Terratrue understands UCPA

June 6, 2022

Privacy in Utah: Everything you need to know about UCPA


What is the Utah Consumer Privacy Act?

The Utah Consumer Privacy Act is a narrowly-focused law protecting the consumer data rights of Utahns. The UCPA gives Utahns some control over the data organizations collect about them, allowing them to access, delete, or obtain a copy of the data, and opt out of data sales. The privacy law applies to many businesses doing business in Utah or with Utahns, but does not cover any organizations with an annual revenue of under $25 million. The UCPA goes into effect on December 31, 2023.

Who enforces the UCPA?

The Utah attorney general enforces the UCPA. The Utah Division of Consumer Protection will receive and investigate consumer complaints and refer cases to the attorney general when they believe a company has broken the UCPA.

While citizens may file complaints with the attorney general, they do not have a right to initiate legal actions under Utah privacy law. This puts Utah in line with Virginia and Colorado, but out of step with California — the only state which allows citizens to initiate privacy enforcement actions so far.

Are you ready to get UCPA compliance right?

Who does Utah privacy law apply to?

Like Virginia and Colorado, Utah’s privacy act only covers consumer data. However, as the only state privacy law with a minimum revenue threshold, the UCPA is significantly narrower in scope than consumer privacy laws in California, Virginia, and Colorado.

The law only applies to businesses that conduct business in Utah or with Utahns, make at least $25 million in annual revenue, and either:

  • Process the personal data of 100,000 consumers or more during a calendar year; or
  • Process the personal data of 25,000 or more consumers, and generate over 50% of gross revenue from selling personal data

Both the California Privacy Rights Act and the UCPA use $25 million as a revenue threshold to determine applicability, which may cause confusion. But the two revenue thresholds work in different ways. In California, businesses are automatically covered if they meet the $25 million threshold, while in Utah, businesses are automatically exempt if they are under the $25 million threshold.

So for example, a business with $10 million in annual revenue will always be exempt from the UCPA, but may still be on the hook for CPRA compliance. Similarly, a business making over $25 million may be exempt in Utah because it doesn’t meet personal data thresholds, but would be automatically covered in California (assuming it isn’t part of an exempted group.)

The UCPA also has a narrow definition of “data sale.” Only data sold for “monetary considerations” is covered. So if you trade personal data for products or services, it does not count towards UCPA applicability.

Utah Consumer Privacy Act Exemptions

The UCPA exempts nonprofits, higher education institutions, and all businesses that qualify as covered entities or business associates under HIPAA. The law also exempts financial organizations covered by the GLBA and FCRA, tribes, government entities, and air carriers.

Virginia and Utah privacy laws have similar levels of exemption, although Utah’s air carrier exemption is unique. However, Utah privacy law has significant exemptions that California and Colorado do not share.

California privacy law does not exempt government entities, for-profit educational institutions, or HIPAA and GLBA covered entities (although HIPAA and GLBA data is exempt.) The Colorado Privacy Act also requires HIPAA covered entities to comply (but exempts HIPAA data), as well as nonprofits.

Data under the UCPA

What does the UCPA consider personal data?

The UCPA considers consumer data to be “personal” if it Is linked or can be linked to an identifiable individual. Like Virginia and Colorado, Utah privacy law does not cover data used in “an employment or commercial context,” such as HR records. Utah also exempts data covered by a wide range of federal regulations, including:

  • The Health Insurance Portability and Accountability Act
  • The Driver’s Privacy Protection Act
  • The Farm Credit Act
  • The Fair Credit Reporting Act
  • The Family Educational Rights and Privacy Act

Like Virginia, Colorado, and California, the UCPA also excludes de-identified data and aggregate data.

Utah’s definition of personal data is broadly similar to that used by other states, with a few differences. Utah is the only state to pass a law that does not exempt public records broadly, and only Utah and Colorado fail to exempt lawfully obtained information of public concern. However, in most other respects, all four states have similar ideas about what constitutes personal data.

How does the UCPA define “sensitive data?”

The Utah Consumer Privacy Act provides enhanced protection for certain types of personal information that are considered sensitive. This category includes:

  • Immigration or citizenship status
  • Precise geolocation
  • Race and ethnicity (except when used by video communication processors and in certain health care applications)
  • Religious beliefs
  • Sexual orientation
  • Health and medical history
  • Uniquely identifying genetic and biometric data

The UCPA does not include children’s data under the category of “sensitive data,” however businesses must comply with the Children’s Online Privacy Protection Act. COPPA requires platforms to obtain verifiable parental consent before collecting any personal information from children under 13.

Utah and Colorado do not consider government identity information to be sensitive information, while Virginia and California do. But in most other respects, Utah, Colorado, and Virginia have similar definitions of sensitive data. California is somewhat of an outlier, being the only state that treats login ID, password, union membership, and philosophical beliefs as sensitive data.

Build consumer rights into your product.

What consumer rights does the UCPA provide?

Under the UCPA, consumers have the right to:

  • Access
  • Delete
  • Data portability
  • Opt out of certain data processing

UCPA consumer rights are relatively limited compared to other state privacy laws. Opt out rights and deletion rights are fairly restricted, and the UCPA does not provide the right to correct inaccurate information, unlike privacy laws in California, Colorado, and Virginia. Additionally, like California, Utah has no right to appeal data request rejections.

Right to access

Utahns have the right to know whether a business is processing their personal data, and to access that data.

Right to delete

Utah consumers have the right to delete any personal data they provided to a business. However, the law does not guarantee the right to delete personal data they didn’t provide, such as data provided by a vendor. This is the narrowest right to delete of all four states. In particular, it is much narrower than California’s right to delete, which covers all data a vendor possesses on a subject, along with data shared with or sold to third parties.

Right to data portability

Utahns have the right to obtain a copy of personal data they’ve provided to you. The data should be formatted in a way that’s portable, readily usable, and able to be easily transmitted to another controller. As with the right to delete, data portability is defined very narrowly in Utah — it only applies to data that a consumer has previously provided to an organization.

Right to opt out

Consumers can opt out of processing sensitive data, data sales, and personal data processing for targeted advertising. However, Utah is unique in having no right to opt out of profiling.

Operationalize UCPA compliance in minutes.

What are my obligations under the UCPA?

Utah law imposes fewer obligations than Colorado, California, or Virginia. Of the four states, Utah is the only one where companies are not required to conduct data protection impact assessments or data minimization. 

Maintain clear and accessible privacy notices

Privacy notices for the Utah Consumer Privacy Act should cover:

  • What categories of personal data you collect or process
  • Your purpose for each data type
  • What types of data you’re sharing with third parties
  • What types of third parties you’re sharing personal data with, and
  • How consumers may exercise their data rights, including opt-out rights.

All four state privacy laws have similar requirements for what types of information should go into privacy notice, but each state has different rules governing consumer rights. Therefore, you may have to choose before between posting several different state privacy notices and creating a privacy policy that satisfies all four laws simultaneously.

Obtain opt-in consent for children’s data

Utah never requires affirmative, or “opt in” consent for data belonging to adults — where an adult’s consent is required, providing an opt-out option is sufficient. However, following the rules of COPPA, controllers must obtain opt-in consent from a verifiable parent or guardian for the data of children under the age of 13.

Provide opt out options for sensitive data, data sales, and targeted advertising

Utahns must be able to opt out of processing sensitive data, along with data sales, and data processing for targeted advertising. Provide consumers with a clear notice, and a convenient way to opt out before you engage in any of these data practices.

Process Utah data requests within 45 days

The UCPA requires you to respond to consumer requests within 45 days, and inform consumers of what actions you took. You can extend the response period for an additional 45 days if necessary, but you must inform the consumer and explain why you need the extension within the first 45 days.

Generally, you must provide this service for free. However, you can charge a reasonable fee if the consumer has already made a request within the past 12 months. The law also allows you to impose fees if a user is using requests in an abusive way, such as pestering you with “excessive, repetitive,” and infeasible requests, or using requests as a way to disrupt your company or waste your resources.

Update your security

While Utah privacy law does not have detailed security rules, the UCPA does require controllers to maintain “reasonable administrative, technical, and physical data security practices.” Make sure that you’re protecting consumer data everywhere in your organization, and among your partners.

Create and implement a non-discrimination policy

The UCPA prohibits controllers from discriminating against consumers for exercising their rights. You are not allowed to charge extra, deny goods or services, or offer lower quality goods to those who exercise their data right.

However, like Virginia, Colorado, and California, Utah does allow certain types of incentivization, such as rewarding consumers for participating in a loyalty program. Additionally, Utah privacy law specifies that if a product requires personal data to work, you’re not required to provide the product if the consumer won’t furnish the data.

Essentially, you can reward customers with special offers in exchange for providing personal data, but you can’t penalize consumers for refusing to provide data, making data requests, or exercising other data rights.

Foster trustworthy relationships with your partners.

Make sure you have contracts with data partners

The UCPA requires controllers and processors to have contracts, spelling out the rules and responsibilities of both organizations. These contracts should explain:

  • What types of data are being processed
  • What purpose the data processing serves
  • How the data should be processed
  • How long the data processing agreement lasts

Additionally, the processor must ensure the data is being processed confidentially. Processors should sign agreements with any subcontractors spelling out their obligations, and meeting the same requirements as controller-processor agreements.

What if I have a data breach affecting Utahns?

Data breaches are covered by Utah Code § 13-44-202 (2). If you have personal data from a Utah resident, and you suspect a breach may have occurred, you must “conduct in good faith a reasonable and prompt investigation to determine the likelihood that personal information has been or will be misused for identity theft or fraud purposes.”

If you find that data misuse has occurred or is “reasonable likely,” you must notify each affected Utah resident. The law allows you to use first class mail, telephone, or electronic channels (it doesn’t specify which channels, but presumably conventional channels like email and messaging apps are fine.)

If you have no way to notify a victim directly, you can instead publish a breach notice in “a newspaper of general circulation,” following Utah legal notice publication rules.

The Utah Code states that law enforcement may request you to delay notification because they believe it will impede an investigation. In that case, you should notify victims as soon as law enforcement gives you the go ahead.

How will the attorney general enforce the UCPA?

If the Utah attorney general believes you’ve violated privacy law, they’ll give you a written notice, explaining what rules they think you’ve violated and their reasons for suspecting a violation. You will then have 30 days to cure the violation, and provide the attorney general with a written statement that “the violation has been cured; and no further violation will occur.”

If you fail to cure the violation within 30 days, or continue to violate the same rule or rules, the attorney general may initiate an enforcement action. The law empowers the attorney general to seek compensation for “actual damages to the consumer,” along with a fine of up to $7,500 for each violation. If multiple organizations are involved, the fine will be divided up based on how much responsibility each organization has for the violation.