Utah Consumer Privacy Act (UCPA)

What is Utah’s UCPA Law?

Gov. Spencer Cox, R-Utah, signed the Utah Consumer Privacy Act into law on the 24th of March, making Utah the 4th state after California, Virginia and Colorado to enact a comprehensive consumer privacy act. The law will be in effect from 31.12.2023. The UCPA is largely based on the Virginia Consumer Protection Act, but takes a more business-friendly approach to consumer privacy than all three of its predecessors.

Who must comply with Utah Consumer Privacy Act (the “UCPA”)?

This chapter applies to any controller or processor who:

  • conducts business in the state; or produces a product or service that is targeted to consumers who are residents of the state;
  • has annual revenue of $25,000,000 or more; and
  • satisfies one or more of the following thresholds:
    • during a calendar year, controls, or processes personal data of 100,000 or more consumers; or
    • derives over 50% of the entity’s gross revenue from the sale of personal data and controls or processes personal data of 25,000 or more consumers.

The Utah Consumer Privacy Act (UCPA) emerges as a significant legal framework, influencing how businesses handle consumer data within the state. Enacted to enhance individual privacy rights, the UCPA sets forth guidelines that organizations must adhere to, impacting a wide range of industries.

Who enforces Utah Consumer Privacy Act (the “UCPA”)?

Consumers cannot bring a private action under the UCPA (Utah Consumer Privacy Act) or use a violation of the law to support another lawsuit under Utah privacy law.

An attorney general can take enforcement action and impose fines of up to $7,500 per violation if a controller or processor both fails to cure the violation and continues to violate the law.

Know the difference between Virginia’s CDPA, CCPA and CPRA?

Download this whitepaper to learn more about the key differences between the provisions of Virginia’s new privacy law, the CDPA, the California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA). It provides an overview of each law’s requirements, highlighting their similarities and differences. Although all the active privacy laws share some similarities, the framework and definitions of the CDPA carry their own unique requirements and guidance.


Consumer Rights under Utah's UCPA

The Utah Consumer Privacy Act safeguards individuals’ data privacy with a complete set of regulations that one must comply with.

  1. Right to Information
    A consumer has the right to:

    • confirm whether a controller is processing the consumer’s personal data; and
    • access the consumer’s personal data.
  2. Right to Deletion
    A consumer has the right to delete the consumer’s personal data that the consumer provided to the controller.
  3. Right to Data Portability
    A consumer has the right to obtain a copy of the consumer’s personal data, that the consumer previously provided to the controller, in a format that:

    • to the extent technically feasible, is portable;
    • to the extent practicable, is readily usable; and
    • allows the consumer to transmit the data to another controller without impediment, where the processing is carried out by automated means.
  4. Right to Opt-Out
    A consumer has the right to opt out of the processing of the consumer’s personal data for purposes of:

    • targeted advertising; or
    • the sale of personal data.

Obligations of Controllers

  1. Transparency
    A controller shall provide consumers with a reasonably accessible and clear privacy notice.
  2. Security
    A controller shall establish, implement, and maintain reasonable administrative, technical, and physical data security practices to protect the confidentiality and integrity of personal data, and reduce reasonably foreseeable risks of harm to consumers.
  3. Nondiscrimination
    A controller may not discriminate against a consumer for exercising a right by denying a good or service to the consumer or charging the consumer a different price.
  4. Responding to consumer requests
    Unless an exception applies, controllers are obligated to respond to a consumer’s request within 45 days.

How does Mandatly help you achieve Utah's UCPA compliance?

Mandatly’s UCPA compliance solution goes above and beyond automation and includes comprehensive privacy risk management features that enable you to make effective business decisions and eliminate privacy risks.

  • Consumer Rights: End-to-end DSAR fulfillment solution with automated identity verification and data discovery to fulfill the consumer request timely, securely, and efficiently.
  • Data Inventory and Mapping: Maintain your data sources and map data flows to meet the UCPA "Lookback" requirements.
  • Privacy Assessments: Bundled with intelligence to uncover and assess privacy risks that your business can be exposed to.
  • Privacy Notices: Generate privacy notices for your website or applications to keep your customers informed about how their Personal Information is collected, processed, and shared.
  • Do not sell my information: Enables customers to opt out of the cookie-based and non-cookie-based sale of personal information.
  • Analytics: Reporting features are built into the system to get a holistic view of the compliance program for different stakeholders.
