Advertiser Disclosure
All About Cookies is an independent, advertising-supported website. Some of the offers that appear on this site are from third-party advertisers from which All About Cookies receives compensation. This compensation may impact how and where products appear on this site (including, for example, the order in which they appear).
All About Cookies does not include all financial or credit offers that might be available to consumers nor do we include all companies or all available products. Information is accurate as of the publishing date and has not been provided or endorsed by the advertiser.
Editorial Policy
The All About Cookies editorial team strives to provide accurate, in-depth information and reviews to help you, our reader, make online privacy decisions with confidence. Here's what you can expect from us:
- All About Cookies makes money when you click the links on our site to some of the products and offers that we mention. These partnerships do not influence our opinions or recommendations. Read more about how we make money.
- Partners are not able to review or request changes to our content except for compliance reasons.
- We aim to make sure everything on our site is up-to-date and accurate as of the publishing date, but we cannot guarantee we haven't missed something. It's your responsibility to double-check all information before making any decision. If you spot something that looks wrong, please let us know.
More and more states and countries are using legislation to protect their citizens’ internet privacy and sensitive data. These state privacy laws also outline checks and balances for companies to help them comply with internet regulations.
Utah is the latest U.S. state to write internet privacy into law: the Beehive State joined four others with similar regulations: California, Colorado, Connecticut, and Virginia. The Utah Consumer Privacy Act (UCPA) is similar to other acts, such as the Virginia Consumer Data Protection Act (VCDPA), the Colorado Privacy Act, the California Consumer Privacy Act (CCPA), and California Privacy Rights Act (CPRA). It was signed into law in March 2022 and goes into effect on Dec. 31, 2023.
The UCPA was created to protect both consumers and businesses. Utah’s legislation includes a variety of stipulations for what businesses must do to comply, as well as what information the UCPA protects for Utah residents. The legislation applies to state citizens and outlines data processing stipulations for any company doing business with them.
Although only five states currently have privacy legislation, more states will likely add their own comprehensive privacy laws in the future (there’s also the possibility of a federal privacy act). Here’s how the UCPA protects Utahns and what businesses need to know to stay in compliance.
Why is the UCPA important?
Who does the UCPA impact?
What are consumer rights under the UCPA?
How does the UCPA impact businesses?
What are the exemptions of the UCPA?
How is the UCPA enforced?
UCPA FAQ
Bottom line
What is the UCPA?
The UCPA is legislation aimed at protecting the personal information of Utah’s citizens. The UCPA defines personal information as “information that is linked or reasonably linkable to an identified individual or an identifiable individual.”
A few definitions are important to understand the UCPA and who it protects. Here are the essential terms:
- Consent: ”[A]n affirmative act by a consumer that unambiguously indicates the consumer's voluntary and informed agreement to allow a person to process personal data related to the consumer.”
- Consumer: “An individual who is a resident of the state acting in an individual or household context. Consumer does not include an individual acting in an employment or commercial context.”
- Controller: “A person doing business in the state who determines the purposes for which and the means by which personal data is processed, regardless of whether the person makes the determination alone or with others.”
- Personal data: “Information that is linked or reasonably linkable to an identified individual or an identifiable individual. Personal data does not include de-identified data, aggregated data, or publicly available information.”
- Process: “An operation or set of operations performed on personal data, including collection, use, storage, disclosure, analysis, deletion, or modification of personal data.”
- Processor: “A person who processes personal data on behalf of a controller.”
In summary, the UCPA protects the identifiable information (personal data) of citizens in Utah (consumers). The business (controller or processor) is responsible for how that data is acquired (process).
Why is the UCPA important?
The UCPA gives citizens of Utah protections over how businesses use or exploit their personal data. The UCPA is similar to other privacy acts like the GDPR or CCPA.
It’s easy to input your personal information into a website when you're looking for a discount or joining a newsletter, but those websites collect and keep all of that data. Is there a way to see what information companies have about you or how they use that data? Not really. The UCPA and other data privacy acts are trying to give consumers some power over how businesses use their data.
And while the UCPA focuses on consumer rights, it also focuses on making compliance easier for businesses. The legislation offers many provisions that allow companies to be exempt from the UCPA.
Who does the UCPA impact?
The UCPA impacts consumers living in Utah and any entity that conducts business in the state or provides a product or service to residents.
Just because a business meets one of those two requirements doesn’t mean it has to comply, however. According to Section 3 of the UCPA, the business must also:
- Have an annual revenue of $25 million or more
- Reach one or more of the following thresholds:
during a calendar year, controls or processes personal data of 100,000 or more consumers; or
derives over 50% of the entity's gross revenue from the sale of personal data and controls or processes personal data of 25,000 or more consumers.”
Several types of companies do not need to comply with the UCPA, including:
- A governmental entity or third party acting on behalf of the government
- A tribe
- A higher education institution
- A nonprofit corporation
- A covered entity
- A business associate
What are consumer rights under the UCPA?
So, what does the UCPA mean for consumers in Utah? The legislation gives Utahns specific rights to their personal data. Let’s look at the rights outlined in the legislation in Section 5:
- “A consumer has the right to confirm whether a controller is processing the consumer's personal data; and access the consumer's personal data.”
- “A consumer has the right to delete the consumer's personal data that the consumer provided to the controller.”
- “A consumer has the right to obtain a copy of the consumer's personal data, that the consumer previously provided to the controller, in a format that:
(a) to the extent technically feasible, is portable;
(b) to the extent practicable, is readily usable; and
(c) allows the consumer to transmit the data to another controller without impediment, where the processing is carried out by automated means.” - “A consumer has the right to opt out of the processing of the consumer's personal data for purposes of:
(a) targeted advertising; or
(b) the sale of personal data.”
Essentially, the UCPA gives the citizens of Utah the right to know what information a company has about them and how they use it. Utahns also have the right to a copy of their personal data and can submit a consumer request for their personal data to be removed.
This is a high-level summary of the bill and does not account for all stipulations. The UCPA has stringent requirements for which businesses must comply with the privacy act.
How does the UCPA impact businesses?
Businesses must understand the legislation and ensure compliance if subject to the UCPA. The UCPA has been touted as more business-friendly than other privacy acts.
Businesses are required to comply with requests for information from consumers. Businesses have 45 days to respond to a request, and the initial request from the consumer must be free. Businesses can get a 45-day extension if necessary and can charge for additional requests within one year.
Accessible and clear privacy notice
The UCPA also outlines that businesses should provide consumers with a clear and easily accessible privacy notice. The legislation outlines a few things that the privacy notice must include, such as the categories of personal data that will be processed, the purpose of processing that data, how consumers can exercise their rights, and if any data will be shared with third parties (and which ones).
If businesses are going to sell a consumer’s data, they must also provide information on how to opt out of the sale or out of targeted advertising.
Data security
Businesses must also “maintain reasonable, administrative, technical, and physical data security practices,” according to Section 9 of the bill. These physical and cybersecurity practices must protect personal data and reduce any risks of harm.
Companies cannot complete the processing of personal data without giving the consumer clear notice and an opportunity to opt out. If the information concerns a child, the data must be processed in accordance with the federal Children’s Online Privacy Protection Act of 1998.
Discriminating against consumers
In Section 9, the UCPA also explicitly restricts companies from discriminating against consumers who exercise their rights under the legislation. This discrimination includes:
- “Denying a good or service to the consumer;
- Charging the consumer a different price or rate for a good or service; or
- Providing the consumer a different level of quality of a good or service.”
However, the UCPA also allows businesses to offer different pricing, quality, or selection of goods if the consumer has opted out of targeted advertising.
What are the exemptions of the UCPA?
The Utah Consumer Privacy Act also excludes some types of information from the legislation, including data already publicly available or sets of data where personal information has been de-identified. Think of de-identified like redacting a document. If a company has already removed the personal information from the data, it is not subject to the UCPA.
The UCPA also includes exemptions for businesses covered by the Fair Credit Reporting Act and the Gramm-Leach-Bliley Act. Information already subjected to other legislation is also excluded. Examples of such legislation include the Health Insurance Portability and Accountability Act, the Driver's Privacy Protection Act, and the Family Education Rights and Privacy Act.
The legislation also states that the requirements outlined do not change a business's ability to complete the following as listed in Section 11:
- “Comply with a federal, state, or local law, rule, or regulation
- Comply with a civil, criminal, or regulatory inquiry, investigation, subpoena, or summons by a federal, state, local, or other governmental entity;
- Cooperate with a law enforcement agency concerning activity that the controller or processor reasonably and in good faith believes may violate federal, state, or local laws, rules, or regulations;
- Investigate, establish, exercise, prepare for, or defend a legal claim;
- Provide a product or service requested by a consumer or a parent or legal guardian of a child; perform a contract to which the consumer or the parent or legal guardian of a child is a party, including fulfilling the terms of a written warranty or taking steps at the request of the consumer or parent or legal guardian before entering into the contract with the consumer;
- Take immediate steps to protect an interest that is essential for the life or physical safety of the consumer or of another individual”
While the UCPA adds many rights for consumers, the legislation also outlines many exemptions for business owners.
How is the UCPA enforced?
The Utah attorney general is the sole enforcer of the UCPA. The Utah Division of Consumer Protection manages complaints and refers those complaints to the attorney general. If a company is found to be in violation, the attorney general must notify them in writing and give a 30-day window to fix the issue.
If the issue is not remedied, the attorney general can bring an action to recover actual damages for the consumer, as well as an up to $7,500 fee per violation.
UCPA FAQ
When does the UCPA go into effect?
The effective date of the Utah Consumer Privacy Act is December 31, 2023. Governor Spencer Cox signed the legislation into law on March 24, 2022.
Which states have data privacy laws?
Only five states currently have data privacy laws: California, Colorado, Connecticut, Virginia, and Utah. Utah was the fourth state to enact a consumer privacy law.
Does Utah privacy law apply to employees?
No, the UCPA only applies to individuals or households. The UCPA says a consumer does not include someone acting in an employment or commercial context.
Bottom line
While the Utah Consumer Privacy Act does not go into effect until December 31, 2023, it is important for businesses to start preparing so they can be in compliance by 2024.
Businesses should prepare to properly store consumer data and keep it safe. They also need a privacy policy that complies with the requirements set out in the bill. If businesses prepare for these changes now, they will be more prepared when this new Utah law is enacted.
It is important to know your rights and how legislation like the UCPA protects you. Once the bill is enacted, you may see more pop-up requests to opt into using your data. You will also be able to request a copy of your data from companies and opt out as needed. It is important to protect your online data and stay current on the UCPA and any other legislation that may affect you as a consumer.
- High-quality VPN offering safety and speed
- Loads of servers for multiple connection options
- Works with popular streaming services, including Netflix
- Too many confusing plans