What is UCPA?
The Utah Consumer Privacy Act is the fourth state-level data privacy law in the US. It addresses the rights of consumers and the obligations of data controllers and processors with regard to the personal information they collect. The law was signed on March 24th of this year, and it is set to go into effect on December 31st, 2023.
What is Personal Information and what are other key definitions?
The UCPA defines personal data much as the other US privacy laws do, namely as “information that is linked or reasonably linkable to an identified individual or an identifiable individual.” One difference is that the definition excludes, among other types of data, aggregated data, which is understood as “information that relates to a group or category of consumers (a) from which individual consumer identities have been removed; and (b) that is not linked or reasonably linkable to any consumer.”
The UCPA defines a consumer as “an individual who is a resident of the state acting in an individual or household context,” meaning that, as in the other privacy laws, it does not include individuals “acting in an employment or commercial context.”
One difference between the UCPA and the CPA or CCPA is the definition of a sale. Under Utah’s privacy law, sale means “the exchange of personal data for monetary consideration by a controller to a third party,” so an exchange of personal data qualifies as a sale only if the consideration is monetary. Similar to the other laws, a child is defined as “an individual under the age of 13 years old.”
Last but not least, the UCPA draws a distinction between personal data and sensitive personal data, which it defines as “personal data that reveals: an individual's racial or ethnic origin, religious beliefs, sexual orientation, citizenship or immigration status, information regarding an individual's medical history, mental or physical health condition, or medical treatment or diagnosis by a healthcare professional; the processing of genetic personal data or biometric data, if the processing is for the purpose of identifying a specific individual; or specific geolocation data.”
Who has to comply with the UCPA?
The UCPA “applies to any controller or processor who:
- conducts business in the state or produces a product or service that is targeted to consumers who are residents of the state;
- has annual revenue of $25,000,000 or more; and
- satisfies one or more of the following thresholds:
  - during a calendar year, controls or processes personal data of 100,000 or more consumers; or
  - derives over 50% of the entity’s gross revenue from the sale of personal data and controls or processes personal data of 25,000 or more consumers.”
Because all of these thresholds must be met together, the UCPA is narrower in scope than the other three laws: smaller entities are not subject to it unless they reach the revenue threshold, and larger entities are exempt if they meet only the revenue criterion and neither of the data-volume thresholds.
Who is excluded from UCPA compliance?
Similar to the other laws, the UCPA includes exemptions for both entity types and data types, such as:
- “a governmental entity or a third party under contract with a governmental entity when the third party is acting on behalf of the governmental entity;
- a tribe;
- an institution of higher education;
- a nonprofit corporation;
- a covered entity;
- a business associate;”
- financial institutions governed by the Gramm-Leach-Bliley Act of 1994;
- air carriers;
- information subject to HIPAA, the Fair Credit Reporting Act, the Driver’s Privacy Protection Act, the Family Educational Rights and Privacy Act, and the Farm Credit Act;
- data processed or maintained in the process of employment, such as job applicant data.
How can I keep my organization UCPA compliant?
The UCPA, similar to the CPA, for example, establishes a series of duties that companies must adhere to in order to be compliant:
- Purpose specification and data minimization
- Consent for secondary use
- Non-retaliation
- Non-waiver of consumer rights
What this means for your business is that you have to take a series of steps that fall in line with these seven duties, namely:
- Provide your website visitors with a “reasonably accessible and clear privacy notice that includes:
  - the categories of personal data processed by the controller;
  - the purposes for which the categories of personal data are processed;
  - how consumers may exercise a right;
  - the categories of personal data that the controller shares with third parties, if any; and
  - the categories of third parties, if any, with whom the controller shares personal data.”
- Inform them of how they can opt out of the sale of their personal data or of the “processing for targeted advertising.”
- Establish, implement and maintain “reasonable administrative, technical, and physical data security practices” designed to protect the personal data you collect and to reduce any foreseeable risk of harm to your website visitors. These measures have to be “appropriate for the volume and nature of the personal data at issue.”
- Do not process sensitive data without consent and in the case of a child’s data, follow all the regulations set under COPPA.
- You may not discriminate against a website visitor by denying them access to goods or services, by charging them different rates for goods and services, or by offering them a “different level of quality of a good or service.” However, you are allowed to offer “a different price, rate, level, quality, or selection of a good or service to a consumer” if they either opted out of targeted advertising or if your offer relates to their voluntary participation in a bona fide loyalty program.
- Before processing personal data on behalf of a controller, you are required to have a data processing contract in place, just like under the other privacy laws in the US. The UCPA makes no mention of a data protection assessment requirement, however.
What data access rights does UCPA grant?
Unlike the other privacy regulations in the US, the UCPA only grants four data subject access rights, themselves somewhat limited:
- Right to access: gives consumers the right to confirm whether you are processing their personal data and to access that personal data.
- Right to delete: gives consumers “the right to delete the consumer’s personal data that the consumer provided to the controller,” meaning that your website visitors can only request deletion of the personal data that they themselves provided to you.
- Right to data portability: gives your website visitors “the right to obtain a copy of the consumer’s personal data, that the consumer previously provided to the controller, in a format that:
  - to the extent technically feasible, is portable;
  - to the extent practicable, is readily usable; and
  - allows the consumer to transmit the data to another controller without impediment, where the processing is carried out by automated means.”
- Right to opt out of certain processing: means that your website visitors have “the right to opt out of the processing of the consumer’s personal data for the purposes of targeted advertising; or the sale of personal data.”
Unlike the CDPA or CPA, the UCPA does not include opting out of profiling in the right to opt out, and the opt-out does not have to be universal, as it does under the CPA.
Also, there is no right to correction granted to consumers by the UCPA, and no right to appeal for consumers whose data subject access requests were denied.
How do I address data subject access requests under UCPA?
Here is what the UCPA says about addressing data subject access requests:
- You have 45 days to reply to a data subject access request and to inform the person that submitted the request of any action taken.
- You are allowed to extend the period by another 45 days “if reasonably necessary due to the complexity of the request or the volume of the requests received.” If you extend the period, you must inform the person who submitted the request of the extension, of its length, and of the reason for it before the initial 45 days expire.
- These deadlines do not apply if you are unable to authenticate the request and reasonably suspect that the request is fraudulent.
- Upon receiving a request, if you are unable to authenticate it using “commercially reasonable efforts,” you are not required to comply with the request but before that you may request additional information that is “reasonably necessary to authenticate the request.”
- If you choose not to take action on a request, you have to inform the person who submitted the request of this, and of the reasons for not taking action, within 45 days of receiving the request. There is no requirement to set up an appeal method, nor any mention of consumers being given the right to appeal your refusal to take action with the Attorney General.
- You are not allowed to charge a fee for information provided in response to a request unless this is the second or subsequent request from the same individual within a 12-month period. You may also charge a reasonable fee if the request is excessive, repetitive, technically infeasible or “manifestly unfounded,” if you have reason to believe the purpose of the request is something other than exercising a right, or if the request “harasses, disrupts, or imposes undue burden” on the resources of your business. In all of these cases, it is your responsibility to demonstrate that the request falls into one of the categories just mentioned.
Enforcement and penalties
The UCPA grants enforcement authority to the Attorney General, as the other privacy laws do; however, it takes a new approach by deciding that the Division of Consumer Protection will initially “accept and investigate consumer complaints regarding the processing of personal data.”
The director of the division will investigate a complaint in order to determine whether there is an actual violation of the UCPA. If the director has “reasonable cause to believe that substantial evidence exists that a person identified in a consumer complaint is in violation of this chapter, the director shall refer the matter to the attorney general,” after which the division will provide “consultation and assistance to the attorney general in enforcing this chapter.”
Before taking any action against your business, the Attorney General will provide you with a written notice outlining the UCPA provision being violated. If you cure the violation within 30 days after receiving this written notice, and provide the Attorney General with a written statement that the violation has been cured and that no further violation will occur, then no action will be taken against you.
However, if you fail to cure a violation, or continue to violate a provision for which you previously issued such a statement, the Attorney General may recover the actual damages suffered by the consumer plus an amount of up to $7,500 per violation.
As with the other US privacy laws, the UCPA grants no private right of action.
Data Subject Rights - GDPR vs. UCPA
Rights granted under the GDPR:
- Right to access data
- Right to correct inaccurate data
- Right to the portability of data
- Right to delete personal information
- Right to information about how entities are sharing your data
- Right to restrict processing
- Right to object to processing
- Right to object to automated processing
Rights granted under the UCPA:
- Right to access
- Right to delete
- Right to data portability
- Right to opt out of certain processing
How can Clym help?
- All-in-one platform: One interface combining Privacy and Accessibility compliance with global regulations, at an affordable price;
- Seamless integration into your website;
- Adaptability to your users’ location and applicable regulation;
- Custom branding;
- Ready Compliance: Covering 30+ data privacy regulations;
- Six preconfigured accessibility profiles, as well as 25+ display adjustments that allow visitors to customize their individual experience.