valuable consideration,” as CPRA does.
You sell consumers’ personal data only if you receive money for it. If you do so, you need to let them opt out of the sale if they want to.
The UCPA does not specify the methods for opting out. Unlike the CCPA/CPRA, which explicitly requires an opt-out link, UCPA allows you to determine your methods to allow consumers to opt out of the sales of their data or targeted advertising.
Like other data privacy laws, UCPA grants consumers rights as follows:
You have no choice but to honor consumer requests unless:
In all other cases, you must comply with the requests and respond to them free of charge. The deadline for response is 45 days, which can be extended to 45 more days for complex requests.
Before responding, you must identify the person who exercises their rights to ensure that you do not allow access to personal information to an unauthorized person.
The UCPA, like many other privacy laws, prescribes only a general duty to implement adequate data security measures. It does not explicitly state which measures are necessary. Instead, it leaves the business to determine the technical, organizational, and physical measures that are most appropriate for the specifics of its processing.
Unlike the California and Virginia privacy laws, the Utah Consumer Privacy Act does not require a data protection assessment as a data security measure. However, performing one is a good data security practice that could benefit your business.
The Utah Attorney General enforces the UCPA. The Attorney General can investigate cases related to UCPA violations and impose penalties on businesses if a violation is found.
Before imposing any fines, the Attorney General will allow the business in breach a 30-day cure period. If the business remedies the violation within this period, it will avoid the fine. If the violation is still in place, penalties are unavoidable.
The Division of Consumer Protection can also investigate consumer complaints but is not competent to take any enforcement action.
The UCPA does not grant consumers a private right of action, unlike the California Privacy Rights Act. Consequently, consumers cannot sue on their own behalf and must rely on the Attorney General to protect their privacy rights.
The Attorney General can:
The UCPA shares many similarities with the Colorado Privacy Act, the California Consumer Privacy Act, and the Virginia Consumer Data Protection Act (VCDPA). Its requirements are not as comprehensive as those of the EU's GDPR. It is not the most comprehensive data protection law to date, but it makes Utah one of the few states with a state privacy law.