The new Utah data privacy law: what you need to know
April 25, 2022
Did you have Utah on your US state privacy patchwork bingo card? Probably not! But the Beehive State is indeed the latest state to enact a data privacy law, following Colorado and Virginia, to pass a privacy law. Read on for the main takeaways on UCPA.
What is Utah’s new privacy law?
In March 2022, the Utah Consumer Privacy Act (UCPA) was signed into law. It’s based very heavily on the Virginia law, providing the core consumer rights of deletion, access, portability, and opt-out of data sale to third parties, including use in targeted ads.
When does the UCPA go into effect?
It goes into effect almost a year after the Virginia law, on December 31, 2023.
How is it similar to the California, Virginia, and Colorado privacy laws?
Like the existing US privacy laws, including the California Consumer Privacy Act (CCPA), it is primarily an opt-out law.
Unlike those other laws, it does not require opt-in consent for the processing of sensitive data – instead requiring a clear notice and opportunity to opt out to be presented before sensitive data is processed. If it concerns a known child, COPPA applies and parental consent is required.
So Utah will require opt-outs for targeted advertising?
Yes, it requires data controllers to provide a means for consumers to request the opt out of processing for purposes of targeted advertising or sale.
How does Utah define targeted advertising?
It defines targeted advertising as ads based on data about people’s activities across nonaffiliated websites or apps. It specifically excludes ads based on a controller’s own first-party consumer data.
Does Utah have a provision that requires recognition of global opt-outs?
How is the Utah privacy law going to impact the advertising industry?
UCPA will reinforce the need for privacy compliance in the industry, and has reawakened calls for federal law. Since the Utah law is slightly less stringent than some of the other state laws, companies may choose to adjust their practices to the stricter laws, rather than the Utah law.
How will the Utah data privacy law be enforced? What do the penalties look like?
It will be enforced by the Office of the Attorney General of Utah. Violators must be given notice of violation and a 30-day period to cure. If the violation continues past the cure period, the AG’s office may recover actual damages to the consumer plus $7,500 per violation in fees.
What types of businesses does UCPA apply to?
UCPA is the narrowest US state privacy law so far: UCPA applies only to for-profit controllers or processors that:
1) do business in the state (or target products or services to residents in the state);
2) earn at least $25M in annual revenue and
3) either a) control or process personal data of 100K+ consumers in calendar year;
or b) derive more than 50% of gross income from selling personal data and control or process data of 25K or more consumers
How will Sourcepoint and its clients need to adapt to comply with the Utah law?
Compliance with the Utah law should be covered by the same mechanisms as needed for the California laws, but with tweaks in language to make it clear it’s applicable to Utah residents. Potentially, the UCPA requires different geotargeting of opt-out messages.
Latest Blog Posts
A memorandum from the California Privacy Protection Agency (CPPA) staff proposes...
The ICO previously made an announcement on its website warning that...
Publisher Collective recognised the importance of collecting consent in...
Latest White Papers
The current state of publisher compliance with CCPA, and...
How to review your vendor list to mitigate compliance...
Keep in touch
Sign up for our newsletter to keep up with privacy news for adtech and martech,
plus occasional company news.