
What Marketers Need to Know About the Utah Data Privacy Act

By Nathan Eddy
How Utah's UCPA redefines data privacy, favoring businesses with extended compliance time and flexible consent rules.

The Gist

  • Business-friendly rules. UCPA provides businesses with more time to comply.
  • Data usage. Aggregated, de-identified, and public data can be freely used.
  • Consent not required. UCPA doesn't mandate consumer consent for sensitive data processing.

The Utah Consumer Privacy Act (UCPA), signed into law at the end of March 2022, gives businesses more time to ensure that they are complying with the new law and is regarded as among the most business-friendly of consumer data privacy laws going into effect around the country. 

The law has given companies doing business in the state nearly two years to comply, taking effect on Dec. 31, 2023.

As with each state privacy law put into place, specific threshold requirements make companies subject to the UCPA.

Businesses Benefit from UCPA Compliance & IT Adaptation

"Businesses now have the luxury of reading all the stipulations of the law and setting up their operations to meet the standards correctly and adjust their IT systems to address the requirements," said Jeff Sizemore, chief governance officer at Egnyte.

The Act's protection does not include de-identified, aggregated or publicly available information. Aggregated data refers to information only viewable as part of a summary — without information about individual consumers. The raw information is not available.

De-identifying removes personal details from data, so the data becomes generalized and cannot be used to identify an individual. Publicly available information is from open sources, such as a social media profile. 

"While the first two approaches retain some privacy for individuals, they are not foolproof. If you put enough of that information together, it might be possible to single out individuals' information, including their sexual orientation, religious affiliation, or political party preference," Sizemore explained. "However, it is harder for processors to read such data." 


UCPA Enables Marketers to Share Anonymized Consumer Data

He said the UCPA does give marketers the ability to share information gathered from consumers in an anonymous form. He uses the example of aggregating information from a survey: "X percent of individuals in IT roles believe XYZ."

"Publicly available data is sometimes used by marketers to personalize outreach efforts," he said. "For example, they reference an alma mater, hobbies, or location in a cold email."

Sizemore advised marketers to use this information cautiously and still provide the consumer with details on how they gathered it — allowing them to opt out of being included in such lists.

The UCPA also provides a definition for "sensitive data" but, unlike other data privacy laws, it does not require consumer consent for processing such data, which he calls the "big difference" between the UCPA and other data privacy laws.

This means marketers do not need consumers' consent to use their information for targeted advertising or the sale of personal data.

"Marketers can keep to 'business as usual' in a certain sense," Sizemore explained. "While under the law, there still needs to be an opt-out capability in processing the data, there doesn't need to be an active action taken on the consumer's side to approve the use of this data in the forms listed above."


Marketers Navigate UCPA Guidelines for Sensitive Data

Theoretically, this makes it easier for marketers to obtain consumers' information, which can be valuable for campaigns utilizing sensitive data.

Chris Hauk, consumer privacy champion at Pixel Privacy, said marketers will need to be careful in how they handle the processing of "sensitive data," as well as how they use it in their marketing activities.

"Such usage could still be viewed as privacy infringement, resulting in possible legal action," he cautioned. 

To Whom Does UCPA Apply?

He added the UCPA is particularly friendly to businesses making less than $25 million per year, as they are exempt from the Act, as are those that process the personal data of fewer than 100,000 consumers per year.

"This means that there are several organizations that will not be required to deal with many of the regulations," Hauk explained. 

In all, the law applies to a business that:

  • Conducts business in the state, or produces a product or service that is targeted to consumers who are residents of the state
  • Has annual revenue of $25,000,000 or more
  • Satisfies one or more of the following thresholds:
    • During a calendar year, controls or processes personal data of 100,000 or more consumers
    • Derives over 50% of the entity's gross revenue from the sale of personal data and controls or processes personal data of 25,000 or more consumers

UCPA's Data Exceptions: A Concern for Privacy Advocates

Paul Bischoff, consumer privacy advocate at Comparitech, points out the UCPA carves out a lot of exceptions if the purpose of data disclosure is consistent with a user's reasonable expectations.

"The UCPA also doesn't require data controllers to correct data upon request of users, so that's one fewer job for the data controller," he said. 

He added by the time the Act comes into effect, there might be a federal data privacy law that preempts Utah's, which means Utah businesses will be ahead of the curve if a federal privacy law is passed.

"Marketers will have to ensure they comply with users' data requests in a timely manner," he said. "Businesses that collect personal data should assign a data controller to manage these requests."

Sizemore explained an easy first step for marketers is to review where all of their customer data lies. 

"Map your data so you know how it’s used, who in your organization can access it, and any associated risks. Identify potential compliance gaps," he said. "Consider all the personal and sensitive data your organization collects so you truly understand where all this information lies within your ecosystem."

Advised Proactive Steps for UCPA Data Privacy Compliance

He also recommended setting up opt-out provisions for processing sensitive data in any place where consumers might provide you with such information.

"Be prepared with an action plan to respond to consumers’ requests promptly to prevent being hit with hefty fines," he said. "Consistently review your company’s privacy policy to ensure there is content that the UCPA requires."

He added this is not just a job for marketing — customer care, compliance, IT, operations, legal and other teams will need to get involved to ensure that your business is adequately prepared.

Sizemore said businesses need to read the law to understand its impact and the rights that fall to controllers and processors.

"By developing data privacy programs aligned with the strictest of standards like GDPR, UK GDPR, and the CPRA, compliance with 'pro-business' data privacy policies like Utah’s becomes more straightforward," he noted.

About the Author
Nathan Eddy

Nathan is a journalist and documentary filmmaker with over 20 years of experience covering business technology topics such as digital marketing, IT employment trends, and data management innovations. His articles have been featured in CIO magazine, InformationWeek, HealthTech, and numerous other renowned publications. Outside of journalism, Nathan is known for his architectural documentaries and advocacy for urban policy issues. Currently residing in Berlin, he continues to work on upcoming films while contemplating a move to Rome to escape the harsh northern winters and immerse himself in the world's finest art.

Main image: Jared on Adobe Stock Photo