With the Beehive State joining the roster of state privacy regulations, it’s never been more important to be proactive about privacy.
Build your privacy reputation when you get compliance-ready for the Utah Consumer Privacy Act with Red Clover Advisors.
In 2016, the European Union passed the world’s first comprehensive data privacy law: the General Data Protection Regulation (GDPR), which applies to all businesses that operate in or collect information from EU residents, regardless of where they are located. The GDPR brought to light the lack of transparency and consent in many modern consumer data collection practices, causing a significant shift in how we approach data privacy.
Unlike the EU, there is no federal data privacy law in the United States. Instead, it’s currently up to individual states to pass laws that protect the collection and processing of consumer information—the first of which was the California Consumer Privacy Act (CCPA), followed by similar bills in Virginia, Colorado, Connecticut, and, of course, Utah.
On March 24, 2022, Utah became the fourth state to enact comprehensive privacy legislation, with the Utah Consumer Privacy Act (UCPA). This law—which closely resembles the Virginia Consumer Data Protection Act (VCDPA)—goes into effect on December 31, 2023.
In the meantime, it’s always good practice to be proactive about your company’s privacy program to ensure you can maintain compliance and protect your customers’ data privacy. With Red Clover Advisors, you can meet your legal obligations and customer expectations alike.
Get in touch today to get started.
Here are the key takeaways for businesses looking to prepare for UCPA:
The UCPA applies to entities that conduct business in OR produces a product or service that is targeted to consumers who are residents of Utah. Specifically, the entity must meet the following criteria during the preceding year:
Annual revenue of $25,000,000 or more AND During a calendar year, controls or processes
personal data of 100,000 or more consumers
OR
Derives over 50% of the entity’s gross revenue from the sale of personal data and controls
OR
Processes personal data of 25,000 or more consumers.
Consumers also have the right to avoid discrimination for exercising these rights provided by the UCPA.
(Unlike the CCPA, but similar to the VCDPA, there is no private right of action for consumers)
Privacy laws have the same basic objectives: to increase transparency, to ensure data security, and to enable consumer control over how their data is used online. This goal remains the same with UCPA.
According to the UCPA, businesses must have a clear privacy statement that informs customers of the following:
The UCPA further mandates that any data processing operations carried out by a third party must be governed by a contract between the data controller and data processor that complies with the principles set forth in a privacy policy, in line with comparable obligations in the VCDPA and CCPA.
However, in an effort to be more business-friendly, the UCPA doesn’t mandate that controllers conduct data protection assessments to identify vulnerabilities to the data being processed.
As required by the UCPA, businesses must follow adequate “administrative, technical, and physical data security policies” in order to “limit reasonably foreseeable risks of harm to consumers linked to the processing of personal data.”
Achieving compliance with this criterion won’t place an unreasonable burden on controllers because it is consistent with privacy best practices and other privacy regulations.
Businesses must implement efficient procedures that allow customers to opt out of having their information sold or processed for targeted advertising. Additionally, they must provide customers with a chance to refuse the collection of their sensitive information.
The UCPA also empowers businesses to impose fees if customers make requests that are “excessive, repetitive, technically infeasible, or clearly baseless” or submit requests more than once annually.
If you’re ready to prioritize privacy, drop us a line.
Businesses that are impacted by the UCPA have until December 31, 2023 to prepare. If you’ve already established policies and processes for meeting compliance requirements for other state privacy legislation, you’re already ahead of the game. If you haven’t, there’s no time like the present to find the right solutions for your business.
Compliance doesn’t have to be complicated. But if you wait too long, it will be.
Here are the top recommendations we share with our clients who are putting privacy at the top of their to-do lists.
Also known as a data inventory, a data map follows data records on their entire road trip through your business, from first collection all the way to when the data is deleted.
But data maps do more than providing a glimpse into your data’s journey.
A data map provides invaluable insight into:
Moreover, a data map helps you identify risks and where your processes don’t align with both existing internal policies and regulatory requirements.
We say it all the time—data privacy and data security aren’t the same, but they are closely related. What’s more, you need both to meet statutory requirements for all state privacy laws.
When it comes to UCPA, the guidance is that businesses need to take “reasonable” security measures to protect customer data. “Reasonable” isn’t a clearly defined metric, but businesses can protect both consumer information and their own business interests by following best practices like:
Do your current privacy workflows align with the requirements for UCPA? (Or other privacy laws, for that matter?) When new regulations come into force, they almost always require businesses to recalibrate at least some of their operational practices.
Thankfully, you don’t have to start from scratch if you already meet the requirements for other privacy regulations. US state privacy laws aren’t carbon copies of one another, but they’re more alike than not.
And if you are starting from scratch, you still have over six years of privacy best practices to turn to—and we’re well-versed in all of them. In fact, working with a privacy consultant is the best way to implement optimized processes that are tailored to your business needs.
Your privacy policy and privacy notice are vital documents, but they aren’t the sum total of your privacy program. Your privacy processes need to reflect what your policy and notice lay out. (In short, don’t just talk the talk—walk the walk!)
Make sure you’re doing what you say you’re going to do when it comes to:
While you’re examining your privacy documents, make sure that they themselves meet privacy best practices. In particular, your privacy notice (the external privacy information that you share with consumers) should be accessible to people with disabilities and as clear and easy to understand as possible.
Your employees are essential resources for a smoothly functioning, consumer-friendly privacy program. Make sure they have what they need to successfully implement policies and practices.
A key element to this is a robust privacy training program. Don’t just squeeze an annual privacy training session into your calendar and then leave your team to figure it out the other 364 days of the year. Instead, add privacy tips to monthly staff meetings, create knowledge bases for privacy processes, and identify staff who can act as privacy champions to support and encourage others.
Utah’s privacy legislation represents a new opportunity for businesses looking to set themselves apart from their competitors. When your business keeps pace with privacy laws, you ensure you’re prepared to safeguard your customers’ personal information, your business’s reputation, and consumer trust.
But to achieve those advantages, you need to take a proactive position. At Red Clover Advisors, we can help you do it.
UPCA borrows from the consumer rights and opt-outs that are well-established in other privacy laws. Under the UCPA, consumers have the right to:
However, the UCPA contains notable exceptions to other regulations:
The UPCA defines personal data as “information that is linked or reasonably linkable to an identified individual or identifiable individual.” However, data that is either de-identified or publicly available is exempt from protection. So is information collected from individuals who provide it in “commercial or employment contexts.”
The UCPA allows for special protections for specific categories of sensitive personal information. This includes data such as:
The UCPA defines “sale” of data as “the exchange of personal data for monetary consideration by a controller to a third party.” This focus on monetary compensation puts it in closer alignment with the VCDPA, and contrasts it with the CCPA and CPA, which considered data “sold” if money is exchanged OR if there are “other valuable considerations” as part of the transfer.
Businesses that must comply with UCPA must provide consumers the opportunity to opt out of processing when it involves the sale of personal data or data used for targeted advertising, which is a less substantial requirement than other U.S. data privacy laws. (Although businesses must still provide clear notices!)
The UCPA gives the state attorney general’s office administrative authority, just like its other US counterparts. But in contrast to other legislation, Utah has adopted a distinct tier-based strategy for enforcement.
Under the UCPA, possible infractions are initially reported to and investigated by Utah’s Division of Consumer Protection. The DCP will report the case to the AG’s office if it finds there is good reason to think a violation has taken place.
The controller or processor will have 30 days to cure any violations after the attorney general notifies them. Offenders may be penalized up to $7,500 per violation if they do not remedy the issue.
We can help you understand and satisfy the CPA’s regulatory requirements, but more importantly, we can help you create a data privacy program that goes beyond compliance and makes consumer privacy awareness part of your company culture.
