Utah's Consumer Privacy Act (UCPA)

The Utah Consumer Privacy Act (UCPA) is a comprehensive privacy law designed to protect the privacy rights of Utah residents. It was signed into law on March 24th, 2022, and took effect on December 31st, 2023. Companies that do business in Utah or provide goods or services targeted at Utah consumers need to know what the UCPA requires and how to comply with the law.

This article explains what the UCPA is, who it applies to, what it requires, the penalties for noncompliance, and the steps businesses should take to comply with the law.

What is the Purpose of the Utah Consumer Privacy Act (UCPA)?

The UCPA was established to protect Utah consumers' personal data, which is any information that could be used to identify an individual. The law sets data privacy responsibilities for businesses serving residents in the state.

The UCPA gives Utah consumers the following rights:

  • The right to know if a business is collecting or using their personal data
  • The right to access or delete their personal data
  • The right to opt out of the collection and use of their personal data for targeted advertising (marketing based on tracking consumers' online behavior) purposes
  • The right to opt out of the sale of their personal data
  • The right to opt out of the processing of sensitive data
  • The right to obtain a copy of their personal data

The introduction to Senate Bill 227 (the bill that enacts the UCPA) explains that the law gives Utah consumers rights concerning their personal data and requires applicable businesses to take specific steps to protect those rights:

Screenshot: S.B. 227 Introduction

Who Does the Utah Consumer Privacy Act (UCPA) Apply to?

The UCPA applies to data controllers and processors that do business in Utah or provide products or services to Utah consumers, have an annual revenue of at least $25 million, and satisfy the law's thresholds.

A controller is anyone who does business in Utah and decides (either alone or with others) why and how personal data should be processed (used).

A processor is anyone who processes personal data for a controller.

For the law to apply, controllers and processors must also meet at least one of the following criteria:

  • Control or process personal information of at least 100,000 Utah consumers per year, or
  • Earn over 50% of gross revenue from the sale of personal information and control or process personal information of at least 25,000 Utah consumers per year

Section 13-61-102 (1) of S.B. 227 explains that it applies to data controllers and processors that do business in Utah or offer goods or services to Utah residents, make over $25 million annually, and meet at least one of its thresholds.

Screenshot: S.B. 227 Section 13-61-102(1)

Are There Any Exemptions Under the Utah Consumer Privacy Act (UCPA)?

Certain businesses and types of information are exempt from the UCPA, including small businesses that make less than $25 million per year and personal data that is publicly available.

The UCPA does not apply to the following types of data:

  • Protected health information under the Health Insurance Portability and Accountability Act (HIPAA)
  • Information used for the Federal Policy for the Protection of Human Subjects
  • Employment information
  • Emergency contact information
  • Data subject to other laws, including the Gramm-Leach-Bliley Act, the Fair Credit Reporting Act, and the Driver's Privacy Protection Act
  • Certain pseudonymous or de-identified data

Businesses exempt from the UCPA include the following:

  • Small businesses with annual sales of less than $25 million or those that get less than 50% of their annual income from the sale of personal data and control or process data from fewer than 25,000 Utah consumers
  • Government entities
  • Third parties in contract with and acting on behalf of government entities
  • Tribes
  • Institutions of higher education
  • Non-profit organizations
  • Covered entities (as defined under HIPAA)
  • Business associates (as defined under HIPAA)
  • Airline companies
  • Financial institutions subject to the Gramm-Leach-Bliley Act

Section 13-61-102 (2) of S.B. 227 details the entities and types of data that are exempt from the UCPA, including government organizations and protected health information:

Screenshot: S.B. 227 Section 13-61-102(2)

What Does the Utah Consumer Privacy Act (UCPA) Require?

To comply with the UCPA, businesses must:

  • Respond to consumer requests in a timely manner
  • Maintain a contract between controllers and processors
  • Provide a clearly written and easily accessible Privacy Policy
  • Keep the personal data they collect and process secure
  • Notify consumers and give them the chance to opt out when processing sensitive data
  • Refrain from discrimination

Section 13-61-302 (1-4) of S.B. 227 details the law's requirements for controllers, including maintaining a Privacy Policy and keeping the data they process safe:

Screenshot: S.B. 227 Section 13-61-302

What Are the Penalties For Not Complying With the Utah Consumer Privacy Act (UCPA)?

Businesses found in violation of the UCPA can face fines of up to $7,500 per violation, plus any damages the consumer suffers as a result of the violation.

The Utah attorney general enforces the UCPA and will investigate complaints. If a business is found to be in breach of the UCPA, the attorney general will allow the business to have a 30-day cure period before any fines are imposed. If the business rectifies the violation within this time period, a fine may be avoided.

Following the 30-day period, a business in breach of the UCPA may be fined up to $7,500 per violation, plus damages.

Section 13-61-402 of S.B. 227 explains that businesses that violate the UCPA may face financial penalties of up to $7,500 per violation, plus damages sustained by the consumer:

Screenshot: S.B. 227 Section 13-61-402

How Can Businesses Comply With the Utah Consumer Privacy Act (UCPA)?

To adhere to the UCPA, there are a few steps businesses should take, including responding to consumer requests, maintaining a Privacy Policy, and keeping the personal data they collect and process secure.

Let's go over each of the steps businesses can take to comply with the UCPA.

Respond to Consumer Requests

The UCPA requires data controllers to respond to consumer requests concerning their personal data within 45 days of receiving the request. That means you have 45 days to take action on a consumer's request and notify the consumer of any action taken or decision reached in response to their request.

If you need longer than 45 days to respond to a consumer request, you can extend the initial 45-day period by an extra 45 days, as long as you inform the consumer of the reasons for the extension and how long it will last.

Consumers are allowed to make one request free of charge each year. After their first request in a 12-month period, you are allowed to charge a "reasonable fee" to cover administrative costs.

Section 13-61-203 (1) of S.B. 227 explains that controllers must respond to a consumer's request regarding their personal data within 45 days of receipt of the request:

Screenshot: S.B. 227 Section 13-61-203

Create a Contract Between Controllers and Processors

The UCPA requires data controllers and processors to have a contract in place before processors can process Utah residents' personal data.

The contract should contain the following information:

  • Instructions for processing personal data
  • The reasons for processing personal data
  • The types of data to be processed
  • The duration of the processing
  • Each party's rights and responsibilities
  • An agreement that each person responsible for processing personal data will keep the information confidential
  • An agreement that any subcontractors the processor uses must agree to meet the same obligations

Section 13-61-301 of S.B. 227 explains that data processors must contract with controllers before processing Utah consumers' personal data:

Screenshot: S.B. 227 Section 13-61-301

Keep Personal Data Safe

Controllers must use administrative, technical, and physical security measures to keep personal data safe.

Common security practices include:

  • Administrative measures, such as training staff on best practices and allowing only authorized personnel to access personal data
  • Technical measures, such as firewalls, encryption, and antivirus software
  • Physical measures, such as locks on doors and filing cabinets, security guards, and security cameras

The security measures you use should be proportionate to the types and amount of personal data you process.

Section 13-61-302 (2) of S.B. 227 says that controllers need to use appropriate safety procedures to make sure personal data remains confidential:

Screenshot: S.B. 227 Section 13-61-302(2)

Take Care When Processing Sensitive Data

The UCPA has special requirements for controllers who wish to process sensitive data.

Sensitive data is a category of personal data that includes:

  • Race or ethnicity (unless the data is processed by a video communication service)
  • Sexual orientation
  • Religion
  • Citizenship or immigration status
  • Specific geolocation information
  • Mental or physical health conditions, treatments, or diagnoses (unless the data is processed by a licensed health care provider under the Health Care Facility Licensing and Inspection Act)
  • Biometric or genetic data used to identify an individual

To process Utah consumers' sensitive data, controllers must:

  • Provide a conspicuous notice informing consumers that the controller intends to process sensitive data
  • Give consumers the choice to opt out of the processing of their sensitive data
  • Comply with the Children's Online Privacy Protection Act (COPPA) if processing data belonging to children

Section 13-61-302 (3) of S.B. 227 informs controllers that they cannot process Utah consumers' sensitive data unless they notify the consumer of their intention and give them the chance to opt out of the processing of their sensitive data:

Screenshot: S.B. 227 Section 13-61-302(3)

Don't Discriminate

Controllers are not allowed to discriminate against consumers for exercising their rights.

Discrimination can include:

  • Denying goods or services
  • Charging different prices to consumers who exercise their rights
  • Giving consumers who exercise their rights different quality goods or services

However, controllers are allowed to offer different prices, different quality goods or services, or free or discounted goods or services in the following circumstances:

  • If the consumer opts out of targeted advertising
  • If an offer is contingent on a consumer's voluntary participation in a rewards or discount program

Furthermore, controllers don't have to provide products, services, or functionalities that require consumers' personal data if the consumer does not:

  • Provide their personal data or
  • Allow the controller to process their personal data

Section 13-61-302 (4) of S.B. 227 says that controllers cannot discriminate against consumers for exercising their rights by denying goods or services or charging different prices for goods or services:

Screenshot: S.B. 227 Section 13-61-302(4)

Maintain and Display a Privacy Policy

The UCPA requires data controllers to maintain a clearly written and easily accessible Privacy Policy on their websites. A Privacy Policy is a legal document that explains how you handle users' personal information and how consumers can exercise their rights.

A UCPA-compliant Privacy Policy should contain the following information:

  • What personal data the controller processes
  • Why the personal data is processed
  • How consumers can exercise their rights
  • What personal data the controller shares with third parties
  • The types of third parties the controller shares personal data with
  • How consumers can opt out of the sale of their personal data or the use of their personal data for targeted advertising purposes
  • Contact information

Section 13-61-302 (1) of S.B. 227 explains that controllers should maintain a Privacy Policy that explains how they treat consumers' personal data, including the types of personal data they process and how consumers can exercise their rights:

Screenshot: S.B. 227 Section 13-61-302(1)

Let's take a deeper look at the clauses you should include in a UCPA-compliant Privacy Policy.

The Types of Personal Information You Process

This clause should list the categories of personal data you process, such as names, email addresses, and financial information.

Aldi's Privacy Notice describes the types of information it collects, including personal and sensitive data:

Aldi Privacy Notice: Information we collect clause

Your Purposes for Processing Personal Data

You should clearly explain your reasons for processing personal data. It's good business practice (and often required by global and state privacy laws) to limit your collection of personal data to that which is strictly necessary to fulfill your purposes.

Chiquita's Privacy Policy explains its reasons for processing personal data, including for communication and verification purposes:

Chiquita Privacy Policy: Why we collect data clause

What Personal Information You Share With Third Parties

This clause describes the personal data you disclose to third parties.

Meta's Privacy Policy lists the types of third parties it shares users' data with:

Meta Privacy Policy: Third Party clause

When users click on one of the third parties, they receive detailed information about the types of data Meta shares with that party:

Meta Advertisers and Audience Network Publishers information

The Categories of Third Parties You Share Personal Data With

You should let consumers know the types of third parties you share personal data with, such as service providers or affiliates.

General Mills' Privacy Policy explains that it may share information with affiliates, service providers, third parties that use cookies, and other parties when required by law or to protect users or its services:

General Mills Privacy Policy: How we may share information clause

How Consumers Can Exercise Their Rights

This clause should list consumers' rights and explain how consumers can exercise those rights.

This clause should include information on how consumers can opt out of the following data processing activities:

  • The sale of personal data
  • The processing of personal data for targeted advertising purposes
  • The processing of sensitive data

Danone North America's Privacy Policy lists consumers' rights and explains how they can exercise their rights via webform or telephone. It includes a link to its Do Not Sell My Personal Information request form:

Danone North America Privacy Policy: Rights clause

Your Contact Information

Let users know how they can contact you with any questions or concerns they may have regarding their personal data.

Blick Art Materials' Privacy Policy includes a postal address, an email address, and a toll-free phone number:

Blick Art Materials Privacy Policy: Contact clause

How to Display Your Privacy Policy

Once you have your Privacy Policy written, you need to put it somewhere users can easily find it.

You should put links to your Privacy Policy wherever you collect personal information from users, such as within your website footer and on your account creation or checkout pages.

Arby's includes links to its Privacy Policy both within its website footer and as part of its Cookie Notice:

Screenshot: Arby's website footer and Cookie Notice with Privacy Policy links highlighted

TikTok includes a link to its Privacy Policy on its login page:

Screenshot: TikTok login page with Privacy Policy link highlighted

T.J. Maxx's checkout page contains links to its Privacy Policy:

Screenshot: T.J. Maxx checkout page with Privacy Policy link highlighted

Summary

The UCPA is a privacy law that protects Utah residents' personal data and requires applicable businesses to follow its rules.

The law gives Utah consumers the following rights:

  • The right to access, delete, or obtain a copy of their personal data
  • The right to opt out of the sale of their personal data, the processing of their sensitive data, or the use of their personal data for targeted advertising purposes

The UCPA applies to data controllers and processors that do business in Utah or provide goods or services to Utah residents, make over $25 million in annual revenue, and meet at least one of the following criteria:

  • Control or process personal information of at least 100,000 Utah consumers per year
  • Earn over 50% of gross revenue from the sale of personal information and control or process personal information of at least 25,000 Utah consumers per year

The UCPA does not apply to certain businesses and types of data, including certain small businesses and information that is subject to other laws.

The UCPA requires applicable businesses to:

  • Respond to consumer requests
  • Maintain a contract between controllers and processors
  • Maintain a Privacy Policy
  • Keep personal data safe
  • Notify consumers and give them the chance to opt out when processing sensitive data
  • Refrain from discrimination

One of the most effective ways to comply with the UCPA is to maintain a clearly written, up-to-date Privacy Policy.

Your UCPA-compliant Privacy Policy should contain the following clauses:

  • The types of personal data you process
  • Why you process personal data
  • How consumers can exercise their rights
  • What personal data you disclose to third parties
  • The categories of third parties you share personal data with
  • How consumers can opt out of the sale of their personal data, the processing of their sensitive data, or the use of their personal data for targeted advertising purposes
  • Your contact information

You should display links to your Privacy Policy anywhere you collect personal information. Common places to put Privacy Policy links include within website footers, Cookie Notices, account creation or log-in pages, and checkout pages.

The law is enforced by the Utah Attorney General. Anyone found in violation of the law can face penalties of up to $7,500 per violation, plus damages.