Utah Consumer Privacy Act
The Utah Consumer Privacy Act (the UCPA) was enacted on March 24, 2022, and will go into effect on December 31, 2023. The UCPA bolsters consumer (i.e., residents acting in an individual or household context) protections by imposing rules on businesses that control or process Utah consumers’ personal data. This encompasses any data that they have previously provided to the business.
Key Roles Referenced in the UCPA Controllers In the UCPA, a controller is a person who determines the purposes and means by which a business processes personal data. Controllers are responsible for ensuring that Utah consumers’ rights are adhered to according to the rules of the UCPA. In addition, controllers are responsible for implementing and maintaining systems to support administrative, technical, and physical data security. Processors A processor is a person that processes personal data on behalf of the controller. The UCPA requires a contract between the controller and processor to govern all processing. The contract must outline relevant consumer privacy provisions. The UCPA requires processors to adhere to the controller’s instructions and assist and cooperate to ensure meeting its obligations under the law. This includes meeting obligations regarding the security of data processing and data breach notifications. |
Under the UCPA, Utah consumers have been granted six categories of rights. While these are meaningful rights, it is important to note that the UCPA does not include a private right of action for consumers. Therefore, only the Utah Attorney General can enforce the consumer rights set forth in the UCPA.
- The Right to Know
Consumers have the right to confirm whether a controller is processing their personal data. - The Right to Access
Consumers have the right to access the personal data a controller has collected about them. - The Right to Deletion
Consumers have the right to delete the personal data they have provided to a controller. - The Right to a Copy
Consumers have the right to obtain a copy of the personal data they previously provided to the controller in a portable and readily usable format (if technically feasible). - The Right to Opt-Out
Consumers have the right to opt out of the processing of personal data for the purposes of targeted advertising and the sale of their personal data to third parties. - The Right to Avoid Discrimination
Controllers may not discriminate against a consumer for exercising a right provided by the UCPA.
In addition to the rights above, the UCPA stipulates that consumers must be provided with a reasonably accessible and clear privacy notice. It must include the categories of personal data processed, the purposes of such processing, and whether third parties have access to that data.
If personal data have been sold to third parties or processed for targeted advertising, this activity must be clearly and conspicuously disclosed to the consumer. And, if a consumer contacts a business to exercise rights granted under the UCPA, the business must respond within 45 days of receipt of the communication.
Businesses also have rights under the UCPA, including broader permission to charge consumers fees when responding to requests under some circumstances. For instance, controllers can charge a fee for a second request within 12 months. They can also charge for requests that are excessive, repetitive, technically infeasible, or manifestly unfounded. The UCPA also allows controllers to charge fees if the controller reasonably believes the primary purpose for submitting a request is not to exercise a consumer right or if the request is part of an effort to harass, disrupt or impose an undue burden on the business.
UCPA Compared with CPA, CPDA, and CPRA
Comparison of Defined Terms across UCPA, CPA, CPDA, and CPRA
Defined terms | UCPA | CPA | CDPA | CPRA |
Controllers and processors | Yes | Yes | Yes | No |
Businesses and service providers | No | No | No | Yes |
Contractor | No | No | No | Yes |
Controllers and processors | Yes | Yes | Yes | No |
Sale | Yes | Yes | Yes | Yes |
Share | No | No | No | Yes |
Third-party | Yes | Yes | Yes | Yes |
Businesses Subject to UCPA, CPA, CPDA, and CPRA
Thresholds | UCPA | CPA | CDPA | CPRA |
Annual revenue of at least $25 million | Yes | No | No | No |
Annual revenue over $25 million | No | No | No | Yes |
Conduct business in the State | Yes | Yes | Yes | Yes |
Control or process the personal data of at least 50,000 residents | No | No | No | Yes |
Control or process the personal data of at least 100,000 residents | Yes | Yes | Yes | Yes |
Derive over 50% of gross revenue from the sale of personal data and controlling or processing personal data of at least 25,000 residents | Yes | Yes* | Yes | No |
Derive 50 percent or more of its annual revenues from selling consumers’ personal data | No | No | No | Yes |
Produce or deliver a product or service targeted to State’s residents | Yes | Yes | Yes | No |
* Colorado and Virginia do not set a threshold amount for the revenue derived.
Businesses that Are Exempt from UCPA, CPA, CPDA, and CPRA
Exemptions | UCPA | CPA | CDPA | CPRA |
Aggregated data | Yes | No | No | Yes |
Information and/or entities subject to HIPAA and covered entities/business associates | Yes | Yes, but only information | Yes | Yes, but only information and limited entities |
Information and/or institutions subject to GLBA | Yes | Yes | Yes | Yes, but only information |
Institutions of higher education and/or information subject to FERPA | Yes | Yes | Yes | Yes |
Non-profit organizations | Yes | No | Yes | Yes |
Personal information in the commercial (business-to-business) context | Yes | Yes | Yes | Yes, exempt until January 1, 2023 |
Personal information within the scope of employment | Yes | Yes | Yes | Yes, limited exemption until January 1, 2023 |
Rights Granted to Consumers Under UCPA, CPA, CPDA, and CPRA
Consumers’ rights | UCPA | CPA | CDPA | CPRA |
Access | Yes | Yes | Yes | Yes |
Correct inaccurate information | No | Yes | Yes | Yes |
Data portability | Yes | Yes | Yes | Yes |
Delete | Yes | Yes | Yes | Yes |
Know | Yes | Yes | Yes | Yes |
Non-discrimination | Yes | Yes | Yes | Yes |
Opt-in for processing of sensitive information | No | Yes | Yes | Yes |
Opt-out for processing of sensitive information | Yes | No | Yes | Yes |
Opt-out of sale | Yes | Yes | Yes | Yes |
Opt-out of sharing | No | No | No | Yes |
Controllers’ Obligations Under UCPA, CPA, CPDA, and CPRA
Obligations | UCPA | CPA | CDPA | CPRA |
Commercial contract provisions | Yes | Yes | Yes | Yes |
Consent to process children’s personal data | No | Yes | Yes | Yes, but only for sales and sharing |
Data minimization | No | Yes | Yes | Yes |
Data processing assessments | No | Yes | Yes | Yes |
Data security | Yes | Yes | Yes | Yes |
Honor universal opt-out signals | No | Yes | No | Yes |
Non-discrimination | Yes | Yes | Yes | Yes |
Purpose specification | Yes | Yes | Yes | Yes |
Timing for consumer request responses | Yes, 45 days with the option for a 45-day extension | Yes, 45 days with the option for a 45-day extension | Yes, 45 days with the option for a 45-day extension | Yes, 45 days with the option for a 45-day extension |
Transparency | Yes | Yes | Yes | Yes |
Disclosures Included in Privacy Policies for UCPA, CPA, CPDA, and CPRA
Disclosures | UCPA | CPA | CDPA | CPRA |
Consumer rights and choices available | Yes | Yes | Yes | Yes |
Controller’s contactinformation | No | Yes | No | Yes |
Collection of personal data and categories thereof | Yes | Yes | Yes | Yes |
Data retention period | No | No | No | Yes |
Disclosure of personal data to third parties, if any, and categories thereof | Yes | Yes | Yes | Yes |
How a consumer may appeal a controller’s action | No | Yes | Yes | No |
Instructions for exercising consumer rights | Yes | Yes | Yes | Yes |
Purpose(s) of processing | Yes | Yes | Yes | Yes |
Use of automated decision-making or profiling | No | Yes | Yes | Yes |
Whether controller engages in targeted advertising or shares personal information for cross-context behavioral advertising purposes | Yes | Yes | Yes | Yes |
Whether the controller sells personal data and to whom | Yes | Yes | Yes | Yes |
How UCPA, CPA, CPDA, and CPRA Enforce Personal Data Protection Rules
Enforcement | UCPA | CPA | CDPA | CPRA |
Enforced by the Attorney General | Yes | Yes | Yes | Yes |
Enforced by the District Attorney | No | Yes | No | No |
Penalty per violation | Yes, up to $7,500 for each violation | Yes, up to $20,000 per violation, with a maximum penalty of $500,000 for a series of related violations | Yes, up to $7,500 for each violation | Yes, up to $7,500 for each violation |
Private right of action | No | No | No | Yes, but it is limited to certain breaches of personal information |
Right to cure | Yes, 30 days | Yes, 60 days, but sunsets in January 2025 | Yes, 30 days | Yes, 30 days for private actions only |
UCPA Compliance
To facilitate compliance with the UCPA, businesses should review the following checklist as it provides a framework for assessing compliance obligations under this Utah law.
- Allow consumers to opt-out of personal information processing by creating a mechanism to enable Utah residents to exercise this right if the business sells their personal data to a third party or uses it for targeted advertising
- Confirm that the business is subject to the UCPA by determining if it meets the legal threshold of the law
- Annual revenue of at least $25 million
- Conduct business in the State
- Control or process the personal data of at least 100,000 residents
- Derive more than 50% of gross revenue from the sale of personal data and controlling or processing personal data of at least 25,000 residents
- Produce or deliver a product or service targeted to State’s residents
- Enable the receipt of and response to consumers’ requests to exercise their rights under UCPA to access and delete their records by developing systems for accepting, tracking, verifying, and responding to consumers’ requests
- Implement processes for collecting sensitive information that first present consumers with clear notice and an opportunity to opt-out of the collection of their information
- Implement reasonable data security controls, including assessing cybersecurity policies, practices, and controls to ensure they are aligned with industry-recognized standards
- Update privacy policies to reflect personal data processing activities, communicate the new rights available to consumers, and identify the systems that have been put into place to help consumers to exercise their rights under the UCPA
Utah Consumer Privacy Act: What Do Businesses Need to Know
UCPA identifies and imposes obligations on controllers and processors. Businesses need to understand these two roles and how they apply to their personal data collection and processing activities. It is also important for businesses to understand the threshold requirements that would make them subject to the rules of the UCPA, including:
- Conducting business in Utah or producing a product or service that is targeted to consumers who are Utah residents
- Having an annual revenue of $25M or more
- Meeting one of these criteria:
- Controlling or processing personal data of 100,000 or more Utah consumers during a calendar year
- Deriving more than 50 percent of gross revenue from the sale of personal data and controlling or processing the personal data of 25,000 or more Utah consumers.
Businesses should also know that the UCPA’s definition of a consumer does not include individuals who act in a commercial or employment context.
What Does Utah Consumer Privacy Act Mean for U.S. Businesses?
U.S. businesses should understand that the UCPA, as the fourth such law after those enacted by Virginia, Colorado, and California, is a further indication of states’ willingness to increase the protection of consumers’ personal data privacy. Businesses must be aware of and comply with the requirements of multiple state privacy laws and regulations, which can be tricky due to the ease with which goods and services flow across U.S. state boundaries.
Failure to comply with UCPA, and other states’ privacy laws, puts businesses at risk. They could easily be liable for violating UCPA or other states’ privacy laws, which look to increase. As of the most recent update of this guide,11 states have active privacy legislation, including Alaska, Louisiana, Massachusetts, Michigan, New Jersey, New York, North Carolina, Ohio, Pennsylvania, Rhode Island, and Vermont.
Businesses that are subject to the UCPA should:
- Assess systems, processes, policies, procedures, and systems to identify UCPA compliance gaps
- Embed opt-out capabilities into the processing of sensitive data, the use of personal data for targeted advertising, and the sale of personal data
- Ensure that systems, processes, policies, procedures, and systems are designed to respond to consumer rights requests under the UCPA
- Evaluate and update data collection and privacy policies and practices
- Is subject to the UCPA
- Review privacy notices to ensure they contain the content that’s required by UCPA
- Understand what personal data and sensitive data the business collects and discloses
- Update contracts with service providers to include the provisions required by the UCPA
UCPA a Lighter Touch than Other State Privacy Laws
Businesses that are subject to the UCPA generally find that their efforts to meet the requirements for other states’ privacy laws provide a significant foundation. In addition, most of those businesses that have already implemented systems and processes to meet the requirements for Colorado (CPA), California (CPRA), and Virginia (VCDPA) find that the UCPA has a lighter-touch approach that makes compliance easier.
Egnyte has experts ready to answer your questions. For more than a decade, Egnyte has helped more than 16,000 customers with millions of customers worldwide.
Last Updated: 15th March, 2023