On March 24, 2022, Utah Governor Spencer Cox signed the Utah Consumer Privacy Act (UCPA), making Utah the fourth US state to pass comprehensive privacy legislation after California, Virginia, and Colorado. The new privacy law empowers Utah citizens with greater personal data rights and safeguards.
The Utah Consumer Privacy Act will go into effect on December 31, 2023, less than two years from now. The UCPA is substantially influenced by the Virginia Consumer Data Protection Act (VCDPA), but it takes an easier, more business-friendly stance on consumer privacy than the VCDPA, the Colorado Privacy Act (CPA), and the California Privacy Rights Act (CPRA).
2. Who Needs to Comply with the Law?
a. Material Scope
The UCPA applies to any organization that:
- Conducts business in the state of Utah or creates a product or service aimed toward Utah residents; and
- Has an annual revenue of $25,000,000 or more; and
- Satisfies one or more of the following additional thresholds:
  - Controls or processes the personal data of 100,000 or more consumers during a calendar year; or
  - Derives over 50% of the organization's gross revenue from the sale of personal data.
Notably, the UCPA also provides for certain exemptions. For example, the UCPA does not apply to:
- Tribes and carriers;
- Institutions of higher education and nonprofits;
- A governmental entity or a third party under contract with a governmental entity when the third party is acting on behalf of the governmental entity;
- Certain types of data used by credit and consumer reporting agencies;
- Information of financial institutions or affiliates governed by the Gramm-Leach-Bliley Act;
- Any personal information of consumers collected or used for consumer credit scoring and reporting protected under the federal Fair Credit Reporting Act (FCRA);
- Personal data collected, processed, sold, or disclosed in compliance with the federal Driver's Privacy Protection Act of 1994;
- Personal data regulated by the federal Family Educational Rights and Privacy Act (FERPA) and related regulations;
- Personal data collected, processed, sold, or disclosed in compliance with the federal Farm Credit Act;
- Any health information, records, data, and documents protected under HIPAA or other federal or state medical laws, including patient information; identifiable private information for purposes of the Federal Policy for the Protection of Human Subjects; patient safety work product; de-identified medical data; medical data used for public health or medical research under HIPAA or any other medical law or policy; information maintained by a healthcare facility or provider; and information used only for public health activities and purposes;
- Personal data maintained for employment records.
b. Territorial Scope
The UCPA applies only to for-profit businesses that conduct business in the state of Utah or sell products and services there. It only protects consumers who are residents of the state of Utah.
3. Definitions of Key Terms
Under the UCPA, the scope of the law is also determined by some key definitions:
a. Consumer
Under the UCPA, a consumer is a resident of the state of Utah, acting in either an individual or household capacity.
b. Sale
Under UCPA, a sale is the exchange of personal data by a controller to a third party for monetary consideration. The law explicitly excludes certain types of disclosure from the definition of sale, for instance:
- Disclosing personal data to a processor who processes the personal data on behalf of the controller;
- Disclosing personal data to an affiliate of the controller;
- Release of personal data to a third party if the purpose is consistent with a consumer's reasonable expectations;
- Transferring or disclosing personal data when a consumer directly instructs the controller to disclose the personal data or allow for its interaction with third parties;
- Disclosure of personal data to a third party for the purpose of providing a product or service requested by the consumer or by a parent/legal guardian of a child;
- Disclosing information that the consumer intentionally has made available to the general public via a channel of mass media and is not restricted to a specific audience;
- Transfer of personal data to a third party as an asset part of a proposed or actual merger, an acquisition, or bankruptcy in which the third party assumes control of all or part of the controller's assets.
c. Personal Data
Under UCPA, personal data is information that can be linked to or reasonably related to an identified or identifiable person. However, de-identified data, aggregated data, and publicly available data are expressly excluded under the law.
d. Deidentified Data
Under UCPA, de-identified data is data held by a controller who takes reasonable measures to ensure that it cannot reasonably be linked to an identified or identifiable individual. The controller must also publicly commit to maintain and use the data only in de-identified form and not attempt to re-identify it, and must contractually obligate any recipients of the data to adhere to the requirements laid down under the law.
e. Pseudonymous data
Under UCPA, pseudonymous data is personal data that cannot be attributed to a specific individual without the use of additional information, provided that the additional information is held subject to appropriate technical and organizational measures.
f. Sensitive Data
UCPA defines sensitive data as personal data that reveals:
- An individual's race or ethnic origin (not including data processed through a video communication service);
- Religious beliefs;
- Sexual orientation;
- Citizenship or immigration status; or
- Information regarding medical history, mental or physical health conditions, or medical treatment or diagnosis by a healthcare professional.
4. Obligations for Organizations Under UCPA
Under the UCPA, data controllers have multiple obligations, such as:
a. Non-Discrimination
Data controllers are prohibited from discriminating against consumers who exercise their rights by:
- denying a consumer a good or service;
- charging a varied price or rate to a consumer for a good or service; or
- offering a different level of quality of a product or service to the consumer.
The law, however, does not prevent a controller from offering a distinct rate (including discounts or a product/service at zero fee), quality, or selection of a product or service to the consumer if:
- the consumer has opted out of targeted advertising; or
- the offer relates to the consumer's voluntary participation in a bona fide loyalty, rewards, premium features, discounts, or club card program.
b. Consent Requirements
The UCPA lays significant guidelines pertaining to processing the personal data of children. Data controllers processing the personal data of children under the age of 13 must get verified parental consent before processing their personal data. Additionally, the personal data must be processed in compliance with the Children's Online Privacy Protection Act (COPPA).
The UCPA does not require opt-in consent to process a consumer's sensitive data. Instead, it lays down a mandatory notice requirement: before processing sensitive data collected from a consumer, the controller must first present the consumer with clear notice along with a method and opportunity to opt out of the processing of their sensitive data.
Moreover, in the case of processing personal data concerning a known child, the controller should process the data in accordance with the federal Children's Online Privacy Protection Act and the act's implementing regulations and exemptions.
c. Privacy Notice Requirements
Under the UCPA, consumers must be given a reasonably accessible, conspicuous, and unambiguous privacy notice by the controller. Privacy notices must include the following information:
- The types of personal data that the controller processes;
- The purpose for data processing;
- How consumers can exercise their right to opt out of the transfer of their personal data to third parties or its use for targeted advertising (if applicable);
- The types of third parties with whom the controller may share personal data (if any).
d. Security Requirements
Data controllers must establish, implement, and maintain acceptable administrative, technological, and physical data security practices to preserve confidentiality and integrity of personal data, as well as reduce reasonably foreseeable risks of harm to consumers relating to the processing of personal data. A controller should use data security practices that are in line with its business size, scope, and type, and are appropriate for the volume and nature of the personal data that it deals with.
e. Non-Waiver of Consumer Rights
Under UCPA, it is also stated that any provision of a contract that purports to waive or limit a consumer's right is void.
f. Processing Deidentified Data or Pseudonymous Data
UCPA does not require a controller or processor to re-identify de-identified data or pseudonymous data, or to obtain, maintain, or access data in identifiable form, for the purpose of allowing the controller or processor to associate a consumer request with personal data. The controller is also not required to comply with an authenticated consumer request to exercise a right under the law if:
- the controller is not reasonably capable of associating the request with the personal data, or it would be unreasonably burdensome for it to do so;
- the personal data is not being used by the controller to recognize or respond to the consumer who is the subject of the personal data; and
- the personal data is not being sold or disclosed to any third party other than a processor.
Moreover, data subject rights do not apply to pseudonymous data.
g. Processor/Service Provider Agreements
The UCPA requires data controllers to enter into contracts with data processors that govern the nature, purpose, and duration of the processing of personal data, the type of data subject to processing, and the rights and obligations of the parties. These contracts should also bind the processor to a duty of confidentiality pertaining to the processing of personal data.
Moreover, any subcontractor engaged by a processor pursuant to a written contract is bound by the same obligations. Processors must follow the controller's instructions and assist the controller in fulfilling its obligations, including those relating to the security of personal data processing and security breach notifications.
5. Data Subject Rights Fulfillment
Under the UCPA, consumers have the following rights:
a. Right to Access
Consumers have the right to determine whether a controller is processing the consumer’s personal data and to access that data.
b. Right to Delete
Consumers have the right to request the deletion of the personal data they have provided to the controller. However, the UCPA does not give consumers the right to have all their personal data held by a controller deleted; only personal data that the consumer provided to the controller can be the subject of a deletion request.
c. Right to Data Portability
Consumers have the right to obtain a copy of the personal data they previously provided to the controller. The data should be portable and readily usable to the extent that is technically feasible and practical. Moreover, the copy should allow the consumer to transmit the data without hindrance to another controller, where the processing is carried out by automated means.
d. Right to Opt-out of Processing
Consumers have the right to opt out of the processing of their personal data for targeted advertising. Consumers can also opt out of the sale of their personal data. Finally, as previously mentioned, consumers can opt out of the processing of their sensitive personal data.
- Means to submit DSR request: A consumer may exercise a right by submitting an authenticated request to a controller, by means prescribed by the controller, specifying the right the consumer intends to exercise. In the instance of processing personal data concerning a child, the parent or legal guardian of the child can exercise a right on the child's behalf. In the case of processing personal data concerning a consumer subject to guardianship, conservatorship, or other protective arrangements under Title 75, Chapter 5, Protection of Persons Under Disability and Their Property, the guardian or the conservator of the consumer shall exercise a right on the consumer's behalf.
- Time period to fulfill DSR request: A controller shall comply with a consumer's request to exercise a right within 45 days after the day on which a controller had received that particular request. The controller then shall take action on the consumer's request; and inform the consumer of any action taken on the consumer's request.
- Extension in the time period: An additional 45 days can be granted if it is reasonably necessary to comply with the request, keeping in mind the complexity of the request or the volume of the requests received by the controller. In such cases, the controller is to inform the consumer of the extension and provide reasons for the extension.
- Charges: Controllers are not allowed to charge a fee for responding to a request under the law apart from certain situations. If the request is a consumer's second or subsequent request within the same 12-month period, a controller may charge a reasonable fee. A controller may also charge a reasonable fee to cover the administrative costs of complying with a request, or refuse to act on a request, if:
  - the request is excessive, repetitive, or technically infeasible as per the law; or
  - the controller considers that the primary goal of the submitted request was something other than exercising a right; or
  - the request disrupts or imposes an undue burden on the resources of the controller's business.
- Appeal against refusal: The data controller may choose not to take action on a consumer's DSR request. It must provide the consumer the reasons for which it did not take action within the 45-day period after receiving the DSR request. The data controller may also choose not to honor the request if it cannot authenticate it using commercially reasonable efforts. Notably, the UCPA gives the consumer no right of appeal when the controller denies a request; however, the burden of proving the grounds for refusing the consumer's request lies with the data controller.
6. Exemptions
The UCPA contains important substantive exemptions, including:
- Data processed for legal obligations: This law does not prevent a controller or processor from complying with other applicable laws, asserting or defending legal claims, or cooperating with government authorities or investigations.
- Data processed to perform contractual obligations: Nothing in this law restricts a controller or processor from complying with contractual obligations with the consumer.
- Data processed to protect life and physical safety: Nothing in this legislation prevents a controller or processor from taking prompt action to defend an interest that is vital to the consumer's or another natural person's life or physical safety, and if the processing cannot be justified by another legal basis.
- Data processed for security purposes: Nothing in this law prevents a controller or processor from processing data to prevent, detect, protect against, or respond to security incidents, identity theft, fraud, harassment, malicious or deceptive activities, or any illegal activity; maintain the integrity or security of systems; or investigate, report, or prosecute those responsible for any such action.
- Data processed for internal purposes: Nothing in this law restricts a controller or processor from processing personal data to conduct internal research to identify, improve or repair products, services, or technology including technical errors that impair existing or intended functionality, or undertake internal operations reasonably aligned with the consumer’s expectations for the performance of a service or provision of a product.
7. Regulatory Authority
Utah's Attorney General has exclusive enforcement authority over Utah's Consumer Privacy Act. However, the enforcement method employs a new multi-layered strategy: the UCPA tasks Utah's Consumer Protection Division with managing a system to accept consumer complaints and investigate whether a claimed infringement is valid.
If the Director of the Division has reasonable cause to believe that substantial evidence of a violation exists, they must refer the case to the state Attorney General. Once a referral from the Division is received, the Attorney General may initiate proceedings against a controller or processor for a violation.
8. Penalties for Non-compliance
The UCPA empowers the Attorney General's Office to pursue enforcement action and impose penalties. All alleged violations of the UCPA have a 30-day cure period, during which the Attorney General will provide the controller or processor a written notice identifying each alleged violation and an explanation of the basis for each allegation.
Following this, the controller or processor can provide the Attorney General an express written statement confirming that the violation has been cured and that no further violation of the cured kind will occur, thereby curing the violation.
If a controller fails to cure the violation, or continues to violate the relevant sections of the law after curing a noticed violation, the UCPA allows the Attorney General to recover actual damages on behalf of the consumer (there is no private right of action within the law) and a civil penalty of up to $7,500 for each violation.
9. How an Organization Can Operationalize the Law
To comply with UCPA, organizations must:
- Determine whether they meet the jurisdictional threshold of UCPA including whether they hold personal data of Utah residents and whether they meet the data volume threshold;
- Determine their data inventories and classify data stores containing personal data of Utah residents;
- Using official policies and privacy notices, make it clear how personal data is processed;
- Develop formal policies and procedures for data collection and processing (specifically for sensitive data);
- Establish a robust framework for data subject requests;
- Develop a robust consent framework that swiftly processes consent obligations;
- Allow Utah residents to exercise their opt-out rights in cases where the organization sells their personal data or uses it for targeted advertising;
- Have technical and organizational security measures in place to protect their processing activities; and
- Conduct a rigorous analysis of their data handling capabilities and third-party processor agreements.
10. How Securiti Can Help
The worldwide fundamentals of accessing, protecting, and sharing personal data are constantly advancing, requiring businesses to become even more privacy-conscious in their practices and conscientious custodians of their users' data, all while automating privacy and security processes for rapid action.
With an ever-growing network of users and potential users, businesses must embrace robotic automation to operationalize compliance and avoid falling behind. While several providers offer software to help businesses comply with worldwide privacy requirements, those solutions only go so far as to impose various restrictions or provide basic data-driven functionalities.
Securiti combines reliability, intelligence, and simplicity by building on the PrivacyOps framework to enable end-to-end automation for organizations. Securiti can help you stay compliant with Utah's Consumer Privacy Act (UCPA) and other privacy and security regulations worldwide. See how it works. Request a demo today.