Blog

The new Utah data privacy law: what you need to know

Elena Morin, Director of Marketing
April 25, 2022

Did you have Utah on your US state privacy patchwork bingo card? Probably not! But the Beehive State is indeed the latest state to enact a data privacy law, following Colorado and Virginia, to pass a privacy law. Read on for the main takeaways on UCPA.

What is Utah’s new privacy law? 

In March 2022, the Utah Consumer Privacy Act (UCPA) was signed into law. It’s based very heavily on the Virginia law, providing the core consumer rights of deletion, access, portability, and opt-out of data sale to third parties, including use in targeted ads.

When does the UCPA go into effect? 

It goes into effect almost a year after the Virginia law, on December 31, 2023. 

How is it similar to the California, Virginia, and Colorado privacy laws? 

Like the existing US privacy laws, including the California Consumer Privacy Act (CCPA), it is primarily an opt-out law.

Unlike those other laws, it does not require opt-in consent for the processing of sensitive data – instead requiring a clear notice and opportunity to opt out to be presented before sensitive data is processed. If it concerns a known child, COPPA applies and parental consent is required.

So Utah will require opt-outs for targeted advertising?

Yes, it requires data controllers to provide a means for consumers to request the opt out of processing for purposes of targeted advertising or sale.

How does Utah define targeted advertising? 

It defines targeted advertising as ads based on data about people’s activities across nonaffiliated websites or apps. It specifically excludes ads based on a controller’s own first-party consumer data. 

Does Utah have a provision that requires recognition of global opt-outs? 

Not currently.

How is the Utah privacy law going to impact the advertising industry? 

UCPA will reinforce the need for privacy compliance in the industry, and has reawakened calls for federal law. Since the Utah law is slightly less stringent than some of the other state laws, companies may choose to adjust their practices to the stricter laws, rather than the Utah law.

How will the Utah data privacy law be enforced? What do the penalties look like? 

It will be enforced by the Office of the Attorney General of Utah. Violators must be given notice of violation and a 30-day period to cure. If the violation continues past the cure period, the AG’s office may recover actual damages to the consumer plus $7,500 per violation in fees. 

What types of businesses does UCPA apply to?

UCPA is the narrowest US state privacy law so far: UCPA applies only to for-profit controllers or processors that: 

1) do business in the state (or target products or services to residents in the state); 

2) earn at least $25M in annual revenue and 

3) either a) control or process personal data of 100K+ consumers in calendar year; 

or b) derive more than 50% of gross income from selling personal data and control or process data of 25K or more consumers

How will Sourcepoint and its clients need to adapt to comply with the Utah law?

Compliance with the Utah law should be covered by the same mechanisms as needed for the California laws, but with tweaks in language to make it clear it’s applicable to Utah residents. Potentially, the UCPA requires different geotargeting of opt-out messages.

Latest Blog Posts

FTC and Sensitive Location Data; New Pen Register Class Actions

December 9, 2024

FTC takes action against the sale of sensitive data...

California CPPA Issues Notice of Proposed Rulemaking

November 25, 2024

News out of California this week. The CPPA moved...

Mitigating risk under the Video Privacy Protection Act (VPPA)

November 23, 2024

Because VPPA is just one of many tools being...

Latest White Papers

E-book: Enterprise Guide To Cookie management & Tracker List Curation

July 1, 2024

How to review the tracking tech on your websites...

Benchmark Report: US Privacy Compliance

August 19, 2022

The current state of publisher compliance with CCPA, and...

Keep in touch

Sign up for our newsletter to keep up with privacy news for adtech and martech,
plus occasional company news.

Let's explore what we can do together.

We'll be in touch within 48 hours

[contact-form-7 id="593" title="Schedule a Demo"]