Utah Governor Spencer J. Cox signed the Utah Consumer Privacy Act (UCPA) into law in March 2022. Utah thereby became only the fourth US state to have its own data protection law, after Colorado, Virginia, and California.
The UCPA is considered much closer to Virginia’s VCDPA than to California’s CCPA, as it is the more business-friendly of the two models. This is primarily because it imposes no requirements for data protection assessments, cybersecurity audits, or risk assessments.
That does not mean, however, that it compromises consumers’ data privacy or their rights. Strict obligations are placed on all data processors and controllers to ensure users’ rights are respected at all times.
Compliance with the UCPA should not prove too difficult for organizations willing to put appropriate data protection mechanisms in place, keeping consumers’ data safe without compromising their browsing experience.
Consumer Rights Under UCPA
Like the GDPR and every other major US data protection law, the UCPA affords consumers certain rights over their data and how they interact with websites, known as consumer rights.
These rights, as prescribed by the UCPA, include the following:
- Right to Access Their Data – All consumers have the right to access all the data that has been collected on them by a data processor or controller;
- Right to Delete Their Data – All consumers have the right to delete all the data that may have been collected on them by a data processor or controller;
- Right to Copy Their Data – All consumers have the right to make a copy of all data collected on them by a data processor or controller in a feasible, portable, practical, and usable manner;
- Right to Opt-Out of Data Processing – All consumers have a right to request opting out of any future data processing activities carried out by a data processor or controller meant for targeted advertising.
All data processors and controllers must respond to a consumer exercising any of these rights within 45 days, with an additional 45 days allowed if the completion of a consumer’s request may take more time than usual.
A data processor or controller cannot charge a consumer a fee for seeking information about any of their data. However, they may charge a fee for second or repeated requests.
Who Needs To Comply With the Utah Consumer Privacy Act?
The UCPA covers both data controllers and data processors that collect or handle data on behalf of controllers.
The UCPA applies to data processors and controllers that have annual gross revenue in excess of $25 million and either:
- Process the data of at least 100,000 consumers annually;
- Derive 25% of their annual gross revenue from selling or sharing consumer data.
However, there are various exemptions for organizations. Any organization that falls under the following categories is exempt from having to adhere to the UCPA:
- Financial institutions subject to the GLBA;
- Higher education institutions;
- Entities and business associates covered by the HIPAA;
- Government organizations;
- Data regulated by the Fair Credit Reporting Act (FCRA);
- Data regulated by the Driver’s Privacy Protection Act (DPPA);
- Data regulated by the Farm Credit Act (FCA);
- Data regulated by the Family Educational Rights and Privacy Act (FERPA).
Obligations Under the Utah Consumer Privacy Act
Like most other data protection laws, the UCPA thoroughly lays down the responsibilities and obligations of all data processors and controllers. Meeting these obligations is necessary to achieve UCPA compliance and to ensure that an organization has its data processing activities in order.
Some of the most important obligations for organizations under the UCPA include the following:
- Potent Security Measures in Place
Data processors and controllers must show that they have put in place reasonable administrative, technical, and physical data security measures to protect consumers’ data. These measures should safeguard any data collected.
Moreover, an organization’s security measures should be appropriate to the size, scope, and scale of the activities carried out by the data processor or controller.
- Purpose Specification
Data processors and controllers cannot collect any data they wish. There has to be an unambiguous rationale behind the collection of specific data, and this rationale must be explained to consumers in a detailed privacy policy that contains the following:
  - Categories of data collected.
  - The purpose of their collection.
  - How consumers can exercise their rights.
  - Whether consumers’ data is shared with third parties.
  - Categories of third parties consumers’ data may be shared with.
- Non-Discriminatory Performance of Services
This is one thing that differentiates the modern browsing experience from the one that existed before data protection laws. No website can deny consumers a service online if they choose to exercise one of their rights or refuse to have their data collected.
However, websites can offer special discounts or prices to encourage consumers to give this consent of their own free will.
- Notifications Related to Sensitive Personal Information
Similar to other data protection laws in the United States, sensitive personal information has to be handled differently to ensure it is only collected when necessary and with the consumer’s explicit consent.
Since the UCPA employs an opt-out consent model, the data processor or controller must duly inform the user that such data is being collected and allow them to opt out of sharing it.
Who Enforces the Utah Consumer Privacy Act?
This may very well be the most important and peculiar aspect of the UCPA. Unlike the other data privacy laws in the US or anywhere else globally, the UCPA’s enforcement responsibilities are “shared”.
They are shared in the sense that the Utah Attorney General’s Office enforces the law when it comes to investigating and fining potential violations of the law by organizations. However, the Utah Department of Commerce Division of Consumer Protection (the Division) is responsible for actually receiving and responding to customer complaints related to their UCPA-mandated rights being violated.
When a customer files a complaint, the Division investigates whether there is “reasonable cause to believe that substantial evidence exists” that an organization has violated the UCPA. If so, it refers the matter to the Utah Attorney General’s office.
The Attorney General’s office can then notify the data processor or controller of the violation and provide them with a 30-day period to rectify the matter to the complainant’s satisfaction. However, the Attorney General’s office can still fine an organization found in violation of the statute up to $7,500 during these 30 days.
Both the Division and the Attorney General’s office are required to submit a detailed enforcement report to the Business and Labor Interim Committee by July 1, 2025, indicating how they wish to share future enforcement responsibilities and details on their past collaborative efforts.