The Utah Consumer Privacy Act (UCPA) is a significant piece of legislation that will have a major impact on businesses that handle the personal data of Utah residents. Businesses should take steps to review their data handling practices and ensure compliance with the law.
Various states in the United States have enacted privacy laws to protect their residents. Following in the footsteps of states like California, Virginia and Colorado, Utah has also enacted a comprehensive privacy law with the UCPA. The UCPA is a comprehensive piece of legislation aimed at safeguarding the privacy rights of Utah residents by regulating how controllers and processors collect, use, and disclose consumers’ personal data, giving Utah residents control over their personal information. The UCPA will be enforced by the Utah Attorney General’s Office, which also provides guidance on compliance. This piece of legislation is set to come into force on December 31, 2023. Businesses and consumers alike are encouraged to familiarize themselves with the UCPA’s provisions to understand their rights, their responsibilities, and the protections it offers.
The UCPA clearly defines the circumstances under which the legislation would apply, as well as several exceptions.
The UCPA applies to any controller or processor that conducts business in Utah or produces products or services that are intentionally targeted to residents of Utah. These businesses must have annual gross revenues exceeding $25 million and meet one or more of the following criteria: (a) during a calendar year, buy, receive, sell, or share the personal data of 100,000 or more consumers; or (b) derive over 50% of the entity’s gross revenue from the sale of personal data and control or process the personal data of 25,000 or more consumers. The UCPA includes a number of both institutional and data-based exemptions. The institutional exemptions cover entities such as tribes, nonprofits, air carriers, and financial institutions or affiliates of financial institutions governed by the Gramm-Leach-Bliley Act (GLBA), a U.S. law that allows financial institutions to engage in a variety of financial activities, including banking, securities, and insurance, by repealing certain regulations and promoting the consolidation of the financial industry. Institutions of higher education, as well as “covered entities” and “business associates” as defined under the Health Insurance Portability and Accountability Act (HIPAA), are also exempt.
The UCPA also doesn’t apply to governmental entities or to third parties under contract with a governmental entity when acting on its behalf. Certain types of data used by credit and consumer reporting agencies are exempt, along with information of financial institutions or affiliates governed by the GLBA and personal information collected or used for consumer credit scoring and reporting protected under the Fair Credit Reporting Act. The law also exempts personal data collected, processed, sold, or disclosed in compliance with various federal laws.
Additionally, the UCPA does not apply to health information, records, data, and documents protected under HIPAA or other federal or state medical laws, or to information maintained by a healthcare facility or provider. This covers a wide range of health-related data, including patient information, identifiable private information for the protection of human subjects, patient safety work product, de-identified medical data, and medical data for public health use or medical research. Personal data maintained for employment records also does not fall under the scope of the UCPA. Because of its revenue threshold and its several exemptions, the UCPA has a much narrower applicability than other state privacy laws.
The UCPA requires businesses handling personal data of Utah residents to implement robust data protection measures, potentially necessitating significant changes to existing practices.
The UCPA has critical implications for businesses that handle the personal data of Utah residents. It requires them to review and potentially modify their data handling practices to ensure compliance. Businesses are required to be transparent in their data collection and usage practices, implement robust data protection measures, and respect the rights of consumers concerning their personal data. Some businesses may need to make significant changes to their practices in order to become compliant with the UCPA. The UCPA obligates these businesses to implement reasonable administrative, technical, and physical data security practices to protect the confidentiality, integrity, and accessibility of personal data.
This legislation requires a contract between controllers and processors to govern all processing. This contract must outline relevant consumer privacy provisions. Processors are required to adhere to the controller’s instructions and assist and cooperate to ensure compliance with the law, including meeting obligations regarding the security of data processing and data breach notifications.
It also provides Utah residents with several rights concerning their personal data, including the right to access, correct, delete, and port their data, and the right to opt out of the collection and use of personal data for certain purposes, e.g., targeted advertising. Businesses are required to provide a clear and understandable privacy notice to consumers before or at the point of data collection. The notice should include the categories of personal data collected, the purposes for which such data will be used, and how consumers can exercise their rights under the UCPA. While the UCPA does not require businesses to collect users’ consent to process personal information, nor any other form of opt-in, controllers are required to obtain parental consent when the personal data concern children under the age of 13. Businesses may also need to notify consumers of any security breaches that affect their personal data. The Utah Attorney General’s Office is tasked with enforcing the Act, and violators could face significant financial penalties.