Utah may have been the 45th state to get a star on the Star-Spangled Banner, but it’s at the forefront of data privacy in the US.

As the fourth state to pass a comprehensive privacy law governing how businesses can collect and use consumer data, it makes sense that Utah is part of the vanguard that’s setting standards for the intersection of tech and privacy. 

Utah is also known as Silicon Slopes and is one of the country’s most successful tech hubs outside of Silicon Valley—the tech industry accounts for at least 11.2% of Utah’s total economy and employs almost 9.4% of its workforce.

Home to large operations centers for major technology companies such as Adobe, Cisco, eBay, Facebook, Micron, Microsoft, Oracle, Domo, Qualtrics, and NortonLifeLock, Utah’s legislature has a vested interest in staying on the cutting edge of tech law.

In March 2022, Governor Spencer Cox signed the Utah Consumer Privacy Act (UCPA) into law. The UCPA follows the same general principles as other state laws (California’s CCPA, Virginia’s VCDPA, Colorado’s CPA); but perhaps unsurprisingly, for a state where the economy is heavily dependent on being tech-friendly, the UCPA has fewer regulatory obligations for businesses than other US laws.

What businesses are impacted by the UCPA?

When it comes to scope, Utah’s consumer privacy law is most similar to the VCDPA. When it goes into effect in December 2023, the UCPA will apply to any data controller (an organization that collects data from consumers) or processor (an organization that processes personal data to make it usable for a controller) who:

  • Conducts business in, produces a product or service targeted to, or collects data from residents of Utah
  • Has an annual revenue of $25M or more
  • Satisfies one or more of the following thresholds:
    • Controls or processes the personal data of 100K+ consumers per calendar year
    • Derives over 50% of gross revenue from the sale of personal data and controls or processes the data of more than 25K consumers

The $25M annual revenue threshold reduces the impact the UCPA will have on small businesses that would be subject to laws in other states. Large companies that make more than $25M are similarly exempt if they don’t collect data from more than 100K consumers. Taken together, these two exemptions mean that although the restrictions and penalties in the UCPA are similar to other consumer privacy laws, the overall scope is smaller.

How is data protected under the UCPA?

Personal data is defined by the UCPA as “information that is linked or reasonably linkable to an identified individual or identifiable individual.” Data that is de-identified or publicly available is exempt from protection, as is information collected from people acting in “commercial or employment contexts.”
The UCPA definition for “sale” of data is similar to that of the VCDPA, meaning the regulations only apply to personal data exchanged for monetary consideration. By contrast, the CCPA and CPA try to close the data-sharing loophole by stipulating that data is considered “sold” if it’s exchanged for money or “other valuable considerations.”

Sensitive personal data

Following a general trend in privacy legislation, the UCPA provides special protections for certain categories of sensitive personal information including:

  • Race, religious beliefs, sexual orientation, citizenship or immigration status, medical history, mental health diagnoses, or treatment plans
  • Genetic or biometric data
  • Specific geolocation information

Businesses in Utah only have to provide clear notices and give consumers the option to opt out of processing, a less burdensome practice than the opt-in requirements of other U.S. data privacy regulations. They’re also exempt from a requirement to perform data protection impact assessments.

What rights do consumers have under the UCPA?

Under the UCPA, consumers have the right to:

  • Delete personal data they’ve provided to the controller
  • Obtain a copy of the data they’ve provided in a way that’s easy to transfer and use
  • Opt out of having their data processed for targeted advertising
  • Opt out of having their data sold

At first glance, these rights may look just like the rights established in other privacy laws, but the UCPA does have notable exceptions, including:

  • Consumers don’t have the right to correct their information
  • Consumers can only delete personal data they’ve provided (i.e. not all their data)
  • Consumers don’t have the right to opt out of having their data processed for profiling
  • Consumers don’t have the right of private action if their data is exposed in a breach

How will the UCPA be enforced?

Like its other US counterparts, the UCPA places administration authority with the state attorney general’s office. But unlike other laws, Utah has taken a unique tiered approach to initiate enforcement actions.

Under the UCPA, Utah’s Division of Consumer Protection initially receives notifications of and then investigates potential violations. If the DCP determines there is reasonable cause to believe a violation has occurred, it will refer the case to the AG’s office.

After being notified of compliance issues by the attorney general, the controller or processor will have 30 days to cure the violation. If it isn’t remedied, offenders can be fined up to $7,500 per violation.

What do businesses have to do to comply with the UCPA?

Almost all privacy laws share the same goals: provide transparency, improve data security, and increase the amount of control consumers have over how their data is used online. The UCPA is no exception to this trend. 

Transparency

The UCPA requires companies to have a privacy policy that’s easy to understand and tells consumers:

  • What categories of data they’re collecting and why
  • Who collected data is shared with and why
  • What consumers need to do to exercise their rights

In line with similar requirements in the VCDPA and CPA, the UCPA also requires that any data processing activities performed by a third party must be governed by a contract between the data controller and data processor that matches the practices outlined in a privacy policy.

In a nod to being business-friendly, however, the UCPA doesn’t stipulate that controllers need to perform data protection assessments to determine risks to data being processed (but between us, you should do it anyway).

Security

Under the UCPA, businesses must provide reasonable “administrative, technical, and physical data security practices” that will help “reduce reasonably foreseeable risks of harm to consumers relating to the processing of personal data.” 

This requirement isn’t any different from rules outlined in the other privacy laws and also aligns with privacy best practices, so adhering to it doesn’t create an unreasonable burden for controllers.

Consumer control

To be UCPA-compliant, businesses need to create effective processes that allow consumers to opt out of having their information sold or processed for targeted advertising. They must also offer consumers a way to opt out of having their sensitive information collected.

Additionally, businesses must have internal processes to ensure they can respond to consumer requests within 45 days.

The UCPA also permits businesses to charge fees if consumers submit more than one request per year or if they file requests that are “excessive, repetitive, technically infeasible, or manifestly unfounded.”

Looking to the future

Utah State Senator Kirk Cullimore, sponsor of the UCPA, said the UCPA isn’t “a perfect bill, but it’s a good starting point everybody can live with. We will certainly look to tweak it.” In fact, the UCPA includes a stipulation that its effectiveness must be reviewed by July 2025.
If you have questions about the UCPA or any other privacy laws, Red Clover Advisors is here to help. Give us a call and let our experts help you.