Utah Consumer Privacy Act to take effect December 31, 2023
Just over a year ago, Utah joined the ranks of California, Virginia, and Colorado by becoming the fourth U.S. state to enact comprehensive data protection legislation with the signing of the Utah Consumer Privacy Act, or UCPA, into law. Now, applicable businesses must comply with its provisions before the start of the New Year, as it takes effect Dec. 31, 2023. This article serves as a brief overview of the UCPA's requirements, shedding light on how businesses can navigate and comply with this significant privacy legislation.
Applicability of the UCPA
The UCPA applies to for-profit entities, known as "controllers" or "processors," that meet specific criteria outlined in the UCPA. The familiar controller and processor framework is adopted from the EU's General Data Protection Regulation, GDPR. Controllers determine the purpose and means of data processing, while processors handle data on their behalf. Both parties must establish a written contract outlining processing details, and processors must follow the instructions of controllers.
To fall under the jurisdiction of the UCPA, these business entities must meet certain threshold requirements including:
1. Conducting business in Utah or targeting Utah residents;
2. Generating an annual revenue of $25 million or more; and either
3. Controlling or processing personal data of 100,000 or more Utah consumers or deriving more than 50% of gross revenue from the sale of personal data and processing the data of 25,000 or more Utah consumers.
Key provisions for controllers and processors
A controller is defined as a person that "determines the purposes for which and means by which personal data are processed regardless of whether the person makes the determination alone or with others.” Controllers must provide a privacy notice disclosing their data practices, and they are obligated to implement security mechanisms. Notably, the UCPA requires notice and an opportunity to opt out only before processing sensitive data, rather than obtaining opt-in consent.
Under the UCPA, controllers, must adhere to the following specific obligations:
1. Provide a clear and accessible privacy notice to consumers.
2. Disclose any sale of consumer data or engagement in targeted advertising.
3. Implement and maintain reasonable data security practices.
4. Offer consumers the right to opt out of the processing of sensitive data, excluding certain racial or ethnic information processed by video communication services.
Processors, entities processing personal data on behalf of controllers, are required to follow the instructions of controllers, assist in compliance with the UCPA, and ensure data security through contractual agreements with controllers.
Consumer rights and protections
The UCPA grants Utah residents specific rights regarding their personal data, allowing them to:
1. Confirm if a controller processes their personal data.
2. Access and delete personal data provided to the controller.
3. Obtain a portable copy of their data if technically feasible.
4. Opt-out of the processing of personal data for targeted advertising or sale.
Unlike various other consumer state privacy legislation, the UCPA does not afford consumers the right to rectify inaccuracies in their data. Controllers must respond to consumer requests within 45 days, with a possible 45-day extension if necessary. Further, businesses may charge fees for a second consumer request in a 12-month period, and for requests that are excessive, repetitive, technically infeasible or manifestly unfounded.
While the UCPA shares similarities with existing state laws, it includes notable exemptions for certain data and entities. Publicly available data, de-identified data, and information covered by specific federal acts, such as the Health Insurance Portability and Accountability Act or HIPAA, the Driver's Privacy Protection Act, and the Family Education Rights and Privacy Act, are exempt. Non-profit entities, higher education institutions, tribes, and government bodies also enjoy entity-based exemptions.
Enforcement of the UCPA falls under the jurisdiction of the Utah Division of Consumer Protection and the Utah attorney general. Under the UCPA, the Utah Division of Consumer Protection is empowered to investigate consumer complaints, subsequently referring such cases to the attorney general. The attorney general, holding exclusive enforcement authority, must issue written notice of an alleged violation, affording entities a 30-day window to rectify the violation. Failure to address these issues within the stipulated timeframe may prompt the attorney general to initiate legal action, enabling recovery of actual damages to consumers and imposing civil penalties of $7,500 per violation. The law preempts state and local privacy laws, and there is no private right of action.
Businesses subject to the UCPA will find that their compliance efforts for other state privacy laws provide a foundation for UCPA implementation. With the effective date approaching on December 31, 2023, companies operating in Utah should proactively assess their data practices, update privacy policies, and establish mechanisms for responding to consumer rights requests to ensure compliance with this new and evolving landscape of consumer privacy legislation.
With cybersecurity threats at an all-time high, businesses should always remain watchful for security updates to harden their environment against malicious actors. If you have any concerns about vulnerability to attacks or other breaches, questions about your company’s compliance with cyber regulations, or if you want to learn more about proactive cybersecurity defense, contact a member of McDonald Hopkins’ national data privacy and cybersecurity team.