Utah became the fourth US state to enact comprehensive consumer privacy legislation when Governor Spencer Cox signed the Utah Consumer Privacy Act (UCPA) into law on March 24, 2022. This significant step in data privacy regulation marked Utah’s commitment to protecting the privacy of its residents’ personal data. The UCPA introduced measures similar to and distinct from the consumer privacy laws of California, Virginia, and other states.
The UCPA set an effective date of December 31, 2023, giving businesses time to prepare for compliance with its provisions, which include giving consumers greater control over their personal data, restrictions on processing personal data for targeted advertising, and mechanisms to investigate and address consumer complaints related to data privacy violations.
What are consumer rights under the UCPA?
Consumer rights under the Utah Consumer Privacy Act (UCPA) encompass several key provisions aimed at safeguarding the privacy of Utah residents’ personal data:
Right to know: Consumers have the right to know what personal information businesses are collecting about them.
Right to access: Consumers can request access to their personal data held by businesses, allowing them to review and verify the accuracy of their information.
Right to deletion: Consumers have the right to request the deletion of their personal data by businesses, subject to certain exceptions.
Right to opt-out: Under the UCPA, consumers can opt out of the sale of their personal information, and businesses are prohibited from selling personal data without consent.
Right to non-discrimination: Businesses cannot discriminate against consumers who exercise their privacy rights under the UCPA. This means consumers should not face adverse treatment for asserting their privacy rights.
Right to data portability: Utah residents can request their personal data in a portable format, allowing them to transfer it to other services or entities as needed.
Right to rectification: Consumers can request corrections to inaccuracies in their personal data held by businesses.
Right to limit data processing: Consumers can limit the processing of their personal data in certain circumstances, such as when the data is inaccurate or unlawfully processed.
Right to an express written statement: Businesses must provide consumers with a clear and express written statement of their data processing practices.
Who does the UCPA impact?
The Utah Consumer Privacy Act (UCPA) impacts various entities involved in data processing and business operations in the state of Utah.
Companies doing business in Utah
The UCPA applies to businesses that conduct business in Utah or produce products or services targeted to Utah residents. This means that both in-state and out-of-state businesses that interact with Utah residents are subject to the UCPA’s provisions.
Companies collecting and processing personal data
The UCPA places obligations on companies that control or process consumers’ personal data. This includes businesses that collect, store, use, or share personal information of Utah residents.
The UCPA is designed to protect the data privacy and rights of Utah residents acting in an individual or household context. It grants consumers rights and control over their personal data, including the right to know, access, delete, and opt out of the sale of their information, among other rights.
Covered entities refer to businesses or organizations that handle consumers’ personal data, and they are mandated to safeguard that data and provide clear information about data processing practices.
Entities with consumer data
Entities that derive over 50% of their annual revenue from the sale of personal data and have data on 25,000 or more consumers fall under the UCPA’s scope. These entities are subject to specific requirements and regulations regarding data privacy.
What are the UCPA requirements for businesses?
The Utah Consumer Privacy Act (UCPA) imposes several requirements on businesses operating in the state of Utah to ensure the protection of consumer privacy and data. Here are the key UCPA requirements for businesses:
Data transparency: Businesses must provide clear and accessible information about their data processing practices, including what personal information they collect, the purposes for which it is used, and how consumers can exercise their rights under the UCPA.
Consumer rights: Businesses must respect consumers’ rights, which include the right to know what personal information is collected, the right to access and correct their data, and the right to opt out of the sale of their personal information.
Data security: Businesses must implement reasonable security measures to protect the personal information they collect and maintain. This includes safeguards against data breaches and unauthorized access.
Consumer consent: The UCPA requires businesses to obtain consumer consent before collecting and processing sensitive personal information. This consent should be informed and obtained through clear and transparent methods.
Data portability: Upon request, businesses must provide consumers with their personal data in a format that is readily usable and transferable to other services, promoting data portability.
Data deletion: Businesses should honor consumer requests to delete their personal information unless certain exceptions apply. Data deletion should be done in a secure and complete manner.
Compliance planning: Companies need to develop a compliance plan to ensure they meet the UCPA’s requirements. This may involve appointing a designated person responsible for compliance and conducting regular assessments.
Effective date: The UCPA goes into effect on December 31, 2023, giving businesses time to prepare for compliance and ensure they meet the necessary requirements.
Obligations of controllers and processors
Under the Utah Consumer Privacy Act (UCPA), both controllers and processors have specific obligations to ensure the protection of consumers’ personal data.
Obligations of controllers
Compliance with UCPA: Controllers, defined as individuals or entities doing business in the state of Utah that determine the purposes and means of processing personal data, must comply with the provisions of the UCPA.
Consumer rights: Controllers are responsible for ensuring that the rights of Utah consumers, as outlined in the UCPA, are respected and upheld. These rights include the right to access, delete, and port their personal data.
Data protection assessments: Controllers may be required to conduct data protection assessments, especially when processing personal data that involves higher risks to consumers. These assessments are designed to evaluate and mitigate potential risks associated with data processing activities.
Contracts with processors: Controllers are obligated to have contracts in place with processors when sharing personal data. These contracts should include specific provisions regarding data protection and security, ensuring that processors handle personal data in compliance with UCPA requirements.
Obligations of processors
Compliance with UCPA: Processors, which are entities that process personal data on behalf of controllers, are also subject to the UCPA’s requirements and must comply with its provisions.
Data security: Processors have an obligation to implement and maintain reasonable administrative, technical, and physical measures to protect personal data from unauthorized access or disclosure. This includes measures to safeguard the confidentiality, integrity, and availability of the data.
Assisting controllers: Processors must assist controllers in meeting their obligations under UCPA. This includes responding to consumer requests, cooperating in data protection assessments, and complying with contractual obligations regarding data processing.
Contracts with controllers: Processors must have contracts in place with controllers that outline the terms and conditions of data processing and specify the security measures to be implemented. These contracts help ensure compliance with UCPA requirements.
Why is the UCPA considered relatively business-friendly?
The Utah Consumer Privacy Act (UCPA) is business-friendly compared to other data privacy laws due to several key factors. Firstly, it has a narrower scope than laws like the California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA), excluding smaller businesses and those in commercial or employment contexts. This reduces compliance burdens for smaller entities. Secondly, the UCPA includes an annual revenue threshold, applying primarily to larger businesses. Small businesses are generally exempt, reducing the compliance impact on them.
Thirdly, the UCPA provides exemptions for entities like higher education institutions, nonprofits, and covered entities, further reducing the number of organizations subject to its provisions. Overall, the UCPA strikes a balance between consumer protection and business interests, avoiding excessive compliance burdens and providing a transitional period for businesses to prepare. Its effective date is set for December 31, 2023, allowing organizations time to understand and adjust to the requirements, making compliance smoother.
Regulatory enforcement under the Utah Consumer Privacy Act (UCPA) primarily begins with complaints and reports from individuals or consumers who believe their privacy rights have been violated by businesses covered by the UCPA. These complaints trigger investigations by the Utah Attorney General’s office to determine if businesses are complying with the UCPA. Investigations encompass a review of privacy policies, data handling practices, and relevant documentation to assess if consumer data is being protected in accordance with the law.
When violations are detected during these investigations, the Utah Attorney General’s office has the authority to impose penalties and remedies, including fines, sanctions, or orders for non-compliant entities to rectify their practices. Notably, the UCPA allows penalties of up to $7,500 per violation, emphasizing the importance of compliance for businesses. In some cases, businesses found in violation may collaborate with the Utah Attorney General’s office to address issues and achieve compliance. This cooperative approach may involve implementing corrective actions and adjusting data handling practices to meet UCPA standards.
Continual monitoring is another aspect of regulatory enforcement, ensuring that businesses maintain UCPA compliance even after corrective measures have been taken. This may involve periodic audits or assessments to verify ongoing privacy protections and data handling in line with the law.
Furthermore, regulatory authorities, including the Utah Attorney General’s office, actively promote awareness of the UCPA among consumers and businesses. They educate stakeholders about their rights and responsibilities under the law, fostering a culture of privacy compliance and emphasizing the significance of data protection.
Differences between UCPA and other state privacy laws
The Utah Consumer Privacy Act (UCPA) has several differences compared to other state privacy laws, such as the California Consumer Privacy Act (CCPA) and the Virginia Consumer Data Protection Act (VCDPA).
Scope and applicability: UCPA has a narrower scope in terms of which businesses it applies to. It applies to businesses with an annual revenue of $25 million or more, those that collect or process personal data of 100,000 or more consumers, or those that derive 50% or more of their revenue from selling personal data. In contrast, CCPA applies to businesses with annual gross revenue of $25 million or more, while VCDPA applies to entities that process personal data of at least 100,000 consumers or derive 50% of their revenue from selling personal data.
Definition of “consumer”: UCPA defines a “consumer” more narrowly by excluding individuals acting in a commercial or employment context from the definition. This exclusion is not present in CCPA or VCDPA.
Exemptions: UCPA includes exemptions for institutions of higher education and nonprofits, which are not present in CCPA or VCDPA.
Consumer rights: While all these laws grant consumers rights over their personal data, the specific rights and mechanisms may vary. UCPA, CCPA, and VCDPA provide rights such as access, deletion, and data portability, but the details and requirements may differ.
Enforcement and penalties: Each state’s privacy law has its own enforcement mechanisms and penalties. UCPA grants the Utah Attorney General exclusive enforcement authority, while CCPA and VCDPA allow for a private right of action in certain cases. Penalties for non-compliance may also differ.
The Utah Consumer Privacy Act (UCPA) represents a significant step forward in safeguarding the privacy rights of Utah residents. Enacted on March 24, 2022, the UCPA focuses on empowering individuals to control their personal data and holds businesses accountable for data protection. Notably, it strikes a balance between consumer privacy and business interests, distinguishing itself from more comprehensive privacy laws like the California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA).
With its effective date set for December 31, 2023, the UCPA allows businesses a transitional period to prepare for compliance. Overall, the UCPA serves as a model for data privacy legislation that seeks to protect consumer privacy while considering the impact on businesses, promoting a culture of responsible data handling in the digital age.