Utah Consumer Privacy Act: 101 Intro to UCPA

James Grieco
James Grieco
Jan 18, 2024
min read
Utah Consumer Privacy Act: 101 Intro to UCPA

In March 2022, Utah became the fourth state to pass comprehensive data privacy regulation. That law, the Utah Consumer Privacy Act (UCPA), is the most recent comprehensive American privacy law to go into effect, having done so on December 31, 2023.

In the 21-month interim between its signature and effect date, Virginia and Colorado’s laws began, and Connecticut’s did as well, jumping the UCPA by entering enforcement on July 1, 2023. Of the first five states to pass data privacy regulation, Utah’s is universally considered to be the most lax and business-friendly.

However, given that 10 other states have passed laws from the start of 2023 until today, the American data privacy landscape is more complex than ever, with different states requiring different aspects of PrivacyOps. This has created a web of compliance challenges that makes complying with any single law, even a more forgiving one like UCPA, a task only organizations with committed privacy programs can fulfill.

Utah Data Privacy Law at a Glance

The applicability threshold for the UCPA covers businesses that:

  • Do business within the state or target their products/services to UT residents AND
  • Make +$25 Million in annual revenue AND
  • Process/control the personal data of 100,000+ UT consumers OR
  • Make over 50% of gross revenue from selling personal data while controlling/ processing personal data of 25,000+ consumers

Most state regulations only have two threshold requirements, but Utah’s data privacy law has three. Likewise, it is one of just four states, alongside California, Tennessee, and Florida, that has an annual revenue threshold.

This is one of the main reasons fewer businesses will need to comply with this law in comparison with other state laws.

Additionally, when defining the sale of personal data, Utah only takes “monetary considerations” into account, whereas the majority of states also include other considerations of value as well.

Most alarmingly, Utah’s law does not require businesses to obtain opt-in consent before processing sensitive data, which has quickly become the norm across the country. This shortcoming, combined with the fact that the law has among the fewest defined categories for sensitive data, provides almost no safeguards for sensitive data.

Covered categories of sensitive data only include:

  • racial or ethnic origin
  • religious beliefs
  • sexual orientation
  • citizenship or immigration status
  • genetic or biometric data *only if processing is done to identify a specific individual
  • geolocation data *only if processing is done to identify a specific individual

Utah Data Privacy Law Exemptions

The UCPA’s list of exemptions is quite long, another business-friendly aspect of the law.

Exempt institutions include:

  • Government & government contractors
  • Higher education
  • Nonprofit organizations
  • Indigenous tribes
  • Air carriers
  • Those subject to Health Insurance Portability and Accountability Act (HIPAA)
  • Those subject to the Gramm-Leach-Bliley Act

While exempt data includes information subject to:

  • Fair Credit Reporting Act
  • Driver’s Privacy Protection Act
  • Family Educational Rights and Privacy Act
  • Farm Credit Act

The UCPA also breaks from preceding data regulations in California, Virginia, Colorado, and Connecticut by providing a blanket exception for aggregated and de-identified data that cannot be linked back to the original data subject. This is not a precedent that others have adopted, as the vast majority of laws that have passed since UCPA have opted not to exempt aggregated and de-identified data.

Utah Consumer Data Rights

Utah residents enjoy the fewest data rights of any states with comprehensive regulation, only having full rights to confirm and access their data.

Residents have partial rights to data portability and deletion, but they are unable to appeal a decision by an organization to not fulfill a DSR, undercutting the right to deletion.

Given the lack of opt-in consent necessary to process sensitive data and the absence of other important data rights like the right to revoke, to correct inaccuracies, to opt-out of profiling, or to use universal opt-out mechanisms, the UCPA is certainly not consumer-friendly.

Individuals may opt-out of targeted advertising and the sale of their data, but the inability to say no to profiling is unusual considering Utah and Iowa are the only two state regulations (of 15, so no longer a small sample size) to not include that ability.

For data subject access requests, the UCPA has the standard 45 day timeline present in American data privacy regulations.

Companies can also request 45-day extensions, but given they can decline to carry out a DSAR with little legal remedies for individuals, that is not as meaningful as it is in other states.

Utah Data Privacy Law Requirements

Utah’s data privacy law does set some standard requirements of organizations, such as:

  • A baseline of data security measures
  • Data processing agreements
  • Transparent privacy policies

That list is shorter than the majority of states, again proving that Utah’s law–along with Iowa’s–are the least stringent in the nation.

The UCPA does not require:

  • Data protection impact assessments
  • Additional protections for children beyond COPPA measures
  • Data minimization
  • The duty to avoid secondary uses of data

Utah Data Privacy Law Enforcement

Utah’s enforcement runs through the state Attorney General, with consumer complaints first vetted by the Division of Consumer Protection.

Fines sit at the standard $7500 per violation, although the UCPA does note that number could also include damages paid to consumers.

As of the final day of 2023, Utah’s data privacy law is active and in effect, although it has a perpetual 30-day cure period. This means that any business that is given notice of violations has a month to correct them before incurring penalties.

As you can see, the law is extremely business-friendly, but as the first conservative state to pass comprehensive data privacy regulation, the UCPA was an important step nevertheless in American data privacy.

If you’re looking to find a compliance solution for the complex compliance web in the U.S., tapping into a single source of data truth is the best first step in that process.

Check out how to do so here.