Utah Consumer Privacy Act | The Complete Guide

The US has created a new privacy act for Utah after California, Virginia, and Colorado. Utah has become the fourth privacy rule in America. These local privacy laws have components for international and domestic laws, according to a particular state. Spencer Cox, the attorney general of Utah, signed the Utah Consumer Privacy Act (UCPA) on March 24, 2022. Utah is the most contemporary state in the US to enforce comprehensive privacy legislation. To defend consumers’ data in the trail of ascending situations about data privacy.

UCPA uses the terminologies “Controller” (a person or firm that decides why and how they can gather data from consumers) and “Processor” (a third-party organization that manages personal consumer data on the controller’s behalf). It covers all aspects of good privacy legislation, ensuring a better and wholesome city environment. This blog will furnish insights and explain the attributes of UCPA.

What is UCPA?

what is ucpa

It is a privacy protection law designed for the residents of Utah. To compile, delete, modify, and have access to their personal information available on the sites of different businesses. The VCDPA, particularly, and other state statutes are quite similar to the UCPA. And on December 31, 2023, all companies operating in or providing compliance will go into effect.

In Utah, all companies must fully inform their customers of their data management plans, including the purpose of processing and any third-party recipients. They must publish a privacy notice outlining their goals in relation to customer data.

Enterprises that compile, process, or sell Utah citizens’ confidential data. And reach specified remuneration or data processing measures are subject to the UCPA. The lawmaking particularly affects organisations that: (1) have a gross annual income of around $25 million; (2) formulate, obtain, vend, or disseminate the personal data of at least 100,000 Utah citizens annually; or (3) yield at least 50% of their annual remuneration from the sale of Utah tenants’ personal information.

What Information and Entities Are Exempt from UCPA?

The law exempts certain types of data and entities, including publicly available data, de-identified data, and data subject to the Health Insurance Portability and Accountability Act (HIPPA), the Driver’s Privacy Protection Act (DPPA), and the Family Education Rights and Privacy Act (FERPA). accumulated details about a job, emergency contacts, and benefit administration. The following are excluded entity-by-entity: non-profits, businesses, institutions of higher learning, governments, tribes, airlines, and personal data processed only for domestic or personal use. 

It’s vital to recognize that not all information and institutions are shielded by these exemptions in all situations. To verify if these exclusions apply to your case, it is always preferable to get a legal recommendation or speak with a familiar privacy practitioner. The exemptions may have certain criteria and limits.

What rights does UCPA give to its residents?

Rights for Residents of Utah

Similar to the VCDPA and CPRA, the Utah CPA gives similar rights as compared to Virginia and Colorado. It gives the residents of Colorado the right to delete, change, and the right to optout.

Moreover, they have the right to know what personal information businesses collect about them, as well as the right to non-discrimination. 

It is not limited to only these rights but has multiple additional features that make it reliable. UCPA complies with the Consumer Privacy Rights Act (CPRA) and the General Data Protection Regulation (GDPR). The controller and processor are the ones who deal with the laws in Utah. 

How Controller and Processor Collaborate?

Controllers are entities that define the objectives and methods of processing personal data, while processors are companies that treat personal data on behalf of controllers.

Controllers and processors are bound to work concurrently under the UCPA. In order to ensure that the law’s prerequisites are obeyed. Especially when processing personal data on their behalf, controllers are obligated to guarantee processors adhere to the UCPA’s obligations. This concerns the setting of appropriate contractual clauses that concede with the UCPA’s norms for data security duties, data infringement registration obligations, and limitations on data processing activities.

On the other hand, processors must help controllers comply with the UCPA’s requirements. Among other things, this means giving the controller the data they need to complete their data safeguard commitments. Verifying the security of personal data, and sustaining the controller’s response and notification to data breaches.

The UCPA gov. commands that clauses stating the following should include in contracts between controllers and processors.

  • The length of the processing actions, the kind of personal data implicated, and the processing’s intent.
  • The classifications of data issues, the types of personal data involved, and the controller’s privileges and tasks.
  • The processor’s obligations with regard to security, reporting of data breaches, and data protection.
  • the authority of the controller to examine and judge whether the processor complies with the UCPA.
  • If the processor disobeys the UCPA’s rules, the controller can conclude the consensus.

The UCPA builds a framework for collaboration between controllers and processors to certify the security of personal data and obedience to legal obligations.

Limitations in UCPA 

On May 5, 2021, the Utah Consumer Privacy Act (UCPA), a data privacy legislation, entered into force. Although the legislation gives Utah consumers particular privacy protections, it also has consequential restrictions. Here are a few of the UCPA’s main liabilities:

  • Exemption for undersized businesses: Only firms that handle substantial amounts of personal data or that fall under certain size requirements are subject to the UCPA. The bill exempts small firms with annual sales under $25 million or those that regulate data on fewer than 100,000 Utah townies.
  • Personal information: Compared to several other data privacy laws, the UCPA’s description of “personal information” is more restrictive. It contains data that determine or can pinpoint to Utah citizens but bans some susceptible data categories like health records or biometric information.
  • Limited right to deletion: The UCPA gives patrons a limited right to seek the erasure of their personal information; however, there are a number of constraints on this right. Businesses could save personal data, for instance, in order to fulfil customer requests or comply with legal requirements.
  • Absence of the private right of action: The UCPA does not provide consumers with a private right of action to convey legal action against companies that violate the law, unlike several other data privacy regulations. The office of the Utah Attorney General is in charge of enforcement instead.
  • Lack of preemption: The UCPA does not substitute other state or national data privacy regulations. Therefore establishments doing business in Utah may need to tolerate many different data privacy regulations. Businesses that operate in various states may encounter adherence difficulties as a result of this.

The UCPA is still very pristine legislation. So, it’s paramount to remember that some of these impediments have ability to resolve it in the next updates or mutations.


The Utah Consumer Privacy Act (UCPA) is emerging due to its specifications and the rights it offers to the citizens of Utah. To maintain confidentiality, the controller and processor must enter into a written contract that sets out the details of the processor. Processors get the responsibility to engage sub-processors via an agreement that flows down the processor’s obligations.

Controllers have to post a privacy notice that contains similar disclosures about their personal practices. In contrast to Virginia, controllers in Colorado have to provide customers with notice and an option to opt-out. Before processing their sensitive data. When company continues to generate profit only then Utah privacy legislation is beneficial. Either through selling data or managing or processing the personal information of 25,000 people.

Seers are now embarking on their journey to the U.S. and are in compliance with the privacy standards of this state. Check out the link to see the features and advanced cookie setup for your business.