Blog /Privacy

Utah: Another State to Pass a Data Privacy Law, the UCPA

30th May 2022 – Another State to Pass a Data Privacy Law, the UCPA

In March of 2022, Utah Governor Spencer J. Cox signed into law the Senate Bill (SB) 227, also known as the Utah Consumer Privacy Act (UCPA).

The UCPA is a cross-industry privacy law that gives Utah consumers significant privacy rights over their personal information. Any data connected to an identified or identifiable individual is known as personal data. Additional compliance requirements apply to more precisely defined “sensitive data” categories. The law will come into force on December 31, 2023.

The UCPA is similar but not identical to California, Virginia, Nevada, and Colorado consumer privacy statutes. It’s heavily inspired by the Virginia Consumer Data Protection Act (VCDPA), and some VCDPA-like elements can also be found in the Colorado Privacy Act.

At first glance, certain features of the UCPA appear similar to the California Consumer Privacy Act (CCPA). In practice, however, it’s a softer, more business-friendly approach to consumer privacy than its predecessors.

How Is UCPA Different From Other State Privacy Laws

Here’s a high-level comparison of the UCPA provisions with those of

Key Provisions Utah UCPA Colorado CPA Nevada SB220 Virginia CDPA
Europe GDPR
Ability to Process
Data Minimisation Yes Yes Yes No Yes
Permissible Purpose Yes Yes Yes No Yes
Individual Rights
Right to receive notice of processing activities Yes Yes Yes Yes Yes Yes
Right to access personal data Yes Yes Yes Yes Yes
Right to data portability. Data should be available in an easily usable format for transfer from one entity/platform to another. Yes Yes . Yes Yes Yes
Right to correct errors in personal data No Yes Yes No Yes
Right to delete personal data Yes Yes Yes Yes Yes
Right to opt-out of behavioral advertising Yes No Yes No Yes
Right to object to automated profiling and decision making Yes No Yes No Yes
Right to non-discrimination for the exercise of these rights Yes Yes Yes Yes Yes
Right to opt-out of sales of personal information Yes Yes Yes Yes Yes No
Opt in or opt out for processing of sensitive information Opt-out Opt-in Opt-in Opt-out Opt-in
Right to appeal denial of requests No No Yes No No
Data Protection Assessments No Yes Yes No Yes
Appropriate Data Security to protect information No Yes Yes Yes Yes
Breach Notification Yes Yes Yes Yes Yes
Data Transfers Outside European Economic Area (EEA)
Additional measures for international transfers Yes Yes No No Yes
Transfers to Third Parties
Contractual Requirements in Service Provider Agreements No Yes Yes Yes Yes
Consent for Adtech cookies No No Yes Yes Yes
Consent obtained prior to direct marketing No Yes No No Yes
Enforcement Agencies
Utah Department of Commerce Attorney General Attorney General Attorney General, CPPA DPA
Operative date
31 December 2023 1 July 2023 1 October 2019 1 January 2023 1 January 2020/ 1 January 2023 25 May 2018

Watch this video for more information on the differences between EU and US privacy laws and which privacy standards should be considered when performing A/B testing.

As evident from the table above, companies that comply with the CCPA, CPRA, VCDPA, and CPA will likely have no trouble meeting UCPA’s criteria.

The UCPA uses the GDPR’s “controller” and “processor” nomenclature and doesn’t offer consumers a private right of action for alleged violations. Like all other government regulations, it puts consumers in control of their personal information.

However, it also makes certain vital distinctions.

For example, UCPA doesn’t give consumers the right to have errors in their personal data corrected, nor does it require controllers to conduct data protection impact assessments (DPIAs) of specific processing operations.

UCPA mandates covered businesses to provide consumers with notices and an opportunity to opt out before processing their sensitive data.

This contrasts with the VCDPA and CPA, requiring opt-in permission to collect and process sensitive data. Furthermore, instead of going directly to the Attorney General (AG), consumer complaints are routed through the Utah Department of Commerce, which can submit concerns to the AG.

Key Provisions of the UCPA

Here are some key provisions of the UCPA.

Broad Definition of Personal Data and Sensitive Data

According to the UCPA, personal data is any information that relates to, or can reasonably be linked to, an identified or identifiable individual. It classifies specified types of data as “sensitive data,” which is subject to additional standards and limitations not applicable to other types of personal data.

Less Data Subject Rights

Consumers have four basic rights under the UCPA:

  1. Right to access: The right to know whether or not a controller is processing the consumer’s personal data and have access to that data.
  2. Right to deletion: The consumer’s right to have personal data given to the controller deleted.
  3. Right to portability: The right to obtain a copy of the consumer’s personal data previously provided to the controller in a portable and easily accessible format, allowing consumers to transmit the data to another controller without restrictions.
  4. Right to opt out: The right to refuse the processing of personal data for “targeted advertising” and “sale”.

Despite all of these important rights, the UCPA, unlike other state laws, doesn’t offer consumers the ability to have inaccurate personal information corrected.

Accessible and Clear Privacy Notices

UCPA also requires controllers to provide consumers with a notice that should contain at least the following information:

  • The types of personal data the controller processes
  • The purposes for which the different data categories are handled
  • How customers can exercise their rights
  • The types of personal data that the controller, if any, shares with third parties
  • Third parties with whom the controller exchanges personal data, if applicable

Lighter Data Processing Agreements (DPAs)

The UCPA includes lighter Data processing Agreements and requires a controller to tie up with a processor. This processor manages and processes personal data for the controller.

The terms that the controller and the processor enter into should specify:

  • The agreement’s nature and purpose
  • Processing duration
  • The type of data subject
  • Each party’s rights and obligations

Processors should also oblige any subcontractors to maintain confidentiality and commission them only through a documented contract. This contract considers the subcontractor to be a processor if it takes care of the data on a processor’s behalf.

Unlike other privacy laws, the UCPA doesn’t require data processing terms to audit processors or allow controllers to opt-out of subcontracting a processor.

Familiar Security Requirements

The UCPA has a section on security. It specifies that controllers employ appropriate administrative, technical, and physical data security practices to secure personal data and eliminate foreseeable risks of harm to consumers based on the size, scope, volume, and nature of the processing.

Convert’s UCPA Compliance Checklist

Organizations operating in Utah should consider the UCPA in the same manner as other state laws. However, it can be challenging to check every box when it comes to compliance.

To help organizations navigate the intricacies of the UCPA, we have compiled this handy compliance checklist.

Here’s what you need to keep in mind:

  1. Make sure your business is covered by the UCPA. Organizations must assess whether they meet the UCPA’s jurisdictional threshold, including the financial and data volume threshold.
  2. Reconsider your privacy policy. Revise your privacy policy to reflect the processing of personal data, communicating additional consumer rights, and identifying means for consumers to exercise those rights.
  3. Use reasonable data security practices to protect your data. Examine your cybersecurity policies, practices, and controls to ensure they meet industry standards.
  4. Allow visitors to opt out of having their personal data processed (if applicable). Provide a way for Utah residents to exercise their right to opt out if a company sells or uses their personal information for targeted advertising.
  5. Implement a sensitive data collection mechanism. Businesses must not collect sensitive data without giving consumers a warning and an opportunity to opt out. To comply with this obligation, companies should implement suitable opt-out systems.
  6. Receive and respond to consumer inquiries promptly. Develop procedures for accepting, tracking, acknowledging, and fulfilling consumer requests to exercise their UCPA access and erasure rights.

Convert Respects All Privacy Laws (EU + US)

Compliance with Utah’s laws should be handled in the same way as other state laws, with minor language changes for clarity that they apply only to residents of Utah. The UCPA may require different geo-targeting of opt-out messages, which must be explicitly stated.

Convert keeps a close eye on state privacy and cybersecurity legislation. For more information on “how to prepare for the UCPA” and other new U.S. privacy laws, see our GDPR roadmap.

CRO Master
CRO Master
Originally published May 30, 2022 - Updated November 11, 2022

Start Your 15-Day Free Trial Right Now.
No Credit Card Required

You can always change your preferences later.
You're Almost Done.
Managing Marketing Team
Managing Tech Team
Hypothesizing Experiments
Coding and QA of Experiments
Convert is committed to protecting your privacy.

Important. Please Read.

  • Check your inbox for the password to Convert’s trial account.
  • Log in using the link provided in that email.

This sign up flow is built for maximum security. You’re worth it!