Utah Enacts New Consumer Data Privacy Law

Privacy & Cybersecurity Update

Date: March 24, 2022

Utah has joined the growing patchwork of states enacting comprehensive privacy laws, adding to the complications of complying with overlapping and sometimes inconsistent standards. On March 24, Utah Governor Spencer Cox signed into law the Utah Consumer Privacy Act (UCPA), which grants Utah residents new data privacy rights and creates new obligations for how businesses collect and use their personal data.

Although the UCPA does not create a private right of action, it grants Utah’s attorney general the authority to investigate and impose civil penalties of up to $7,500 per violation against noncompliant businesses. The UCPA takes effect on December 31, 2023, and its key provisions and obligations are set forth below. Businesses should consider the UCPA when seeking to implement programs and policies to comply with the data privacy laws in California, Colorado, and Virginia, which enter into force in 2023.

Scope of applicability. The UCPA primarily applies to a limited set of organizations that process Utah residents’ personal data (classified as data “Controllers”) and to the third-party service providers that assist in data processing activities (classified as data “Processors”). These classifications mirror the structure of other data protection laws. In particular, the UCPA applies to Controllers that conduct business in Utah or produce a product or service that targets Utah residents, have an annual revenue of at least $25 million, and either (i) process the personal data of at least 100,000 consumers annually or (ii) derive over 50% of gross revenue from the sale of personal data and control or process the personal data of at least 25,000 consumers. This is a higher threshold than other state data privacy laws, as annual revenue is a precondition to the law’s applicability (as opposed to just a factor).

Definition of personal data. Like other data privacy laws, the UCPA defines personal data broadly as any “information that is linked or reasonably linked to an identified individual or an identifiable individual.” The statute provides exceptions to its scope of applicability and does not, for example, apply to personal data in the commercial or employment context or to protected health information, publicly available information, deidentified data, aggregated data, or other data subject to certain federal laws (e.g., HIPAA, GLBA, FCRA, FERPA, COPPA).

Data privacy rights. The UCPA creates several new data privacy rights and privileges for Utah consumers:

  • The right to confirm whether a Controller is processing their personal data
  • The right to access personal data and obtain a copy of such personal data in a portable, and to the extent technically feasible, readily usable format to enable transfer to another entity
  • The right to delete personal data

Unlike other data privacy laws, the UCPA does not give consumers the right to “correct” or “rectify” personal data in a Controller’s custody or control. It sets forth a framework for how Controllers must intake, authenticate, and respond to consumer privacy requests, including applicable response timelines, response content requirements, and the limited circumstances in which Controllers may charge a fee for such privacy requests. It also provides very specific exceptions that exempt Controllers from complying with the law, including these data privacy rights, and businesses need to incorporate these exceptions into their data subject intake and response protocols and templates.

A Controller may not discriminate against a consumer for exercising a data privacy right (e.g., by denying the consumer a good or service or charging a different price, or by providing a different level of quality of a good or service). However, the UCPA does permit Controllers to offer different services or similar services at different prices that are related to loyalty or rewards programs. In addition, a Controller is not required to provide any product, service, or functionality to a consumer if the consumer must furnish their personal data but elects to not do so.

Opt-out rights. The UCPA gives consumers the right to opt out of the processing of their personal data to the extent it relates to targeted advertising and the sale of personal data. The UCPA does not mandate a separate timeframe from the law’s effective date to implement opt-out rights, nor does it require specific universal opt-out mechanisms as described in other privacy laws. Under the UCPA, “sale” means “the exchange of personal data for monetary consideration by a Controller to a third party” and importantly excludes references to “valuable consideration” (which is included in other privacy laws). The UCPA creates common exemptions to the definition of “sale,” such as the disclosure of personal data to a Processor or a Controller’s affiliate. The term “targeted advertising” essentially refers to a Controller’s ability to display an advertisement to consumers based on their personal data collected over time from their online activities and to predict preferences or interests.

Processor obligations and contracts. The UCPA places affirmative obligations on Processors, such as those related to compliance with the Controller’s instructions and the implementation of security controls to safeguard personal data from unauthorized use. It also requires the Controller and Processor to execute data processing agreements setting forth the nature and purpose of data processing, the use of subcontractors, and each party’s rights and responsibilities.

Privacy policies and other notices. Controllers are required to provide consumers with a “reasonably accessible and clear” privacy notice that describes their data processing activities (e.g., categories of personal data collected and processed, purposes of processing, categories of personal data shared with third parties, categories of recipients). The notice must also describe how consumers can exercise their data privacy rights. A Controller that sells personal data or uses it for targeted advertising has the additional obligation to “clearly and conspicuously disclose” such processing and how consumers can exercise their opt-out rights.

Consent. The UCPA prohibits Controllers from processing a consumer’s “Sensitive Data” unless they first give the consumer the opportunity to opt out of such processing (or comply with federal law related to the processing of children’s personal data). The UCPA defines “Sensitive Data” as personal data that reveals a consumer’s racial or ethnic origin, religious beliefs, sexual orientation, or citizenship or immigration status, as well as certain health care-related data, biometric data, and specific geolocation data. This opt-out/implied consent framework minimizes the burden on Controllers, especially in the online context where they may be collecting geolocation data from cookies, pixels, tags, or other online tracking tools.

Data security. The UCPA places affirmative data security obligations on Controllers. It requires them to “establish, implement, and maintain reasonable administrative, technical, and physical data security practices,” which must be appropriate for the volume and nature of the personal data and the Controller’s “business size, scope, and type.”

For more information, please contact:

Steven G. Stransky
Certified Information Privacy Professional/Government (CIPP/G)
Certified Information Privacy Professional/United States (CIPP/US)

Thomas F. Zych

Thora Knight

This advisory bulletin may be reproduced, in whole or in part, with the prior permission of Thompson Hine LLP and acknowledgment of its source and copyright. This publication is intended to inform clients about legal matters of current interest. It is not intended as legal advice. Readers should not act upon the information contained in it without professional counsel. This document may be considered attorney advertising in some jurisdictions.