Utah Consumer Privacy Act: What’s New?

by John DiGiacomo, Partner, Internet Law

In 2022, Utah enacted its version of an act protecting the privacy of consumers’ personal and private data, the Utah Consumer Privacy Act (“UCPA”), Utah Code § 13-61-101, et seq. The UCPA is now fully operational, having taken effect at the end of 2023. The UCPA has the same structure and features as the other consumer data privacy statutes that have been enacted in Europe and here in the U.S. That is, consumers are given certain rights with respect to how their data is collected, processed, sold, shared, etc. Further, certain obligations are imposed on businesses that collect and process consumer data, including, for example, the requirement to give notices to consumers, to obtain consent for the collection/processing of personal data, to install high levels of cybersecurity to prevent unauthorized access and exfiltration, and more.

As usual for these types of statutes, the UCPA differentiates between businesses that collect and control consumer personal data — called “controller” — and those businesses that manipulate and process the data — “processors.” As a simple example, the controller might be the business operating an online sales platform and the processor might be a financial institution that processes payment information. Most of the requirements imposed by the UCPA apply to controllers, but there are some mandates imposed on processors.

The UCPA generally does not apply to small businesses. Rather, the Act is intended to apply to large businesses that collect, control, and process a lot of consumer personal data. The UCPA applies to businesses that conduct business in Utah OR produce a product or service targeted to residents of Utah. Further, there are certain thresholds for applicability that exclude small businesses. This is common with these types of statutes, and Utah’s thresholds are in line with most similar statutes. The thresholds are:

  • Businesses that have annual revenue of at least $25,000,000 AND
  • EITHER control or process personal data of 100,000 or more consumers during a calendar year
  • OR derive over 50% of their gross revenue from the sale of personal data and control or process personal data of 25,000 or more consumers

The UCPA contains a long list of entities that are specifically exempt from applicability, including:

  • Governmental entities or a third party under contract with a governmental entity
  • Tribes
  • Institutions of higher education
  • Nonprofit corporations
  • Certain financial institutions
  • Air carriers

Certain types of data are also excluded from coverage under the UCPA, including various health data covered by federal statutes, data used for credit reporting, personal data collected as part of human subjects research, deidentified data, data collected and processed for purely personal purposes, emergency contact information, and more.

As noted, the UCPA imposes various obligations on covered controllers and processors. First, before collecting a consumer’s personal data, covered businesses must provide notice. This is generally called a “privacy notice.” The notice must inform consumers of the following:

  • The categories of personal data being collected and processed
  • What categories of data are shared/sold to third parties (excluding affiliated processors)
  • Descriptions/categories of the third parties with whom data is shared/sold
  • The business purposes for which the data is collected and processed
  • How consumers can exercise their rights — such as demanding to see a copy of the personal data collected and controlled or demanding that corrections be made to inaccurate data

Businesses must also obtain consumer consent to processing of “sensitive data” for purposes like targeted advertising. And consumers must be given an easy and clear method of opting out of processing of their data for such purposes. Notably, the UCPA does not mandate that businesses provide an appeal method if the business refuses or fails to take action after a consumer requests actions pursuant to the UCPA.

UCPA Enforcement: The Role of the Utah Division of Consumer Protection

Unlike most other state consumer privacy statutes, the UCPA has a two-step enforcement structure. Consumer complaints are filed first with the Utah Division of Consumer Protection (UDCP), which conducts an initial intake and investigation. If the UDCP finds merit in a complaint, it refers the matter to the Utah Attorney General’s Office. The AG’s office then has the authority to bring civil enforcement actions in Utah courts. The mandatory referral step — and the 30-day cure period available to businesses before penalties can be imposed — means that the UCPA’s enforcement process is more business-friendly than, say, California’s or Oregon’s frameworks.

Civil penalties under the UCPA can reach $7,500 per violation, consistent with other state statutes. The UCPA does not create a private right of action, so consumers cannot sue covered businesses directly for UCPA violations. However, this does not eliminate the risk of private litigation — consumers and class action plaintiffs’ firms have pursued claims under state consumer protection statutes, unjust enrichment theories, and common law privacy torts in connection with data breaches and privacy violations that could also support UCPA complaints.

How the UCPA Differs from California and Virginia Statutes

The UCPA is often described as one of the more business-friendly consumer data privacy statutes, and there are several provisions that justify this characterization. First, unlike Virginia’s CDPA and Colorado’s CPA, the UCPA does not require businesses to conduct documented data protection assessments for high-risk processing activities. Second, unlike Oregon’s OCDPA and Colorado’s CPA, the UCPA does not require businesses to recognize and honor Global Privacy Control signals as a valid opt-out mechanism. Third, unlike most other statutes, the UCPA does not require businesses to establish an appeal mechanism when they deny a consumer rights request — the consumer’s only recourse is to file a complaint with the UDCP.

For businesses designing a multi-state privacy compliance program, the UCPA’s requirements represent a floor, not a ceiling. A compliance program built to satisfy California’s CPRA, Colorado’s CPA, or Oregon’s OCDPA will generally satisfy the UCPA as well, since those statutes impose more demanding requirements on each of the dimensions where the UCPA is less prescriptive.

Practical Compliance: What “Sensitive Data” Consent Requires

Under the UCPA, businesses must obtain affirmative opt-in consent before processing a consumer’s sensitive personal data. Sensitive data under the UCPA includes racial or ethnic origin, religious beliefs, sexual orientation, citizenship or immigration status, medical history or condition, genetic data, biometric data, specific geolocation (within a radius of 1,750 feet), and personal data known to be from a child under 13. The consent requirement means a pre-checked box, a browse-wrap agreement, or inaction does not constitute valid consent for sensitive data processing — the consumer must take an affirmative step acknowledging the processing and agreeing to it.

Businesses that collect sensitive data in any of these categories through apps, websites, wellness platforms, or retail loyalty programs should audit their consent mechanisms to ensure affirmative, informed consent is being obtained and documented before processing begins. A consent management platform (CMP) that logs user consent choices with timestamps and version information is strongly advisable for businesses processing significant volumes of sensitive data.

The Annual $25 Million Revenue Threshold: Who Is Actually Covered

One important coverage requirement distinguishes the UCPA from most other state consumer privacy statutes: in addition to meeting the consumer-data volume thresholds, a business must have annual gross revenues of at least $25 million to be covered by the UCPA. This revenue threshold excludes most small and mid-sized businesses, meaning startups, small SaaS companies, and local businesses with revenues below $25 million are not subject to the UCPA even if they process data of 100,000 or more Utah consumers.

However, smaller businesses should not be complacent. Even if they fall below the UCPA’s coverage threshold, they may be subject to California’s CPRA (which applies to businesses with $25 million or more in annual gross revenues — the same threshold), as well as Virginia’s, Colorado’s, and Oregon’s statutes, which do not impose a revenue floor and apply based solely on data volume thresholds. A comprehensive privacy compliance analysis requires evaluation of all applicable state statutes, not just the state where the business is physically located.
