Recently signed into law by Governor Spencer Cox, the Utah Consumer Privacy Act (UCPA) is now the nation’s fourth data privacy law to go on the books. While it does not go into effect until December 31, 2023, it’s never too early to learn about the new law and how it compares to privacy legislation in other states.

The new law is closely modeled on Virginia’s Consumer Data Privacy Act (VCDPA), as opposed to the California Consumer Privacy Act (CCPA). It grants similar privacy rights to consumers as the VCDPA, permanently exempts employment and B2B data, and creates no private right of action. Considering all the similarities, it’s worth taking a look at how the UCPA is different from its Virginia counterpart.

Who Does the Utah Consumer Privacy Act Apply To?

The UCPA’s most striking feature in comparison to other data privacy laws is its narrower focus on larger businesses. Specifically, the Utah Consumer Privacy Act only applies to businesses that have at least $25 million in annual revenue. This minimum-revenue threshold is unique to the UCPA, and will result in far fewer small and medium-sized businesses being required to comply.

For those businesses that do have at least $25 million in annual revenue, the UCPA applies to them if they conduct business in Utah and meet one of these two thresholds:

1. They control or process the personal data of at least 100,000 Utah residents in a year, OR
2. They control or process the personal data of at least 25,000 Utah residents in a year and derive 50% or more of their gross annual revenue from the sale of personal data

The UCPA also contains a long list of categories of organizations that are exempt, so that it is largely restricted to for-profit entities. The exemptions include:

• Governmental entities
• Nonprofit corporations
• Institutes of higher education
• Native American tribes
• Covered entities and business associates, as defined by HIPAA
• Financial institutions regulated by the Gramm-Leach-Bliley Act

Regarding enforcement, though Utah’s Division of Consumer Protection may investigate claims of noncompliance, the attorney general has exclusive authority to pursue an enforcement action. Businesses will generally have 30 days to cure any violations, but after that they can be fined up to $7500 per violation.

Privacy Rights Under the UCPA

The UCPA creates four rights for consumers with regard to their personal data. These rights are:

• Right to access personal data processed about the consumer
• Right to portability, i.e., to receive a copy of personal data in a portable and readily usable format

• Right to delete personal data provided by the consumer

• Right to opt out of targeted advertising and the sale of the consumer’s personal data

These might seem standard—they are quite similar to data privacy rights in Virginia, Colorado and California—but there are a few notable differences. First, Utah lawmakers have curiously left out the right to correct inaccurate personal data, which exists in those other three states. There is also a subtle difference in the UCPA’s right to delete: It only applies to personal data provided by the consumer, as opposed to applying to all personal data provided by and obtained about the consumer (as is the case with the Virginia law). At the least, this appears to exempt personal data received from data brokers from deletion, and potentially data from other sources as well.

Once received, consumer requests must be resolved within 45 days, with the option to extend for another 45 days when reasonably necessary.

Sensitive Data

As with Virgnia’s privacy law, the UCPA has special rules about the processing of “sensitive data,” though it handles the issue a bit differently. Sensitive data is defined as:

• Personal data that reveals an individual's racial or ethnic origin, religious beliefs, sexual orientation, or citizenship or immigration status
• Information regarding an individual's medical history, mental or physical health condition, or medical treatment or diagnosis by a healthcare professional
• The processing of genetic personal data or biometric data for the purpose of identifying a specific individual
• Specific geolocation data

This sticks pretty closely to Virginia’s definition of sensitive data, but while Virginia requires a consumer’s consent before processing such data, the UCPA only requires that consumers be informed and have the opportunity to opt out of the processing.

On a related note, while the VCDPA requires businesses to complete a data protection assessment before processing sensitive data—or using targeted advertising, selling personal data, profiling consumers, and any other processing that presents a heightened risk to consumers—the Utah privacy law has no such requirement.

‍