Utah has taken a significant step in the world of consumer privacy by becoming the fourth state in the United States to introduce an innovative privacy law, which will take effect on December 31, 2023.
The Utah Consumer Privacy Act shares similarities with Colorado’s Consumer Privacy Act and takes inspiration from Virginia’s Consumer Data Protection Act. However, it distinguishes itself as a more business-friendly and streamlined approach to consumer privacy regulation.
This guide will offer a comprehensive look at Utah’s consumer privacy provisions and principles, how they affect businesses, and how to effectively and safely navigate the new compliance standards.
- The UCPA offers robust data privacy protection, taking inspiration from other state laws.
- UCPA grants consumers data control rights and obliges businesses to safeguard data and respect consumer requests.
- UCPA sets unique criteria for businesses, which makes it more business-friendly compared to other data privacy laws in the US and GDPR globally.
What Is the Utah Consumer Privacy Act (UCPA)?
The Utah Consumer Privacy Act (UCPA), signed into law on March 24, 2022, safeguards the data privacy of Utah residents by granting them certain rights to manage how their data is handled in specific scenarios.
Under this new privacy legislation, consumers can determine if their data is being processed, opt out of data processing, obtain copies, and instruct you to stop using their data. Granting them these essential rights to control their data aligns with the growing demand for individual data privacy and protection.
The UCPA also sets clear data privacy obligations for businesses operating within the state, particularly those handling the data of its residents. If you fall under the UCPA, you must ensure data protection, provide transparent information about how personal data is utilized, accept and act upon consumer requests about their rights under the law, and maintain data protection assessments.
What Are the General Definitions of the UCPA?
Some of the general definitions of the UCPA are as follows:
- Consumer: A Utah resident acting in an individual or household context.
- Personal data: Any information linked or reasonably linkable to an identified or identifiable consumer or any data the consumer provided.
- Sensitive personal data: Personal data under the UCPA that reveals racial or ethnic origin, religious or philosophical beliefs, genetic or biometric data, mental or physical health information, sexual orientation, citizenship or immigration status, and precise geolocation.
- Deidentified data: Personal data that cannot reasonably identify, relate to, describe, be capable of being associated with, or be linked, directly or indirectly, to a particular consumer.
- Consent: This is the consumer’s clear and straightforward agreement to let their personal data be processed, which they express freely and knowingly through a statement or by taking a clear action that shows their approval.
- Controller: A business determining the purposes and means of processing personal data.
- Process: Any operation or set of operations performed on personal data or sets of personal data, whether or not by automated means.
- Processor: A business that processes personal data on behalf of a controller.
- Targeted advertising: Displaying ads or marketing materials to a consumer based on personal data gathered from their online activity across different websites or apps, in order to predict the consumer's preferences or interests.
Who Does the UCPA Apply To?
The UCPA applies to you if you are engaged in business activities within Utah or offering products or services targeted at Utah residents. To fall under the UCPA’s scope, you must meet specific criteria, including having an annual revenue of $25,000,000 or more, along with one of the following conditions:
- You control or process the personal data of 100,000 or more consumers annually.
- You derive over 50% of your gross revenue from the sale of personal data while controlling or processing the personal data of 25,000 or more consumers.
Even if you are not physically based in Utah, if you meet the specified revenue and data processing criteria while engaging with consumers from this state, consider complying with this law.
Key Principles and Provisions of UCPA
The UCPA introduces rules and guidelines to protect the privacy of Utah residents’ personal data in the digital age. Here are some of the key principles and provisions of this important law:
The UCPA grants Utah residents the right to access, correct, and delete certain personal data. It also gives them the right to opt out of the collection and use of their personal data for certain purposes.
Under Utah’s Consumer Privacy Act, you are required to safeguard personal data, provide clear information to consumers regarding how their personal data is used, accept consumer requests to exercise their rights under this bill, and comply with those requests.
As a controller, your responsibilities include transparency, purpose specification, and data minimization. Additionally, you must secure proper consent for secondary use, ensure robust security measures, avoid discrimination and retaliation, and uphold the nonwaiver of consumer rights.
Controller’s Response to Requests
A controller that handles data must follow a consumer’s request to exercise their rights as long as it aligns with the law. If you are a controller, within 45 days of getting a request, you should:
- Take action based on the request.
- Let the consumer know what you did in response to the request.
If the request is complicated or there are many similar requests, you can take up to 90 days (45 days plus another 45 days) to respond. However, you must tell the consumer about the extension and explain why it’s needed.
If you have reason to believe a request is fraudulent and cannot verify it within 45 days, the 45-day time limit does not apply.
If you process data on behalf of another company (the controller that owns the data), you must follow that controller’s instructions. You should use appropriate technical and organizational measures to help the controller meet its data protection duties, such as keeping data secure and reporting security breaches.
You both need to sign a contract before you work with the controller’s data. This contract must mention how data will be handled, why it’s being processed, what kind of data it is, how long it will be processed, and what each party is responsible for.
In addition, you must also make sure that anyone handling the data keeps it confidential. If you hire another company to help, that company must also follow these rules in a written contract.
PRO TIP: Consider developing a comprehensive incident response plan that outlines steps to take in case of a data breach. A well-prepared response can minimize damage and demonstrate commitment to data security.
The UCPA provides exemptions for certain types of data and organizations. For example, it does not apply to personal data collected from job applicants, employees, contractors, or agents of a business for employment purposes.
It also does not apply to personal data regulated by certain federal laws, such as the Gramm-Leach-Bliley Act (GLBA) or the Health Insurance Portability and Accountability Act (HIPAA).
What Are the Data Subject Rights Under the UCPA?
Let’s discuss the essential rights granted to individuals under the UCPA. These rights give your consumers significant control over how you handle their personal information.
Right to Access
This right allows your consumers to request comprehensive information about the personal data you have collected concerning them. It means they can ask for details on the types of data gathered and the specific pieces of information held.
This means that you must be prepared to provide customers with a clear breakdown of the data you’ve collected, including purchase histories, contact information, or browsing habits.
For example, suppose you are an e-commerce platform that receives an access request from a long-time customer. The customer requests a copy of their personal data and wants to know which product categories they have frequently browsed and purchased in the past. Being able to fulfill this request promptly and accurately demonstrates your transparency and respect for your customer’s data rights.
Right to Deletion
The right to deletion enables consumers to request the removal of their data from your records, with some exceptions. You should have processes in place to honor these requests promptly.
Imagine a situation where an online subscription service user decides to cancel their account. The user invokes their right to deletion, requesting that all their personal data, including account details and preferences, be permanently deleted.
Complying with such a request ensures that the user’s data is not retained unnecessarily and aligns with data privacy principles.
PRO TIP: To prevent unauthorized requests, consider implementing verification procedures to confirm the identity of the individual submitting any kind of request.
Right to Portability
Portability means consumers can request their personal data in a format that allows them to transfer it to another controller or service provider. You must be capable of providing data in a structured, commonly used, and machine-readable format.
For example, a customer of your online cloud storage service decides to switch to a different provider. They exercise their portability right to receive their stored data in a format compatible with the new service, which helps make the transition seamless for the user.
Right to Opt-Out of Certain Processing
Consumers can opt out of having their personal data used for specific purposes, such as targeted advertising or the sale of their data. If you are engaged in data-driven marketing, you must respect these opt-out preferences.
If you run an online retail website and a visitor prefers not to receive personalized product recommendations based on their browsing history, you should offer a clear and easily accessible option to opt out of such recommendations. This gives your users control over how their data is used for marketing purposes.
When you respect these data subject rights, you are safeguarding consumer privacy and setting the standard for responsible data handling, all of which helps you build trust and credibility.
How Can Businesses Comply With the UCPA?
If you want to effectively meet your obligations with the UCPA, here are some practical steps to consider:
- Provide Transparent Notices: Ensure that your communications with consumers about your privacy practices are straightforward and brief. People should be able to grasp how their data is handled without confusion through a clear privacy notice.
- Handle Consumer Requests: Implement processes for addressing requests related to consumers’ personal data. This includes requests for access to data, corrections, deletions, or transfer of data to another service. Be ready to respond promptly and efficiently to any such request.
- Regular Data Safeguard Reviews: Regularly assess your data protection procedures and physical data security practices. This involves identifying and minimizing any potential risks connected to personal data processed and handled in your company.
- Employee Training: Train your employees on managing personal data and on supervising controller and processor activities in alignment with the UCPA. Your team must understand and comply with this state privacy law’s requirements for data handling and privacy.
- Data Minimization: You should only collect and process personal data necessary for your legitimate business purposes. You should avoid collecting sensitive data unless necessary for a specific purpose.
- Security Measures: You should implement appropriate technical and organizational measures to protect personal data from unauthorized access, disclosure, or destruction. These measures may include encryption, access controls, and regular security assessments.
- Third-party Contracts: If you share personal data with third-party service providers, you should ensure that these providers are contractually obligated to comply with the UCPA.
- Record Keeping: Maintain records of your data protection assessments, consumer requests, and other compliance activities. This can help you avoid penalties and ensure trust with your customers.
Who Enforces the UCPA?
The UCPA is enforced by the Utah Attorney General, who has the exclusive authority to ensure you follow the UCPA rules. When you don’t follow the law, the Attorney General will notify you in writing and allow you 30 days to fix the problem.
If there are consumer complaints about the UCPA, the Utah Division of Consumer Protection can look into them and pass them on to the Attorney General. However, the Attorney General is the only one who can enforce the law.
What Are the Penalties for Violating the UCPA?
If you fail to address alleged violations of the UCPA within the 30-day cure period, the Attorney General can step in. They have the power to seek compensation for the affected consumers. This compensation might cover the actual damages to the consumer and could lead to fines going up to $7,500 per violation.
Now, what happens to the money from these actions? It goes into a special Consumer Privacy Account, and there are rules on how this money can be used. The funds in this account can be used for a few specific things, including:
- Paying the expenses of investigations conducted by the Division of Consumer Protection into complaints from consumers who believe the UCPA has been violated.
- Recovering the Attorney General’s legal costs incurred in enforcing this comprehensive privacy legislation.
- Supporting programs that educate you and your consumers about your rights and duties under the UCPA. These programs teach consumers what they can do under the UCPA and teach businesses how to comply with this consumer privacy legislation.
How Does the UCPA Compare to Other Data Privacy Laws?
The UCPA shares some similarities with other US data privacy laws like the Colorado Privacy Act (CPA), California Consumer Privacy Act (CCPA), and the Virginia Consumer Data Protection Act (VCDPA). All of these laws give your consumers certain rights over their personal information. However, a few of the UCPA’s requirements are unique:
- The UCPA applies to you if you make over $25 million annually.
- You must follow it if you do business in Utah or cater to Utah residents.
- You must control or process the personal data of at least 100,000 Utah consumers annually, or derive over half of your gross revenue from selling personal data while controlling or processing the personal data of at least 25,000 Utah consumers.
The UCPA is slightly more relaxed than the CPA, CCPA, and CDPA. Unlike those three, the UCPA does not require businesses to conduct a risk assessment for certain data processing activities, which makes it more business-friendly.
Looking at it globally, the UCPA shares some similarities with the European Union’s General Data Protection Regulation (GDPR). Both require businesses to give consumers rights over their info.
However, the GDPR applies to any business handling the personal data of EU residents, no matter where the business is located. In contrast, the UCPA only covers businesses that operate in Utah or offer products or services to Utah residents.
Frequently Asked Questions
What is the Utah Consumer Privacy Act (UCPA)?
The UCPA protects the data privacy rights of Utah consumers, allowing them to manage how their data is used.
Who does the UCPA apply to?
It applies to businesses operating in Utah or serving Utah residents if specific criteria are met.
What are the key principles of UCPA?
UCPA emphasizes consumer rights and business responsibilities, like data protection, transparency, and avoiding discrimination.
What are data subject rights under UCPA?
The UCPA gives consumers rights such as access to their data, deletion, portability, and opting out of certain processing.
How can businesses comply with UCPA?
Businesses can comply by providing transparent privacy notices, handling consumer requests, regularly reviewing data safeguards, training employees, minimizing the data they collect, implementing security measures, contractually binding third-party providers, and keeping records of compliance activities.
Who enforces UCPA?
The Utah Attorney General enforces UCPA and gives a 30-day cure period for violations.
What are the penalties for UCPA violations?
Fines can reach $7,500 per violation for anyone subject to the UCPA, and the funds go to the Consumer Privacy Account.