The Utah Consumer Privacy Act (UCPA) is the fourth state-level privacy law passed in the United States and is considered the most “business-friendly”, which has an effective date of December 31st, 2023.

Previously passed state laws served as a source of information and influence, and the UCPA shares a number of components with Colorado’s CPA, as well as drawing heavily from Virginia’s CDPA. Interestingly, those laws already show evolution in thought and approach to legislation since the passing of the first privacy law in California (CCPA), which went into effect in 2020.

Overall, the Utah privacy law can be seen as “lighter” and more business-friendly than the other state-level laws to date. Progress on a federal US privacy law remains slow moving.

In summary, the UCPA was signed into law on March 24th, 2022. It protects the privacy rights of residents of Utah and establishes data privacy responsibilities for companies doing business in the state (i.e. processing the data of Utah residents).

The UCPA applies to the sale of personal data and targeted advertising, and defines what does and does not include a sale: “the exchange of personal data for monetary consideration by a controller to a third party.”

Unlike the CCPA and CPRA, Utah does not include non-monetary “other valuable consideration” options as a sale. Additionally, unlike California’s Privacy Rights Act (CPRA), Utah’s law does not apply to the sharing of data. However, since targeted advertising is included, while that has monetary considerations, it is not a direct transaction with the consumer.

Like the other US state laws, the UCPA uses an opt-out model, which means that personal data can be collected, sold, or used for targeted advertising without requiring consumers’ consent, unless the data belongs to a child. In that consent must be obtained from a parent or legal guardian. However, consumers do have the right — and must be provided with the option — to opt out of the sale of their data or its use for targeted advertising, and if they do so, it can no longer be used for the previously stated purposes.

The UCPA applies to controllers or processors of data. It defines a controller as: “a person doing business in the state who determines the purposes for which and the means by which personal data are processed, regardless of whether the person makes the determination alone or with others.” “Person” in this case can refer to a natural person or commercial or noncommercial entity, if it processes data and meets the applicability criteria.

A processor is defined as: “a person who processes personal data on behalf of a controller.” Again, while these definitions list “a person” they also cover company entities like third-party vendors that might process data, not just individuals.

A consumer is defined as: “an individual who is a resident of the state acting in an individual or household context.” This definition refers to people in private life, and explicitly excludes those “acting in an employment or commercial context” so for business purposes.

Personal data means “information that is linked or reasonably linkable to an identified individual or an identifiable individual.” Note that some forms of personal data can make an individual directly identifiable, like a name or email address. Other types of data may not qualify on their own, e.g. an IP address, but when aggregated with additional forms of personal data, they can become identifying.

Exclusions to the definition of personal data

There are a number of exclusions in the UCPA regarding what does not constitute personal data, for example, information that is publicly available or that has been deidentified or anonymized, and aggregated data of groups of consumers, where identifying individuals is not possible.

Definition of sensitive personal data

Under the UCPA, sensitive data is defined as personal data that includes/reveals:

• racial or ethnic origin (unless processed by a video communication service or by a licensed healthcare provider)
• religious beliefs
• sexual orientation
• citizenship or immigration status
• medical history, mental or physical health condition, or medical treatment or diagnosis by a healthcare professional
• genetic or biometric data, if the processing is for the purpose of identifying a specific individual
• geolocation data, if the processing is for the purpose of identifying a specific individual

Unlike some other data privacy laws, the Utah privacy law does not require consent for processing sensitive personal data. However, controllers do have to clearly notify consumers and provide the opportunity to opt out of having their sensitive personal data processed before such data is collected and processed.

The UCPA has three primary criteria for applicability to businesses:

• conducting business in the state or produces a product or service that is targeted to consumers who are residents of the state;
• annual revenue of $25,000,000 or more;

and

• satisfies one or more of the following thresholds:

  • during a calendar year, controls or processes personal data of 100,000 or more consumers;

  or

  • derives over 50% of the entity’s gross revenue from the sale of personal data and controls or processes personal data of 25,000 or more consumers.

This differs from some of the other data privacy laws in that entities have to meet multiple criteria for applicability, and not, for example, US $25 million revenue or processing data from 100,000 consumers. Meeting multiple criteria narrows the scope of which entities will qualify for compliance. The revenue threshold will also exclude smaller SMEs from qualifying.

Organizational exemptions

In addition to organizations that fall below the revenue or processing volume thresholds for inclusion, the UCPA has exemptions a number of other entities, including:

• institutions of higher education
• nonprofit organizations
• government organizations and contractors
• Indigenous tribes
• air carriers
• organizations covered by the Health Insurance Portability and Accountability Act (HIPAA)
• financial institutions governed by the Gramm-Leach-Bliley Act

Data exemptions

The UCPA has data-level exemptions as well, and does not apply to information that is already subject to the following regulations:

• Health Insurance Portability and Accountability Act (HIPAA)
• Gramm-Leach-Bliley Act
• Fair Credit Reporting Act
• Driver’s Privacy Protection Act
• Family Educational Rights and Privacy Act
• Farm Credit Act

Employment exemptions

Data processed or maintained in the course of employment is exempt from the UCPA, including: “in the course of an individual applying to, or acting as an employee, agent or independent contractor of a controller, processor or third party, to the extent that the data is collected and used within the context of that role.”