The Utah Consumer Privacy Act (UCPA)
The UCPA took effect in December 2023 and is a variation of the stalled Washington Privacy Act model. Compared to other state consumer privacy laws, the UCPA leans business-friendly.
What You Need to Know About Utah’s Privacy Law
The UCPA applies to you if your business:
- Is for-profit and conducts business in or provides commercial products or services that are targeted to residents (“consumers”) in Utah, and
- Has an annual revenue of at least $25 million, and
- Annually either:
  - Controls or processes personal information of 100,000 residents; or
  - Controls or processes personal information of at least 25,000 consumers and derives more than 50% of gross revenue from the sale of personal information.
Similar to other state consumer privacy laws, the UCPA exempts both certain data types and certain entities entirely and does not apply to individuals acting in an employment or commercial (B2B) context.
Exempt Data: The UCPA exempts many different types of data from coverage under the law, including but not limited to:
- Protected Health Information (PHI) under HIPAA;
- Various federally and internationally protected health and patient information, including that protected by the Common Rule, human subject data, and more;
- Various forms of credit reporting data regulated by the Fair Credit Reporting Act;
- Data covered by a variety of other federal laws including FERPA, the Farm Credit Act, the DPPA, and the Gramm-Leach-Bliley Act.
Exempt Entities: The UCPA also exempts many different types of entities from coverage, including but not limited to:
- Non-profits;
- The state government and its various entities;
- Higher Education Institutions;
- Air Carriers;
- GLBA covered entities;
- HIPAA covered entities and business associates;
- Tribal nation governments.
Note that the UCPA does not require entities to conduct Data Protection Assessments for any type of data processing activity.
Key Components of Utah’s Data Privacy Law
Personal information, called “personal data” in the UCPA, is defined as any information that is linked or reasonably linkable to an identified or identifiable natural person. “Personal data” does not include de-identified data, aggregated data, or publicly available information.
Where a controller processes de-identified data, the UCPA requires it to take reasonable measures to ensure the data cannot be associated with an individual; publicly commit to maintaining such data without an attempt to re-identify it; and contractually obligate any recipients of the data to comply with the UCPA.
Utah also exempts pseudonymous data where the controller can show that it keeps the information that would allow the data to be re-identified separate, and subject to technical and organizational controls that prevent access to that information for re-identification.
Utah’s definition of sensitive personal information consists of:
- Racial or ethnic origin (with exceptions);
- Religious beliefs;
- Information regarding an individual’s medical history, mental or physical health condition, or medical treatment or diagnosis by a health care professional;
- Sexual orientation;
- Citizenship or immigration status;
- Specific geolocation data (with exceptions);
- Genetic or biometric data.
Is consent required to process sensitive personal information? In a word: No! The UCPA grants Utah consumers the right to opt out of the processing of their sensitive personal information, as opposed to requiring consent. However, the law also requires that the controller provide the consumer with clear notice and an opportunity to opt out prior to processing the information.
Parental consent is required to process personal information from a known child (under 13) in accordance with COPPA.
Under the UCPA, a privacy notice must include:
- The categories of personal data processed;
- The purpose for processing personal data;
- The categories of third parties with which personal data is shared;
- The categories of personal data that are shared with third parties;
- The methods for a consumer to exercise their rights (see below).
Utah defines “sale” as the exchange of personal data for monetary consideration by the controller to a third party.
There are limits on the “sale” of personal information to ensure that certain business functions are not unintentionally impeded by this law. Activities deemed not to be a sale include: the disclosure of personal information to a processor; disclosure as directed by the consumer; disclosure as part of a merger or bankruptcy; disclosure to provide a product or service requested by the consumer; or the disclosure of personal data that the consumer has intentionally made available to the public.
The Attorney General (AG) is the sole enforcement authority for the UCPA. Under the UCPA, the AG may bring an enforcement action after providing 30 days’ notice and an opportunity for the business to cure the alleged violation(s). Actions can be brought that seek civil penalties, with fines of up to $7,500 for each violation.
Privacy Rights
The UCPA provides Utah residents privacy rights similar to those provided under most state laws, including:
- Right to know whether a business is processing your personal information;
- Right to access personal information;
- Right to delete personal information collected from the consumer;
- Right to obtain a copy of personal information (data portability); and
- Right to opt out of the sale of personal information or its processing for targeted advertising.
The UCPA requires that businesses respond to individual rights requests within 45 days of receipt of the request, with a permissible 45-day extension in limited circumstances. Responses must be provided free of charge once per 12 months. Businesses may deny a rights request in certain circumstances. When a business denies a request, the business must notify the consumer within the 45-day timeframe and provide the reason for the denial.
Privacy Impact Assessments
Unlike many other state laws, the UCPA does not require Privacy Impact Assessments.
Vendor Contracts
Like most other state consumer privacy laws, Utah requires a contract that dictates how processors (also called service providers or vendors) may process personal information. Contracts must set out instructions for processing data, the nature and purpose of processing, the type of data subject to processing, and the duration of processing, and must specify the rights and obligations of both parties. In addition, the contract must require that the processor:
- Employs appropriate security measures;
- Ensures that each person who processes personal data is subject to a duty of confidentiality; and
- Passes along the same obligations to any subcontractors in a written contract.
Data Privacy is Just Good Business
Managing privacy compliance with all of the new state privacy laws popping up in the U.S. might seem like a daunting task. But just because the task appears daunting doesn’t mean it’s impossible to handle.
You don’t have to go at it alone! With the right support, you can make data privacy measures a sustainable part of your daily operations. That’s where Red Clover Advisors comes in – to deliver practical, actionable, business-friendly privacy strategies to help you achieve data privacy compliance and establish yourself as a consumer-friendly privacy champion that customers will appreciate.