The Utah State government passed the Utah Consumer Privacy Act (UCPA) in March 2022, scheduling the law to go into effect on December 31, 2023. Utah is the fourth state in the United States to pass a state privacy law.

Compared to preceding US privacy laws, such as the California Consumer Privacy Act (CCPA), Virginia Consumer Data Protection Act (VCDPA), and Colorado Privacy Act (CPA), the UCPA has a narrower scope, making the law more friendly to businesses and data controllers. 

This article dissects the Utah Consumer Privacy Act, providing an overview of the privacy legislation's scope, obligations, and consumer rights. Keep reading to learn everything your organization needs to know about the UCPA, including if you need to comply with its obligations.


Scope of the Utah Consumer Privacy Act


Veering slightly from the precedent set by the European Union’s General Data Protection Regulation (GDPR) and the California Privacy Rights Act (CPRA), the UCPA has a narrow scope that excludes several categories of companies and data from its compliance provisions.

The UCPA applies to organizations that meet at least one of the following processing and revenue thresholds: 

  • UCPA threshold 1: Organizations that exceed an annual revenue of $25 million or control or process the data of more than 100,000 resident consumers in a calendar year
  • UCPA threshold 2: Organizations that generate fifty percent of their gross revenue from the sale of personal data and process the data of more than 25,000 resident consumers annually

By requiring a revenue and processing component, the UCPA’s thresholds apply to fewer organizations than those within the CCPA, CPRA, or VCDPA. The Utah Consumer Privacy Act also outlines several exemptions.

UCPA exemptions 

The Utah Consumer Privacy Act does not apply to government agencies or their business associates, institutions of higher education, nonprofit organizations, air carriers, or indigenous tribes. The UCPA also outlines exemptions for de-identified data, employer data, publicly available information, and data regulated by the following laws: 

The UCPA does not include comprehensive exemptions for healthcare or financial institutions regulated by HIPAA or GLBA, meaning these institutions must still comply with the UCPA when processing all other types of data. The UCPA also applies to all other forms of consumer data, granting Utah residents a wide range of consumer rights, protections, and safeguards. 

What rights does the UCPA grant to consumers?


The Utah Consumer Privacy Act grants resident consumers rights when acting in an individual capacity or a household context. As previously stated, this provision excludes consumers acting in an employment capacity from its scope. Under the UCPA, consumers have the following rights:

  • Confirmation: The UCPA grants consumers the right to confirm when, how, and what categories of personal data a controller collects or processes.
  • Access: The UCPA grants consumers the right to access the data a controller has previously collected or processed.
  • Correction: The UCPA grants consumers the right to correct inaccuracies found in their personal data.
  • Deletion: The UCPA grants consumers the right to delete personal data that a controller has previously collected or processed. 
  • Data portability: The UCPA grants consumers the right to obtain a copy of their personal data if a controller has previously collected or processed any. 
  • Opt-out: The UCPA grants consumers the right to opt out of data collection activities established by a controller for targeted advertising, data sales, or profiling. 

To exercise their rights, Utah residents must submit an authenticated data subject access request (DSAR) to the controller responsible for processing their data. Controllers have 45 days to respond to consumer requests, with an extension period of an additional 45 days for complex requests.

Unlike other state privacy laws, the UCPA does not grant consumers the right to appeal a controller's decision not to provide information or obtain written notice of this decision. However, in addition to honoring consumer requests, data controllers must also adhere to several disclosure and transparency obligations included within the UCPA.

What obligations does the UCPA impose on controllers?

Even with its business-friendly provisions, the Utah Consumer Privacy Act requires data controllers to comply with several transparency and privacy provisions. Under the UCPA, data controllers must comply with the following obligations:  

  • Limited collection: The UCPA requires data controllers to limit their collection of a consumer’s personal data to what is reasonably adequate, relevant, and necessary for the disclosed data processing purposes.
  • Data security controls: The UCPA requires data controllers to establish and maintain reasonable administrative, technical, and physical data security practices to safeguard the confidentiality and integrity of consumer data.
  • Customer consent: The UCPA requires data controllers to obtain consumer consent before they process the consumer’s sensitive data (such as the geolocation data of an identifiable individual, biometric data, sexual orientation, immigration status, etc.).
  • Privacy notice: The UCPA requires data controllers to provide a clear and accessible privacy policy. The notice must include the types of personal data they will collect and process, the purpose for this collection and processing, the categories of personal information they will share with third-party vendors and service providers, the categories of third parties that will receive the data, contact information, and an explanation of how data subjects can exercise the rights granted to them by the UCPA. 
  • Sale of personal data: The UCPA requires data controllers to disclose if they intend to participate in the sale of personal information to third parties or participate in targeted advertising.
  • Universal opt-out mechanism: The UCPA requires data controllers to allow consumers to opt out of the sale or processing of their data for targeted advertising.
  • Data protection assessment: The UCPA requires data controllers to conduct a data protection impact assessment on processing activities that present privacy risks to consumers, including targeted advertising, the sale of data, and the processing of sensitive data. Data controllers must also conduct impact assessments on any profiling activities.
  • De-identified data: The UCPA requires data controllers who have collected de-identified data to take reasonable security measures to ensure the data cannot be re-identified or connected to an individual in the future. Data controllers must also contractually obligate any third parties or other recipients of the data to comply with the UCPA.
  • Data of a known child: The UCPA aligns with the Children’s Online Privacy Protection Act (COPPA) and requires data controllers to obtain parental consent before processing the data of any child under 13 years of age.

The Utah Consumer Privacy Act primarily imposes obligations on data controllers but also outlines provisions specifically for data processors. 

What obligations does the UCPA impose on processors? 

While the Utah Consumer Privacy Act’s obligations for processors are far less restrictive than those it applies to data controllers, it explicitly requires data processors to assist controllers with their compliance obligations, including promptly responding to consumer requests. The Utah Consumer Privacy Act also requires controllers and processors to enter into a formal contractual agreement before a processor begins to process data on behalf of a controller.

UCPA penalties, fines, and enforcement

The Utah Attorney General is solely responsible for enforcement actions under the Utah Consumer Privacy Act and monitoring the compliance status of covered organizations. The Utah Division of Consumer Protection is responsible for overseeing consumer complaints. The UCPA does not afford a private right of action.

If the Utah Attorney General finds a controller or processor in violation of the law, it can fine the organization up to $7,500 per violation. However, the UCPA provides a 30-day cure period, during which the violator can remedy the violation before an enforcement action proceeds.

Important note: Most other US state privacy laws also have a cure period, but it expires a year or two after the law becomes effective. The UCPA is unique because its cure period does not expire or sunset after a given period.

Utah Consumer Privacy Act Effective Date

The Utah Consumer Privacy Act became effective on December 31, 2023. All covered organizations that process Utah residents' consumer data must now comply with all applicable provisions outlined by the law, and Utah residents are now granted all the rights the Utah Consumer Privacy Act outlines.


Achieve comprehensive UCPA compliance with UpGuard

Navigating the US’s convoluted privacy landscape can be extremely challenging, especially when your organization processes the data of consumers residing in various states and must simultaneously comply with several consumer privacy laws. The easiest way to eliminate the hassle associated with compliance and ensure you abide by US data privacy laws nationwide is to utilize a comprehensive cybersecurity solution like UpGuard.

UpGuard empowers organizations to take control of their compliance management program and grants security teams the tools to holistically elevate their cybersecurity and third-party risk management processes. 

Here’s how UpGuard has helped organizations similar to yours with TPRM and compliance management:

  • Mattress Firm: “When I add a new vendor in UpGuard, I see their ratings and download the report to keep as a baseline. I can also identify any outstanding remediation issues on existing vendors and ensure they’re resolved.”
  • Rimi Baltic: “Before UpGuard, conducting proper research for each vendor would eat up a lot of time – Does it comply with our requirements? Where is their data located? Do they have privacy policies? UpGuard has saved us a significant amount of time with its automation process. I would say it definitely saves us a few days per month. For example, in initial research that would have taken me 1-2 hours, I can get that answer in 5-10 minutes.” 
  • Wesley Mission Queensland: “One of the best features of the platform is being able to bring all our vendors into one place and manage it from there. We can also set reassessment dates which means we don’t have to manage individual calendar reminders for each vendor.”

These and other UpGuard customers have elevated their TPRM programs with UpGuard Vendor Risk’s powerful features and tools: 

  • Vendor risk assessments: Fast, accurate, and comprehensive view of your vendors’ security posture
  • Security ratings: Objective, data-driven measurements of an organization’s cyber hygiene
  • Security questionnaires: Flexible questionnaires that accelerate the assessment process and provide deep insights into a vendor’s security
  • Reports library: Tailor-made templates that support security performance communication to executive-level stakeholders  
  • Risk mitigation workflows: Comprehensive workflows to streamline risk management measures and improve overall security posture
  • Integrations: Application integrations for Jira, Slack, ServiceNow, and over 4,000 additional apps with Zapier, plus customizable API calls
  • Data leak protection: Protect your brand, intellectual property, and customer data with timely detection of data leaks and avoid data breaches
  • 24/7 continuous monitoring: Real-time notifications and new risk updates using accurate supplier data
  • Attack surface reduction: Reduce your attack surface by discovering exploitable vulnerabilities and domains at risk of typosquatting
  • Shared Profile: Eliminate having to answer security questionnaires by creating an UpGuard Shared Profile
  • Intuitive design: Easy-to-use first-party dashboards
  • World-class customer service: Plan-based access to professional cybersecurity personnel that can help you get the most out of UpGuard

Elevate your compliance reporting and management with UpGuard Vendor Risk today.
