Utah Governor Spencer J. Cox signed the Utah Consumer Privacy Act (UCPA) into law in March 2022. This makes it only the fourth US state after Colorado, Virginia and California to have its own data protection law.
In comparison, it is considered much more similar to the Virginia VCDPA than the California CCPA in that it is more business-friendly. This is mainly due to the fact that there are no requirements for data protection assessments, cybersecurity audits or risk assessments.
However, this does not mean that privacy or consumer rights are compromised. Strict obligations are imposed on all data processors and controllers to ensure that users’ rights are respected at all times.
Compliance with the UCPA should not prove too difficult for organizations willing to put appropriate data protection mechanisms in place to keep consumer data safe without compromising the browsing experience.
Consumer Rights under UCPA
Like the GDPR and all other major US privacy laws, the UCPA grants consumers certain rights, known as consumer rights, regarding their data and how they interact with websites.
These UCPA-mandated rights include the following:
- Right to access their data – All consumers have the right of access to any data collected about them by a data processor or controller;
- Right to erasure of their data – All consumers have the right to erase any data that may have been collected about them by a data processor or controller;
- Right to copy their data – All consumers have the right to receive a copy of any data collected about them by a data processor or controller in a workable, portable, practical and usable manner;
- Right to object to data processing – All consumers have the right to opt out of future data processing activities carried out by a data processor or controller for targeted advertising.
All data processors and controllers must respond to a consumer who exercises any of these rights within 45 days, with an additional 45 days allowed if a consumer request will take longer than usual to process.
A data processor or controller shall not charge a consumer for seeking information about their data. However, they may charge a fee if a second or repeat application is made.
Who Must Comply with the Utah Consumer Privacy Act?
The UCPA names both data controllers and the data processors that handle data collection on their behalf as subjects of the law.
The UCPA applies to data processors and controllers with annual gross revenues greater than $25 million that either:
- process the data of at least 100,000 consumers annually; or
- make 25% of their annual gross sales from selling/sharing consumer data.
However, there are various exceptions for organizations. Any organization that falls under the following categories is exempt from UCPA compliance:
- financial institutions subject to the GLBA;
- companies and business partners covered by HIPAA;
- governmental organizations;
- data regulated by the Fair Credit Reporting Act (FCRA);
- data regulated by the Driver Data Protection Act (DPPA);
- data regulated by the Farm Credit Act (FCA);
- data governed by the Family Educational Rights and Privacy Act (FERPA).
Obligations under the Utah Consumer Privacy Act
Like most other privacy laws, the UCPA spells out all the responsibilities and duties of data processors and controllers. Meeting these obligations is necessary to achieve UCPA compliance and to ensure that an organization has its data processing activities in order.
Some of the key obligations for organizations under the UCPA are:
- Effective security measures in place
The data processors or controllers must indicate that they have taken appropriate administrative, technical and physical data security measures to protect consumer data. These measures should ensure the integrity of all data collected.
In addition, an organization’s security measures should be proportionate to the size and scope of the activities undertaken by the data processor or controller.
- Purpose specification
Data processors and controllers cannot collect just any data. There must be a clear justification for collecting specific data. This justification needs to be explained to consumers through a detailed privacy statement, which should include:
- Categories of data collected.
- The purpose of their collection.
- How consumers can exercise their rights.
- Whether consumer data may be shared with third parties.
- Categories of third parties with whom consumer data may be shared.
- Non-discriminatory provision of services
This is one thing that separates the modern browsing experience from what existed before privacy laws. No website can refuse online service to consumers who choose to exercise any of their rights or opt out of having their information collected.
However, websites may offer special discounts or prices to elicit this voluntary consent from consumers.
- Sensitive Personal Data Notifications
Similar to other privacy laws in the United States, sensitive personal information must be treated differently to ensure it is only collected when necessary and with the consumer’s explicit consent.
Because the UCPA employs an opt-out consent model, the data processor or controller must duly inform the user of the collection of such data and provide the user with an opportunity to opt out of having that data collected or shared.
Who enforces the Utah Consumer Privacy Act?
This is perhaps the most important and peculiar aspect of UCPA. Unlike other data protection laws in the United States or elsewhere around the world, the UCPA’s enforcement duties are “split”.
They are divided in the sense that the Utah Attorney General’s office enforces the law when it comes to investigating and punishing potential violations of the law by organizations. However, the Utah Department of Commerce’s Consumer Protection Division (the Division) is responsible for receiving and responding to customer complaints related to violations of their UCPA-mandated rights.
When a customer files a complaint, the Division investigates whether there is “reasonable cause to believe that there is material evidence” that an organization has violated the UCPA. It will then escalate the matter to the Utah Attorney General’s Office.
The Attorney General’s Office can then notify the data processor or controller of the breach and give them a period of 30 days to rectify the matter to the complainant’s satisfaction. However, the Attorney General’s Office can impose a fine of up to $7,500 on an organization violating the law during those 30 days.
Both the Department and the Attorney General’s Office are required to submit a detailed enforcement report to the Business and Labor Interim Committee by 1 July 2025, indicating how they intend to share future enforcement responsibilities and detailing their collaborative efforts to date.