Skip to content

What To Know About the Utah Consumer Privacy Act and its Effective Date

Are you a Utah resident wondering how a new state law will impact your personal data privacy rights? Or perhaps you own or work for a business conducting activities in Utah and need to get up to speed on compliance requirements? The Utah Consumer Privacy Act (UCPA) is slated to take effect on December 31, 2023. This new law will grant Utahns significant control over their personal data collected by companies.

In this article, I‘ll provide an in-depth look at the key provisions of the UCPA, who it applies to, steps businesses should take to comply, and what Utah consumers need to know about exercising their new data privacy rights. Let‘s dive in and unpack the details of this important new consumer protection.

Why Utah Enacted a State Privacy Law

Before getting into the specifics of the law, it‘s helpful to understand the context behind Utah‘s move to pass a comprehensive data privacy act. Residents have growing concerns over how their personal information is collected and used by businesses.

  • According to a 2021 survey by Disconnect, 91% of Utah residents said they support opt-in data privacy legislation similar to laws in states like California and Virginia.

  • 85% reported being more concerned about online privacy compared to a year ago.

Against this backdrop of rising consumer unease, Utah chose to follow early mover states that already implemented privacy laws. The UCPA merges provisions from other state laws but also has unique aspects tailored to Utah.

Summary of Key Provisions

So what exactly does the Utah Consumer Privacy Act do? Here‘s an overview of some of the key rights and provisions under the UCPA:

Consumer Data Privacy Rights

  • Right to access personal data: You can request details on what personal information a business has collected about you and how they use or share that data. This sheds light on what companies know about you.

  • Right to delete personal data: You can ask businesses to delete your personal data, with some exceptions. This allows you to essentially be "forgotten" online if you no longer want a company retaining your info.

  • Right to opt-out of data sales/targeted ads: You can direct companies not to sell or share your personal data, or use it for targeted advertising if you object to these practices.

  • Right to non-discrimination: Companies cannot deny you goods or services, or charge you different prices for exercising your UCPA rights.

  • Private right of action: After January 1, 2025, you will be able to sue companies directly over certain UCPA violations rather than relying on state enforcement.

Business Responsibilities

The UCPA also places significant responsibilities on companies doing business in Utah or interacting with residents‘ personal data, including:

  • Providing transparent privacy policies explaining their data practices and consumer rights.

  • Facilitating consumer rights requests like data access and deletion within 45 days.

  • Limiting data sales and targeted advertising when consumers opt-out.

  • Registering annually with the state if processing extensive consumer data.

  • Implementing reasonable security safeguards for collected personal information.

  • Training staff on handling consumer requests per the law‘s requirements.

Enforcement and Penalties

  • The Attorney General has exclusive enforcement authority under the UCPA.

  • Violations can result in injunctions forcing compliance and civil penalties up to $7,500 per violation.

  • After 2025, consumers will also be able to bring civil suits against companies for certain violations.

While this summary provides a high-level overview, it‘s important businesses carefully review the complete law to understand their obligations.

When Does the Utah Privacy Law Take Effect?

Utah Governor Spencer Cox signed the UCPA into law on March 24, 2022. The law has an effective date of December 31, 2023 – meaning full compliance will be required as of January 1, 2024.

Businesses should not delay preparations until the effective date gets closer. Compliance with far-reaching laws like the UCPA takes significant advance planning and investment.

Here is an overview of the key timing milestones:

  • March 24, 2022: Governor Cox signs the UCPA into law.

  • December 31, 2023: Official effective date of the law. Compliance required as of this date.

  • January 1, 2024: First day businesses must be fully compliant with the UCPA‘s provisions.

  • January 31, 2024: Deadline for first annual registration of companies that must register with the state (more details below).

  • January 1, 2025: Consumers gain the right to bring civil lawsuits against businesses for UCPA violations.

While December 2023 may seem far away, companies should begin reviewing data practices and preparing compliance plans now. It takes time to thoroughly understand new legal requirements and make necessary changes.

Who Does Utah‘s Privacy Law Apply To?

The UCPA places responsibilities on both "controllers" and "processors" of personal data belonging to Utah residents. This generally includes businesses that:

  • Conduct business activities within Utah or produce products/services targeted to Utah consumers

  • Have annual gross revenue exceeding $25 million

  • Control or process the personal data of over 100,000 consumers per year

Some key definitions:

  • "Consumer" – Utah residents acting in a personal/household context. Does not cover workplace data of employees.

  • "Personal data" – Information linked or reasonably linkable to specific consumers/households.

  • "Sale of personal data" – Selling, renting, releasing, disclosing, disseminating, making available or otherwise communicating data for monetary or other valuable consideration.

There are exemptions for certain types of businesses like nonprofits, higher education institutions, and covered health providers. The law also only applies to information belonging to consumers, not employees.

Examples of Affected Businesses

To understand the types of companies subject to the UCPA, let‘s look at some examples:

  • E-commerce retailers selling to Utah residents and collecting data like purchases, browsing history and contact info.

  • Streaming services with over 100,000 Utah subscribers and access to viewing history and other personal data.

  • Ridesharing companies dispatching Utah rides and gathering data on millions of users.

  • Social media platforms with over $25 million in revenue and Utah users sharing personal info.

  • Smart home device makers processing in-home consumer data.

  • Data brokers compiling profiles on residents.

Essentially any medium to large business that interacts with Utah consumers‘ personal information could need to comply depending on their revenue and volume of data.

What are the Main UCPA Compliance Steps for Businesses?

For companies determining they are subject to the UCPA, what should they do to comply before the law takes effect? Here are some of the major areas businesses need to focus on:

Review Data Collection and Usage Practices

To facilitate consumer rights requests under the UCPA, companies will first need to thoroughly understand what personal data they collect and how it flows through their business:

  • What types of consumer personal information do we gather?

  • How and why do we collect this data?

  • How long do we retain personal data?

  • With whom do we share or sell this data and for what purposes?

Answering these questions will require an audit of all data collection points, transfers to third parties, data retention policies, and usage practices. Understanding your data landscape is crucial.

Update Privacy Policies and Disclosure

Businesses must be transparent with consumers about personal data practices and their rights under UCPA. Key steps include:

  • Update privacy policies to accurately reflect data collection, use, disclosure and retention.

  • Explain consumer rights under UCPA like data access, deletion and opt-out.

  • Disclose with whom data is shared and purposes of sharing.

  • Make privacy policies conspicuous and accessible on websites/apps. Summarize key points.

  • When selling data or using it for targeted advertising, provide clear notice and choice to opt-out.

Build Internal Processes for Managing Consumer Requests

The UCPA requires companies to facilitate consumer rights requests within 45 days, including:

  • Verifying identity of those making requests

  • Providing data access: confirm what data you have and how it‘s used

  • Honoring data deletion requests

  • Processing opt-out of sale/advertising requests

This will require implementing internal processes, employee training, and possibly customer management software. Dedicated staff may be needed to handle requests.

Limit Data Sales and Targeted Advertising

Businesses will need to examine when they sell consumer data or use it for targeted ads. Processes must be implemented to identify Utah consumers who opt-out and ensure their data is not sold or used for these purposes.

This may require changes to data infrastructure and advertising systems. Companies reliant on data monetization will need to assess financial impacts.

Strengthen Data Security Safeguards

The UCPA mandates companies implement reasonable administrative, technical and physical safeguards to protect collected consumer data. Steps may involve:

  • Conducting security risk assessments

  • Deploying data encryption and access controls

  • Establishing policies restricting data access to approved purposes

  • Implementing data breach response plans

Register with the State Annually (If Required)

Companies controlling/processing data of over 250,000 consumers or households annually, or selling data, must register with the Utah Division of Consumer Protection by January 31, 2024 and annually thereafter.

Train Employees

Staff interacting with consumer personal data or requests will need training on the company‘s policies and procedures to comply with the law‘s requirements.

While not exhaustive, this gives a sense of the major areas of focus for UCPA compliance based on the experiences of companies preparing for similar laws in other states.

How Much Could UCPA Compliance Cost Businesses?

An important question businesses have is how much investment could be required to implement the consumer privacy protections and rights mandated by the UCPA.

Of course costs will vary significantly based on the size of company, amount of consumer data collected, and complexity of systems. But based on estimates for implementing other state privacy laws, expenditures could reach into the millions for larger organizations.

For example, one economic analysis of the California Consumer Privacy Act estimated:

  • Initial compliance costs ranging from $467,000 for small firms up to $2.8 million for Fortune 500 companies.

  • Ongoing annual costs between $173,000 and $1 million per year.

Major costs encompass IT investments, legal assistance, employee training, and implementing consumer request systems. Costs are incurred assessing data practices, updating systems and policies, and sustaining compliance.

While compliance requires real investment, this can pay dividends by strengthening consumer trust and preventing far larger costs from data breaches and enforcement actions.

Key Differences Between the UCPA and Other State Privacy Laws

While the UCPA was influenced by earlier privacy laws in states like California and Virginia, there are some unique differences. Understanding how the UCPA differs can help businesses apply lessons from other states.

Here are some of the key differences:

  • Enforcement solely by the Attorney General – Unlike laws like the CCPA which allow for civil suits by consumers immediately, private rights of action do not commence until 2025 under the UCPA.

  • No opt-in consent required for data collection – The UCPA does not require companies obtain affirmative consent before collecting consumer data, only for processing sensitive categories of data.

  • Fewer employee obligations – The UCPA does not impose training requirements or place restrictions on employee data access.

  • Data deletion requirements differ – Businesses must delete consumer data upon request under the UCPA, a stronger mandate than the CCPA requirement to render data inaccessible.

  • No special rules for household data – CCPA has specific requirements around household data whereas household data is treated the same as individual consumer data under the UCPA.

While similar in many aspects, studying how other state laws differ can help focus compliance efforts.

What Should Consumers Know About Exercising New Rights Under UCPA?

For Utah residents, it is important to understand the new data privacy rights you will gain under UCPA as of January 1, 2024. These rights empower consumers to have more control over their personal information held by businesses.

Here are some tips on exercising your rights:

  • Review updated privacy policies – Stay alert for changes in how companies describe their data practices and your rights. Look for easy to find privacy notices on homepages and apps.

  • Identify priority companies – Focus first on submitting requests to companies with sensitive data like financial firms, health providers, and retailers where you shop frequently.

  • Request a copy of your data – Ask businesses what specific information they collect and how it is used. This builds your awareness.

  • Seek data deletion – If you are no longer an active customer, request deletion of your personal data rather than having it retained indefinitely.

  • Opt-out of sales/targeting – Where companies rely on selling your data or targeted advertising, exercise choices to limit these uses if you are uncomfortable.

  • Be patient – Know that it may take up to 45 days for companies to respond, and wait times could be longer once requests increase.

  • Understand the limitations – There are justified reasons a company may not be able to fully delete or provide all your data. But push for transparency.

  • Provide feedback to policymakers – If exercising your rights proves difficult, let state leaders know so requirements can be strengthened.

Consumers play a key role in making privacy laws impactful and should inform themselves how to best leverage new rights under the UCPA.

Key Takeaways on the Utah Consumer Privacy Act

Utah‘s new consumer data privacy law grants significant rights to residents and places major obligations on companies conducting business in the state or handling Utah consumer data. Here are some of the key takeaways:

  • The UCPA takes effect on December 31, 2023, giving businesses just over a year to prepare.

  • Consumers gain rights to access, delete, and opt-out of the sale or use of their personal data.

  • Affected businesses must be transparent about data practices, facilitate rights requests, meet security standards, and limit data sales/targeted advertising if consumers opt-out.

  • Most medium to large companies serving Utah residents will likely need to comply based on revenue and volume of consumer data processed.

  • Businesses should start compliance efforts now by auditing data practices, updating policies and training staff. Significant time and investment will be required.

  • Consumers should watch for new opt-out choices and expanded rights they can exercise starting January 2024 as the law takes effect.

The UCPA may take time for businesses to fully adapt to and present implementation costs. But over the long-term, the law‘s consumer privacy protections can benefit both Utah residents and businesses aiming to build trust and loyalty.

With the effective date fast approaching, companies should urgently prioritize understanding the law‘s requirements and implications. Wise investment now in compliance will pay dividends down the road as consumer privacy concerns continue growing.


Streamr Go

StreamrGo is always about privacy, specifically protecting your privacy online by increasing security and better standard privacy practices.