Submitted by on
Home> Guides> Governance> Utah Consumer Privacy Act

Home > Utah Consumer Privacy Act

Utah Consumer Privacy Act

Share this Page

The Utah Consumer Privacy Act (the UCPA) was enacted on March 24, 2022, and will go into effect on December 31, 2023. The UCPA bolsters consumer (i.e., residents acting in an individual or household context) protections by imposing rules on businesses that control or process Utah consumers’ personal data. This encompasses any data that they have previously provided to the business. 

Key Roles Referenced in the UCPA

In the UCPA, a controller is a person who determines the purposes and means by which a business processes personal data. Controllers are responsible for ensuring that Utah consumers’ rights are adhered to according to the rules of the UCPA. In addition, controllers are responsible for implementing and maintaining systems to support administrative, technical, and physical data security.

A processor is a person that processes personal data on behalf of the controller. The UCPA requires a contract between the controller and processor to govern all processing. The contract must outline relevant consumer privacy provisions. The UCPA requires processors to adhere to the controller’s instructions and assist and cooperate to ensure meeting its obligations under the law. This includes meeting obligations regarding the security of data processing and data breach notifications. 

Under the UCPA, Utah consumers have been granted six categories of rights. While these are meaningful rights, it is important to note that the UCPA does not include a private right of action for consumers. Therefore, only the Utah Attorney General can enforce the consumer rights set forth in the UCPA. 

  • The Right to Know
    Consumers have the right to confirm whether a controller is processing their personal data.
  • The Right to Access
    Consumers have the right to access the personal data a controller has collected about them.
  • The Right to Deletion
    Consumers have the right to delete the personal data they have provided to a controller. 
  • The Right to a Copy
    Consumers have the right to obtain a copy of the personal data they previously provided to the controller in a portable and readily usable format (if technically feasible).
  • The Right to Opt-Out
    Consumers have the right to opt out of the processing of personal data for the purposes of targeted advertising and the sale of their personal data to third parties. 
  • The Right to Avoid Discrimination
    Controllers may not discriminate against a consumer for exercising a right provided by the UCPA.

In addition to the rights above, the UCPA stipulates that consumers must be provided with a reasonably accessible and clear privacy notice. It must include the categories of personal data processed, the purposes of such processing, and whether third parties have access to that data. 

If personal data have been sold to third parties or processed for targeted advertising, this activity must be clearly and conspicuously disclosed to the consumer. And, if a consumer contacts a business to exercise rights granted under the UCPA, the business must respond within 45 days of receipt of the communication. 

Businesses also have rights under the UCPA, including broader permission to charge consumers fees when responding to requests under some circumstances. For instance, controllers can charge a fee for a second request within 12 months. They can also charge for requests that are excessive, repetitive, technically infeasible, or manifestly unfounded. The UCPA also allows controllers to charge fees if the controller reasonably believes the primary purpose for submitting a request is not to exercise a consumer right or if the request is part of an effort to harass, disrupt or impose an undue burden on the business.

UCPA Compared with CPA, CPDA, and CPRA

Comparison of Defined Terms across UCPA, CPA, CPDA, and CPRA 

Controllers and processorsYesYesYesNo
Businesses and service providersNoNoNoYes
Controllers and processorsYesYesYesNo

Businesses Subject to UCPA, CPA, CPDA, and CPRA 

Annual revenue of at least $25 millionYesNoNoNo
Annual revenue over $25 millionNoNoNoYes
Conduct business in the StateYesYesYesYes
Control or process the personal data of at least 50,000 residentsNoNoNoYes
Control or process the personal data of at least 100,000 residentsYesYesYesYes
Derive over 50% of gross revenue from the sale of personal data and controlling or processing personal data of at least 25,000 residentsYesYes*YesNo
Derive 50 percent or more of its annual revenues from selling consumers’ personal dataNoNoNoYes
Produce or deliver a product or service targeted to State’s residentsYesYesYesNo

* Colorado and Virginia do not set a threshold amount for the revenue derived.  

Businesses that Are Exempt from UCPA, CPA, CPDA, and CPRA 

Aggregated dataYesNoNoYes
Information and/or entities subject to HIPAA and covered entities/business associatesYesYes, but only information
YesYes, but only information and limited entities 
Information and/or institutions subject to GLBAYesYesYesYes, but only information
Institutions of higher education and/or information subject to FERPAYesYesYesYes
Non-profit organizationsYesNoYesYes
Personal information in the commercial (business-to-business) contextYesYesYesYes, exempt until January 1, 2023 
Personal information within the scope of employmentYesYesYesYes, limited exemption until January 1, 2023

Rights Granted to Consumers Under UCPA, CPA, CPDA, and CPRA 

Consumers’ rightsUCPACPACDPACPRA 
Correct inaccurate informationNoYesYesYes
Data portabilityYesYesYesYes
Opt-in for processing of sensitive informationNoYesYesYes
Opt-out for processing of sensitive informationYesNoYesYes
Opt-out of saleYesYesYesYes
Opt-out of sharingNoNoNoYes

Controllers’ Obligations Under UCPA, CPA, CPDA, and CPRA

Commercial contract provisionsYesYesYesYes
Consent to process children’s personal dataNoYesYesYes, but
only for sales and sharing 
Data minimizationNoYesYesYes
Data processing assessmentsNoYesYesYes
Data securityYesYesYesYes
Honor universal opt-out signalsNoYesNoYes
Purpose specificationYesYesYesYes
Timing for consumer request responsesYes, 45 days with the option for a 45-day extension Yes, 45 days with the option for a 45-day extensionYes, 45 days with the option for a 45-day extensionYes, 45 days with the option for a 45-day extension

Disclosures Included in Privacy Policies for UCPA, CPA, CPDA, and CPRA

Consumer rights and choices availableYesYesYesYes
Controller’s contactinformationNoYesNoYes
Collection of personal data and categories thereofYesYesYesYes
Data retention periodNoNoNoYes
Disclosure of personal data to third parties, if any, and categories thereofYesYesYesYes
How a consumer may appeal a controller’s actionNoYesYesNo
Instructions for exercising consumer rightsYesYesYesYes
Purpose(s) of processingYesYesYesYes
Use of automated decision-making or profilingNoYesYesYes
Whether controller engages in targeted advertising or shares personal information for cross-context behavioral advertising purposesYesYesYesYes
Whether the controller sells personal data and to whomYesYesYesYes

How UCPA, CPA, CPDA, and CPRA Enforce Personal Data Protection Rules

Enforced by the Attorney GeneralYesYesYesYes
Enforced by the District AttorneyNoYesNoNo
Penalty per violationYes, up to $7,500 for each violationYes, up to $20,000 per violation, with a maximum penalty of $500,000 for a series of related violations Yes, up to $7,500 for each violationYes, up to $7,500 for each violation
Private right of actionNoNoNoYes, but it is limited to certain breaches of personal information 
Right to cureYes, 30 daysYes, 60 days, but sunsets in January 2025 Yes, 30 daysYes, 30 days for private actions only  

UCPA Compliance

To facilitate compliance with the UCPA, businesses should review the following checklist as it provides a framework for assessing compliance obligations under this Utah law.

  • Allow consumers to opt-out of personal information processing by creating a mechanism to enable Utah residents to exercise this right if the business sells their personal data to a third party or uses it for targeted advertising 
  • Confirm that the business is subject to the UCPA by determining if it meets the legal threshold of the law 
    • Annual revenue of at least $25 million
    • Conduct business in the State
    • Control or process the personal data of at least 100,000 residents
    • Derive more than 50% of gross revenue from the sale of personal data and controlling or processing personal data of at least 25,000 residents
    • Produce or deliver a product or service targeted to State’s residents
  • Enable the receipt of and response to consumers’ requests to exercise their rights under UCPA to access and delete their records by developing systems for accepting, tracking, verifying, and responding to consumers’ requests  
  • Implement processes for collecting sensitive information that first present consumers with clear notice and an opportunity to opt-out of the collection of their information
  • Implement reasonable data security controls, including assessing cybersecurity policies, practices, and controls to ensure they are aligned with industry-recognized standards 
  • Update privacy policies to reflect personal data processing activities, communicate the new rights available to consumers, and identify the systems that have been put into place to help consumers to exercise their rights under the UCPA

 Utah Consumer Privacy Act: What Do Businesses Need to Know

UCPA identifies and imposes obligations on controllers and processors. Businesses need to understand these two roles and how they apply to their personal data collection and processing activities. It is also important for businesses to understand the threshold requirements that would make them subject to the rules of the UCPA, including: 

  • Conducting business in Utah or producing a product or service that is targeted to consumers who are Utah residents 
  • Having an annual revenue of $25M or more
  • Meeting one of these criteria:
    • Controlling or processing personal data of 100,000 or more Utah consumers during a calendar year 
    • Deriving more than 50 percent of gross revenue from the sale of personal data and controlling or processing the personal data of 25,000 or more Utah consumers.

Businesses should also know that the UCPA’s definition of a consumer does not include individuals who act in a commercial or employment context.

What Does Utah Consumer Privacy Act Mean for U.S. Businesses?

U.S. businesses should understand that the UCPA, as the fourth such law after those enacted by Virginia, Colorado, and California, is a further indication of states’ willingness to increase the protection of consumers’ personal data privacy. Businesses must be aware of and comply with the requirements of multiple state privacy laws and regulations, which can be tricky due to the ease with which goods and services flow across U.S. state boundaries.

Failure to comply with UCPA, and other states’ privacy laws, puts businesses at risk. They could easily be liable for violating UCPA or other states’ privacy laws, which look to increase. As of the most recent update of this guide,11 states have active privacy legislation, including Alaska, Louisiana, Massachusetts, Michigan, New Jersey, New York, North Carolina, Ohio, Pennsylvania, Rhode Island, and Vermont. 

Businesses that are subject to the UCPA should:

  • Assess systems, processes, policies, procedures, and systems to identify UCPA compliance gaps
  • Embed opt-out capabilities into the processing of sensitive data, the use of personal data for targeted advertising, and the sale of personal data 
  • Ensure that systems, processes, policies, procedures, and systems are designed to respond to consumer rights requests under the  UCPA
  • Evaluate and update data collection and privacy policies and practices  
  • Is subject to the UCPA 
  • Review privacy notices to ensure they contain the content that’s required by UCPA
  • Understand what personal data and sensitive data the business collects and discloses
  • Update contracts with service providers to include the provisions required by the UCPA

UCPA a Lighter Touch than Other State Privacy Laws

Businesses that are subject to the UCPA generally find that their efforts to meet the requirements for other states’ privacy laws provide a significant foundation. In addition, most of those businesses that have already implemented systems and processes to meet the requirements for Colorado (CPA), California (CPRA), and Virginia (VCDPA) find that the UCPA has a lighter-touch approach that makes compliance easier.

Egnyte has experts ready to answer your questions. For more than a decade, Egnyte has helped more than 16,000 customers with millions of customers worldwide.

Last Updated: 15th March, 2023

Share this Page

Get started with Egnyte.

Request Demo