Clym Logo
US flag

US

Utah Consumer Privacy Act (UCPA)

Overview

The Utah Consumer Privacy Act (UCPA), enacted in 2022 and effective as of December 31, 2023, is a comprehensive data privacy law that grants consumers rights over their personal data and imposes responsibilities on businesses to safeguard and responsibly process that data. The UCPA aims to promote transparency in data usage, allowing consumers to access, delete, and opt out of the sale or processing of their data for targeted advertising.

Regulation Summary

  • March 24, 2022: UCPA signed into law by Governor Spencer Cox.
  • December 31, 2023: UCPA becomes effective.

  • Businesses that conduct operations in Utah or target Utah residents and meet the following criteria:
    • Generate $25 million or more in annual revenue; and
    • Either:
      • Process data of 100,000 or more consumers annually, or
      • Derive 50% or more of gross revenue from selling data of at least 25,000 consumers.

  • Government entities and nonprofits.
  • Entities governed by HIPAA, GLBA, or other federal regulations.
  • Personal data used for employment or publicly available purposes.

  • Transparency: Provide a clear privacy notice detailing data collection and sharing practices.
  • Consumer Rights: Allow consumers to access, delete, or obtain copies of their data and opt out of targeted advertising and data sales.
  • Data Security: Implement safeguards to protect personal data.
  • Sensitive Data: Obtain explicit consent before processing sensitive personal data.

  • Establish a designated request address for consumer inquiries.
  • Respond to consumer requests within 45 days, extendable by an additional 45 days if necessary.
  • Clearly disclose opt-out options and data practices.

  • Controllers and processors must:
    • Maintain contracts specifying data processing terms.
    • Ensure data protection for shared or processed information.

  • Access: Request a copy of personal data.
  • Deletion: Request deletion of data provided by the consumer.
  • Portability: Receive data in a portable format.
  • Opt-Out: Refuse data sales or targeted advertising.

  • Enforced by the Utah Attorney General.
  • Cure Period: 30 days to address violations.
  • Penalties: Up to $7,500 per violation, including actual damages.
  • No private right of action.