Utah Consumer Privacy Act (UCPA) Now in Effect
The Utah Consumer Privacy Act, or UCPA, is the fourth US consumer privacy law to be signed in the United States. It addresses the rights of consumers and the obligations of data controllers and processors with regard to the personal information collected.
The law was signed on March 24, 2022, and went into effect on December 31st, 2023. With the effective date for enforcement now passed, affected businesses need to make sure they are ready to show compliance.
Some of the key aspects to know about this law are as follows:
- The law applies to any controller or processor who conducts business in the state or produces a product or service that is targeted to consumers who are residents of the state; has annual revenue of $25,000,000 or more; and satisfies one or more of the following thresholds: during a calendar year, controls or processes personal data of 100,000 or more consumers; or derives over 50% of the entity’s gross revenue from the sale of personal data and controls or processes personal data of 25,000 or more consumers.
- It defines ‘personal information’ as “information that is linked or reasonably linkable to an identified individual or an identifiable individual,” but excludes “information that relates to a group or category of consumers from which individual consumer identities have been removed; and that is not linked or reasonably linkable to any consumer.”
- Data subject rights consist of the right to access, to delete, to data portability, and the right to opt out of the processing of personal data for the purposes of targeted advertising or the sale of personal data.
- Controller duties rely on the principles of Transparency, Purpose specification and data minimization, Consent for secondary use, Security, Nondiscrimination, Non-Retaliation, and Non-Waiver of consumer rights. In short, this means implementing relevant security measures for the protection of personal information, ensuring lawfulness of processing, obtaining consumer consent for processing of sensitive personal information, and providing a privacy notice.
- Consumer requests have to receive a response within 45 days of the request, with an additional 45 days when reasonably necessary.
- The Attorney General has enforcement authority; however, consumer complaints will first go through the Division of Consumer Protection, which will initially “accept and investigate consumer complaints regarding the processing of personal data.” There is a cure period of 30 days, after which penalties can go up to $7,500 per violation.