Published:

Updated:

Utah Consumer Privacy Act Compliance Guide

Privacy Policy

Utah Consumer Privacy Act

Photo of author

Donata Stroink-Skillrud

Co-founder and President of Termageddon

Utah Consumer Privacy Act Compliance Guide

On March 25, 2022 Utah became the sixth state to enact a comprehensive privacy law, the Utah Consumer Privacy Act. This law provides new consumer privacy rights to residents of Utah and imposes various privacy obligations upon certain businesses, such as the requirement to have a comprehensive Privacy Policy. This law went into effect on December 31, 2023.

In this compliance guide, we will discuss the following things that you need to know about this new law:

  • Who needs to comply with the Utah Consumer Privacy Act;
  • How the law defines personal data;
  • The privacy rights provided by this law;
  • The Privacy Policy requirements of the Utah Consumer Privacy Act; and
  • Penalties for failure to comply.

Who needs to comply with the Utah Consumer Privacy Act

Privacy laws are created to protect individuals and not businesses and thus can have a very broad application, applying to businesses located outside of the state or country in which the laws were enacted. The Utah Consumer Privacy Act is no exception as it applies to anyone collecting the personal data of Utah residents that does business in Utah or that produces a product or service that is targeted to consumers that are located in Utah and that meet one or more of the following criteria:

  • Has annual revenue of $25,000,000 or more; and
  • Meets one of the following thresholds:
    • During a calendar year, controls or processes the personal data of 100,000 or more Utah residents; or
    • Derives 50% or more of its annual gross revenue from the sale of personal data and controls or processes the personal data of 25,000 or more Utah consumers.

It is important to note that the Utah Consumer Privacy Act exempts nonprofits, meaning that only for-profit businesses will need to comply with this law.

How does the Utah Consumer Privacy Act define personal data?

Since the Utah Consumer Privacy Act applies only to businesses that collect personal data, it is important to define what personal data means under this law. The law defines “personal data” as any information that is linked or reasonably linkable to an identified individual or an identifiable individual. This means that the information commonly collected by business websites such as names, emails, phone numbers, IP addresses or physical addresses would all be considered personal data under this law. If your website collects personal data as defined by this law and meets the criteria above, you will need to comply with this new privacy law.

The privacy rights provided by this new law

The purpose of the Utah Consumer Privacy Act is to protect the privacy of residents of Utah. The law achieves this purpose by providing the following privacy rights to individuals residing in Utah:

  • The right to confirm whether a controller is processing the consumer’s personal data;
  • The right to access the personal data that a controller holds about an individual;
  • The right to delete the personal data;
  • The right to obtain a copy of the personal data in a format that is portable, readily usable, and allows the consumer to transmit the data to another controller without impediment (where technically feasible);
  • The right to opt out of the processing of personal data for the purpose of targeted advertising;
  • The right to opt out of the sale of their personal data.

Upon receipt of a consumer request to exercise their privacy rights, the business must respond to the consumer within 45 days, though this period can be extended by an additional 45 days if needed.

Privacy Policy requirements of the Utah Consumer Privacy Act

If this law applies to you, you will be required to post a Privacy Policy that includes the following disclosures:

  • The categories of personal data that you process;
  • The purposes for which you process that personal data;
  • How consumers can exercise their privacy rights;
  • The categories of personal data that you share with third parties, if any;
  • The categories of third parties, if any, with whom you share personal data;
  • If you sell personal data or engage in targeted advertising, the manner in which consumers may opt out of such use or sales.

If the Utah Consumer Privacy Act applies to you, consider using Termageddon’s Privacy Policy generator, which will automatically update your Privacy Policy with newly required disclosures under this law.

Penalties for failure to comply

The Utah Consumer Privacy Act went into effect on December 31, 2023 and is enforced by the Utah Attorney General. Like other privacy laws, this law imposes heavy penalties for non-compliance, up to $7,500 per violation. In this case, per violation means per website visitor whose privacy rights you infringed upon, meaning that the penalties can compound to a hefty fine.

How Termageddon can help

If you do not currently have a Privacy Policy or do not have a strategy to keep it up to date with changes such as this one, make sure to check out Termageddon’s Privacy Policy generator.

Photo of author
About the Author
Donata Stroink-Skillrud

Donata is the Co-founder and President of Termageddon and a licensed attorney and Certified Information Privacy Professional. She serves as the Vice-Chair of the American Bar Association's ePrivacy Committee and the Chair of the Chicago Chapter of the International Association of Privacy Professionals.

Search the Site
Popular Articles
Browse by Category

Comparing Policy Generators

Cookie Consent Banner

Cookie Policy

Culture

Disclaimer

EULA

How To's

Privacy Policy

Terms of Service

Subscribe for Updates
  • This field is for validation purposes and should be left unchanged.