State Privacy Laws: Utah

Utah Consumer Privacy Act (UCPA)

Overview

Utah was the fourth state to enact a comprehensive consumer data privacy law. Of the three consumer privacy laws that came before it (California, Virginia and Colorado), the Utah Consumer Privacy Act (UCPA) most closely resembles the Virginia Consumer Data Protection Act. However, the UCPA takes a lighter, more business-friendly approach to consumer privacy than all three of its predecessors.

Key Dates

  • Signed into law: March 24, 2022
  • Effective date: December 31, 2023

Thresholds

The UCPA specifically applies to controllers and processors who either conduct business in the State of Utah or produce a product or service targeted to consumers who are residents of the State of Utah. These controllers and processors must:

  • Have an annual revenue of $25,000,000 or more and either
    • Control or process personal data of 100,000 or more consumers during a calendar year, OR
    • Derive over 50% of their gross revenue from the sale of personal data and control or process personal data of 25,000 or more consumers.

Consumer Rights

  • The right to confirm whether a controller is processing the consumer’s personal data.
  • The right to access the consumer’s personal data.
  • The right to delete the consumer’s personal data that the consumer provided to the controller. Importantly, the UCPA does not afford consumers the right to delete all personal data that a controller has about them. Under the UCPA, a consumer only has the right to delete the personal data they provided to the controller.
  • The right to data portability: Consumers have “the right to obtain a copy of the consumer’s personal data, that the consumer previously provided to the controller, in a format that:
    • to the extent technically feasible, is portable;
    • to the extent practicable, is readily usable; and
    • allows the consumer to transmit the data to another controller without impediment, where the processing is carried out by automated means.”
  • The right to opt out of the processing of the consumer’s personal data for the purposes of targeted advertising or the sale of personal data.

Sensitive Data

The UCPA provides a definition for “sensitive data,” but unlike the VCDPA and the CPA, it does not require consumer consent for processing such data. The UCPA defines “sensitive data” as:

  • Any data that reveals an individual’s racial or ethnic origin; religious beliefs; sexual orientation; citizenship or immigration status; or medical history, mental or physical health, medical treatment or diagnosis by a health care professional;
  • Specific geolocation data; and
  • Certain genetic personal data or biometric data.

The UCPA requires that businesses provide notice and an opportunity to opt out of the use of this sensitive data. Under the UCPA, consent is only required in the context of parental consent for processing children’s data.

Penalties

Up to $7,500 per violation.

Configure Your Consent Banner for UCPA

Regions are used to customize the behavior and experience based on an individual user’s location. For example, this allows you to provide different experiences to users based on regional differences (like GDPR in the EU vs. UCPA in Utah). When a user visits your site, we will automatically determine their location and match them to the most granular region rule that you have set up in Concord. This can go down to the state/province level, which allows for different experiences for different laws (like UCPA in Utah).

Recommended Consent Settings

Based on the current laws, we recommend the following regional settings:

  • Consent Mode: Implied
  • Blocking Mode: Strict
  • Google Consent Mode V2: Basic
  • Consent Duration: 12 months
  • Enable Limit Sensitive Information: Enabled
  • Enable Do Not Sell Consent: Enabled
  • Enable Global Privacy Control: Enabled

For step-by-step instructions on how to configure your consent banner for different geographical regions within the Concord app, see our help document: https://www.concord.tech/docs/configure-consent-banner-difference-regions.

Important Note: While you can get as granular as you want, we typically recommend a single global policy that meets the strictest guidelines across regions, or higher-level splits (like separate GDPR and United States regions). If you have any questions on how and why to configure your regions in certain ways, please reach out to our support team.