What Does Utah Consumer Privacy Act Mean for US Businesses?
By Anas Baig, Data Science Central on September 17, 2022
Utah Governor Spencer J. Cox signed the Utah Consumer Privacy Act (UCPA) into law in March 2022. Utah has since become only the fourth US state to have its own data protection law, after Colorado, Virginia, and California.
Comparatively, it is considered a lot more similar to Virginia’s VCDPA than to California’s CCPA, owing to it being more business-friendly. This is primarily down to the fact that there are no requirements for data protection assessments, cybersecurity audits, or risk assessments.
However, that does not mean it compromises consumers’ data privacy or their rights. Strict obligations are placed on all data processors and controllers to ensure users’ rights are respected at all times.
Compliance with the UCPA should not prove too difficult for organizations willing to ensure appropriate data protection mechanisms to guarantee consumers’ data is safe without compromising their browsing experience.
Consumer Rights Under UCPA
Like the GDPR and every other major US data protection law, the UCPA affords consumers certain rights over their data and how they interact with websites, known as consumer rights.
These rights, as prescribed by the UCPA, include the following:
All data processors and controllers must respond to a consumer exercising any of these rights within 45 days, with an additional 45 days allowed if the completion of a consumer’s request may take more time than usual.
A data processor or controller cannot charge a consumer a fee for seeking information about any of their data. However, they may charge a fee if second or repeated requests are made.
Who Needs To Comply With Utah Consumer Privacy Act?
The UCPA mentions both data controllers and data processors handling data collection on behalf of controllers as subject to the UCPA.
The UCPA applies to data processors and controllers that have annual gross revenue in excess of $25 million and either:
However, there are various exemptions for organizations. Any organization that falls under the following categories is exempt from having to adhere to the UCPA:
Obligations Under Utah Consumer Privacy Act!
Like most other data protection laws, the UCPA also thoroughly lays down all data processors and controllers’ responsibilities and obligations. The duty to ensure these obligations are met is necessary to achieve UCPA compliance and ensure that an organization has its data processing activities in order.
Some of the most important obligations for organizations under the UCPA include the following:
The data processors or controllers must indicate that they have undertaken reasonable administrative, technical and physical data security measures to protect consumers’ data. These measures should ensure the sanctity of any data collected.
Moreover, an organization’s security measures should be appropriate, considering the size, scope, and scale of activities being carried out by the data processor and controller.
Data processors and controllers cannot go about collecting any data they wish. There has to be an unambiguous rationale behind the collection of specific data. This rationale must be explained to the consumers via a detailed privacy policy that should contain the following:
This is one thing that differentiates the modern browsing experience from the one that existed before data protection laws. No website can deny consumers a service online if they choose to exercise one of their rights or refuse to have their data collected.
However, websites can offer special discounts or prices to elicit this consent from consumers out of their own free will.
Similar to other data protection laws in the United States, sensitive personal information has to be handled differently to ensure it is only collected when necessary and with the consumer’s explicit consent.
Since the UCPA employs an opt-out consent model, the data processor or controller must duly inform the user about collecting such data and allow them to opt out of sharing this data with them.
Who Enforces the Utah Consumer Privacy Act?
This may very well be the most important and peculiar aspect of the UCPA. Unlike the other data privacy laws in the US or anywhere else globally, the UCPA’s enforcement responsibilities are “shared”.
They are shared in the sense that the Utah Attorney General’s Office enforces the law when it comes to investigating and fining potential violations of the law by organizations. However, the Utah Department of Commerce Division of Consumer Protection (the Division) is responsible for actually receiving and responding to customer complaints related to their UCPA-mandated rights being violated.
When a customer launches a complaint, the Division investigates to find out whether there is a “reasonable cause to believe that substantial evidence exists” supporting the fact that an organization has violated the UCPA. It will then refer the matter to the Utah Attorney General’s office.
The Attorney General’s office can then notify the data processor or controller of the violation and provide them with a 30-day period to rectify the matter to the complainant’s satisfaction. However, the Attorney General’s office can still fine an organization found in violation of the statute up to $7,500 during these 30 days.
Both the Division and the Attorney General’s office are required to submit a detailed enforcement report to the Business and Labor Interim Committee by July 1, 2025, indicating how they wish to share future enforcement responsibilities and details on their past collaborative efforts.