Along with a growing number of other American states, Utah is the fourth state to enact its privacy law—the Utah Consumer Privacy Act (UCPA)—to safeguard consumer data privacy for state residents. The governor of Utah, Spencer Cox, signed the state privacy law. So what can a Utah resident expect when the Utah law takes effect next year? How is it different from Colorado’s privacy law or Virginia’s privacy laws?
The UCPA safeguards are similar to those listed in other privacy laws, such as the Colorado Privacy Act (CPA), California Consumer Privacy Act (CCPA), Connecticut’s Privacy Law (CTDPA), and the Virginia Consumer Data Protection Act (VCDPA). However, Utah’s framework provides more leeway than other regulations.
In this blog, we’ll explore how Utah’s Consumer Privacy Act might apply to your business.
Enacted on March 24, 2022, the Utah Consumer Privacy Act (UCPA) will be effective December 31, 2023.
Organizations must meet two sets of criteria to be required to comply with the Utah privacy law. The first is conducting business operations in Utah or providing products or services to Utah residents. Then, the law applies if an organization earns annual revenues amounting to or greater than $25 million and meets one or more of the following:
- The organization collects or processes the personal data of 100,000 or more Utah residents.
- The entity handles the personal data of 25,000 or more Utah residents and obtains over 50% of its gross revenue from selling these consumers’ data.
Per the Utah privacy law’s definitions, organizations subject to the UCPA are categorized as either controllers or processors. A data controller is any entity or person that is actively responsible for determining why and how consumers personal data is processed. Generally, controllers are the primary entities involved in any given consumer relationship. The law defines a processor as a person or entity that processes personal data on behalf of a controller (e.g., third-party vendors).
In some instances, an organization can be both a data controller and processor, depending on how or why they are handling Utah residents’ personal data. Controllers and processors must work together to identify the best path to achieving compliance with the UCPA’s data privacy regulations.
Personal Information Covered Under UCPA
Under the Utah privacy bill, sensitive personal data is defined as information that can be used to directly and uniquely identify an individual, except de-identified, aggregated or publicly available data.
Per the Utah privacy law’s provisions, controllers must not proceed with processing sensitive consumer data without first notifying the consumer and then allowing the consumer to exercise their UCPA rights.
Sensitive data categories under the UCPA include:
- Identifiers of race and ethnicity
- Information about religious beliefs
- Sexual orientation
- Citizenship and immigration status
- Protected health information (e.g., medical history)
- Current or future mental or physical condition
- Genetic and biometric data
- Specific geolocation information
However, the Utah privacy law does not consider personal data “processed by a video communication service” and revealing racial or ethnic origin to be sensitive data.
UCPA’s Enumerated Privacy Rights
Consumers have five major rights under the Utah privacy law’s regulations:
- Right to know and access – Consumers in Utah have the right to know if an organization is processing their personal data and to confirm if so. Consumers can also request access to their data.
- Right to deletion – Utah consumers can request data controllers to delete any of their (consumers) personal data from their systems.
- Right to data portability – Consumers in Utah can also request businesses to provide copies of their personal data in a portable format.
- Right to opt-out – Utah consumers can opt-out of processes involving targeted advertising and sales of their personal information.
- Right to nondiscrimination – Once they exercise their rights under the UCPA, Utah residents cannot be discriminated against by organizations subject to the Utah privacy law’s regulations.
Rights Response Timelines
Businesses responding to privacy requests must be mindful of several operational timelines:
- Response: 45 days
- Response extension: 45 days
Business’s UCPA Obligations
Compliance requirements for businesses subject to the Utah data privacy law include:
- Privacy notice – Any business that processes data covered by the Utah privacy law’s regulations must provide consumers with a clear privacy notice that outlines their rights and:
- The categories of personal data the business processes
- The purposes for which the business processes these personal data categories
- The various ways consumers can exercise their privacy rights
- The third parties with access to the consumers’ personal data
- Which categories of personal data third parties process
- Vendor contracts – To ensure robust data privacy, contracts between controllers and processors must be established with the understanding that:
- Controllers are to instruct processors on how to process personal data categories, including which consumer data privacy rights apply to processing activities.
- Processors must continually safeguard data confidentiality as the information is processed.
- Processors may only hire subcontractors if they agree to the full scope of terms listed under the Utah privacy law.
Unlike the CPA and VCDPA, the UCPA does not require data controllers to conduct privacy impact assessments to evaluate the risk of data processing activities on the privacy rights of consumers.
Special Topics Related to UCPA Rules
The UCPA provides the following guidelines regarding special topics:
- Children – When processing the personal data of a child, a parent or legal guardian may exercise privacy rights on their behalf. All data processing activities involving the personal data of children must comply with the regulations of the federal Children’s Online Privacy Protection Act (COPPA) and its implemented regulations.
- Data sales and monetization – Per the UCPA, data sales are any activities that involve the exchange of personal data for monetary value. However, the disclosure of data to processors or associates of the controller is not considered a sale if the activity is in line with “consumers’ reasonable expectations.”
- Targeted advertising – If an organization collects the personal data of consumers and sells it to another party or processes it for targeted advertising, the organization must notify the consumers of these activities. If the consumer contacts the organization to exercise their UCPA rights, the organization must respond to these requests within 45 days of receiving the said communication.
- Automated decisioning – Compared to privacy regulations like the CPA, the Utah data privacy law does not list any regulations regarding profiling or automated decision-making processes and their impact on the livelihoods of consumers.
UCPA Exemptions & Limitations
The UCPA also lists several exemptions and limitations that controllers and processors must be aware of when enacting policies and processes to protect consumer data privacy.
These exemptions and limitations include the following:
- De-identified data – Per the Utah privacy law, de-identified data is any data that cannot be linked back to a specific individual. If personal data or sensitive categories can be traced back to a unique person, that information is not de-identified. When processing de-identified data, businesses are required to:
- Confirm that the data cannot be connected to an individual
- Use and maintain the data without re-identifying it
- Ensure internal and external compliance with these guidelines
- Limitations on privacy rights – The Utah privacy law limits secondary liability if a controller or processor complies with the law’s regulations when disclosing consumers’ data to third-party controllers and processors. The controller or processor is not liable for any third-party violations if they have no prior knowledge of the intention to violate the UCPA regulations.
- Exempted organizations – Entities exempt from meeting the UCPA’s regulations include:
- State agencies and other such political organizations
- Financial institutions subject to the Gramm-Leach-Bliley Act
- HIPAA-defined covered entities and their business associates
- Higher education institutions
- Nonprofit organizations
- Air carriers
- Exempted data categories – Categories of data exempt from the UCPA regulations include:
- Information subject to and protected by HIPAA
- Patient identifiers
- Human subject research data
- Consumer reporting information
- Personal data subject to certain federal laws
- Data processed by controllers concerning the roles performed by their employees, independent contractors, or agents
- Limitations on data collection – The Utah privacy law’s regulations are also limited when it comes to data collected for:
- Compliance with federal, state, and local regulations
- Compliance with legal processes
- The investigation, exercise, preparation, or defense of legal claims
- Consumer requests
- The protection and physical safety of individuals
- Mitigating security threats or other illegal activities
- Research purposes, such as to improve product or service quality and safety
- Optimization of internal operations in line with customer expectations
Considering the broad scope of limitations and exemptions described by the UCPA, your business should consider consulting with a data privacy partner before applying any of them.
Enforcement of the UCPA
Utah’s Attorney General is the sole enforcer of the Utah privacy law.
If you are a controller or processor found in violation of its privacy regulations, you will be provided a 30-day cure period by the Utah Attorney General. And if you do not cure the violation during this period, the Office of the Attorney General may seek damages on behalf of the consumer and levy penalties of up to $7,500 per violation.
The Utah privacy law establishes a consumer protection division to aid enforcement by receiving and investigating any consumer complaint about potential violations. If investigations into these complaints reveal evidence of a violation, the UCPA consumer protection division will refer the case to the Utah Attorney General.
Enforcement of the UCPA will also be supported by funds received from levying civil penalties on potential violators of the law’s safeguards. These funds will be deposited into a Consumer Privacy Account and enable the investigation of alleged violations, recover legal fees, and provide privacy rights education to consumers and businesses.
Utah’s state privacy law does not currently provide a right of action (i.e., consumers’ legal standing to sue organizations violating their enumerated data privacy rights).
Prepare for UCPA with DataGrail
Compliance with the Utah privacy law requirements will help you safeguard consumer data privacy and avoid legal penalties. And as more and more states enact these state laws, businesses will have to increasingly adopt data privacy protection measures. But many of these privacy regulations can seem complex if your business handles vast amounts of personal data.
That’s where Datagrail comes in. With high-performance tools like our Live Data Map, you can stay ahead of privacy risks and establish a strong data privacy foundation across your organization.
Learn more about our data privacy platform.
- Data Privacy Laws: What to Know
- How to Build a Privacy Program
- Data Privacy vs. Data Security: A Guide
Utah State Legislature. Utah Consumer Privacy Act. https://le.utah.gov/~2022/bills/sbillenr/SB0227.pdf