Utah Consumer Privacy Act: How to Prepare

• The Utah Consumer Privacy Act (UCPA) is Utah’s new data privacy law. Passed on March 25, 2022, the UCPA is slated to go into effect on December 31, 2023.

• The fourth state to pass privacy legislation in recent years, Utah is joining California, Virginia, and Colorado in a growing trend towards state-based data privacy laws.

• To prepare for the Utah Consumer Privacy Act, businesses should update their privacy policies, provide opt-out options for targeted advertising, and create processes for responding the consumer data requests.

What is the Utah Consumer Privacy Act?

• Scope: Who is subject to the UCPA?

• Utah Consumer Privacy Act vs VCDPA vs CPA vs CCPA

• UCPA consumer rights

• UCPA enforcement

• Exemptions to the UCPA

How to prepare for the Utah Consumer Privacy Act

• Determine whether the UCPA applies to your business

• Update your privacy policy

• Provide opt out for targeted advertising and sales

• Create workflows for responding to data subject requests

The Utah Consumer Privacy Act is a 22-page bill passed through the Utah legislature on March 3, 2022. It lays out obligations for businesses who process personal data and data rights for Utah citizens.

In its overall framework, the Utah’s data privacy bill is quite similar to the Colorado Privacy Act (CPA) and the Virginia Consumer Data Protection Act (VCDPA). That said, there are some notable differences, which we’ll cover in greater detail below.

To be subject to the Utah Consumer Privacy Act, an entity (business or other organization) must:

• Have an annual revenue of at least $25 million

• Do business in Utah or market their product/service to Utah residents

Additionally, the entity must either:

• Process or control the data of at least 100,000 Utah residents OR

• Derive at least half its gross revenue from the sale of personal data and control the data of at least 25,000 consumers

Take note! The final requirement doesn’t limit data control to just Utah residents. This means businesses with revenue over $25M, who control data for at least 25,000 consumers, and target their product or service to Utah residents are beholden to the UCPA’s requirements.

That said, Utah’s privacy bill actually is more limited in scope than the CPA or VCDPA––neither of which place a revenue-based threshold.

While the Utah Consumer Privacy Act shares broad-strokes with other state privacy laws (many have noted its similarity to “the Virginia model”), certain provisions do set it apart.

State-based privacy compliance is not a one-size-fits-all approach, so businesses that operate in multiple states should understand these differences to ensure proper compliance.

The UCPA does not include a private right of action, meaning consumers cannot pursue legal action on their own behalf. Though also not provided under Colorado and Virginia’s privacy laws, the private right of action is available to California consumers under certain circumstances.

More notably, the Utah Attorney General’s office is not the first line of enforcement, as it is for all other state privacy laws. Under the Utah Consumer Privacy Act, enforcement is a two step process.

First, the Utah Division of Consumer Protection (UDCP) investigates the complaint and determines its validity. If the UCPA finds the complaint legitimate, only then will it be referred to the Utah Attorney General’s office.

Utah consumers have a slimmer set of data rights when compared to other state laws. The Utah Consumer Privacy Act does not offer the right to correct personal data, opt-out of decision-making based on automated profiling, or appeal an organization’s decision in regards to a data request.

In Utah, a company must meet the $25M revenue threshold. Otherwise, it is exempt.

Neither Virginia or Colorado offer a revenue-based threshold. Rather, their scope is decided by the number of consumers whose data a company processes.

The CCPA’s scope does include a revenue threshold; however, it is just one of three criteria that can determine whether or not the legislation applies.

Unlike the Colorado Privacy Act (CPA) and Virginia Consumer Data Protection Act (VCDPA), the UCPA is an opt-out consent regime. This means that, until they opt-out, companies can legally collect sensitive data on Utah consumers.

The one exception is collecting data on children, which does require opt-in before collection can legally begin.

Like most state privacy laws, consent opt-outs must be clear and easy to find. The UCPA states data controllers must ”[present] the consumer with clear notice and an opportunity to opt out of the processing.”

Unlike other state privacy laws, the Utah Consumer Privacy Act does not require organizations conduct data protection assessments to ensure proactive protection of consumer data.

Keep reading to learn more about consumer rights granted under the UCPA.

Utah consumers are provided a set list of data rights under the UCPA.

Consumers can request access to any personally-identifiable data possessed by an entity.

Consumers have the right to request deletion of their personal data. However, it’s worth noting that, unlike other state privacy laws, the UCPA limits data deletion to information the consumer provided.

Utah consumers have the right to obtain a copy of their data in an easily usable, portable format.

Utah consumers have the right to opt out in regards to:

• Targeted advertising and the sale of personal data

• Processing of sensitive personal data

They cannot, however, opt out of profiling in regards to automated decision making.

If a consumer feels their data rights have been violated, the Utah Consumer Privacy Act outlines a two-step process for enforcement.

First, the Utah Division of Consumer Protection analyzes and investigates the complaint to determine its validity. If deemed legitimate, the complaint is then referred to the Attorney General’s office.

The Attorney General (AG) has exclusive rights to UCPA enforcement, and is required to send written notice to entities found in violation.

Once notice has been sent, organizations are offered a 30 day cure period, in which they can attempt to address the alleged violation.

If a violation is found “uncured” within 30 days, the Attorney General has the power to recover damages on behalf of the consumer and issue fines of $7,500 per violation.

This enforcement process was reportedly designed to limit the number of frivolous claims, but critics say it acts as a layer of protection for businesses––one that could result in less data protection for consumers.

Utah’s data privacy bill offers more exemptions than other state privacy laws. The most significant being the $25M revenue threshold, which exempts any businesses whose annual revenue falls short of that amount.

There are also several entity-based exemptions, including organizations under the Health Insurance Portability and Accountability Act (HIPAA), Driver’s Privacy Protection Act, and Family Educational Rights and Privacy Act.

Businesses covered by the Fair Credit Reporting Act or Gramm-Leach-Bliley Act can also receive entity-based exemptions.

In addition, non-profits, higher education institutions, Native tribes, and government entities are not subject to the UCPA.

Though businesses do have some time to prepare for UCPA enforcement, savvy organizations will start laying the groundwork now.

Compliance is complex and deadlines have a way of approaching faster than expected. Taking certain steps now can ensure compliance without the last minute crunch––helping your business avoid violations and potential fines.

The first step towards preparing for the Utah Consumer Privacy Act is determining whether or not your company falls within its stated scope. If your business falls below the revenue threshold, the UCPA doesn’t apply to you.

Remember, the UCPA’s scope applies to businesses that:

• Have annual revenues of at least $25 million

• Do business in Utah or market their product/service to Utah residents

Additionally, the entity must either:

• Process or control the data of at least 100,000 Utah residents OR

• Derive at least half its gross revenue from the sale of personal data and control the data of at least 25,000 consumers

This scope in mind, your next step is to determine:

1. Your organization’s annual revenue

2. If not located in Utah, whether your company markets to Utah residents

3. How much consumer data your organization is processing

4. Whether or not any of that data is being sold

A comprehensive privacy policy is key to effective compliance. Publishing a privacy policy gives customers the information they need to fulfill their data rights, and ensures your company is disclosing the right information as outlined by the UCPA.

Make sure your policy uses clear, concise language, and is easily accessible to any user who comes to your website. Clarify how you collect and use consumer data, and make that information freely available to your consumers.

Under the GDPR, privacy policies that don’t meet these requirements have been subject to significant fines––though it remains to be seen if Utah regulators will apply the same level of stringency.

Another good guideline is to provide as many self-serve options in your policy as possible. Include links to your consent manager if you have one, as well as your privacy request center.

If you don’t have an automated privacy request center, include instructions on how a user can request or access their data, as well as an outline for what happens after they do.

The Utah Consumer Privacy Act requires that organizations provide a way for consumers to opt out of targeted advertising and personal data sale––with enforcement beginning December 31, 2023.

Implementing this requirement will be easiest with a consent management tool (think cookie banners), which will allow users to determine what, if any, tracking they will allow while on your site.

Utah’s privacy bill gives consumers the right to access, move, or delete their data–meaning your company needs a way to fulfill those requests within the 45 day deadline.

Processors can request another 45 days if necessary, but creating backlogs and bottlenecks is unwise. Requests will continue to accumulate in the interim, so developing an effective process now will pay future dividends.

Privacy@ email boxes are a common short-term solution for data subject request fulfillment. However, tracking and fulfilling requests in this way requires a team who fields each request and manually tracks down data across all company systems.

As privacy requests continue to increase, this type of manual workflow is unsustainable in the long-term.

Implementing an automated privacy request platform streamlines the request process, minimizes the level of manual work, and increases end-to-end security for sensitive data.

If your organization has been impacted by the Utah Consumer Privacy Act or other data privacy laws, Transcend can help you ensure compliance. Automate data subject request workflows with Privacy Requests, ensure nothing is tracked without user consent using Transcend Consent, or discover data silos and auto-generate reports with Data Mapping.

Looking to evaluate your current privacy program and discover any hidden costs? Explore our privacy request cost calculator.