Learn about Utah’s data privacy legislation, including why it’s one of the most business-friendly state privacy laws.
Utah may have been one of the last American states to declare statehood, but it was one of the first to pass a data privacy law. Signed into law in March 2022, the Utah Consumer Privacy Act became the fourth piece of state-level data privacy legislation in the country.
The Utah Consumer Privacy Act officially went into effect last month. Let’s take a closer look at what businesses need to understand to meet its compliance requirements. What rights does the law afford consumers, and what responsibilities does it place on organizations? Read on to find out.
What are the key elements of the Utah Consumer Privacy Act?
Utah’s legislation borrows from its three predecessors: the California Consumer Privacy Act (CCPA), the Colorado Privacy Act (CPA), and the Virginia Consumer Data Protection Act (VCDPA). Like Virginia’s law, the UCPA is considered more business-friendly than consumer-friendly.
Consumer rights under the UCPA
The Utah Consumer Privacy Act offers similar consumer rights to other states, with a few exceptions. The UCPA offers Utah residents the rights to:
- Access their personal data
- Delete their personal data
- Opt out of the collection and use of their personal data for certain purposes, including targeted advertising
- Obtain a copy of their personal data in a readily usable format (portability)
The UCPA also allows consumers to opt out of the sale of their personal data — although it narrowly defines “sale” as an exchange for money and not an “other valuable consideration” like the other states.
Notably, the Utah law does not contain two consumer rights that are present in most other state-level laws: the right to opt out of profiling and the right to correct inaccuracies in a consumer’s personal data.
Sensitive data under the UCPA
Each state defines sensitive data a bit differently, though there are many commonalities. Under the Utah Consumer Privacy Act, sensitive data is information that is linked to an identified or identifiable individual and falls into any of the following categories:
- race and ethnic origin
- religious beliefs
- sexual orientation
- citizenship or immigration status
- medical history, including mental and physical health conditions as well as treatment plans and diagnoses
- genetic and biometric data
- geolocation data, if the processing of that data is intended to identify a specific individual
New business obligations under the UCPA
The Utah Consumer Privacy Act imposes specific requirements and obligations on businesses. First, data controllers must provide a “reasonably accessible and clear” privacy notice that discloses:
- the categories of personal data being processed and, if relevant, shared with third parties
- the purposes for that data processing
- the categories of third parties with which personal data is shared
- how consumers can exercise their rights around that data processing, including the rights to access and delete data
Data controllers must also provide a clear and conspicuous notice about opting out of the sale of their personal data or the processing of their personal data for targeted advertising. Additionally, they must not process sensitive data without an opt-out mechanism or, if that data belongs to a known child, without receiving parental consent and complying with the federal Children's Online Privacy Protection Act (COPPA).
Finally, the UCPA requires that data controllers establish and maintain reasonable administrative, technical, and physical data security practices to protect the confidentiality and integrity of personal data and mitigate risks to consumers.
Timeframe and enforcement of the Utah Consumer Privacy Act
The Utah Consumer Privacy Act was passed by the Utah state legislature in March 2022 and signed into law by Governor Spencer J. Cox later that same month. It went into effect on Dec. 31, 2023.
The UCPA will be enforced by the Utah attorney general. The Division of Consumer Protection under the Utah Department of Commerce will oversee and investigate consumer complaints, with a 30-day cure period if a business is found to be in violation of the law.
If a data controller or data processor fails to cure the violation, the attorney general can then impose fines for actual damages and penalties of up to $7,500 per violation. Since each instance of personal data processing counts as a separate violation, these monetary penalties can quickly become very significant.
Who must comply with the UCPA, and what exemptions exist?
The UCPA has a narrower scope than many of its counterparts. It applies only to data controllers or data processors that have annual revenues of $25 million or more and that either 1) control or process the personal data of 100,000+ Utah consumers a year, or 2) control or process the personal data of 25,000+ Utah consumers a year while deriving over 50% of their gross revenue from the sale of personal data.
Much like the other state privacy laws, the UCPA exempts certain categories of organizations, including:
- Native American tribes
- Institutions of higher education
- Air carriers
- Covered entities and business associates subject to the Health Insurance Portability and Accountability Act (HIPAA)
- Financial institutions subject to the Gramm-Leach-Bliley Act (GLBA)
- Government entities and contractors
The UCPA also does not apply to certain categories of personal information, including data governed by the Fair Credit Reporting Act (FCRA), the Driver’s Privacy Protection Act (DPPA), the Family Educational Rights and Privacy Act (FERPA), and the Farm Credit Act.
How does the UCPA compare to other state privacy laws?
Although it bears some resemblance to all three US state laws that preceded it — as well as the CPRA amendment and EU’s General Data Protection Regulation (GDPR) — the Utah Consumer Privacy Act draws most heavily from the Virginia Consumer Data Protection Act. For several reasons, it is one of the more business-friendly laws among the now 14 US state data privacy acts.
No DPAs. Unlike California, Colorado, Virginia, and other states, Utah does not require that businesses conduct data protection assessments (DPAs) to determine the risks and impacts of the types of data processing they conduct. This means that organizations do not have to assess whether their usage of personal data is potentially harmful to Utah residents.
Relatively narrow scope. Different states set different thresholds for applicability in their data protection laws. Some, like the Texas Data Privacy and Security Act, apply to almost any organization that is not a small business. Others, like the Florida Digital Bill of Rights, apply to very few organizations. While Utah’s revenue threshold of $25 million is a common one, its additional thresholds — processing the data of 100,000+ consumers, or 25,000+ consumers with 50% of annual revenue from the sale of personal data — mean that a good number of businesses will not need to comply with the UCPA. These limits are especially notable in a small state like Utah, whose population is under 3.4 million.
Limited consumer rights. Like many of the other state privacy laws, the UCPA does not offer a private right of action. However, unlike most of those laws, the UCPA also does not offer the right to opt out of profiling or the right to request corrections to inaccuracies in personal data. Utah residents also cannot appeal a business decision to deny their consumer requests.
How to prepare for compliance with the Utah Consumer Privacy Act
There is still no comprehensive federal law for data protection in the United States, making compliance with a growing number of state regulations a challenging task. Fortunately, businesses subject to the UCPA can still take plenty of steps to improve their data security posture and minimize risks under the new legislation.
Creating privacy notices. Businesses will need to update or create new written notices informing Utah residents of the categories of personal data being processed, the purposes for that data processing, the ways that consumers can exercise their rights, and more. These notices must be “reasonably accessible and clear.”
No DPAs — but plenty of need for data security. Companies subject to the UCPA do not need to conduct data protection assessments, but they do need to implement robust data security measures at the administrative, technical, and physical levels. This includes basic security measures like employee training and restricted access to physical locations as well as software solutions like role-based access controls (RBAC), end-to-end encryption, ransomware mitigation, and more.
Preparing for compliance with ShardSecure. Organizations should consider the ShardSecure platform for data privacy, security, and resilience. The platform offers an innovative and agentless form of end-to-end encryption, safeguarding consumer data against unauthorized third-party access without changes to existing workflows. ShardSecure also meets Use Case 5 of the EDPB’s recommendations for cross-border data transfers under the GDPR and strengthens security and privacy postures, wherever in the world your data resides.