Utah Consumer Privacy Act (UCPA): A Quick Guide

Utah Consumer Privacy Act (UCPA)  is comprehensive privacy legislation enacted by the State of Utah in the United States of America. It is the fourth state to pass privacy legislation following California, Virginia, and Colorado. UCPA is a very light, extensive, and business-friendly piece of legislation. It is similar to the Virginia Consumer Data Protection Act (VCDPA) and some extent the Colorado Privacy Act. Utah was signed into law on 24th March 2022.

Effective date: December 31, 2023

Law text: Utah-2022-SB0227

UCPA is privacy legislation that intends to protect consumers’ personal data. It aims for substantial control over data privacy and gives the consumer, tools to protect their privacy and control the usage of their personal data.

Like any other privacy legislation, UCPA also provides consumers with several rights concerning their personal data being used in the data processing. 

UCPA defines the term “Consumer” as an individual who is a resident of the state acting as an individual or on behalf of a household. However, it is clear-cut stated in the UCPA that the persons belonging to a commercial or an employment context do not come under the definition of a ‘Consumer”. UCPA seeks to make the contract between the controllers and processors also mandatory. It is required that there should be a contract establishing a relationship that includes details, instructions, and steps as to data processing. 

Furthermore, UCPA aims at protecting children’s data (consumers under the age of 13). It makes parental consent mandatory for such data and the consent so obtained is required to be verifiable.

Who does UCPA apply to? 

It is to be noted that every business that processes personal data are not covered under the UCPA. A small business will not come under the purview of this legislation. This legislation makes the “Controllers” and “Processors” liable if their business falls into these criteria cited below:

• The business operates in or deals with consumers from Utah. That is the product and services of the business target the consumers of Utah.
• The business has an actual revenue of $25 Million.
• It should also meet one of the following additional thresholds:
  • it processes the personal data of more than 100,000 consumers in Utah, or
  • 50% of the business’s gross revenue is generated through the selling of personal data of consumers in Utah.

UCPA creates both financial thresholds as well as thresholds relating to the volume of the data processed. Thus, making it have a narrow scope than the other State Privacy Laws. Further, entities exempted from UCPA  include non-profits, institutions imparting higher education, covered entities under HIPAA and so on.

“Personal data” is defined as “information that is linked or reasonably linkable to an identified or identifiable individual”. Further, UCPA explicitly holds that personal data does not contain de-identified data or data available to the public. 

Personal data also does not include “aggregated data” as per UCPA. Aggregated data means that data belongs to a group of consumers and from such data, an individual consumer’s identity cannot be linked or the consumer’s identity has been removed.

Other excluded data and entities consist of

• Institutions of higher education
• Health Insurance Portability and Accountability Act (HIPAA) Data
• Financial institutions and data subject to Gramm-Leach-Bliley Act (“GLBA”)
• Data subject to the Fair Credit Reporting Act (FCRA)
• Non-Profits

What are the data subject rights in UCPA? 

• Right to know and access the personal data that is being processed
• Right to obtain copies of personal data in a technically feasible and portable format and 
• Right to delete personal data
• Right to opt-out of the sale of personal data (if a third party is involved) and targeted ads,

However, these rights are not limitless. There are certain exemptions to various categories of data, data- processors, and controllers. 

UCPA mandates a quick response system to aid consumers. The controllers are obliged to respond to consumer requests within the set period of 45 days. 

Let’s look at a few key points under the Act:

Privacy notice 

UCPA requires the controllers and processors to adopt transparency in their data processing activities. It makes the controllers and processors accountable to provide privacy notices. These privacy notices are to be made in a clear, unambiguous and are to be made available to the consumers. The contents of the privacy notice include

• Categories of the personal data involved in the data processing
• Purpose of the data processing
• Rights of the consumers and ways to exercise and implement them.
• The information relating to third-party involvement is to be made available. If any third parties are involved, the same must be clearly expressed.
• A clear notice and opportunity for the consumers to opt-out.

Security

The controllers and processors must ensure security on all levels of data processing activities. It must implement and practice administrative, physical and technical data security practices. 

Responsiveness

The UCPA requires the controller to act quickly and respond to consumer requests within a span of 45 days if no exemptions apply. If required, the controller may reasonably extend the response period and gather additional 45 days. The consumer must be given notice as to such extension and it must state the reasons for the extension.

Non-discrimination

The UCPA holds that  “ a controller” or “a processor” must not discriminate against any consumer by neglecting any kind of goods and services, or charge a different price, or providing the consumer with a product or service different in its quality.

Consent

UCPA requires the controllers to acquire parental consent in case the personal data involve children below the age of 13. This parental consent must be verifiable. Children’s personal data is the only data that require affirmative consent and is to be obtained by the controllers and processors before the processing.

Consent for sensitive data is not needed. The controllers can process sensitive data without the consent of the consumers but the consumers can opt-out if they don’t want their personal data to be processed. 

• Create awareness in the workplace and implement data security on all levels including technical, administrative, and physical.
• Update Privacy Notice and promote transparency and accessibility.
• A proper consent management system is to be adopted.

• Provide consumers with the choice of opting out
• Ensure that procedures are adopted to protect the consumer’s rights.
• Ensure that the consumer requests are acknowledged and completed within a reasonable time. Create a system that engages in responding to consumer requests in a feasible manner.
• Review if any children’s personal data is involved and acquire verifiable parental consent. 
• Implement proper mechanisms for collecting sensitive information and informing the same to the consumers. Further, providing an option for opting out from processing sensitive data must also be introduced

As per UCPA, the enforcement mechanism takes place on several levels. This law does not provide an individual, with his right of action. As per the UCPA, the Division of Consumer Protection has been allotted the task of managing a system to collect consumer complaints. The Division is also empowered to investigate and if the alleged data privacy violation has merit, a referral is forwarded to the Attorney General. If the attorney general decides on taking action then the office must send a notice to that effect to the controller or processor. The controller and processor need to correct or cure the violation and provide an express written statement stating that this will not occur again. 

What happens if the controller continues to violate the provisions of UCPA?

If the controller continues to violate the provisions of UCPA, even after giving an express written statement, the attorney general may proceed in taking enforcement action against the controller. This may include fines up to $7,500.

Here is a quick look at comparisons between Utah privacy law and its counterparts in California and Virginia:

Does Utah Consumer Privacy Act apply to employees? 

No, Utah privacy law does not apply to employees. UCPA is only applicable to consumers. A Consumer means an individual who is a resident of the state acting as an individual or on behalf of a household.

What are the penalties for violating UCPA?

The controller and processor need to correct or cure the violation and provide an express written statement stating that this will not occur again. If the controller continues to violate the provisions of UCPA, even after giving an express written statement, he will be fined up to $7,500 by the Attorney General.

Who is a controller under the UCPA?

Controllers are defined as entities involved in the business that determine the means and purpose of the data processing.

Does Utah have privacy laws?

Yes. Utah is the fourth state in the United States to pass a comprehensive privacy law protecting consumers. This data privacy law for consumers was passed on 24th March 2022 and will come into force by 31st December 2022

What is the Utah consumer Privacy Act?

Utah Consumer Privacy Act or UCPA is privacy legislation that intends to protect consumers’ personal data. It aims for substantial control over data privacy and gives the consumer, tools to protect their privacy and control the usage of their personal data.

What states have their own privacy laws?

California, Colorado, Connecticut, Utah, and Virginia are the states which have enacted comprehensive consumer data privacy laws.

What states have cookie laws?

There is no specific cookie law enacted anywhere in the United States. But, state laws like California Consumer Protection Act, Virginia Consumer Data Protection Act, and so on consider cookies as personal data. Therefore, their regulations on using personal data apply to cookie usage as well.