Table of Contents
The Utah Consumer Privacy Act (UCPA) is a groundbreaking piece of legislation, aimed at giving consumers in Utah more control over their personal data. This act requires businesses to take proactive steps to protect the privacy of consumers and empowers individuals with the right to know what data is being collected about them, how it's being used, and who it's being shared with.
The UCPA was enacted to help address privacy concerns and provide consumers with a sense of security when it comes to their personal information.
This blog aims to provide an in-depth look at the Utah Consumer Privacy Act and its implications for both businesses and consumers. We'll explore what the act entails, how it affects companies operating in Utah, and what rights it gives to consumers.
What Is the Utah Consumer Privacy Act?
The Utah Consumer Privacy Act (UCPA) is a data privacy regulation enacted to control how businesses handle the data of Utah consumers, giving them specific rights to help control the use of their information.
For instance, consumers can request that their data be deleted or opt out of the processing of their data.
All businesses operating in Utah are obligated to provide consumers with information on how they plan to handle the data, from the purpose of processing to any third parties they share with. They must provide a privacy notice that outlines what they plan to do with consumer information.
Understanding the UCPA and what it takes to become compliant starts with understanding the terms used throughout the regulation. Here are the legal meanings of some of the most common terms it uses:
- Controller: Any person or organization that decides on the means and purpose of processing data, whether they make the decision alone or alongside other actors.
- Processor: Any person or organization that processes personal data in the place of a controller.
- Consumer: Any Utah resident that’s acting in the context of an individual or household. The regulation doesn’t consider people acting in an employment or commercial context as consumers.
- Personal data: Any data that can be reasonably tied back to an identified or identifiable individual. The regulation doesn’t consider publicly available data or de-identified or aggregate data as personal data.
When Did the Utah Consumer Privacy Act Come into Effect?
Utah’s governor signed the UCPA on March 24, 2022, and it will take effect on December 31, 2023. Businesses must be compliant by that time.
Which Businesses Need to Comply With the Utah Consumer Privacy Act?
You’ll be obligated to comply with the Utah Consumer Data Privacy Act (UCPA) if the following applies to your business:
- Have operations in Utah or targets its product or services to Utah residents
- Earn a minimum annual revenue of at least $25 million
- Handle data of at least 100,000 Utah residents. For businesses that earn more than 50% of their revenue from selling personal data, compliance will be necessary if they process the data of at least 25,000 Utah residents
The legislation exempts most small businesses since their data collection practices are typically under the threshold. According to legislators, the amount of data smaller businesses store, process, or control doesn’t justify the compliance cost.
Businesses That Are Exempt From the UCPA
The UCPA lists few businesses/organizations that are exempt from compliance, including:
- Political agencies and bodies
- Business associates and covered entities under the Health Insurance, Portability, and Accountability Act (HIPAA)
- Financial institutions that are under the Gramm-Leach-Bliley Act
- Air carriers
- Institutions of higher education
The data collection limitations that the act imposes also exempt specific data types. The UCPA does not control data that’s necessary for:
- Compliance with local, state or federal law
- Defending yourself against legal claims
- Conducting research or internal analytics to help improve your product, services, or overall security
- Helping you fulfill a consumer’s requests
What Are the Responsibilities of Businesses Under the Utah Consumer Privacy Act?
The UCPA’s two primary objectives are to ensure businesses protect consumers’ data and to give consumers power over how their data is utilized. If you’re obligated to comply with the regulation, you’ll have to take the necessary steps to maintain compliance.
The steps for compliance include the following:
1. Set Necessary Security Measures
You must set physical, administrative and technical security measures to protect any data you handle as a controller or processor. If you already have these security measures in place, the regulation requires you to evaluate them to ensure that they’re strong enough to offer ample protection.
The UCPA doesn’t specify the measures businesses must take to ensure optimum data security. However, when picking reasonable security measures, the regulation requires businesses to consider the size of the business, the types of data it collects or processes, and the volume of the data.
2. Establish a Contract With Data Processors or Controllers
Businesses that share their data with processors must establish a contract that addresses how the data is handled. The UCPA requires contracts to have specific information, such as:
- The purpose and nature of the data processing
- The time it’ll take to process the data
- The type of data being processed
- The obligations and rights of all parties involved, such as the duty of confidentiality
Most importantly, the contract should outline the data protection measures that the processor needs to maintain.
Unlike other regulations, contracts between processors and controllers under the UCPA don’t afford controllers the right to conduct audits on the processor’s security measures.
3. Provide a Privacy Notice
You must provide a privacy notice informing consumers of the processing of their data and their rights under the UCPA. The notice needs to be both clear and reasonably accessible. In most cases, you’ll need to post the notice on your website.
The notice needs to include information like:
- The types of data that you process as a controller
- The type of data you’ll be sharing with third parties
- The types of third parties you’ll be sharing the data with
- The purpose of the data processing
- Insights into how consumers can exercise their rights, such as the right to opt-out
- A conspicuous and clear disclosure of whether the data is going to be used for targeted advertising or sold to any third parties
4. Adhere to Consumer Requests
Under the UCPA, you’re required to provide consumers with a method to make data privacy requests. Try to implement a method that ensures that consumers clearly state what they are seeking. The request can’t be made with the intention to disrupt, harass, or overwhelm your business.
Once a consumer makes the request, you have three options:
- Take action: You have 45 days to either adhere to or deny a consumer’s request. Once you choose the path you’re willing to take, you should notify the consumer of the action you’re taking.
- Request an extension: The UCPA allows controllers to have a one-time extension. The extension allows you 45 more days to structure a response to the request. You’re required to inform the consumer of your decision to take the extension within the initial 45 days after they make their request.
- Pause the response period to authenticate the consumer’s request: In situations where you suspect the request to be fraudulent, the UCPA allows you to pause the response period to authenticate it.
Unlike other U.S. privacy regulations, the UCPA doesn’t include an appeal process for consumer requests that have been denied.
Under normal circumstances, consumers aren’t required to pay to have you handle their requests. However, the UCPA does make exceptions, allowing you to charge consumers a fee to provide the information they’re requesting.
Businesses are allowed to charge a fee if:
- There was at least one other request from the same consumer in the last year
- The request was technically infeasible, repetitive, excessive, or unfounded
- The request disrupts, harasses, or burdens your business resources
Rights of Utah Residents Under the UCPA
The UCPA outlines four rights of consumers. It’s worth noting that these apply to any data that the consumer provides you as the controller. The regulation doesn’t provide consumers with rights to data that you’ve obtained indirectly.
The four rights include:
- Right to access: Consumers have a right to confirm that you’re processing their data. They can also request the data from you.
- Right to deletion: Consumers have a right to request the deletion of any personal data they provide you.
- Right to portability: Consumers have a right to request a portable copy of any data they’ve shared with you. Besides being portable, the data should be practically usable and transmittable to other controllers.
- Right to opt out: Consumers have a right to opt out of the processing of their data for the purpose of selling the data or targeted advertising.
How Does the Utah Consumer Privacy Act Define the “Sale” of Personal Data?
The UCPA considers you to have sold data if you exchange a consumer’s personal data for money with a third party. This means that the law doesn’t consider non-monetary transactions as a sale.
It also doesn’t consider it a sale if you:
- Disclose data to your business affiliates
- Make a disclosure after being directed by the consumer
- Make a disclosure that’s in line with the expectations the consumer had when they handed over their data to you
How Does the Utah Consumer Privacy Act Define Targeted Advertising?
The Utah Consumer Privacy Act interprets target advertising as any ads a consumer receives on websites and apps based on their personal data.
Penalties for Non-compliance With the UCPA
Violators of the UCPA can expect to pay fines of up to $7,500 and actual damages in some cases.
The Utah attorney general is in charge of enforcing UCPA compliance and administering penalties. Additionally, the Division of Consumer Protection administers consumer complaints. It’s also responsible for investigating alleged violations.
If the agency finds that a business has violated the UCPA, it refers the violation to the attorney general for further action. In turn, the attorney general sends the violator a written notice to inform them of their violation.
Any violating business is allowed a 30-day cure period, during which they must fix the violation. Once fixed, they’ll be required to provide the attorney general with a statement detailing the fix they’ve made to ensure that there aren’t any future issues.
The attorney general will only take punitive actions if the violator fails to deal with the violation accordingly or continues to violate the regulation.
UCPA vs. CCPA: What’s Different Between the Two?
The California Consumer Privacy Act (CCPA) was the first privacy law to be enacted in the US. It created a foundation for the other data privacy laws that followed it.
While both laws are quite similar, they do have a couple of key differences, from the compliance requirements to the private right to action.
Let’s take a look at their differences:
Who the Regulation Applies To
Both regulations apply to companies that are located in the respective states (Utah or California) or target their products or services at the residents of the respective states.
For your business to be obligated to comply with Utah’s UCPA, it must have a minimum annual revenue of $25 million. It must also process the data of at least 100,000 Utah consumers or at least 25,000 Utah consumers if 50% of its revenue is generated from the sale of data.
For your business to be obligated to comply with California’s CCPA, it has to meet only one of three thresholds. It must generate an annual revenue of at least 25 million, handle the data of at least 50,000 consumers, or generate over 50% of its annual revenue from selling consumers’ personal data.
The most important difference is that businesses under the CCPA must meet at least one threshold, while those under the UCPA need to meet all requirements.
Fines for Violation
The state’s respective attorney general is in charge of enforcing compliance with both laws. However, unlike the UCPA, the CCPA does allow private lawsuits, meaning that consumers can file lawsuits against businesses.
UCPA violators can find themselves paying fines of up to $7,500 and actual damages, while violators of the CCPA could find themselves paying fines of up to $2,500 per unintentional violation or up to $7,500 per intentional violation.
Both the CCPA and UCPA give violators a 30-day cure period, during which the attorney general allows them to correct the violations. The attorney general only levies fines if the business hasn't corrected the violations or continues violating the privacy acts after the cure period lapses.
Consumer Privacy Rights
Under the UCPA, consumers have a right to opt out of the processing of their personal data, but they don’t have to consent to the processing of their data. Under the CCPA, consumers have to consent to the processing of their sensitive data and have a right to opt out of data processing.
Both regulations allow consumers to opt out of the processing of their data for sale or targeted advertising. However, only the CCPA allows consumers to opt out of the use of their data for profiling. Unlike the UCPA, which only considers monetary transactions as sales, sales can be non-monetary under the CCPA.
While the CCPA allows consumers to correct their data, the UCPA doesn’t give consumers this right. This means that businesses aren’t obligated to change the specifics of a consumer’s data, such as their address, upon their request.
The CCPA allows California residents to appeal the denial of their requests by controllers. On the other hand, Utah residents can’t appeal denials to any of their requests.
Finally, the CCPA has set some strict requirements for the acceptable methods controllers can use to receive consumer requests, while the UCPA allows controllers to pick the most appropriate method.
Contracts Between Controller and Processor
Both the UCPA and CCPA have similar requirements for contracts between processors and controllers. The contracts need to outline the type of data being collected, the purpose of data collection, and the obligations of all parties involved.
One key difference between the two is that the CCPA allows controllers to conduct audits on the processor’s security measures.
Summary & Final Thoughts
If the Utah Consumer Privacy Act applies to your business, you’ll be required to start preparing for compliance before the December 31, 2023 deadline. You’ll need to review your third-party contracts, write an appropriate privacy notice, and review your security practices. In most cases, if you’re compliant with other regulations like the CCPA, complying with the UCPA will be quite easy.
Launching, managing, and scaling your compliance efforts is effortless with Enzuzo. Our platform can help you tick multiple tasks off your checklist, from customizing your legal policy document to helping you create cookie consent banners. Try out our platform today to maintain compliance with the UCPA and other privacy regulations.
Osman is the content lead at Enzuzo. He has a background in data privacy management via a two-year role at ExpressVPN and extensive freelance work with cybersecurity and blockchain companies. Osman also holds an MBA from the Toronto Metropolitan University.