Utah is the latest state to approve a statewide data privacy law. On March 24, 2022, Utah governor Spencer Cox signed the Utah Consumer Privacy Act (UCPA) into law; it takes effect December 31, 2023. The law protects Utah residents and applies to any company that meets its thresholds and collects, processes, or stores those residents' personal data. Just as in Colorado and other states that have passed data privacy legislation, companies doing business in Utah need to take note of the state's new data privacy requirements.
The UCPA is similar to the Colorado Privacy Act, with a few exceptions. The UCPA
- does not cover certain categories of data that are already regulated by other laws, such as the Health Insurance Portability and Accountability Act (HIPAA);
- does not allow any private right of action, so all enforcement actions must come directly from the Office of the Attorney General; and
- does not require the controller to conduct a data protection assessment of its processing activities involving personal data.
In two of its most important provisions, the UCPA
- gives consumers the right to have the personal data they provided to a company deleted from that company's records, and
- requires that the consumer be given the option to opt out of processing for the purposes of targeted advertising or the sale of their personal data.
Utah consumers also have the right to:
- Submit a request to the controller specifying the right they intend to exercise.
- Confirm whether an organization is processing their personal data, access that data, and learn the purpose for which it is processed.
- Obtain a copy of their personal data in a portable format and move it from one company to another without obstruction (data portability), to the extent that doing so is technically feasible, practicable, and reasonable for the controller.
- Opt out of the processing described above, namely targeted advertising and the sale of their personal data.
Which Organizations Will Be Subject to the New Law?
The UCPA applies to any organization, whether or not it is domiciled in Utah, that conducts business in the state or produces a product or service targeted to Utah residents, has annual revenue of $25 million or more, and satisfies one of the following two criteria:
- Controls or processes the personal data of 100,000 or more consumers; or
- Derives over 50% of its gross revenue from the sale of personal data and controls or processes the personal data of 25,000 or more consumers.
Once the UCPA applies to an organization, it imposes the following requirements:
- The controller must issue a privacy notice that includes the categories of personal data being processed, the purposes for collecting and processing that data, how consumers may exercise their rights, the categories of personal data shared with third parties, and the categories of third parties with which the controller shares personal data.
- A controller must establish, implement, and maintain reasonable administrative, technical, and physical data security practices designed to protect the confidentiality and integrity of personal data and reduce reasonably foreseeable risks of harm to consumers relating to the processing of personal data. What counts as reasonable depends on the volume and nature of the personal data involved.
- A controller must present a consumer with clear notice and an opportunity to opt out of the processing before processing the consumer's sensitive data.
- A controller must not discriminate against a consumer for exercising their rights by denying a good or service, charging a different price for a good or service, or providing a different level of quality of a good or service.
- A controller must act on a consumer's request to exercise their rights within 45 days of receiving it. If the controller needs to extend the response period, it must inform the consumer of the extension and the reasons that make it reasonably necessary.
How to Prepare for Compliance
Organizations that take a proactive approach to privacy should find that their resources and business procedures are not hindered when consumer requests begin coming in.
A sensible first step toward compliance is to designate a new or existing employee (commonly a data privacy officer) who is responsible for safeguarding collected consumer data and handling consumer data requests. Note that under the UCPA the "controller" is the organization itself, not an individual employee.
Just like the CPA, CCPA, and CDPA, implementing compliance activities for a new regulation can be a headache. Here are some questions to consider as you review your organization's options for UCPA compliance:
- What kind of data does our organization need to be successful? How does the organization use it?
- Would any of the data we collect be considered personally identifiable information (PII), such as a person’s name, home address, or phone number?
- In what capacity does our organization conduct business with Utah residents?
- Where do we store consumer data if we collect it? Is it secured appropriately?
- If we don't have a data privacy officer or an equivalent role, do we have the resources available to fill it?
- Does our organization currently perform any type of data protection activities? If so, how are those being leveraged to protect consumer data?
- Of the data we collect, which is already regulated by active federal laws like Health Insurance Portability and Accountability Act (HIPAA) or the Children’s Online Privacy Protection Act (COPPA)?
- If our organization is a non-profit, does the UCPA apply to us?
Definitions of Key Terms
Some key words could have a material impact on the interpretation of certain areas of the regulation. These key words and their definitions, summarized from the UCPA, are:
- Biometric Data: Data generated by automatic measurements of an individual’s unique biological characteristics.
- Consent: Affirmative action by a consumer that unambiguously indicates the consumer’s voluntary and informed agreement to allow a person to process personal data related to the consumer.
- Consumer: An individual who is a resident of the state acting in an individual or household context (this does not include acting in an employment or commercial context).
- Controller: A person doing business in the state who determines the purposes for which and the means by which personal data is processed, whether that person makes the determination alone or with others.
- De-identified Data: Data that cannot reasonably be linked to or associated with an identifiable individual.
- Personal Data: Any information that is linked or reasonably linkable to an identified or identifiable individual. This does not include de-identified data, aggregated data, or publicly available information.
- Processor: A person who processes personal data on behalf of a controller.
- Sale: The exchange of personal data for monetary consideration by a controller to a third party.
- Sensitive Data: Personal data that reveals an individual's racial or ethnic origin, religious beliefs, sexual orientation, citizenship or immigration status, or medical history or mental or physical health condition; genetic or biometric data processed for the purpose of identifying a specific individual; or specific geolocation data.
- Targeted Advertising: Displaying an advertisement to a consumer where the advertisement is selected based on personal data obtained from the consumer’s activities over time and across nonaffiliated websites or online applications to predict the consumer’s preferences or interests.
For more information about the UCPA and how it may apply to your business, contact us. We are here to help.
Authored by Hunter Sundbeck, CDPSE.