Stay Compliant: How Utah’s Privacy Regulation Affects Targeted Advertising

The Utah Consumer Privacy Act (UCDPA) goes into effect December 31, 2023. The first determination an organization must make is does the UCDPA apply to you? Here are the general requirements:

A company that conducts business in Utah or produces a product or service that is targeted to consumers in Utah and that:

1. has annual revenue of $25,000,000 or more;
2. and satisfies one or more of the following thresholds:
   • during a calendar year, controls or processes personal data of 100,000 or more consumers; or
   • derives over 50% of the entity’s gross revenue from the sale of personal data and controls or processes personal data of 25,000 or more consumers.

If your org meets these thresholds, then you will have disclosure and opt-out requirements. Let’s explore the opt-out right from targeted advertising, as most of us marketers engage in these activities on our digital properties.

Users have the right to opt out of targeted advertising

Per the regulation, targeted advertising is defined this way:

“Targeted advertising” means displaying an advertisement to a consumer where the advertisement is selected based on personal data obtained from the consumer’s activities over time and across nonaffiliated websites or online applications to predict the consumer’s preferences or interests.”

“Targeted advertising” does not include advertising:

• based on a consumer’s activities within a controller’s website or online application or any affiliated website or online application;
• based on the context of a consumer’s current search query or visit to a website or online application;
• directed to a consumer in response to the consumer’s request for information, product, a service, or feedback; or
• processing personal data solely to measure or report advertising:
• • performance;
  • reach; or
  • frequency.”

As you can see, Utah is carving out an exception for measurement—think Analytics—and any contextual ads delivered on your own properties. The line in the sand is sending an ad to a user on say a news and media website based on the visit to your organization’s website and others. Consider your tech stack, what actions they perform, and how can they be configured or controlled to meet the above requirements. Per Utah’s regulation:

“A consumer has the right to opt out of the processing of the consumer’s personal data for purposes of:

• targeted advertising; or
• the sale of personal data.”

Unlike California and Colorado (two other state privacy laws in effect), Utah is not prescriptive in the mechanism in which users should be able to opt out or the language surrounding it. They plainly state users must be able to per the regulation:

“If a controller sells a consumer’s personal data to one or more third parties or engages in targeted advertising, the controller shall clearly and conspicuously disclose to the consumer the manner in which the consumer may exercise the right to opt out of the:

• sale of the consumer’s personal data;
• or processing for targeted advertising.”

What should my organization do about it?

Always consult with your legal team first before making decisions about the law. Some helpful actions to take when gathering necessary information for that conversation:

1. Audit your tech stack if you have not already! Knowing what platforms are loading on your website, understanding the data they collect, and how they are used is a paramount first understanding which will help your legal team make decisions. If you have not yet gone through this process, it will apply to a multitude of state regulations and those abroad. Did you know the Tag Inspector team offers a Data Governance Audit which helps orgs answer these very questions?
2. The best path forward to meet various state opt-out requirements would be a Consent Management Platform, like OneTrust. Note that Utah mentions nothing about “cookies.” While CMPs control and classify cookies, cookies are the only mechanism in which most tags operate to facilitate “targeted advertising.” Keep in mind the law wants users to have a clear way to specifically opt out of “targeted advertising.” So any such system should be custom configured to only restrict/alter those specific tags defined as “targeted advertising” by Utah, and be clear to the user. Bottom line: your tool to address this should include the language specifically regarding “targeted advertising,” and not generic language surrounding cookies or cookie controls. InfoTrust is experienced in both tag management and CMP configuration for large organizations; we can help!
3. Privacy is not something you achieve one day and it ends there. New laws come and go, platforms can be accidentally misconfigured, and new tags may be added to your website in the future which may fall into the “targeted advertising” category. In this case, the Tag Inspector Governance module can constantly test what platforms are loading on your digital properties, and if they are loading correctly based on user consent. Getting compliant is step 1 (Tag Inspector is here to help with that), and the all-important step 2, staying compliant!