On March 24, 2022, Utah’s Governor Spencer Cox signed into law the Utah Consumer Privacy Act (the UCPA).
The Utah Consumer Privacy Act (UCPA) went into effect on December 31, 2023. Utah will join California (CCPA) and Virginia (VCDPA) with comprehensive data privacy laws, as it rolls out its new Utah Consumer Privacy Act. Following shortly are Colorado (CPA) Connecticut (CTDPA).
⏰ Short on time? Jump to what you need to do to prepare for the UCPA →
The UCPA is a new consumer privacy law in Utah went into effect on December 31, 2023. The UCPA is similar to the Virginia Consumer Data Protection Act (VCDPA), but takes a lighter, more business-friendly approach to consumer privacy. The UCPA is intended to provide a workable standard for businesses while also protecting Utah consumers’ guaranteed rights.
To comply with the UCPA, businesses must take several steps, including reviewing and updating their privacy notice, implementing processes to respond to consumer requests, and providing an opt-out mechanism for sensitive data processing.
🔎 Keep reading to learn more about the upcoming changes in Utah, or jump to what you need to do to prepare for the UCPA →
Under the Utah Consumer Privacy Act (UCPA), “personal data” is defined as information that is linked or reasonably linkable to an identified or identifiable individual. This includes any data that can be used to directly or indirectly identify a person, such as their name, address, email address, phone number, or other similar identifiers. The UCPA does not consider de-identified data, aggregated data, or publicly available information as personal data.
To determine if you will be affected by the Utah Consumer Privacy Act (UCPA), you will need to assess if it meets the criteria listed in the law. The UCPA applies to any organization that:
If you meet the above criteria, it will be subject to the UCPA.
If you’re subject to the Utah Consumer Privacy Act (UCPA), you must provide a privacy policy that is reasonably accessible and clear to consumers. Your privacy policy should include the following:
If your organization sells* consumers’ personal data to one or more third parties or processes personal data for targeted advertising purposes, you must clearly and conspicuously inform consumers of these activities and provide a way for them to opt out.
*Sale→ under the UCPA means the exchange of personal data for monetary consideration by a controller to a third party.
Remember: It’s important to regularly review and update your privacy policy to ensure that it accurately reflects your organization’s data processing practices and compliance with the UCPA.
Remember: It’s important to regularly review and update your privacy policy to ensure that it accurately reflects your organization’s data processing practices and compliance with the UCPA.
iubenda’s Privacy and Cookie Policy Generator allows you to add all currently required US state-level privacy disclosures in one simple click!
Simply click “Enable disclosures for Users residing in the United States” to activate the new US-specific clauses.
👉 Easily create your privacy policy for the upcoming UCPA →
Under the UCPA, consumers will have enhanced rights in regard to their personal data, including:
❗️ Please note that, unlike laws like the GDPR, the UCPA currently does not grant consumers the right to request the correction of inaccurate personal data.
When entered into force, you will have additional responsibilities, including responding to consumers’ requests for the exercise of their rights within a 45-day period.
Sensitive data is given special consideration under the UCPA. You must not process sensitive data without providing clear notice and an opportunity to opt out of the processing. This applies to personal data that reveals an individual’s:
⚠️ If you process sensitive data, you must provide a clear notice that informs consumers of the type of sensitive data you collect and the purpose for which you process it. Additionally, you must provide an opportunity for consumers to opt out of the processing of their sensitive data. You must also obtain verifiable parental consent if the sensitive data concerns a known child who is younger than 13 years old.
Under the Utah Consumer Privacy Act (UCPA), consumers have the right to opt out of the processing of their personal data for targeted advertising purposes or the sale of their personal data to third parties. However, the Act does not provide specific guidelines on how you should enable consumers to exercise this right.
The method for submitting opt-out requests is left up to the discretion of the controller, as long as it is accessible and clear to the consumer.
You are not required to honor consumers’ opt-out requests through opt-out preference signals like the GPP and GPC.
Unlike other US state-level privacy legislations, it’s important to note that, under UCPA, opt-out links come into consideration only in relation to consumers’ right to opt out of the processing of sensitive data.
To ensure compliance with the UCPA, you should include a clear and accessible opt-out process in your privacy policy.
The Utah Consumer Privacy Act (UCPA) imposes certain obligations on businesses that collect, process, or sell personal data of Utah residents. To prepare with the UCPA, you should: