Countdown to the Utah Consumer Privacy Act: What you must know
On March 24, 2022, Governor Spencer Cox signed the Utah Consumer Privacy Act (UCPA), making Utah the fourth state to introduce a consumer privacy law. It was preceded by California, Virginia and Colorado.
Carrie Roberts, Head of Global Sales at Ground Labs, welcomes the enforcement of the new bill.
“As a resident of Utah I am thrilled that the UCPA bill passed in 2022 is now going into effect for residents of Utah. This bill requires companies who collect personal data to be responsible for the protection and privacy of that data. It also empowers the residents of Utah with new data rights that give them greater control of their information. Businesses must take ownership to protect, manage, and as needed remove, personal data of consumers.”
Time is running out for businesses to comply with the new legislation, which comes into force on December 31, 2023.
Who needs to comply
The UCPA applies to controllers and processors with an annual revenue of $25m or more that conduct business in the state or target their products and services to state residents.
The law applies only if these criteria are met and the entity also handles the personal data of more than 100,000 consumers, or derives over 50% of its revenue from processing personal data.
Controllers are the individuals and organizations who determine the purposes for and methods by which personal data is processed. Processors are individuals or organizations that process personal data on behalf of a controller.
These requirements limit the scope of the UCPA compared to the Virginia Consumer Data Protection Act (VCDPA), which doesn’t include the revenue threshold.
Some important definitions
The law only applies to consumer personal data. Under the UCPA, a consumer is defined as “an individual who is a resident of the state acting in an individual or household context.” It excludes personal data of individuals “acting in an employment or commercial context,” mirroring the VCDPA and the Colorado Privacy Act (CPA).
“Personal data” under the act excludes deidentified data and publicly available information, as well as “aggregated data.” Aggregated data is anonymized information that relates to a group that is not “linked or reasonably linkable to any consumer.”
Taken together, these definitions mean that more data falls outside the scope of the UCPA than under its state peers.
Consumer data rights
The UCPA aims to protect consumers' right to privacy and grants them four main data rights, following the principles of similar state legislation.
- Right to access — Consumers have the right to access information held about them.
- Right to delete — Consumers can request that their data is deleted.
- Right to portability — Consumers must be able to obtain and/or transfer their personal information to another entity in a readily usable format.
- Right to opt out — Consumers have the right to opt out of data collection for the purposes of targeted advertising or sale, although this excludes the right to opt out of profiling.
How to comply
The new law requires individuals and organizations in scope of the legislation to fulfill several obligations. They must:
- Provide consumers with a “reasonably accessible and clear privacy notice,” which should include the categories of data processed, the purpose for processing, how consumers can exercise their rights and any data shared with third parties.
- Comply with the Children’s Online Privacy Protection Act (COPPA) and obtain parental consent when processing the personal data of individuals under the age of 13.
- Ensure that they do not discriminate against consumers who exercise their data rights under the new act.
- Respond to consumer requests to exercise their rights under the UCPA within 45 days. This can be extended by up to an additional 45 days by giving notice to the consumer.
- Implement and maintain data security controls, including administrative, technical and physical measures to protect the data.
- Establish data processing contracts with third parties; unlike similar legislation, however, the UCPA does not require data protection risk assessments.
Non-compliance may result in damages and fines of up to $7,500 per violation and enforcement action from the state attorney general.
Where you should start
The most important first step for businesses in scope of the new act is to identify the information they have that relates to residents of Utah. Once they understand the personal data they hold, they can take steps to protect it.
Ground Labs’ Enterprise Recon simplifies this step by automating discovery, enabling rapid identification and remediation of more than 300 personal data types across on-premises and cloud-based systems.
To find out how Enterprise Recon can simplify your compliance efforts, book a call with one of our experts today.