Introduction to the Utah Consumer Privacy Act
The Utah Consumer Privacy Act (UCPA) is the fourth state-level privacy law passed in the United States and is considered the most “business-friendly”. It has an effective date of December 31st, 2023.
Previously passed state laws served as a source of information and influence, and the UCPA shares a number of components with Colorado’s CPA, as well as drawing heavily from Virginia’s CDPA. Interestingly, those laws already show evolution in thought and approach to legislation since the passing of the first privacy law in California (CCPA), which went into effect in 2020.
Overall, the Utah privacy law can be seen as “lighter” and more business-friendly than the other state-level laws to date. Progress on a federal US privacy law remains slow moving.
What is the Utah Consumer Privacy Act?
In summary, the UCPA was signed into law on March 24th, 2022. It protects the privacy rights of residents of Utah and establishes data privacy responsibilities for companies doing business in the state (i.e. processing the data of Utah residents).
The UCPA applies to the sale of personal data and targeted advertising, and defines what does and does not constitute a sale: “the exchange of personal data for monetary consideration by a controller to a third party.”
Unlike the CCPA and CPRA, Utah does not include non-monetary “other valuable consideration” options as a sale. Additionally, unlike California’s Privacy Rights Act (CPRA), Utah’s law does not apply to the sharing of data. However, targeted advertising is included: while it has monetary considerations, it is not a direct transaction with the consumer.
Like the other US state laws, the UCPA uses an opt-out model, which means that personal data can be collected, sold, or used for targeted advertising without requiring consumers’ consent, unless the data belongs to a child. In that case, consent must be obtained from a parent or legal guardian. However, consumers do have the right — and must be provided with the option — to opt out of the sale of their data or its use for targeted advertising, and if they do so, it can no longer be used for the previously stated purposes.
Definitions in the Utah Consumer Privacy Act
The UCPA applies to controllers or processors of data. It defines a controller as: “a person doing business in the state who determines the purposes for which and the means by which personal data are processed, regardless of whether the person makes the determination alone or with others.” “Person” in this case can refer to a natural person or commercial or noncommercial entity, if it processes data and meets the applicability criteria.
A processor is defined as: “a person who processes personal data on behalf of a controller.” Again, while these definitions list “a person” they also cover company entities like third-party vendors that might process data, not just individuals.
A consumer is defined as: “an individual who is a resident of the state acting in an individual or household context.” This definition refers to people in private life, and explicitly excludes those “acting in an employment or commercial context”, that is, for business purposes.
Personal data means “information that is linked or reasonably linkable to an identified individual or an identifiable individual.” Note that some forms of personal data can make an individual directly identifiable, like a name or email address. Other types of data may not qualify on their own, e.g. an IP address, but when aggregated with additional forms of personal data, they can become identifying.
Exclusions to the definition of personal data
There are a number of exclusions in the UCPA regarding what does not constitute personal data, for example, information that is publicly available or that has been deidentified or anonymized, and aggregated data of groups of consumers, where identifying individuals is not possible.
Definition of sensitive personal data
Under the UCPA, sensitive data is defined as personal data that includes/reveals:
- racial or ethnic origin (unless processed by a video communication service or by a licensed healthcare provider)
- religious beliefs
- sexual orientation
- citizenship or immigration status
- medical history, mental or physical health condition, or medical treatment or diagnosis by a healthcare professional
- genetic or biometric data, if the processing is for the purpose of identifying a specific individual
- geolocation data, if the processing is for the purpose of identifying a specific individual
Unlike some other data privacy laws, the Utah privacy law does not require consent for processing sensitive personal data. However, controllers do have to clearly notify consumers and provide the opportunity to opt out of having their sensitive personal data processed before such data is collected and processed.
Who does the Utah Consumer Privacy Act apply to?
The UCPA has three primary criteria for applicability to businesses:
- conducts business in the state or produces a product or service that is targeted to consumers who are residents of the state;
- has annual revenue of $25,000,000 or more; and
- satisfies one or more of the following thresholds:
  - during a calendar year, controls or processes personal data of 100,000 or more consumers; or
  - derives over 50% of the entity’s gross revenue from the sale of personal data and controls or processes personal data of 25,000 or more consumers.
This differs from some of the other data privacy laws in that entities have to meet multiple criteria for applicability, and not, for example, US $25 million revenue or processing data from 100,000 consumers. Meeting multiple criteria narrows the scope of which entities will qualify for compliance. The revenue threshold will also exclude smaller SMEs from qualifying.
Exemptions to Utah Consumer Privacy Act compliance
Organizational exemptions
In addition to organizations that fall below the revenue or processing volume thresholds for inclusion, the UCPA exempts a number of other entities, including:
- institutions of higher education
- nonprofit organizations
- government organizations and contractors
- Indigenous tribes
- air carriers
- organizations covered by the Health Insurance Portability and Accountability Act (HIPAA)
- financial institutions governed by the Gramm-Leach-Bliley Act
Data exemptions
The UCPA has data-level exemptions as well, and does not apply to information that is already subject to the following regulations:
- Health Insurance Portability and Accountability Act (HIPAA)
- Gramm-Leach-Bliley Act
- Fair Credit Reporting Act
- Driver’s Privacy Protection Act
- Family Educational Rights and Privacy Act
- Farm Credit Act
Employment exemptions
Data processed or maintained in the course of employment is exempt from the UCPA, including: “in the course of an individual applying to, or acting as an employee, agent or independent contractor of a controller, processor or third party, to the extent that the data is collected and used within the context of that role.”
How to be compliant with Utah law?
Users must have the option to opt out of personal data being used for so-called targeted advertising.
Targeted advertising is when websites and companies use personal data to tailor marketing campaigns to the users, and is defined in the UCPA as advertising that is “selected based on personal data obtained from a consumer’s activities over time and across nonaffiliated websites or online applications to predict such consumer’s preferences or interests.”
In other words, under the Utah Consumer Privacy Act (UCPA), users inside Utah must be able to opt out of cookies and trackers on websites that collect personal data for the purpose of targeted advertising.
This is usually done through a Consent Management Platform (CMP) that automatically detects cookies and controls them based on the consent state of users, as they navigate a consent banner (also known as a ‘cookie banner’) on the website they visit.
Want to know more about UCPA?
Check out our blog post: Utah Consumer Privacy Act (UCPA): An Overview
UCPA: A Cookiebot checklist
This guide focuses solely on providing the tools needed to make your website’s use of cookies and online tracking compliant with UCPA. Other aspects of the UCPA are therefore not covered or addressed in the checklist.
The checklist is not intended as legal advice - if in doubt, seek advice from a trusted legal source or your Data Protection Authority.
Step 1: Add your domain
- Log into the Cookiebot Manager and navigate to the Domains tab.
- Enter the domain name (excluding the https:// part, for example: domain.com)
Step 2: Configure your banner type
Colorado Law has the following requirement for the cookie banner:
- It must show an opt-out option (decline cookies)
Any GDPR-compliant banner might also be compliant with UCPA. If you only need to set up a cookie banner according to the UCPA regulations, you can follow these settings:
- Navigate to the "Banner" tab
- Select "Do Not Sell or Share (Opt-in)" under "Opt-in / Opt-out settings"
- Ensure that the "Display banner" box is checked.
Geo location settings (optional)
If you wish to only display a banner to visitors in Utah, you can do so by configuring "Distribution" at the bottom of the page.
Step 3: Get your scripts
- Navigate to the "Your scripts" pane
- Follow the instructions to insert your banner and cookie declaration on your website.
If you intend to implement Cookiebot CMP by other means than manually adding the script(s) to your template, please refer to our implementation section in the Help Center.