Utah Consumer Privacy Act

The Utah Consumer Privacy Act (UCPA) is legislation unanimously passed in the Utah Legislature. The final version of this Utah privacy law now awaits the signature of Governor Spencer Cox. If, as expected, the Governor signs the legislation by March 24, 2022, Utah will become the fourth state in the nation with a comprehensive consumer privacy law. The details of the Utah Consumer Privacy Act are discussed below.

Utah Consumer Privacy Act: Who is Regulated?

The Utah Consumer Privacy Act protects Utah residents’ personal information privacy. The Utah Privacy Law defines “personal information” as information “linked or reasonably linkable” to an identified individual or an identifiable individual. This definition is similar to the HIPAA definition of protected health information; however, the Utah Consumer Privacy Act is broader, covering non-health-related information as well as health-related information.

The Utah Consumer Privacy Act applies to data controllers and data processors. Under the Utah privacy law, a data controller is a person or entity doing business in Utah who plays a part in determining the purposes and means by which personal data is processed. In contrast, a data processor is a person or entity who processes personal data on behalf of a controller. The data controller and data processor relationship is akin to the HIPAA relationship between a covered entity and a business associate. In each case, the latter entity processes information on behalf of the former.

The Utah Consumer Privacy Act applies to controllers and processors that conduct business in the state of Utah or produce a product or service that is targeted to Utah residents, have annual revenue of $25,000,000 or more, and:

  • Control or process personal data of more than 100,000 consumers per calendar year; or
  • Derive over 50% of the entity’s gross revenue from the sale of personal data and control or process personal data of 25,000 or more consumers.

Utah Consumer Privacy Act: What’s In It for Me?

Under the new Utah privacy law, consumers have the right to:

  • Confirm whether a controller is processing their personal data
  • Obtain a copy of their personal data in a format that is portable and readily usable
  • Delete data that the consumer has previously provided to the controller
  • Opt out of the “sale” of personal data (“sale” is defined by the UCPA as disclosure by a controller to a third party for money), or processing of personal data for targeted advertising

The UCPA also requires covered businesses to publish privacy notices that provide the following:

  • The categories of personal data processed
  • The purpose for the processing of the personal data
  • How consumers may exercise their rights under the UCPA (controllers have 45 days to respond to a request by a consumer to exercise their rights)

The Utah privacy law’s consumer protections, while significant, are less robust than those afforded by other recently enacted st