Utah—the 45th state to join the Union—is the fourth state to adopt comprehensive consumer privacy legislation.
Signed into law on March 24, 2022, the Utah Consumer Privacy Act (UCPA) passed through the state legislature with remarkable speed and consensus. It contains many of the broad data privacy concepts found in California, Colorado, and Virginia privacy laws. Still, the UCPA is generally narrower in scope and has some unique aspects, including a bifurcated enforcement process and a first-of-its-kind enforcement assessment.
The UCPA took effect on December 31, 2023. While businesses that have taken steps to comply with data protection requirements in other states should be well-positioned to comply with the UCPA, they’ll still want to familiarize themselves with Utah’s data privacy framework and develop a plan to meet its key provisions.
How Utah got here
To date, United States data protection laws have largely been left to individual states. Data privacy laws are pending in state legislatures across the country, and experts expect some of these to pass in 2024. But Utah being the first of these states to cross the legislative finish line and enact a data privacy bill, joining California, Colorado, and Virginia, was a bit of a surprise.
For starters, Utah was the first “red” state to pass a law of this kind, disproving the idea that data privacy is strictly a Democratic issue. Utah is one of the most Republican states in the country. The Republican Party currently controls both chambers of the state legislature and has done so for decades. Governor Spencer Cox is also a Republican. The UCPA (Senate Bill 227) passed both chambers unanimously—by a vote of 28-0 in the Senate and 71-0 in the House.
What’s equally striking is that the Utah Legislature approved the UCPA within just five working days, notes the International Association of Privacy Professionals (IAPP).
Consumer privacy advocates, who said the bill doesn’t go far enough, urged Governor Cox to return it to the legislature for further work. Still, if he hadn’t signed SB 227, there’s a good chance a deal wouldn’t have gotten done, according to Sen. Kirk Cullimore, a Republican who sponsored the bill. He told IAPP prior to the bill’s signing that, "We have a very delicate and fragile coalition. Any change at this point would probably lose a mass of support."
Cullimore sponsored the UCPA for two-and-a-half years, and it failed to move out of the Utah Senate as recently as 2021. The bill’s latest version—introduced in February 2022—represents a compromise between business and consumer interests.
IAPP calls the UCPA’s approach “lighter” and more “business-friendly” compared to the Virginia Consumer Data Protection Act (VCDPA), the Colorado Privacy Act (CPA), the California Consumer Privacy Act (CCPA), and the California Privacy Rights Act (CPRA).
Utah consistently ranks among the top states for business, and the Salt Lake City region is home to the tech startup hub known as “Silicon Slopes.” So while consumer advocates may be disappointed with the UCPA, any version of the bill that did not consider Utah’s strong pro-business climate may not have passed.
“The bill does not impose onerous regulations, but significantly pares back the more burdensome and confusing provisions found in similar state privacy legislation, (...) The bill accomplishes a balancing act by focusing directly on Utah consumers and their guaranteed rights, not the red tape that confuses businesses and consumers alike.”
- Sen. Kirk Cullimore, R-Utah, March 1, 2022, UCPA final House committee hearing (Source: IAPP)
Which businesses does the UCPA apply to?
A partner from the Salt Lake City office of law firm Foley & Lardner LLP told IAPP that the biggest challenge of the UCPA for companies is trying to figure out whether it covers them.
In line with other state privacy laws, the UCPA applies to two types of for-profit entities: data “controllers” and data “processors.” But the UCPA has a narrower scope than other state privacy laws because it uses both a financial threshold and a data threshold to determine applicability. Processors and controllers that meet the following requirements must comply with the UCPA:
Conducting business in Utah or producing a product or service in the state targeting residents of Utah;
Reporting annual revenue of $25,000,000 or more; and either:
Controlling or processing the personal data of 100,000 or more Utah consumers in a calendar year; or
Deriving over 50% of its gross revenue from the sale of personal data and controlling or processing the personal data of 25,000 or more Utah consumers.
A smaller number of companies will likely be required to comply with the UCPA than the CCPA, CPRA, CPA, or VCDPA due to Utah’s double threshold requirement. The annual revenue threshold rules out smaller businesses, while the additional thresholds could exempt some larger entities.
Certain types of entities are explicitly exempted from the UCPA, as they are under laws in California, Colorado, and Virginia. They include:
Government entities and government contractors
Higher education institutions
Organizations covered by the Gramm-Leach-Bliley Act (GLBA)
Organizations covered by the Fair Credit Reporting Act (FCRA)
What and who does the UCPA cover?
The UCPA is intended to protect the “personal data” of Utah “consumers.” Here’s how the law breaks down each of these terms:
Personal data, as defined in the UCPA, is information linked to (or reasonably linkable to) an identified (or identifiable) individual. The UCPA, like the CPA and the VCDPA, doesn’t consider deidentified data and publicly available information as personal data. Unlike the CPA and the VCDPA, but similar to the CCPA, the UCPA excludes “aggregated data.”
Information subject to federal laws like FCRA, GLBA, and the Health Insurance Portability and Accountability Act (HIPAA) is also excluded, as is employee data, job applicant data, and data provided in a B2B context.
Consumer, under the UCPA, is defined as “an individual who is a resident of the state acting in an individual or household context.” Individuals “acting in an employment or commercial context” are not considered consumers.
What data rights do Utah consumers have under the UCPA?
Anyone who meets the above definition of a Utah consumer is afforded the following personal data rights:
The right to confirm whether a controller is processing their data, and if so, the right to access that data.
The right to delete personal data that the consumer provided to a controller.
The right to obtain, in a portable manner, a copy of the data that the consumer provided to a controller.
The right to opt out of the processing of their personal data for the purposes of targeted advertising, or of the sale of their personal data.
There are a few aspects of the Utah law that depart from its California, Colorado, and Virginia counterparts and are worth clarifying:
Consumers do not have the right to delete all personal data held by a controller, only the data they themselves provided to the controller.
The “sale” of personal data has a very specific meaning in the UCPA: data that is disclosed to a third party for “monetary consideration.” Excluded from this definition are data disclosed to an affiliate of the controller, disclosures to a third party for the purpose of providing a product or service requested by the consumer, and disclosures made to a third party for purposes “consistent with a consumer’s reasonable expectations.”
Absent from the UCPA are the right to opt-out of profiling and the right to correct inaccuracies in a consumer’s personal data.
Unlike the CPA and VCDPA, the UCPA doesn’t require controllers to obtain opt-in consent for the processing of “sensitive data” (i.e. personal data that reveals a person’s citizenship or immigration status, genetic or biometric data, geolocation data, medical history, mental or physical health condition, racial or ethnic origin, religious beliefs, or sexual orientation). However, consumers must be given “clear notice and an opportunity to opt out” of sensitive data processing.
Controllers must specify a way for consumers to submit requests exercising these rights, and they are prohibited from discriminating against Utah consumers for exercising their data privacy rights.
How is the UCPA enforced?
The UCPA does not contain a private right of action. To date, California remains the only state that permits individuals to bring lawsuits for privacy violations. Enforcing the UCPA is ultimately the responsibility of the attorney general’s office, but the law has an enforcement process that sets Utah’s data privacy enforcement apart from other states.
Initially, when a Utah consumer submits a claim over an alleged UCPA violation, the claim goes to the Division of Consumer Protection (DCP). Claims that the DCP deems legitimate then move to the Office of the Attorney General (AG), which has the discretion to decide whether the claim is worthy of enforcement.
If it is deemed enforcement-worthy, the AG will give the business 30 days to cure the violation and provide the AG with an “express written statement that the violation has been cured and no further violation of the cured violation will occur.”
Violations that aren’t cured within 30 days are subject to actual damages to the consumer and fines of up to $7,500. The money collected through enforcement actions is deposited into the Consumer Privacy Account to fund, among other things, education about UCPA consumer rights.
Experts say this multi-layered scheme is unlikely to result in many fines against noncompliant businesses. Some have, therefore, called the law toothless, but one attorney told IAPP, “I think a law is seen as a failure if no one gets a huge fine, but compliance, not fines, should be the goal."
Another unique aspect of Utah’s privacy law is that Utah lawmakers will have a chance to revisit the UCPA in 2025 by way of a report from the attorney general’s office. The report will evaluate the AG’s enforcement efforts and propose any changes that may be needed.
How can my business comply with the UCPA?
Although companies that do business in Utah probably don’t need to be overly concerned about UCPA fines, they should nonetheless understand their compliance obligations and be prepared to meet them. At a minimum, companies should do the following to comply with the Utah Consumer Privacy Act:
Confirm that you are subject to the UCPA. Given the narrower scope of the law and its thresholds and exemptions, you may not have to comply at all. Figuring this out should be your first priority.
Provide a consumer privacy notice. The UCPA states that controllers must provide consumers with a “reasonably accessible and clear” privacy notice that specifies:
The categories of personal data that the controller processes
The purposes for the controller’s data processing activities
How consumers can exercise their data privacy rights
The categories of personal data the controller shares with third parties
The categories of third parties that the controller shares data with
Give consumers a way to opt out. If a controller sells a consumer’s personal data to third parties or engages in targeted advertising, it must “clearly and conspicuously” disclose to the consumer how they can exercise their opt-out right. Similarly, if you plan on collecting sensitive data, as defined by the UCPA, give consumers clear notice and a way to opt out.
Do not discriminate against Utah data subjects for exercising their privacy rights. Controllers are prohibited from charging consumers a different price or rate for a good or service, or providing a different level of service, when consumers exercise their UCPA rights.
Respond to consumer requests within 45 days. When a Utah consumer makes a permissible request to a controller (e.g., a request to access or delete their personal information), the controller must respond to the consumer within 45 days. This deadline can be extended in certain circumstances. Businesses should put in place mechanisms to accept, track, verify, and honor consumer requests.
Obtain parental consent for processing children’s data. Before processing the data of Utah consumers under the age of 13, controllers must obtain verifiable parental consent.
Implement appropriate security practices. Controllers have a duty to “establish, implement, and maintain reasonable administrative, technical, and physical data security practices” that are designed to protect the integrity and confidentiality of personal data and to reduce the risk of foreseeable harm to consumers related to data processing.
Industry-recognized standards should be used as a model for security practices. However, controllers are not required to conduct data protection assessments as they are with the CPA and VCDPA.
Have contracts with processors. The UCPA mandates that processors and controllers enter into a contract before a processor performs processing activities on a controller’s behalf. These types of agreements are also required under the CPA and VCDPA, but the UCPA imposes fewer requirements on its controller-processor contracts.
Didomi helps companies get ready for the data privacy revolution
The data privacy revolution may have started in Europe with the GDPR, but it is rapidly spreading across the world. More and more countries—and more and more states—are rolling out data privacy legislation. The UCPA’s passage shows that data privacy is not a red-state issue or a blue-state issue. It’s an issue for all Americans.
Although U.S. privacy law remains fragmented, there is widespread consensus among Americans that their information is less secure than it used to be and that current laws and practices are out of date. Most say it is difficult to control who has access to their online information, and they have little trust in companies to keep their personal information secure.
The message is clear for marketers: those who make customer privacy a priority will enjoy a strong competitive advantage. Complying with the UCPA, CCPA, CPA, VCDPA, and future iterations of these laws is a floor—not a ceiling. And the sky’s the limit for companies that place consumer consent at the center of their digital marketing strategy, especially as we move further into the cookieless future.
A brand based on trust is a brand positioned for success in a user-centric world. Find out how Didomi’s Consent Management Platform and Preference Management Platform take the guesswork out of data compliance and help you turn privacy into business opportunities.