Introduction to the Utah Consumer Privacy Act
The Utah Consumer Privacy Act (UCPA) is the fourth state-level privacy law passed in the United States and is considered the most “business-friendly” of them. It takes effect on December 31st, 2023.
Previously passed state laws served as a source of information and influence, and the UCPA shares a number of components with Colorado’s CPA, as well as drawing heavily from Virginia’s CDPA. Interestingly, those laws already show evolution in thought and approach to legislation since the passing of the first privacy law in California (CCPA), which went into effect in 2020.
Overall, the Utah privacy law can be seen as “lighter” and more business-friendly than the other state-level laws to date. Progress on a federal US privacy law remains slow moving.
What is the Utah Consumer Privacy Act?
In summary, the UCPA was signed into law on March 24th, 2022. It protects the privacy rights of residents of Utah and establishes data privacy responsibilities for companies doing business in the state (i.e. processing the data of Utah residents).
The UCPA applies to the sale of personal data and to targeted advertising. It defines a sale as “the exchange of personal data for monetary consideration by a controller to a third party.”
Unlike the CCPA and CPRA, Utah does not treat an exchange for non-monetary “other valuable consideration” as a sale. Additionally, unlike California’s Privacy Rights Act (CPRA), Utah’s law does not apply to the “sharing” of data. Targeted advertising is nonetheless covered as a category of its own: although money changes hands, it is not a direct sale of the consumer’s data to a third party.
Like the other US state laws, the UCPA uses an opt-out model, which means that personal data can be collected, sold, or used for targeted advertising without requiring consumers’ consent, unless the data belongs to a child. In that case consent must be obtained from a parent or legal guardian. However, consumers do have the right, and must be provided with the option, to opt out of the sale of their data or its use for targeted advertising, and once they do so, the data can no longer be used for those purposes.
Definitions in the Utah Consumer Privacy Act
The UCPA applies to controllers or processors of data. It defines a controller as: “a person doing business in the state who determines the purposes for which and the means by which personal data are processed, regardless of whether the person makes the determination alone or with others.” “Person” in this case can refer to a natural person or commercial or noncommercial entity, if it processes data and meets the applicability criteria.
A processor is defined as: “a person who processes personal data on behalf of a controller.” Again, while these definitions list “a person” they also cover company entities like third-party vendors that might process data, not just individuals.
A consumer is defined as: “an individual who is a resident of the state acting in an individual or household context.” This definition refers to people in their private life and explicitly excludes those “acting in an employment or commercial context,” i.e. individuals acting for business purposes.
Personal data means “information that is linked or reasonably linkable to an identified individual or an identifiable individual.” Note that some forms of personal data can make an individual directly identifiable, like a name or email address. Other types of data may not qualify on their own, e.g. an IP address, but when aggregated with additional forms of personal data, they can become identifying.
Exclusions to the definition of personal data
There are a number of exclusions in the UCPA regarding what does not constitute personal data, for example, information that is publicly available or that has been deidentified or anonymized, and aggregated data of groups of consumers, where identifying individuals is not possible.
Definition of sensitive personal data
Under the UCPA, sensitive data is defined as personal data that reveals:
- racial or ethnic origin (unless processed by a video communication service)
- religious beliefs
- sexual orientation
- citizenship or immigration status
- medical history, mental or physical health condition, or medical treatment or diagnosis by a healthcare professional (unless processed by a licensed healthcare provider)
- genetic or biometric data, if the processing is for the purpose of identifying a specific individual
- geolocation data, if the processing is for the purpose of identifying a specific individual
Unlike some other data privacy laws, the Utah privacy law does not require consent for processing sensitive personal data. However, controllers do have to clearly notify consumers and provide the opportunity to opt out of having their sensitive personal data processed before such data is collected and processed.
Who does the Utah Consumer Privacy Act apply to?
The UCPA applies to a business that meets all three of the following criteria:
- conducts business in the state or produces a product or service that is targeted to consumers who are residents of the state;
- has annual revenue of $25,000,000 or more; and
- satisfies one or more of the following thresholds:
  - during a calendar year, controls or processes personal data of 100,000 or more consumers; or
  - derives over 50% of the entity’s gross revenue from the sale of personal data and controls or processes personal data of 25,000 or more consumers.
This differs from some of the other state privacy laws, under which meeting a single criterion (for example, US $25 million in revenue or processing the data of 100,000 consumers) is enough. Requiring all criteria to be met narrows the scope of which entities will have to comply, and the revenue threshold alone excludes smaller SMEs.
Exemptions to Utah Consumer Privacy Act compliance
Organizational exemptions
In addition to organizations that fall below the revenue or processing volume thresholds, the UCPA exempts a number of other entities, including:
- institutions of higher education
- nonprofit organizations
- government organizations and contractors
- Indigenous tribes
- air carriers
- organizations covered by the Health Insurance Portability and Accountability Act (HIPAA)
- financial institutions governed by the Gramm-Leach-Bliley Act
Data exemptions
The UCPA has data-level exemptions as well, and does not apply to information that is already subject to the following regulations:
- Health Insurance Portability and Accountability Act (HIPAA)
- Gramm-Leach-Bliley Act
- Fair Credit Reporting Act
- Driver’s Privacy Protection Act
- Family Educational Rights and Privacy Act
- Farm Credit Act
Employment exemptions
Data processed or maintained in the course of employment is exempt from the UCPA, including: “in the course of an individual applying to, or acting as an employee, agent or independent contractor of a controller, processor or third party, to the extent that the data is collected and used within the context of that role.”
How to be compliant with the Utah law
Users must have the option to opt out of personal data being used for so-called targeted advertising.
Targeted advertising is when websites and companies use personal data to tailor marketing campaigns to the users, and is defined in the UCPA as advertising that is “selected based on personal data obtained from a consumer’s activities over time and across nonaffiliated websites or online applications to predict such consumer’s preferences or interests.”
In other words, under the Utah Consumer Privacy Act (UCPA), users in Utah must be given the option to opt out of cookies and trackers that collect personal data for the purpose of targeted advertising.
This is usually done through a Consent Management Platform (CMP) that automatically detects cookies and controls them based on the consent state of users, as they navigate a consent banner (also known as a ‘cookie banner’) on the website they visit.
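To make the opt-out mechanics concrete, here is an added example (not Cookiebot’s code, and not part of the original page) of the consent logic a CMP applies under an opt-out model: every non-necessary category starts as allowed, an opt-out switches the targeted-advertising category off, trackers are gated on the current state, and cookies already set by a now-disallowed category are listed for expiry. The cookie names, categories and the Cookie header value are constructed for illustration. It only handles first-party cookies; cookies set by an ad partner on its own domain cannot be deleted from your site, and the opt-out also has to be passed on to that partner.

```javascript
// Added example (not Cookiebot code): opt-out consent gate for trackers.
// Cookie names and categories below are constructed for illustration.
const COOKIE_DECLARATION = {
  session_id: "necessary",
  _ga: "statistics",
  _fbp: "marketing",
  ads_uid: "marketing",
};

// Opt-out model: non-necessary categories start as allowed.
// "necessary" cookies are never subject to the opt-out.
function defaultConsent() {
  return { necessary: true, statistics: true, marketing: true };
}

// Record an opt-out. By default only targeted advertising ("marketing")
// is switched off; other categories may be passed explicitly.
function optOut(consent, categories = ["marketing"]) {
  const next = { ...consent };
  for (const c of categories) {
    if (c !== "necessary") next[c] = false;
  }
  return next;
}

// May a tracker tagged with this category run under the current state?
function mayRun(category, consent) {
  return consent[category] === true;
}

// Parse a Cookie request header into a name -> value map.
function parseCookieHeader(header) {
  const out = {};
  for (const part of header.split(";")) {
    const idx = part.indexOf("=");
    if (idx < 0) continue;
    const name = part.slice(0, idx).trim();
    if (name) out[name] = part.slice(idx + 1).trim();
  }
  return out;
}

// After an opt-out, cookies set by now-disallowed categories must stop
// being used: return the names to expire. A cookie missing from the
// declaration is also flagged, since an undeclared tracker cannot be gated.
function cookiesToClear(cookieHeader, declaration, consent) {
  const present = Object.keys(parseCookieHeader(cookieHeader));
  return present.filter((name) => {
    const category = declaration[name];
    if (category === undefined) return true; // undeclared: clear it
    return !mayRun(category, consent);
  });
}

// Build Set-Cookie headers that expire each listed first-party cookie.
function expireHeaders(names, domain) {
  return names.map(
    (n) => `${n}=; Expires=Thu, 01 Jan 1970 00:00:00 GMT; Path=/; Domain=${domain}`
  );
}

// Worked run: a Utah visitor who opts out of targeted advertising.
function demo() {
  // Constructed Cookie header: one declared cookie per category plus an
  // undeclared tracker.
  const header = "session_id=abc; _ga=GA1.2.1; _fbp=fb.1.2; unknown_trk=x";
  let consent = defaultConsent();
  const before = cookiesToClear(header, COOKIE_DECLARATION, consent);
  consent = optOut(consent);
  const after = cookiesToClear(header, COOKIE_DECLARATION, consent);
  return { before, after, headers: expireHeaders(after, "example.com") };
}

if (typeof require !== "undefined" && require.main === module) {
  console.log(JSON.stringify(demo(), null, 2));
}
```

Before the opt-out only the undeclared cookie is flagged; after it, the marketing cookie joins the list and `_ga` (statistics) stays, because the visitor opted out of targeted advertising only. Auditing for undeclared cookies is the practical check here: a tracker the CMP does not know about is one the opt-out cannot reach.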
Want to know more about UCPA?
Check out our blog post: Utah Consumer Privacy Act (UCPA): An Overview
UCPA: A Cookiebot checklist
This guide focuses solely on providing the tools needed to make your website’s use of cookies and online tracking compliant with the UCPA. Other aspects of the UCPA are therefore not covered or addressed in the checklist.
The checklist is not intended as legal advice - if in doubt, seek advice from a trusted legal source or your Data Protection Authority.
First time set up
If you are setting up Cookiebot for the first time, you can select the UCPA preset at the very first step in the lower left portion of the screen.
This will automatically configure the banner to comply with UCPA. You can still make some changes to suit your needs though.
Adding UCPA as an additional legislation
When adding UCPA as an additional legislation, you will need to create a separate domain group that is configured to comply with UCPA.
Follow these steps to create the additional domain group:
- Add a new domain group:
  - If you only have a single domain group: select "Domains & Aliases" from the left-hand menu, then click "Manage your domain groups".
  - If you already have multiple domain groups: click "Manage" at the top of the domain group section of the left-hand menu.
- Click the "+ Create group" button.
- Name your new domain group "UCPA" and press the "Create group" button.
- Click the "Configure CMP" icon on the line with your new domain group.
- Click "Legislation presets" at the right side of the screen and select the UCPA preset.
- Click the "Save changes" button to save your domain group settings.