Which Businesses Must Comply with Utah's Privacy Law?

Compared to other data privacy laws, the Utah Consumer Privacy Act (UCPA) is narrower in scope. A for-profit business must comply with the UCPA if it meets all three of the following criteria:

  1. It does business in the state of Utah, and
  2. It has at least $25 million in annual revenue, and
  3. Either of the following applies:
    1. It processes the personal data of 100,000 or more Utah residents, OR
    2. It processes the personal data of at least 25,000 Utah residents and derives 50% or more of its revenue from the sale of personal data

Doing Business in the State of Utah

This is the most basic requirement. Having a physical presence in the state counts as doing business there, but so does selling goods or services online to Utah residents.

At Least $25 Million in Annual Revenue

This requirement is unique to the UCPA. It’s worth noting that the $25 million figure refers to all gross revenue, not just revenue from Utah.

Processing Requirements

For businesses that operate online, the 100K-consumer threshold is easier to meet than they may realize. Websites process personal data (IP addresses, cookies, etc.) from each of their visitors. Getting just 8,400 unique visitors from Utah per month will put a business over 100,000 for the year.

Exemptions

The UCPA lists several exemptions for certain types of organizations and personal data. These include:

  • Governmental entities
  • Nonprofit corporations
  • Institutes of higher education
  • Native American tribes
  • Covered entities and business associates, as defined by HIPAA
  • Financial institutions regulated by the Gramm-Leach-Bliley Act