Utah Consumer Privacy Act (UCPA) Explained
The Utah Consumer Privacy Act is the 4th U.S. comprehensive state privacy law. On March 2, after only five session days of discussion, the Utah Senate and House unanimously passed the law. The bill was signed by Gov. Spencer Cox, R-Utah, on March 24, 2022. The law will go into effect on December 31, 2023.
The UCPA is a business-friendly law that closely resembles the Virginia Consumer Data Privacy Act. Senator Kirk Cullimore, R-Utah, said “the bill accomplishes a balancing act by focusing directly on Utah consumers and their guaranteed rights, not the red tape that confuses businesses and consumers alike. It creates a workable standard for businesses and clarity for Utah consumers.” The Senator goes on to say “The Utah bill does not make the life of a business or privacy professional a lot more difficult in trying to comply with multiple bills across states,” Braithwaite said. “I don’t think there’s anything in this bill that makes it an outlier or something that requires special consideration.”
Applicability: The law applies to controllers or processors that do business in the state, or produce a product or service that is targeted to consumers who are Utah residents, and that:
- Have annual revenue of $25M or more; and either
- Control or process personal data of 100,000 or more consumers during a calendar year; or
- Derive over 50% of the entity’s gross revenue from the sale of personal data and control or process the personal data of 25,000 or more consumers.
Exemptions: The bill includes exemptions for employee data, non-profits, higher education institutions, covered entities and business associates, personal health information, and GLBA-regulated entities.
Consumer Rights: The UCPA provides many familiar rights to consumers.
- Confirm whether a controller is processing their personal data
- Access their personal data
- Delete their personal data
- Opt out of targeted advertising or the sale of personal data
- The bill does not allow for the right to opt out of profiling
Notice: Controllers must provide a privacy notice with the following information:
- Categories of personal data processed
- Purposes for which the categories of personal data are processed
- Categories of personal data the controller shares with third parties
- Categories of third parties the controller shares personal data with
- How consumers can exercise their rights
Definition of Sale: The Utah definition of “sale,” “sell,” or “sold” means the exchange of personal data for monetary consideration by a controller to a third party. Notably, it does not include the words “other valuable consideration.”
A controller’s disclosure of personal data to a third party is exempt if the purpose is consistent with a consumer’s reasonable expectations. This exemption is not found in the California, Colorado or Virginia laws.
Consent: Consent is only required (by a parent) for the processing of children’s data.
Unlike in Colorado and Virginia, consent is not required for processing sensitive data. Utah only requires presenting the consumer with clear notice and an opportunity to opt out of the processing of sensitive data.
Processing Agreements: Controllers are required to enter into data processing agreements with processors processing personal information.
Assessments: The bill does not require privacy impact assessments.
Enforcement: The law is enforceable by the Utah AG’s office.
- It has damages up to $7,500 for each violation
- A 30-day cure period
- No private right of action
The UCPA has a unique enforcement process. To file claims Utah consumers must first reach out to the Utah Department of Commerce’s Division of Consumer Protection and the Utah attorney general’s office. If a claim is determined to be legitimate, it then goes before the for further review.
What should you do to get ready for this new law?
While Utah may be the next state to enact a data privacy law, it won’t be the last. Most likely, complying with this law (as currently written) will in many ways be consistent with what you are doing in California, Virginia and Colorado.
If you’ve mapped to those requirements, you’re pointed in the right direction to comply with the UCPA. There is, however, still work to be done, including updating your policies, vendor agreements and subject request mechanisms.
The WireWheel platform is built with the flexibility to accommodate these changes with ease and efficiency and can help your company with managing the rights requests and the data protection assessments.