Utah's Consumer Privacy Act (UCPA takes effect: Are you covered?

The Utah Consumer Privacy Act (UCPA) took effect on New Year’s Eve (31 December 2023) and will impact how thousands of businesses collect, use, and share personal data in “The Beehive State”.

The UCPA is one of many “comprehensive” privacy laws being passed by US states. Such laws are already in effect in California, Virginia, Colorado, and Connecticut and will take effect across at least six other states over the next few years.

This article will help you determine whether you’re covered by the UCPA. We’ll look at the definition of a “controller” and “processor” under the law, consider the various application thresholds, and look at the exemptions.

Controller or Processor

First, the UCPA only applies to “controllers” and “processors”, as defined under the law.

• A “controller” determines the purposes and means of the processing of personal data. This means making decisions about how and why to collect or use personal data. Virtually all organizations do this, to some extent
• A “processor” processes personal information on behalf of a controller. This type of business provides services that involve personal data collected by a business, such as data analytics, customer services, or cloud storage

For the purposes of this article, we’ll assume your business is a “controller”, and we’ll generally use terms like “business”, “company”, or “organization” instead of “controller or processor”.

Conducting business in Utah

The UCPA applies to a company that either:

• Conducts business in Utah
• Produces a product or service that is targeted to consumers who are residents of Utah

Businesses based inside or outside of Utah may meet this definition.

Bear in mind that “consumer” does not include a person acting as an employee or a commercial representative of a business. As such, the UCPA only covers business-to-consumer (B2C) transactions.

$25 million revenue

The UCPA only applies to a business with annual revenues of at least $25 million.

Consumers’ personal data

In addition to the above conditions, the UCPA only applies to a business that either:

• Controls or processes personal data of at least 100,000 Utah consumers per calendar year; or
• Both:
  • Derives over 50% of gross revenues from the sale of personal data, and
  • Controls or processes the personal data of at least 25,000 Utah consumers.

“Processing” personal data is a broad term, so the UCPA likely applies to your business if it meets the other thresholds (above) and has at least 100,000 customers in Utah.

Exceptions

A business will not be covered by the UCPA even if it meets the above conditions, provided it falls under one of the law’s many exemptions.

Among other exemptions and carve-outs, the UCPA does not apply to:

• Government bodies
• Third parties acting on behalf of a governmental body
• Tribes
• Higher education institutions
• Nonprofits
• Covered entities or business associates under the Health Insurance Portability and Accountability Act (HIPAA)
• Consumer reporting agencies
• Financial institutions regulated under the Gramm-Leach-Bliley Act (GLBA)
• Personal data regulated under the Family Education Rights and Privacy Act (FERPA)
• Personal data processed about job applicants, employees, or contractors
• Personal data process about individuals acting as agents of a business (i.e., B2B data)

There are many more exemptions, so be sure to check the text of the UCPA itself to ensure the law applies to your organization.

Requirements Under the UCPA

If the UCPA applies to your business, you have responsibilities in the following areas:

• Consumer rights: The UCPA requires you to provide consumers with access to their personal data on request and enable consumers to delete their personal data under certain conditions
• Targeted advertising: You must enable consumers to opt out of targeted ads on your website or app
• Selling personal data: If you “sell” personal data (the term is defined relatively broadly under the law), you must allow consumers to opt out of this activity
• Data processing agreements: Controllers must put contracts in place with data processors that oblige the processor to keep personal data secure, not re-use the data for its own purposes, and assist the controller with facilitating consumer rights requests
• Security: Controllers must implement and maintain reasonable technical, physical, and administrative security practices to protect personal data.

For more information on navigating US privacy law, read:

• 2023: The start of a new era of US privacy law
• Targeted Advertising under 2023’s five new US State privacy laws
• 5 US State Privacy Laws taking effect in 2023