The Utah Consumer Privacy Act

The Utah Consumer Privacy Act (UCPA) was signed into law by Governor Spencer Cox on March 24th, 2022, joining a growing list of U.S. states with comprehensive consumer privacy laws.

California, Colorado, and Virginia have all passed similar privacy laws, and several other states are in the process of passing privacy legislation.

This article takes a closer look at the UCPA, discussing what it is, who it applies to, who is exempt from the law, and how your business can ensure compliance in order to avoid penalties and fees.

What is the Utah Consumer Privacy Act (UCPA)?

The UCPA was created to protect consumers' privacy rights by giving Utah residents the right to access, change, or delete their personal data at will.

It also grants consumers the right to data portability, the right to opt out of some types of processing, and the right to opt out of the sale of their personal data.

What is Data Portability?

Data portability is the ability to move data from one platform to another. In order to move data freely, it must be saved in a secure and common format, and must be easily accessible.

The right to data portability means that if a consumer requests access to their personal data from a business that has collected it, then the business must provide the information in a safe and accessible format.

Who Does the Utah Consumer Privacy Act (UCPA) Apply to?

The UCPA applies to any data controller or processor that either does business within the state of Utah or produces a product or service that is designed to be used by residents of Utah and has an annual revenue of over $25,000,000.

Businesses must also control or process the personal data of 100,000 or more consumers each year or get more than half of their gross revenue from selling personal data and control or process the personal data of at least 25,000 consumers.

What is Personal Data?

Personal data is any information that can be used on its own, or combined with other pieces of data to identify an individual. It can include but is not limited to names, addresses, ID numbers such as Social Security or driver's license numbers, geolocation, and biometric information such as fingerprints, voice patterns, or iris scans.

Personal data does not include deidentified data, aggregated data, or information that is publicly available.

Deidentified data is information that has been altered to remove characteristics that can be used to identify an individual.

Aggregated data is data from a group of consumers that does not include the identities of any of the consumers and cannot be linked to any individual consumer.

What is Data Processing?

Data processing is the act of collecting, storing, using, transmitting, disseminating, or destroying personal data.

What is a Data Controller or Processor?

A data controller is any individual or organization that decides why and how to collect personal data from consumers.

A data processor is any third-party entity that processes consumer's personal data on the behalf of a data controller. Data processors might include larger companies such as Google Analytics, smaller marketing research agencies, or individuals who collect, manage, use, disclose, or delete personal data.

Exceptions to the Law

The Utah Consumer Privacy Act does not apply to the following entities:

• Any government entities or third party entities working on behalf of the government to manage employee data
• Tribes
• Air carriers
• Nonprofits
• Higher education institutions
• HIPAA covered entities and business associates
• Financial institutions
• Data under the rule of the Gramm-Leach-Bliley Act (define)
• Information regulated by the Family Educational Rights and Privacy Act (define)

The UCPA defines the sale of personal data as an exchange made for money. Any data exchanged for anything other than monetary consideration does not count as a sale and does not fall under the authority of this law.

Disclosing personal data to third parties is not considered a sale, as long as the purpose of the disclosure is in line with the consumer's expectations of how their data is to be used.

The law requires data controllers to give consumers the right to opt-out of having their sensitive data processed, unless that data reveals a person's racial or ethnic origin and is processed by a video communication service, or if the information is being processed by a licensed health care provider.

What the Utah Consumer Privacy Act (UCPA) Requires

The UCPA requires that data controllers inform consumers when they are processing sensitive information and give them the chance to opt out. Under this law, data controllers are required to allow consumers to opt out of the sale of their personal information or targeted advertising based on the collection of their data. It calls for businesses to keep the personal data they collect secure, and tell consumers how they plan to use the data they collect.

The Utah Consumer Privacy Act gives consumers the right to know what personal data a business collects from them, how the business uses that data, and if the business sells the data. The law also requires businesses to respond to consumer requests to delete or stop selling their personal data.

How to Comply With the Utah Consumer Privacy Act (UCPA)

The UCPA goes into effect on December 31st, 2023. If you are a data controller or processor who falls under the jurisdiction of the UCPA, then you should take steps to make sure that you are in compliance with the law no later than December 31st, 2023.

As a data controller, if you receive communication from a consumer asking for information about their data or requesting that an action concerning their data be taken, you have 45 days from the time that you receive the request to take action and inform the consumer what kind of action has been taken.

You can extend the 45 day period by another 45 day period as needed as long as you inform the consumer about the length of and reasons for the extension.

You can charge a fee if the consumer makes more than one request within a 12-month time period, or if the request causes undue burden on your business.

Responsibilities for Data Processors

Data processors should help data controllers keep the personal information they collect secure and confidential, and should enter a contract with data controllers that outlines the instructions for, purpose of, and type of data being processed, as well as each party's rights and obligations.

Responsibilities for Data Collectors

A data controller should provide a privacy notice to consumers that describes:

• The types of data being processed
• Why the data is being processed
• How consumers can exercise their rights
• What kind of personal data is shared with third parties

The data controller should also inform consumers if the information being collected will be sold to third parties or used for targeted advertising, in which case consumers need to be given the ability to opt out.

Data controllers need to have effective security practices in place in order to keep the data they process confidential. They must first give consumers the option to opt out before processing sensitive data. Sensitive data includes an individual's racial or ethnic origin, religious beliefs, sexual orientation, citizenship status, immigration status, biometric data, geolocation data, and medical history information.

The following are a few simple steps you can take to stay in compliance with the Utah Consumer Privacy Act.

Check if Your Business is Subject to the Utah Consumer Privacy Act

If your business processes personal data from residents of Utah, or if it provides services or products marketed to residents of Utah and makes over $25,000,000 annually, then the UCPA applies to you.

Create a Comprehensive Privacy Policy

You may need to revise your Privacy Policy so that it reflects the changes required by the Utah Consumer Privacy Act. You will want to make sure that your Privacy Policy clearly outlines what kind of personal data you collect and what you do with it, as well as inform consumers whether you share any of the data you process with third parties.

Consumers should also be made aware of how they can exercise their rights. It's a good idea to include specific contact information and directions for how to make requests concerning consumer's personal data within your Privacy Policy.

Facebook's Privacy Policy lets consumers know that it is collecting personal information in order to provide products to its consumers. Facebook provides a link to consumers who want to learn how to access or delete their data, and describes the types of information it collects:

You will also want to make sure that you have security measures in place to ensure that the personal data you process is properly protected.

Make Sure Your Security Practices are Up to Date

You should have physical and digital security measures in place to protect the personal data you process. Employees should be trained to keep information secure and have signed confidentiality agreements.

The Data Privacy and Platform Security clause of Tinder's Safety and Policy Center informs consumers that it uses encryption and other tools to keep user communications and data safe. Tinder lets consumers know that it doesn't sell any data to third parties. It also includes a link that consumers can follow to request access to their data, and lets them know that it does not share the specifics of its security process.

An important part of staying in compliance with the Utah Consumer Privacy Act is making sure that consumers are given a simple and direct method for opting out of data processing, which we will go over next.

Give Consumers the Ability to Opt Out of Data Processing

Any time your business sells the personal data you collect to a third party, uses the data for targeted advertising, or processes sensitive information, you need to provide consumers with a clear and easily accessible opportunity to opt-out of data processing.

AAA's Privacy Policy for the state of Utah includes a clause that lets consumers know that they have the right to opt out of the sale of their personal information. It instructs consumers how to exercise that right, and further informs them of how they can opt back in if they so desire:

You will also want to make sure that you create a process for responding to consumer requests pertaining to their data.

Have a System in Place for Responding to Consumer Requests

You may need to train existing employees, hire new employees, or employ a secure automated system for tracking and responding to all consumer requests for information about or access to their personal data, as well as any requests to delete their stored information.

Intuit provides several links for consumers who have questions about its Privacy Statement and practices, as well as a link to a dispute resolution provider and international communication channels:

It's important to take the necessary steps to stay in compliance with the UCPA before December 31st, 2023. Otherwise, you run the risk of amassing fines.

Penalties For Non-Compliance with the Utah Consumer Privacy Act (UCPA)

Utah's Attorney General has the power to enforce the Utah Consumer Privacy Act. If a data controller or processor is suspected to be in violation of the UCPA, then the law calls for the Attorney General to provide the business with a written notice to give it the opportunity to cure the violation.

The business then has 30 days within receiving the notice to make sure that it is in compliance with the law. If the violation is not cured, the business may be fined up to $7,500 per violation, and will be held responsible for any damages incurred by the consumer due to the violation(s).

Summary

The Utah Consumer Privacy Act was created to protect Utah residents' privacy rights. It applies to any businesses that process personal data belonging to consumers in Utah, or to businesses that target consumers in Utah and make over $25,000,000 annually, and who either process data from over 100,000 consumers each year or make more than half of their annual revenue from selling personal data from at least 25,000 consumers.

The UCPA does not apply to certain entities, such as nonprofits, and financial and higher education institutions.

The law requires data controllers and processors to give consumers the choice to opt-out of the sale of their personal data to third parties, and to disclose how they use the personal data that they collect.

In order to guarantee compliance with the Utah Consumer Privacy Act, you should follow these steps:

• Make sure your business meets the jurisdictional threshold of the UCPA
• Maintain a comprehensive Privacy Policy
• Keep the data you process secure
• Let consumers know how they can opt out
• Create a system for responding to consumer requests

Penalties for non-compliance include fines of up to $7,500 per violation.

All US Privacy Laws

Want to read more about privacy laws in the USA? Start here: