Utah's Consumer Privacy Act (UCPA)

Utah's Consumer Privacy Act was signed in March 2022 and took effect in December 2023.

This article explains Utah's Consumer Privacy Act (UCPA), what it is, who it applies to, the penalties and exceptions involved, and how your business can comply.

What is Utah's Consumer Privacy Act (UCPA)?

With the Utah's UCPA in effect, consumers residing in Utah gain certain rights regarding the privacy of their personal data. They'll be able to access and delete their data stored by businesses, and even opt out of its collection entirely.

It puts the responsibility on businesses to protect the confidentiality of their consumers and their personal data, timely observe consumers' requests to exercise their rights, and explicitly communicate the type and purpose of data collection with the consumer through a compliant privacy notice.

What are the Key Definitions Under Utah's Consumer Privacy Act (UCPA)?

Here are some of the key definitions used in the UCPA.

Who is a Consumer Under Utah's Consumer Privacy Act?

Utah's Consumer Privacy Act (UCPA) defines a consumer as "an individual who is a resident of the state acting in an individual or household context."

It excludes any individual who works in an employment or commercial context. This means that the personal data of any individual about their employment isn't protected by the Utah's UCPA.

What is Consent Under Utah's Consumer Privacy Act?

According to the Utah's UCPA, consent is an:

"...affirmative act by a consumer that unambiguously indicates the consumer's voluntary and informed agreement to allow a person to process personal data related to the consumer."

What is Data Processing Under Utah's Consumer Privacy Act?

Any data that a business collects regarding a consumer undergoes "processing," which Utah's Consumer Privacy Act defines as:

"an operation or set of operations performed on personal data, including collection, use, storage, disclosure, analysis, deletion, or modification of personal data."

What is Personal Data Under Utah's Consumer Privacy Act?

Personal data is any data that can be linked to an individual and used to identify them. This can include but isn't limited to the following types of data:

• Name
• Email address
• IP address
• Geolocation data
• Biometric information
• Social security number

The Utah's UCPA excludes "deidentified data, aggregated data, or publicly available information" from being a part of personal data.

Aggregated data is common information about a group of individuals, like their location or association with an organization, through which the individual consumer identities have been removed. Such data cannot be linked to one single individual.

Deidentified data is any data regarding a consumer from which the information that can personally identify that individual, such as name and social security number, is removed.

Since both aggregated and deidentified data about a consumer cannot identify who they are, both are excluded from the Utah's UCPA.

What is Sensitive Data Under Utah's Consumer Privacy Act?

The Utah's UCPA defines sensitive data as any personal data that reveals any of the following:

• Racial or ethnic origin
• Religious beliefs
• Sexual orientation
• Citizenship or immigration status
• Medical history, either mental or physical
• Genetic or biometric data processing, if done for the purpose of identifying an individual
• Specific geolocation

Sensitive information needs to be responsibly protected as it can be dangerous to the individual if this information gets leaked.

Who Must Comply With Utah's Consumer Privacy Act (UCPA)?

The Utah's UCPA applies to "data controllers" and "data processors." Let's look at who exactly these two entities are.

The Utah's UCPA defines a data controller as an individual who decides, with or without the help of others, how and why a consumer's data is processed.

A data processor is an individual or company that processes consumer data on behalf of a data controller, to provide services such as targeted advertising.

To fall under the scope of the UCPA, a business must meet the following criteria:

• Either operate within Utah, or provide services and products to its residents,
• Have an annual revenue of $25,000,000 or more, and
• Process the personal data of at least 100,000 consumers, or of at least 25,000 consumers if over 50% of the businesses revenue comes from the sale of personal data

Are There Exceptions to Utah's Consumer Privacy Act (UCPA)?

Yes, the Utah's UCPA doesn't apply to any government entity and any third-party entity working on behalf of or under contract with a government entity.

How Does Utah's Consumer Privacy Act (UCPA) Affect Consumers?

With the Utah's UCPA in place, consumers of Utah gain new rights including accessing the following information:

• What personal data has been collected about them
• Who has access to their personal data
• How and why is their personal data processed

How Does Utah's Consumer Privacy Act (UCPA) Affect Businesses?

The Utah's UCPA will require applicable businesses to do the following:

• Create a Privacy Policy or Privacy Notice for consumers
• Have security practices in place to protect personal data you hold
• Set up a way that consumers can exercise their rights, such as requesting to see what personal data you hold about them and opting out of having their personal data processed in certain circumstances. Set up a process to authenticate the request and respond timely to these requests as well.
• Review any contracts you are a part of that involve the processing of consumer personal data to make sure they meet the requirements of the UCPA.

What Does Utah's Consumer Privacy Act (UCPA) Require?

If you or your business falls under the definition of a controller or a processor under the Utah's UCPA, you'll need to take certain steps to avoid violating the act.

Have a Compliant Privacy Policy

Have a Privacy Policy that discloses the following information:

• What personal data you collect/process, including sensitive personal data
• Why you collect/process this personal data
• What types of personal data you share with anyone else
• What types of third parties you share the personal data with
• How consumers can exercise their rights

Here's how PlayStation discloses what types of personal data it shares but also who it's shared with and why:

Allow Consumers to Exercise Rights and Opt Out

The Utah's UCPA requires data controllers to have a system in place to allow their consumers to opt out of the processing, selling, or targeted advertising of their personal data whenever they want.

In case a controller needs to process a consumer's sensitive data, they need to clearly inform the consumer about it along with an option to opt out of it.

The Utah's UCPA grants Utah's consumers a number of rights including the right to access their data from a controller free of charge, once every 12 months. To comply with this, a controller must establish a straightforward and reliable means to grant consumers this request.

This can be done by asking the consumer to simply request their data via e-mail, or by creating a standalone self-service model for the consumer where the data access requests are automated. Do note that security is a major concern in such requests and your business needs to fully verify the identity of the consumer before handing out personal data.

Such requests, or any other where the consumer wants to exercise their rights, must be entertained within 45 days. If the controller is unable to fulfill a request due to the volume of requests received or their complexity, they can extend the time period by 45 days with due notice to the consumer.

In Coca-Cola's privacy policy, consumers are informed about their rights and how they can exercise them:

The McDonald's Privacy Policy clearly states what rights consumers possess and gives consumers more than one link to opt out of data processing along with a link to where they can submit a request to exercise their rights:

The law also requires that you don't discriminate against consumers who do exercise their rights. Discrimination can involve not providing services, charging more money, or reducing the quality of service.

Have Data Security Practices in Place

Since the controller possesses personal and sensitive data regarding their consumers, the Utah's UCPA requires them to have technical and physical data protection practices. This is to protect the confidentiality of consumer's data and to minimize any risk the processing of such data might bring to the consumer.

The data security practices must be proportional to the size and volume of data the controller processes. This can involve but isn't exclusive to:

• Encrypting data
• Improving the physical security of the drives that hold the data
• Restricting access of data to only authorized users

Have a Contract Placed Between the Controller and Processor

Before a processor processes data on behalf of a controller, the Utah's UCPA requires both parties to enter into a contract that ensures the following commitments are met:

• The instructions and duration for processing data should be set forth
• Decide the type of data and the purpose for its processing
• Outline both parties' rights and obligations
• Instructions on security measures and mandatory data confidentiality

Get Consent Before Processing Children's Data

You are required to get verifiable permission/consent from a parent or legal guardian before knowingly processing information of a child under the age of 13.

How is Utah's Consumer Privacy Act (UCPA) Enforced?

The exclusive right to enforce the Utah's UCPA is held by Utah's Attorney General.

In case a controller or a processor is found in violation of this law, the Attorney General shall give the offending business a written notice identifying their violations and a 30-day period to fix them.

After the 30 days, if the violations have not been remedied, the Attorney General can initiate enforcement action against the violating business.

What are the Penalties for Violating Utah's Consumer Privacy Act (UCPA)?

If a business fails to fix a violation within 30 days, it may receive the following penalties:

• A maximum of $7500 fine for every violation
• A requirement to compensate the consumer for damages incurred because of the violation

Summary

Utah's Consumer Privacy Act (UCPA) helps strengthen the rights of Utah residents while holding businesses operating in the state accountable for their actions when it comes to personal data.

If you fall under the scope of the act you must take a number of steps to comply, including the following:

• Disclose your privacy practices, such as in a Privacy Policy
• Grant users specific rights and timely respond to user requests
• Have a data security plan in place
• Work with other data processors and data controllers under Utah's UCPA-compliant contracts

Utah's Attorney General is in charge of enforcing the requirements of the law and may levy fines and/or penalties against businesses that violate its requirements.