When your company does business on a national or global scale, you’re subject to certain state and national data protection and privacy laws. Utah, like several other states, has enacted enhanced data privacy laws to protect consumers and businesses alike.

The Utah Consumer Privacy Act (UCPA) was signed into law in March 2022. If your company does business in Utah and meets the Act’s data collection and revenue thresholds, you’ll need to create a compliant privacy policy. While the UCPA has stricter thresholds than those in other states with similar laws, many mid- to large-scale businesses will be affected by the new law.

Here’s how the UCPA could affect your company’s data collection, processing and storage practices.

What is the Utah Consumer Privacy Act?

The UCPA is similar to the privacy laws of California, Virginia, and Colorado. The Act creates obligations for businesses that control or process Utah consumer data. It applies to any entity that:

  • Conducts business in Utah, or produces products or services targeted to Utah residents
  • Has an annual revenue of $25 million or more and
  • Controls or processes the personal data of at least 100,000 Utah residents annually, or controls and processes personal data from at least 25,000 Utah residents, and derives over 50 percent of its gross revenue from selling personal data

The UCPA’s revenue threshold sets it apart from Virginia’s and California’s privacy laws because companies have to meet both the revenue threshold and the processing threshold. Utah also does not require that companies conduct data protection assessments. Utah’s data privacy laws are considered more favorable to business owners than other state privacy laws.

What does the Utah Consumer Privacy Act protect?

The UCPA gives consumers the following rights under Utah privacy law:

  • The right to know whether a controller is storing and processing their consumer data
  • The right to access their personal data on demand
  • The right to delete their own personal data provided to a controller
  • The right to obtain copies of any personal data they previously provided to the controller, in a portable format when feasible
  • The right to opt out of the sale of their personal data
  • The right to opt out of targeted advertising
  • The right to opt in before their sensitive personal data is processed
  • The right to avoid discrimination for exercising any of these rights under the UCPA

Therefore, businesses that qualify under the UCPA will need to create privacy policies and processes to comply with the Act.

Unlike California’s privacy law, the UCPA does not give consumers a private right of action against a company. Only the Utah attorney general may hold businesses responsible.

When will UCPA become effective?

Although the UCPA was signed into law in March 2022, this new Utah privacy law won’t take effect until December 31, 2023. This gives companies over a year to create a compliant data privacy policy and resolution process.

If your company meets or is projected to meet the UCPA thresholds, it’s wise to get a policy in place as soon as possible. Starting the process now will help ensure you won’t risk fines and penalties for non-compliance.

How to comply with Utah’s Consumer Privacy Act

To comply with the UCPA, controllers must provide consumers with a “reasonably accessible and clear” privacy notice. The privacy notice must include the type of personal data processed, why the data is being processed and whether any third parties will have access to the data. Your company must also tell the consumer whether any personal data has been processed or sold to third parties for targeted advertising purposes.

Certain exemptions to the Act apply. For example, political bodies and state agencies, financial institutions subject to the Gramm-Leach-Bliley Act, certain healthcare-related entities, air carriers and higher education institutions are not required to meet the terms of the Act. It’s important to find out as soon as possible whether your company is subject to an exemption.

Finally, your company needs to have a clear resolution process in place. If a consumer wants to exercise their UCPA rights, the controller is required by law to respond within 45 days.

Understanding the UCPA is crucial when you do business in Utah—but researching and creating compliant privacy policies for each new territory is a time-consuming and expensive venture. Fortunately, SixFifty’s data privacy tools can save you time and money. Our legal technology empowers business owners to create comprehensive state privacy policies with just a few clicks. All you need to do is answer a few questions about your company, then have your lawyer review and approve.

For more information about SixFifty’s Utah Privacy and how we can help your company comply with Utah privacy law, reach out to schedule a free demo today!