On March 24, 2022, Utah Governor Spencer Cox signed the Utah Consumer Privacy Act (UCPA), making Utah the fourth US state to pass comprehensive privacy legislation after California, Virginia, and Colorado. The new privacy law empowers Utah citizens with greater personal data rights and safeguards.
The Utah Consumer Privacy Act will go into effect on December 31, 2023, less than two years from now. The UCPA is substantially influenced by the Virginia Consumer Data Protection Act (VCDPA), but it takes an easier, more business-friendly stance on consumer privacy than the VCDPA, the Colorado Privacy Act (CPA), and the California Privacy Rights Act (CPRA).
The UCPA applies to any organization that:
Notably, the UCPA also provides for certain exceptions, for example, the UCPA does not apply to:
The UCPA applies only to for-profit businesses that conduct business in the state of Utah or sell products and services there. It only protects consumers who are residents of the state of Utah.
Under the UCPA, the scope of the law is also determined by some key definitions:
Under the UCPA, a consumer is a resident of the state of Utah, acting in either an individual or household capacity.
Under the UCPA, a sale is the exchange of personal data by a controller to a third party for monetary consideration. The law explicitly excludes certain types of disclosure from the definition of sale, for instance:
Under UCPA, personal data is information that can be linked to or reasonably related to an identified or identifiable person. However, de-identified data, aggregated data, and publicly available data are expressly excluded under the law.
Under the UCPA, de-identified data is data held by a controller who takes reasonable measures to ensure that it cannot reasonably be linked to an identified or identifiable individual. The controller must also publicly commit to maintain and use the data only in de-identified form and not attempt to re-identify it, and must contractually obligate any recipients of the data to adhere to the same requirements laid down under the law.
Under the UCPA, pseudonymous data is personal data that cannot be attributed to a specific individual without the use of additional information, provided that the additional information is subject to appropriate technical and organizational measures.
UCPA defines sensitive data as personal data that reveals:
Under the UCPA, data controllers have multiple obligations, such as:
Data controllers are prohibited from discriminating against consumers who exercise their rights by:
The UCPA lays significant guidelines pertaining to processing the personal data of children. Data controllers processing the personal data of children under the age of 13 must get verified parental consent before processing their personal data. Additionally, the personal data must be processed in compliance with the Children's Online Privacy Protection Act (COPPA).
The UCPA does not require opt-in consent to process a consumer's sensitive data. Instead, it lays down mandatory notice requirements: before processing sensitive data collected from a consumer, the controller must first present the consumer with a clear notice along with a method and opportunity to opt out of the processing of their sensitive data.
Moreover, in the case of the processing of personal data concerning a known child, the controller must process the data in accordance with the federal Children's Online Privacy Protection Act (COPPA) and the act's implementing regulations and exemptions.
Under the UCPA, the controller must give consumers a reasonably accessible, conspicuous, and unambiguous privacy notice. Privacy notices must include the following information:
Data controllers must establish, implement, and maintain acceptable administrative, technological, and physical data security practices to preserve confidentiality and integrity of personal data, as well as reduce reasonably foreseeable risks of harm to consumers relating to the processing of personal data. A controller should use data security practices that are in line with its business size, scope, and type, and are appropriate for the volume and nature of the personal data that it deals with.
Under UCPA, it is also stated that any provision of a contract that purports to waive or limit a consumer's right is void.
The UCPA does not require a controller or processor to re-identify de-identified data or pseudonymous data, or to obtain, maintain, or access data in identifiable form, for the purpose of allowing the controller or processor to associate a consumer request with personal data. The controller is also not required to comply with an authenticated consumer request to exercise a right under the law if:
Moreover, data subject rights do not apply to pseudonymous data.
The UCPA requires data controllers to enter into contracts with data processors that govern the nature, purpose, and duration of the processing of personal data, the type of data subject to processing, and the rights and obligations of the parties. These contracts should also bind the processor to a duty of confidentiality pertaining to the processing of personal data.
Moreover, any subcontractor engaged by a processor pursuant to a written contract is bound by the same obligations. Processors must follow the controller's instructions and assist the controller in fulfilling its obligations, including those relating to the security of personal data processing and security breach notifications.
Under the UCPA, consumers have the following rights:
Consumers have the right to determine whether a controller is processing the consumer’s personal data and to access that data.
Consumers have the right to request the deletion of the personal data they have provided to the controller. However, the UCPA does not give consumers the right to have all their personal data held by a controller deleted - only personal data provided to the controller by the consumers themselves can be requested to be deleted.
Consumers have the right to obtain a copy of their personal data previously given to the controller. The data should be portable and readily usable to the extent that is technically feasible and practical. Moreover, the copy should allow the consumer to send data without hindrance to another controller, where the processing is done automatically.
Consumers have the right to opt out of the processing of their personal data for targeted advertising. Consumers can also opt out of the sale of their personal data. Finally, as previously mentioned, consumers can opt out of the processing of their sensitive personal data.
The UCPA contains important substantive exemptions including:
Utah's Attorney General has exclusive enforcement authority over the Utah Consumer Privacy Act. However, the enforcement method employs a new multi-layered strategy. The UCPA tasks Utah's Division of Consumer Protection with managing a system to accept consumer complaints and investigate whether a claimed infringement is valid.
If the Director of the Division has reasonable cause to believe that substantial evidence of a violation exists, the Director must refer the case to the state Attorney General. Once a referral from the Division is received, the Attorney General may initiate proceedings against a controller or processor for the violation.
The UCPA empowers the Attorney General's Office to pursue enforcement action and impose penalties. All alleged violations of the UCPA have a 30-day cure period, during which the Attorney General will provide the controller or processor a written notice identifying each alleged violation and an explanation of the basis for each allegation.
Following this, the controller or processor can cure the violation by providing the Attorney General an express written statement that the violation has been cured and that no further violation of the cured provision will occur.
If a controller fails to cure the violation, or continues to violate the law after curing a noticed violation, the UCPA allows the Attorney General to recover actual damages on behalf of the consumer (there is no private right of action under the law) and a civil penalty of up to $7,500 for each violation.
To comply with UCPA, organizations must:
The worldwide fundamentals of accessing, protecting, and sharing personal data are constantly advancing, requiring businesses to become even more privacy-conscious in their practices and conscientious custodians of their users' data, all while automating privacy and security processes for rapid action.
With an ever-growing network of users and potential users, businesses must embrace robotic automation to operationalize compliance and avoid falling behind. While several vendors offer software to help businesses comply with worldwide privacy requirements, those solutions only go so far as to impose various restrictions or provide basic data-driven functionalities.
Securiti binds reliability, intelligence, and simplicity by working on the PrivacyOps framework to allow end-to-end automation for organizations. Securiti can help you stay compliant with Utah’s Consumer Privacy Act (UCPA) and other privacy and security regulations worldwide. See how it works. Request a demo today.
The Utah Consumer Privacy Act (UCPA) is a privacy law in Utah that provides certain rights to consumers regarding the collection and sale of their personal information by businesses. It applies to data controllers or processors conducting business in the state or providing products or services to its residents.
The UCPA applies to any organization that conducts business in the state of Utah or creates a product or service aimed at Utah residents, has an annual revenue of $25,000,000 or more, and meets one or more of these thresholds: it controls or processes the personal data of 100,000 or more consumers during a calendar year; or it derives over 50% of its gross revenue from the sale of personal data and controls or processes the personal data of 25,000 or more consumers.
Utah has a Consumer Privacy Act that protects consumers in various areas, including unfair and deceptive trade practices. Moreover, it grants certain rights to the residents of the state and obliges controllers to fulfill certain requirements.
Utah has not introduced specific biometric data protection legislation. However, privacy laws like the Utah Consumer Privacy Act may cover certain aspects of biometric data.
Yes, Utah has the Consumer Privacy Act (UCPA), which is a state privacy law regulating the collection and use of personal information by controllers doing business in the state.