Last updated on 12 August 2022 by Cara Hartley (Legal writer at TermsFeed)
The Utah Consumer Privacy Act (UCPA) was signed into law by Governor Spencer Cox on March 24th, 2022, joining a growing list of U.S. states with comprehensive consumer privacy laws.
This article takes a closer look at the UCPA, discussing what it is, who it applies to, who is exempt from the law, and how your business can ensure compliance in order to avoid penalties.
The UCPA was created to protect consumers' privacy rights by giving Utah residents the right to confirm whether a business is processing their personal data, to access that data, and to have it deleted. Unlike the Virginia, Colorado, and Connecticut laws, it does not include a right to correct inaccurate data.
It also grants consumers the right to data portability and the right to opt out of two kinds of processing: the sale of their personal data and processing for targeted advertising.
Data portability is the ability to move data from one platform to another. For that to work in practice, the data has to be provided in a common, machine-readable format that the consumer can actually use and pass on.
Under the UCPA, the right to data portability means that when a consumer requests a copy of the personal data a business holds about them, the business must provide it in a format that is portable and readily usable (to the extent technically feasible) and that lets the consumer transmit it to another controller without impediment.
The UCPA applies to any data controller or processor that meets all three of the following conditions: it conducts business in Utah or produces a product or service targeted to Utah residents; it has annual revenue of $25,000,000 or more; and, during a calendar year, it either controls or processes the personal data of 100,000 or more consumers, or derives more than 50% of its gross revenue from the sale of personal data and controls or processes the personal data of 25,000 or more consumers.
Personal data is any information that can be used on its own, or combined with other pieces of data to identify an individual. It can include but is not limited to names, addresses, ID numbers such as Social Security or driver's license numbers, geolocation, and biometric information such as fingerprints, voice patterns, or iris scans.
Personal data does not include deidentified data, aggregated data, or information that is publicly available.
Deidentified data is information that has been altered to remove characteristics that can be used to identify an individual.
Aggregated data is data from a group of consumers that does not include the identities of any of the consumers and cannot be linked to any individual consumer.
Data processing is the act of collecting, storing, using, transmitting, disseminating, or destroying personal data.
A data controller is any individual or organization that decides why and how to collect personal data from consumers.
A data processor is any third-party entity that processes consumers' personal data on behalf of a data controller. Data processors range from large service providers such as Google Analytics to small marketing research agencies or individuals who collect, store, use, disclose, or delete personal data for the controller.
The Utah Consumer Privacy Act does not apply to the following entities:
The UCPA defines a sale of personal data narrowly: the exchange of personal data for monetary consideration by a controller to a third party. An exchange for anything other than money is not a sale under this law, which is narrower than laws such as the CCPA that also count "other valuable consideration". Data exchanged without money is still personal data, however, and remains subject to the rest of the UCPA's requirements.
Disclosing personal data to a third party is also not a sale when the purpose of the disclosure is consistent with the consumer's reasonable expectations given the context in which they provided the data. Nor is sharing data with a processor or an affiliate, or transferring it as part of a merger or acquisition.
The law requires data controllers to give consumers clear notice and a chance to opt out before processing their sensitive data; for data about a known child, the controller must instead obtain parental consent in line with COPPA. Two carve-outs narrow what counts as sensitive data: information revealing racial or ethnic origin is not sensitive data when it is processed by a video communication service, and medical information is not sensitive data when it is processed by a licensed health care provider.
Controllers must also let consumers opt out of the sale of their personal data and of processing for targeted advertising. More generally, the law requires businesses to keep the personal data they collect secure and to tell consumers how they use it.
The Utah Consumer Privacy Act gives consumers the right to know what personal data a business collects from them, how the business uses that data, and if the business sells the data. The law also requires businesses to respond to consumer requests to delete or stop selling their personal data.
The UCPA takes effect on December 31, 2023. If you are a data controller or processor subject to the UCPA, you should have your compliance measures in place by that date.
As a data controller, if you receive a request from a consumer asking for information about their personal data or asking that an action be taken on it, you have 45 days from receiving the request to take action and inform the consumer of the action taken.
You can extend the 45-day period once by an additional 45 days where reasonably necessary (for example, because of the complexity or volume of requests), as long as you inform the consumer of the extension, including its length and the reasons for it.
You can charge a reasonable fee covering the administrative cost of a request if the consumer makes more than one request within a 12-month period, or if the request is excessive, repetitive, technically infeasible, or manifestly unfounded.
Data processors must help data controllers keep personal data secure and confidential, including assisting with security obligations and breach notification, and must operate under a contract with the controller that sets out the processing instructions, the nature and purpose of the processing, the type of data involved, the duration of processing, and each party's rights and obligations.
A data controller should provide a privacy notice to consumers that describes:
The data controller should also inform consumers if the information being collected will be sold to third parties or used for targeted advertising, in which case consumers need to be given the ability to opt out.
Data controllers need reasonable administrative, technical, and physical security practices to protect the confidentiality and integrity of the personal data they process. Before processing sensitive data, they must give consumers clear notice and the option to opt out. Sensitive data includes information revealing racial or ethnic origin, religious beliefs, sexual orientation, citizenship or immigration status, medical history or health condition, genetic or biometric data processed to identify a specific individual, and specific geolocation data.
The following are a few simple steps you can take to stay in compliance with the Utah Consumer Privacy Act.
If your business conducts business in Utah or targets products or services to Utah residents, has annual revenue of $25,000,000 or more, and meets one of the data-volume thresholds (personal data of 100,000 or more consumers, or more than half of gross revenue from selling personal data together with the data of 25,000 or more consumers), then the UCPA applies to you.
You will also want to make sure that you have security measures in place to ensure that the personal data you process is properly protected.
You should have physical and digital security measures in place to protect the personal data you process. Employees should be trained to keep information secure and have signed confidentiality agreements.
The Data Privacy and Platform Security clause of Tinder's Safety and Policy Center informs consumers that it uses encryption and other tools to keep user communications and data safe. Tinder lets consumers know that it doesn't sell any data to third parties. It also includes a link that consumers can follow to request access to their data, and lets them know that it does not share the specifics of its security process.
An important part of staying in compliance with the Utah Consumer Privacy Act is making sure that consumers are given a simple and direct method for opting out of data processing, which we will go over next.
Any time your business sells the personal data you collect to a third party, uses the data for targeted advertising, or processes sensitive information, you need to provide consumers with a clear and easily accessible opportunity to opt out of that processing.
You will also want to make sure that you create a process for responding to consumer requests pertaining to their data.
You may need to train existing employees, hire new employees, or employ a secure automated system for tracking and responding to all consumer requests for information about or access to their personal data, as well as any requests to delete their stored information.
Intuit provides several links for consumers who have questions about its Privacy Statement and practices, as well as a link to a dispute resolution provider and international communication channels:
It's important to take the necessary steps to stay in compliance with the UCPA before December 31st, 2023. Otherwise, you run the risk of amassing fines.
Utah's Attorney General has the power to enforce the Utah Consumer Privacy Act. If a data controller or processor is suspected to be in violation of the UCPA, then the law calls for the Attorney General to provide the business with a written notice to give it the opportunity to cure the violation.
The business then has 30 days from receiving the notice to cure the violation and give the Attorney General a written statement that it has done so. If the violation is not cured, the Attorney General may seek actual damages to the consumer and civil penalties of up to $7,500 per violation. The UCPA does not create a private right of action, so consumers cannot sue directly under it.
The Utah Consumer Privacy Act was created to protect Utah residents' privacy rights. It applies to businesses that conduct business in Utah or target Utah consumers, have annual revenue of $25,000,000 or more, and either process the personal data of 100,000 or more consumers in a calendar year or derive more than half of their gross revenue from selling personal data while processing the personal data of at least 25,000 consumers.
The UCPA does not apply to certain entities, such as nonprofits, and financial and higher education institutions.
The law requires data controllers to let consumers opt out of the sale of their personal data and of targeted advertising, and to disclose how they use the personal data that they collect.
In order to guarantee compliance with the Utah Consumer Privacy Act, you should follow these steps:
Penalties for non-compliance include fines of up to $7,500 per violation.
Want to read more about privacy laws in the USA? Start here:
| Law | Summary |
| --- | --- |
| COPPA: Children's Online Privacy Protection Act | Federal law that protects the privacy of children under 13 years of age when online or using a mobile app. |
| HIPAA: Health Insurance Portability and Accountability Act | Federal law that protects the privacy of individuals' health information. |
| California CCPA: California Consumer Privacy Act | California law that gives consumers many privacy rights while putting transparency obligations on businesses. |
| California CPRA: California Privacy Rights Act | California law that expands the CCPA and gives consumers additional rights. |
| Virginia CDPA: Virginia Consumer Data Protection Act | Virginia law that allows users to opt out of the sale of their personal data. |
| Maryland PIPA: Maryland Personal Information Protection Act | Maryland law that requires businesses to keep personal information private and secured. |
| Utah UCPA: Utah Consumer Privacy Act | Utah law that provides a range of consumer privacy rights, including the right to data portability. |
| Connecticut CTDPA: Connecticut's Act Concerning Personal Data Privacy and Online Monitoring | Connecticut law that places transparency requirements on businesses while granting consumers rights over their personal data. |
| Colorado CPA: Colorado Privacy Act | Colorado law that grants privacy rights to consumers while dictating how businesses can collect and process personal data. |
| Florida FPPA: Florida Privacy Protection Act | Florida law that lets consumers control how their personal data is used, while requiring businesses to be more transparent. |
This article is not a substitute for professional legal advice. This article does not create an attorney-client relationship, nor is it a solicitation to offer legal advice.