Utah Governor Spencer J. Cox signed Utah Consumer Privacy Act (UCPA) to become law in March 2022. Since then it has become only the fourth US state to have its own data protection law after Colorado, Virginia and California.
Comparatively, it is considered more similar to VCDPA in Virginia than California Consumer Privacy Protection Act, as it is more suitable for business. This is primarily due to the fact that there are no requirements for data protection assessments, cybersecurity audits, or risk assessments.
However, this does not mean that it jeopardizes the privacy of consumers’ data or their rights. Strict obligations are placed on all data processors and controllers to ensure that users’ rights are respected at all times.
Compliance with UCPA should not be too difficult for organizations wishing to ensure appropriate data protection mechanisms to ensure the security of consumers’ data without compromising their browsing experience.
Consumer rights under UCPA
Like the General Data Protection Regulation And every other major data protection law in the United States, the California Consumer Privacy Protection Act (UCPA) gives consumers certain rights over their data and how they interact with websites, known as consumer rights.
These rights, as set forth by UCPA, include:
- The right to access their data – all consumers have the right to access all data collected by the data processor or controller;
- The right to delete their data – all consumers have the right to delete all data that may have been collected about them by the data processor or controller;
- The right to copy their data – all consumers have the right to make a copy of all data collected on them by the data processor or controller in a practical, portable, functional and usable way;
- Right to opt out of data processing – All consumers have the right to request to opt out of any future data processing activities of the data processor or controller intended for targeted advertising.
All data processors and controllers must respond to a consumer exercising any of these rights within 45 days, allowing an additional 45 days if a consumer order is taking longer than usual to complete.
Neither the data processor nor the controller can charge the consumer for information about any of their data. However, they may charge a fee if second or repeat applications are submitted.
Who needs to comply with the Utah Consumer Privacy Act?
UCPA lists both data controllers and data processors who handle data collection on behalf of controllers as subject to UCPA.
UCPA applies to data processors and controllers with combined annual revenue greater than $25 million and either:
- Processing data of at least 100,000 consumers annually;
- Generate 25% of their total annual revenue from selling/sharing Consumer data.
However, there are various exceptions for organizations. Any organization that falls under the following categories is exempt from compliance with UCPA:
- Financial institutes subject to the GLBA;
- Institutions of higher education;
- Covered Entities and Business Partners HIPAA;
- government organizations;
- data regulated by the Fair Credit Reporting Act (FCRA);
- Data regulated by the Driver Privacy Protection Act (DPPA);
- data regulated by the Agricultural Credit Act (FCA);
- The data is regulated by the Family Educational Rights and Privacy Act (FERPA).
Obligations under the Utah Consumer Privacy Act!
Like most other data protection laws, UCPA also comprehensively sets out all of the responsibilities and obligations of data processors and controllers. The duty to ensure that these obligations are fulfilled is necessary to achieve compliance with the Consumer Privacy Protection Act and to ensure that the organization has its data processing activities in order.
Some of the most important obligations for organizations under UCPA include:
- Effective security measures in place
Data processors or data controllers shall indicate that they have taken reasonable administrative, technical and material action data security Measures to protect consumer data. These procedures must ensure the sanctity of any data collected.
Moreover, the security measures of the organization must be appropriate, taking into account the size, scope and scale of the activities of the data processor and the observer.
- Purpose specification
- Categories of aggregated data.
- purpose of their group.
- How consumers can exercise their rights.
- Potential consumer data is shared by third parties.
- Categories of third party consumer data may be shared with them.
- Non-discriminatory performance of services
This is the one thing that differentiates the modern browsing experience from that which existed before data protection laws. No website can deny consumers an online service if they choose to exercise one of their rights or refuse to collect their data.
However, websites can offer discounts or special rates to get this approval from consumers of their own free will.
- Notifications regarding sensitive personal information
Similar to other data protection laws in the United States, sensitive personal information must be treated differently to ensure it is collected only when necessary and with the express consent of the consumer.
Since UCPA employs Withdrawal Consent FormThe data processor or controller shall duly inform the user about the collection of such data and allow him to opt-out of sharing this data with them.
Who enforces the Utah Consumer Privacy Act?
This may be the most important and oddest aspect of UCPA. Unlike other data privacy laws in the United States or elsewhere globally, UCPA’s law enforcement responsibilities are “shared.”
It is shared in the sense that the Utah Attorney General’s Office enforces the law when it comes to investigating and imposing fines for potential violations of the law by organizations. However, the Utah Department of Commerce’s Consumer Protection Division (Division) is responsible for receiving and actively responding to customer complaints regarding violations of their UCPA rights.
When a customer files a complaint, the department investigates to see if there is “reasonable reason to believe there is substantial evidence” to support the fact that an organization has violated the Consumer Privacy Protection Act. Then it will refer the matter to the Utah attorney general’s office.
The Attorney General’s Office can then notify the data processor or controller of the violation and give them 30 days to correct the matter to the complainant’s satisfaction. However, the attorney general’s office can still impose a fine of up to $7,500 on an organization that is found to be in violation of the law during these 30 days.
Both the Division and the Office of the Attorney General are required to submit a detailed enforcement report to the Temporary Business and Labor Committee by July 1, 2025, outlining how they would like to share future enforcement responsibilities and details about their past collaborative efforts.