The Utah Consumer Privacy Act (UCPA): How to Stay Compliant
As of March 24, 2022, Utah became the 4th state to pass a comprehensive state privacy law regarding users’ data privacy. The three other states that previously passed such laws are California, Colorado, and Virginia. The UCPA will take effect on December 31, 2023, giving organizations doing business in the state some time to comply. The act includes a set of provisions that will affect businesses. Read on to learn more about the UCPA.
The UCPA explained
The Utah Consumer Privacy Act is a 22-page bill that contains requirements for how businesses must handle personal data and gives Utah citizens some consumer rights. The goal of the UCPA is to protect the data privacy of Utah data subjects by giving them consumer rights to control how data controllers use their personal information. Companies that process personal data are expected to comply with the demands laid out by this bill.
Scope of the UCPA
The UCPA has a narrower scope than other states’ laws, primarily because it has several applicability requirements that are not found in other states’ user privacy acts. It applies to professional and commercial businesses that:
- Conduct business in Utah or target their products or services towards Utah residents.
- Have at least $25 million in annual revenue.
- Control or process personal information of at least 100,000 data users or, at the minimum, 25,000 consumers if 50% of their revenue comes from the sale of personal data.
The UCPA exempts certain entities like organizations regulated by the Gramm Leach Bliley Act (GLBA) and the Health Insurance Portability and Accountability Act (HIPAA). Higher education institutions, nonprofit organizations, and agencies under the Fair Credit Reporting Act (FCRA) are not subject to the Utah Consumer Privacy Act.
Consumers under the UCPA
Under the regulation, not everybody is considered a consumer. Instead, consumers are data users who are Utah residents and act in an individual or household context. The UCPA excludes people who are acting in a commercial or employment context.
Data subject rights under the UCPA
The UCPA grants the following rights to consumers:
Right to access
Data users have the right to request access to their personal information possessed by data controllers or processors.
Right to delete
The UCPA creates a framework for data subject requests (DSRs), so consumers can request data controllers to delete their personal data. The regulation stands out compared to other state privacy laws because it only allows data subjects to delete information they provided themselves.
Right to data portability
Consumers can get a copy of their personal information in a portable format and also transmit the data to another data controller.
Right to opt-out
Data users have the right to opt-out of the processing of sensitive personal information, the sale of personal data, and targeted advertising.
Response time to DSRs
Controllers must act on a data subject request within 45 days following the day the request was received. Requests shall be fulfilled by controllers, and they must also inform consumers about any measures taken.
If a controller can't process a request within 45 days due to the volume of requests it receives or due to the intricacy of the DSR, a 45-day extension can be granted. In cases where the time period gets extended, the controller must notify the consumer about the extension and let them know the reason for it.
Users’ consent under the UCPA
The UCPA is different from the CPA and VCDPA in that an individual's consent is automatically assumed through an opt-out consent logic, as opposed to needing to opt-in to consent. Consent is implicitly granted under this privacy legislation. Entities can collect consumers’ personal data legally until they actively opt out.
The UCPA requires controllers to notify consumers and provide an opt-out consent banner so those who don't want their sensitive data processed can choose to opt out. They must allow consumers to opt out of the processing, selling, or sharing of their personal data.
However, if an entity is looking to collect data from minors, the UCPA requires an opt-in before any data collection. If a child's data is also being processed, consent should be properly obtained from their parent or guardian.
The UCPA will be enforced by the state's attorney general, with a 30-day cure period after a violation notice.
The UCPA gives the Utah Division of Consumer Protection (DCP) permission to set up a system that can receive complaints from consumers, and they can also investigate these complaints if needed. If the Division of Consumer Protection investigates and finds an entity at fault, it may refer the case to the attorney general for prosecution.
Individuals are not legally entitled to enforce their consumer protection rights as the UCPA has no private right of action.
Penalties for non-compliance with the UCPA
If a controller violates the law, the business will be given a 30-day cure period to comply with the regulation.
The company risks a penalty of up to $7,500 per violation and will be liable for any damages incurred by the data subject as a result of the breach of the law.
What businesses should consider
The Utah Consumer Privacy Act demands that businesses establish security practices to protect personal consumer data. It requires controllers to provide their customers with information about how they process their personal data and present them with the option to opt-out. Additionally, consumers can submit requests to see who has their personal information.
If your business is subject to the Utah Consumer Privacy Act, you’ll need to take a few crucial steps before the law goes into effect.
- Provide your customers with the relevant information they need to exercise their rights. The following information must be included in the updated privacy notice:
  - The reason for which the data is processed
  - The types of personal information processed
  - How data subjects can opt out of using their data for targeted advertising or of transferring their personal information to a third party
  - Third parties who may receive user data if they don’t opt out
- Self-serve options are a key part of the customer experience. These should be provided in your policy. Incorporate links that connect customers to your privacy request center and your consent manager. In case you don’t currently have a privacy center for consumers to make privacy requests (DSRs), consider getting one, and make sure to provide information on how data subjects can access their personal information and an overview of what will take place afterward.
- Check your contracts involving consumer data processing to ensure they comply with the law
- Make sure you have the proper security practices in place to protect user data
- Include a process to authenticate and respond to consumer requests about how their data is used
- Implement data privacy management technologies like Mine PrivacyOps to automate and manage your privacy workflow
With Mine PrivacyOps, you can avoid data privacy issues and reputation damage and ensure compliance with the UCPA and other regulations.