Updated: September 23, 2024
Published: July 25, 2023
In March 2022, Utah became the fourth state to enact a comprehensive consumer data privacy law. Slated to go into effect in December 2023, the Utah Consumer Privacy Act (UCPA) is considered more business friendly than its predecessors in California, the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA); Virginia, the Virginia Consumer Data Protection Act (VCDPA); Colorado, the Colorado Privacy Act (CPA); as well as newer U.S. privacy laws, such as Iowa’s Iowa Consumer Data Protection Act (ICDPA).
In this blog, we’ll dive into the UCPA, the protections it provides to Utah residents, and what that means for businesses that serve Utahns.
The Utah Consumer Privacy Act is one of multiple statewide data privacy laws that establish rights for consumers and responsibilities for companies that process the data of Utah residents.
Like other privacy acts, the Utah privacy law gives consumers a number of rights related to their personal data, including the right to:
It also requires businesses to provide information to consumers about how their data is used and to accept and comply with requests to exercise their rights, including requests to delete or stop selling the consumer’s personal data.
The bill also allows the Division of Consumer Protection to investigate complaints and authorizes the attorney general’s office to enforce the law and impose penalties against businesses that fail to comply.
The UCPA applies to businesses that:
Compared to other data privacy laws, the UCPA is more friendly to businesses in that it has a narrower scope, which excludes many companies from compliance.
For one, the law’s definitions vary from other state laws. The Utah privacy law defines “consumer” as “an individual who is a resident of the state acting in an individual or household context,” but it explicitly excludes “those acting in an employment or commercial context.” So, employee data is not protected under the UCPA. That’s in contrast to other laws, such as California’s CCPA/CPRA.
The definition of “sale” is also limited in scope in that it only applies to the exchange of data for monetary consideration by a controller to a third party. Unlike other U.S. privacy laws, it does not include an “other valuable consideration” clause, as is the case in the California, Colorado, and Virginia laws. These other state laws consider any valuable exchange—even if it isn’t a monetary one—to constitute a sale.
“Data” is defined broadly as “information that is linked or reasonably linkable to an identified individual or an identifiable individual.” The UCPA also makes exceptions for aggregated and de-identified data that can’t be linked back to the original data subject, whereas the California, Colorado, and Virginia data laws all stop at making an exception for de-identified data.
Additionally, consumers have fewer options under the UCPA compared to other states. For example, unlike consumers covered by its predecessors, Utah consumers cannot appeal a business’s decision not to provide information in response to data subject access requests (DSARs). They cannot opt out of profiling, and they cannot request the correction of inaccuracies in their data.
Lastly, the UCPA has a 30-day cure period with no sunset provision. That means violators of the law will be given 30 days to fix (or “cure”) their violation, and that this cure period won’t go away. Most other state laws have similar cure periods, but these are only meant to serve as temporary solutions to help businesses adjust to the regulation—after a year or two, they typically expire, and businesses are on the hook for any violations.
The UCPA requires data controllers (i.e., the organization that determines the purposes and means of processing personal data) and processors (i.e., the organization that processes personal data on behalf of the controller) to have a contract that governs the processing of data and binds the processor to a “duty of confidentiality with respect to the personal data.”
Controllers must also provide consumers with a privacy notice that includes:
If a controller sells personal data to third parties or engages in targeted advertising, the controller must disclose how consumers can opt out of the sale of data and processing for targeted advertising.
The Utah attorney general is charged with enforcing the UCPA and the Division of Consumer Protection oversees consumer complaints. If a business is found to be in violation of the law, the attorney general will provide written notice and a 30-day cure period, as described above.
If a controller or processor fails to cure the violation, the attorney general can fine the organization for actual damages and up to $7,500 per violation. Since each instance of improper use of personal data counts as a violation, penalties can become very steep, very quickly.
Because the UCPA is more business friendly than other state data privacy laws, it's relatively easier to become compliant, but that doesn’t mean it’s actually easy.
When a new law that will impact your business operations takes effect, it’s important to review the text of the law and bring in legal counsel to help sort through the specifics.
It’s also imperative you stay up to date on new privacy laws. The Osano newsletter is a great resource for all things data privacy. Or, if you don’t want to worry about data compliance, you may want to try Osano’s Consent Management Platform (CMP).
Listed below are some frequently asked questions about the Utah Consumer Privacy Act.
December 31, 2023.
Sensitive data is personal data that reveals an individual’s racial or ethnic origin, religious beliefs, sexual orientation, citizenship or immigration status. The UCPA doesn’t require consent for processing this data, but controllers must notify consumers and give them an opportunity to opt out of processing sensitive personal data.
The UCPA defines a child as someone younger than 13 years old. To process their information, verifiable consent must be granted by their parent or legal guardian. Data must be processed in compliance with the Children’s Online Privacy Protection Act (COPPA).
In addition to organizations that don’t meet the revenue or volume thresholds, there are other exemptions for higher education institutions, nonprofit organizations, government organizations and contractors, indigenous tribes, air carriers, those covered by the Health Insurance Portability and Accountability Act (HIPAA), and financial institutions governed by the Gramm-Leach-Bliley Act.
In addition, information subject to other laws is exempt, such as HIPAA, the Gramm-Leach-Bliley Act, Fair Credit Reporting Act, Driver’s Privacy Protection Act, Family Educational Rights and Privacy Act, or Farm Credit Act.
The U.S. now has 12 data privacy laws with many others potentially on the way. Managing the complexity of such a dispersed landscape can be challenging; however, there are common steps any organization can take to prepare.
Matt Davis is a writer at Osano, where he researches and writes about the latest in technology, legislation, and business to spread awareness about the most pressing issues in privacy today. When he’s not writing about data privacy, Matt spends his time exploring Vermont with his dog, Harper; playing piano; and writing short fiction.