The Utah Consumer Privacy Act

The Utah Consumer Privacy Act (UCPA) took effect in December 2023 and is a variation of the stalled Washington Privacy Act model. Considered business friendly, the UCPA provides more limited privacy rights and fewer restrictions on secondary uses of personal information.

Schedule a Free Consultation

What You Need to Know About Utah’s Privacy Law

To Whom Does the UCPA Apply?

The UCPA applies to for-profit entities that:

  1. Conduct business or provide commercial products or services that are targeted to residents of Utah (consumers), and 
  2. Has an annual revenue of at least $25 million, and
  3. Annually control or process PI of either:
    1. 100,000 unique residents; or
    2. 25,000 unique residents and derives more than 50% of gross revenue from the sale of PI.
Where Does UCPA NOT Apply?

Exempt Entities: Exempt entities include:

  • Non-profits;
  • State government entities;
  • Higher education Institutions;
  • Air carriers;
  • GLBA-covered entities;
  • HIPAA-covered entities and business associates; and
  • Tribal nations.

Exempt Data: Oregon exempts a long list of personal information, including but not limited to:

  • Protected Health Information (PHI) under HIPAA;
  • GLBA-covered data;
  • Various federally and internationally protected health and patient information, including that protected by the Common Rule, human subject data, and more;
  • Various forms of credit reporting data regulated by the Fair Credit Reporting Act; and
  • Data covered by a variety of other federal laws including FERPA, Farm Credit Act, and the DPPA.

Exempt Use Cases: The UCPA is not applicable to processing PI in an employment or commercial (B2B) context.

Additionally, Utah specifies that its law should not be construed to restrict a business’s collection, use, or retention of PI for:

  • Conducting internal research for development, improvement, and repair of products, services, and technology (R&D);
  • Product recalls;
  • Identifying and repairing technical errors that impair existing or intended functionality;
  • Performing internal operations;
  • Internal activities related to security incidents, identity theft, fraud, and other malicious or illegal activity;
  • Protecting health and safety; and
  • Activities related to fulfilling a contract with a consumer.

Key Components of Utah’s Data Privacy Law

What Constitutes PI Under UCPA?

The UCPA covers “personal data,” or PI, which is defined as any information that is linked or reasonably linkable to an identified or identifiable natural person. The definition exempts de-identified and information made publicly available by government records, the media, or the consumer.

What Constitutes Sensitive PI Under UCPA?

Utah’s definition of sensitive PI consists of:

  • Racial or ethnic origin (with exceptions);
  • Religious beliefs;
  • information regarding medical history, mental or physical health condition, or medical treatment or diagnosis by a health care professional;
  • Sexual orientation;
  • Citizenship or immigration status
  • Specific geolocation data (with exceptions); and
  • Genetic or biometric data for identification purposes.
Any Other Categories of Data I Should Think About?

Where a controller processes de-identified data, the UCPA requires it to take reasonable measures to ensure the data cannot be associated with an individual; publicly commit to maintaining such data without an attempt to re-identify it; and contractually obligate any recipients of the data to comply with the UCPA.

Additionally, Utah exempts pseudonymous data from access, correction, and deletion rights requests where the controller can show it keeps information that would allow the data to be re-identified separate and subject to technical and organizational controls that prevent its use for re-identification.

Is Consent Needed to Process Sensitive Data?

In a word, NO!

The UCPA grants Utah consumers the right to opt out of the processing of their sensitive PI, as opposed to requiring consent. However, the law also requires that the controller provide the consumer with clear notice and an opportunity to opt out prior to processing the information.

Is Consent Needed for Any Other Processing?

Parental consent is required to process PI from a known child (under 13) in accordance with COPPA.

What Needs to Be Included in the Privacy Notice?

Under the UCPA, a privacy notice must include:

  • The categories of PI processed;
  • The purpose for processing PI;
  • The categories of third parties with which PI is shared;
  • The categories of PI that are shared with third parties;
  • Privacy rights;
  • Methods for a consumer to exercise their privacy rights (see below); and
  • Description of selling and targeted advertising activities including a procedure for opting out of the processing for these purposes.
What Constitutes “Sale” of PI?

Utah defines “sale” as an exchange of PI for monetary consideration by the controller to a third party, , more limited than many state privacy laws that also include “other” valuable consideration.

There are limits on the definition of “sale” to ensure that certain business functions are not unintentionally impeded by this law. Examples of activities deemed not to be a sale include: the disclosure of PI to provide a product or service requested by the consumer, the disclosure of PI that the consumer intentionally made available to the public, and the disclosure of PI as part of a merger or bankruptcy.

How Will the UCPA Be Enforced?

The Utah Attorney General (AG) is the sole enforcement authority for UCPA. Under the UCPA the AG may bring an enforcement action after providing a 30-day notice and an opportunity for the business to cure the alleged violation(s). Actions can be brought that seek civil penalties, with fines up to $7,500 for each violation.

Privacy Rights

 
 

If UCPA applies to your business, you must provide the following privacy rights to consumers:

  • Right to know whether a business is processing your PI;
  • Right to access PI;
  • Right to delete PI collected from the consumer;
  • Right to obtain a copy of PI (data portability); and
    • Right to opt out of the sale of PI or processing for targeted advertising.

The UCPA requires that businesses respond to individual rights requests within 45 days of receipt of the request, with a permissible 45-day extension in limited circumstances. Responses must be provided free of charge once per 12 months. If the business cannot authenticate a request or declines to take a requested action for another reason, the business must notify the consumer in writing, including the reason for the declination.

 
 

Universal Opt-Out

 
 

Unlike many other state laws, the UCPA does not that controllers recognize universal opt-out signals. Universal opt-out, or global privacy control, is a technical standard that enables users to automatically communicate their privacy preferences, such as opting out of the sale of their PI, to websites through their web browser or other technologies.

 
 

Privacy Impact Assessments 

 
 

The UCPA does not require data protection assessments for any processing activities.

 

 
 

Vendor Contracts

 
 

Utah requires businesses to have a contract in place with vendors that dictates how obligations with respect to processing PI. Contracts must include:

  • Instructions for processing PI;
  • The nature and purpose of processing;
  • Type of data that is subject to processing;
  • The duration of processing;
  • A duty of confidentiality for individuals who process the PI;
  • The rights and obligations of both parties
  • Obligation to employ appropriate security measures; and
  • Passes along the same obligations to any subcontractors in a written contract.

 

 
 

Data Minimization

 
 

Utah takes a far more limited approach to data minimization than other state privacy laws. There is no specific data minimization obligation in the law. However, businesses must include purposes for processing in their privacy notice. This obligation results in the need for businesses to identify a purpose for their collection, retention, use and disclosure of the PI. Beyond that, businesses must maintain reasonable administrative, technical and physical data security practices that protect the confidentiality and integrity of PI and reduce reasonably foreseeable risks of harm to consumers from processing PI.

Data Privacy is Just Good Business

Managing privacy compliance with all these new state privacy laws popping up in the U.S., might seem like a daunting task. But just because the task appears daunting, it doesn’t mean that it’s impossible to handle.

You don’t have to go at it alone! With the right support, you can make data privacy measures a sustainable part of your daily operations. That’s where Red Clover Advisors comes in – to deliver practical, actionable, business-friendly privacy strategies to help you achieve data privacy compliance and establish yourself as a consumer-friendly privacy champion that customers will appreciate.

Book a Free Consultation