The Utah Consumer Privacy Act (UCPA) is considered the most business-friendly state privacy law yet. Learn about the main facets of the law so that you are ready to comply when it takes effect.
Utah passed its consumer privacy legislation, the Utah Consumer Privacy Act (UCPA), on March 24, 2022, becoming the fourth state to adopt such a law, after California, Virginia, and Colorado. In many respects the UCPA resembles the California Consumer Privacy Act (CCPA), which we describe in detail in our earlier post Core Aspects of CCPA, as well as its other American counterparts. In substance, however, the UCPA takes a lighter, more business-friendly approach to consumer privacy. Although the law does not take effect until December 31, 2023, companies doing business in Utah should start reassessing how they collect and use consumer personal information now, so that they can adjust their business practices where necessary and comply once the law is in force.
In this article, we highlight the main facets of the UCPA while comparing it to the existing U.S. state data privacy laws.
The UCPA covers private companies operating in Utah. It assigns different responsibilities to data “controllers”, the businesses that determine the purposes and means of processing personal data, and to “processors”, those who process personal data on behalf of a controller. The UCPA applies to any controller or processor that conducts business in Utah or targets products or services to Utah residents, has annual revenue of at least $25 million, and meets one of two further threshold requirements:
Because all of these threshold requirements must be met together, the scope of the UCPA is narrower than that of other state privacy laws such as the CCPA and, especially, its successor, the California Privacy Rights Act (CPRA), which amends the CCPA in 2023. The annual revenue threshold means that smaller entities fall outside the UCPA even if they satisfy the other thresholds. Likewise, larger businesses that meet the revenue threshold do not fall under the law unless they also meet one of the additional thresholds.
“Personal data” under the UCPA is defined as “information that is linked or reasonably linkable to an identified individual or an identifiable individual.” This mirrors the definition of “personal data” in the Virginia Consumer Data Protection Act (VCDPA) and the Colorado Privacy Act (CPA). However, unlike the CCPA/CPRA, the UCPA applies only to consumer data and excludes personal data collected in employment or business-to-business contexts.
The UCPA also does not apply to information that cannot be linked to a consumer, namely de-identified data, aggregated data, and publicly available information. In addition, it does not cover certain information already regulated by federal laws and regulations such as the Health Insurance Portability and Accountability Act (HIPAA), the Fair Credit Reporting Act, and the Driver’s Privacy Protection Act. The UCPA further includes broad entity-based exemptions for businesses covered by the Gramm-Leach-Bliley Act (GLBA), as well as for non-profit entities, colleges and universities, and government bodies.
Under the UCPA, a “consumer” is a resident of the state acting in an individual or household context; the term does not include individuals acting in an employment or commercial capacity. As in the other state laws, the UCPA grants consumers rights over their personal data. These include:
Right to access. Consumers have the right to access the personal data processed about them along with the right to confirm whether the controller is processing their personal data;
Right to delete. Consumers have the right to delete the personal data they provided to the controller. It is important to note that the UCPA, like its Virginia and Colorado counterparts, limits the deletion right to data the consumer personally provided to the controller; it does not extend to personal data the controller obtained from other sources.
Right to data portability. The UCPA grants consumers the right to obtain a copy of the personal data they provided to the controller in a format that, to the extent technically feasible, is portable, practicable, and readily usable, and that allows the consumer to transmit the data to another controller without impediment, where the processing is carried out by automated means.
The right to opt-out. Consumers can also opt out of the processing of their personal data for two purposes, targeted advertising and “sale,” where “sale” means the exchange of personal data for monetary consideration by a controller to a third party. Because the definition is limited to monetary consideration, exchanges of data for other valuable consideration are not “sales” under the UCPA, unlike under the CCPA/CPRA and the CPA. Unlike its counterparts, the UCPA also does not grant a right to opt out of profiling.
The right to non-discrimination. Consumers may not be discriminated against for exercising their data privacy rights. A controller therefore cannot deny goods or services, charge different prices, or provide a different level of quality because a consumer has exercised a right. Different prices, quality, or selections of a good or service may be offered only where the consumer has opted out of targeted advertising or where the offer is related to the consumer’s voluntary participation in a loyalty or rewards program.
To let consumers exercise these rights, controllers must specify one or more means by which consumers can submit a request. The UCPA does not, however, impose further requirements on how those means must be designed, such as requiring that they reflect the ways in which consumers normally interact with the controller.
Beyond responding to the rights discussed above, controllers must meet several affirmative obligations to remain UCPA-compliant. Specifically, the UCPA imposes the following requirements:
Privacy notice. Controllers must provide consumers with accessible and clear privacy notices. The notice should include the categories of personal data processed, the purposes for data processing, a clear explanation of how consumers may exercise their rights, the types of personal data shared with third parties, and the categories of those third parties.
Informing consumers about the right to opt-out. If a controller sells consumers’ personal data to third parties or uses it for targeted advertising, it must clearly and conspicuously disclose how consumers may exercise their opt-out rights.
Practices for handling consumers’ requests. Like its counterparts, the UCPA requires controllers to respond to a consumer’s request within 45 days of receiving it. When reasonably necessary, the controller may extend this period once by a further 45 days because of the complexity of the request or the volume of requests received. A controller is not required to act on a request it reasonably suspects is fraudulent or cannot authenticate. Information must be provided free of charge once per consumer in any twelve-month period; for further requests within that period, the controller may charge a reasonable fee.
Maintaining data security practices. Controllers must establish, implement, and maintain “reasonable administrative, technical, and physical data security practices” designed to protect the confidentiality and integrity of personal data and to reduce reasonably foreseeable risks of harm to consumers arising from its processing. Taking into account the controller’s business size, scope, and type, these practices must be “appropriate for the volume and nature of the personal data at issue.” In practice this is the same flexible, risk-based standard found in the CCPA/CPRA, CPA, and VCDPA: what counts as reasonable depends on what data is held and what harm its exposure would cause.
Limits on collection and use of personal data. Notably, the UCPA does not contain the express data minimization and purpose limitation duties found in the VCDPA and CPA, which require controllers to limit collection of personal data to what is adequate, relevant, and reasonably necessary for the purposes disclosed to the consumer. Controllers subject to those laws, however, will in practice already be applying such limits to Utah consumers’ data.
Rules for protecting sensitive categories. The UCPA has specific requirements for processing “sensitive data,” which includes: (1) personal data that reveals an individual’s racial or ethnic origin, religious beliefs, sexual orientation, citizenship or immigration status, or medical history, mental or physical health condition, or medical treatment or diagnosis by a health care professional; (2) genetic or biometric data processed for the purpose of identifying a specific individual; and (3) specific geolocation data. Before processing such data, the controller must present the consumer with “clear notice and an opportunity to opt out” of the processing, or, where the consumer is a child under the age of 13, process the data in accordance with the federal Children’s Online Privacy Protection Act. This opt-out model is another business-friendly departure from the VCDPA and CPA, which require affirmative opt-in consent before sensitive data may be processed.
It is important to note that, unlike the other state consumer privacy laws, the UCPA does not require businesses to conduct data protection assessments. Businesses may welcome this “bonus,” but they should understand that the absence of a mandated assessment does not remove the underlying risks to consumers; it merely removes the obligation to document them.
Enforcement rests exclusively with the Utah attorney general; there is no private right of action. Enforcement follows a novel, multi-layered process in which consumer complaints are first received and investigated by the Utah Division of Consumer Protection and then referred to the attorney general, and data controllers and processors receive written notice and a 30-day period in which to cure the violation. If the violation is not cured within that period, organizations can face actual damages to the consumer plus fines of up to $7,500 per violation.
Although the UCPA grants Utah consumers new rights and imposes obligations on businesses, it is unlikely to add much to the privacy compliance program of an entity already subject to the California, Virginia, or Colorado laws. On its face, the law is narrower and more lenient than each of those counterparts.
The Utah privacy landscape will change at the end of 2023, and many businesses will be looking to take an integrated approach to compliance with the Utah Consumer Privacy Act. The UCPA will give Utah consumers rights over the collection and use of their personal data, including the right to access, delete, and obtain a portable copy of the personal data they have provided. In addition, consumers will be able to opt out of the sale of their personal data and of targeted advertising.
For more information about data privacy laws and regulations, consult the Planet 9 team. We’ll be happy to assist.