Utah Consumer Privacy Act (UCPA)
(Utah Code § 13-61-101)
As a Utah consumer, you have the right to protect your personal data under the UCPA, a law that became effective on December 31, 2023. Understanding your rights under the new law and how you can exercise them is essential. Likewise, businesses operating in Utah must understand their responsibilities under this new law.
What are your consumer rights under the UCPA?
The UCPA provides Utah consumers with several essential rights concerning their personal data. You have the right to confirm whether a business is processing your personal data. If a business is processing your data, you have the right to access that data and request it be deleted. You can also obtain a copy of the data you previously provided to the business.
Another critical right that Utah consumers have is the right to opt out from companies selling their data, and from the use of their personal data for targeted advertising.
Which businesses does the UCPA apply to?
The UCPA specifically applies to controllers and processors who either conduct business in the State of Utah or produce a product or service targeted to consumers who are residents of the State of Utah. These controllers and processors must:
- Have an annual revenue of $25,000,000 or more and either
- Control or process personal data of 100,000 or more consumers during a calendar year, OR
- Derive over 50% of their gross revenue from the sale of personal data and control or process personal data of 25,000 or more consumers.
What are the responsibilities of businesses under the UCPA?
Under the UCPA, persons who control how personal data is processed (“controllers”) or persons who actually process personal data on behalf of a business (“processors”) must establish, implement, and maintain reasonable administrative, technical, and physical data security practices designed to:
- Protect the confidentiality and integrity of a consumer’s personal data, and
- Reduce reasonably foreseeable risks of harm to consumers relating to the processing of their personal data.
A covered business operating in Utah to provide consumers with a reasonably accessible and clear privacy notice. This notice must describe the categories of personal data, the business processes, the purposes for which the data are processed, and how consumers can exercise their rights under the new law. The notice must also specify the categories of personal data that the business shares with third parties, if any, and the categories of third parties with whom the data is shared.
If a business sells personal data or uses it for targeted advertising, it must inform consumers and provide them with a way to opt-out. The UCPA also applies to sensitive data, such as health or financial information.
How can you request access to your personal data?
If you wish to exercise any of these rights mentioned in the UCPA, you can submit a request to a business specifying which right you intend to exercise. The business must respond to your request within 45 days.
What if you have any complaints or need more information?
If you have any complaints or need more information about the UCPA, you can file a complaint with the Division at the provided link or read the UCPA here.
The UCPA is a significant step towards protecting your personal data as a Utah consumer. Ensure you understand your rights under the new law and exercise them if necessary. At the same time, businesses operating in Utah must comply with the law and fulfill their responsibilities. Click any of the “useful links” section on this page for a breakdown of what you need to know about this important new statute.