The UCPA and What it Means for Compliance Teams

Data privacy has been a hot topic for businesses and regulators over the past six months, with several states passing legislation improving protections for consumers’ personal data. Utah has followed suit, with the state legislature passing the Utah Consumer Privacy Act (UCPA) on March 3, 2022, which will now move along to the governor for final approval.

The UCPA draws influence from other state privacy acts, such as the California Privacy Rights Act and the Colorado Privacy Act. One important difference to note is that the definition of a “sale” of personal data does not include disclosures to a third party if the purpose is consistent with a consumer’s “reasonable expectations.”

(Read the full text of the bill.)

Update: On March 24, 2022, Utah’s governor signed the Utah Consumer Privacy Act into law, making the state the fourth to enact comprehensive consumer privacy legislation. The International Association of Privacy Professionals describes the law as taking a “lighter, more business-friendly approach to consumer privacy than all three of its predecessors” in California, Virginia, and Colorado due to its narrower scope and more lenient requirements.

UCPA Applicability

For an organization to fall under the scope of the UCPA, it must:

• Conduct business in Utah or produce a product or service targeted to Utah residents,
• Have annual revenue of at least $25 million, and
• Either 1) Control or process the personal data of 100,000 or more consumers in a calendar year, or 2) Derive more than 50% of gross revenue from the sale of personal data and control/process the personal data of at least 25,000 consumers.

The law does not apply to government, higher education, and nonprofit entities, among other exceptions.

Consumer Rights

The Utah Consumer Privacy Act will provide consumers with rights similar to those of other privacy laws, including the rights to:

• Access: confirm whether an organization is processing their personal data and access that data
• Portability: obtain a copy of the data they’ve provided to the organization in a format that is portable, usable, and transmittable
• Deletion: delete the data they’ve provided to the organization
• Opt-Out: decline data processing for the purposes of targeted advertising and the sale of personal information

However, there are also some notable divergences from existing state privacy laws. The UCPA does not provide consumers with the right to correct their data and does not allow them to opt out of automated profiling.

What Does This Mean for Compliance Teams?

The UCPA’s similarity with other state privacy laws will allow compliance teams to be better prepared to face changing regulations. Many requirements should fall under existing organizational practices surrounding security, consent, transparency, etc.

The UCPA will go into effect on December 31, 2023. The state’s Department of Commerce, Division of Consumer Protection, will investigate consumer complaints regarding the processing of personal data, and the law will be enforced by Utah’s Office of the Attorney General.

Violations of the UCPA will have a 30-day rectification period, after which organizations that fail to take corrective action could face penalties of up to $7,500 per violation.

Businesses must utilize all available tools to prepare for these and forthcoming standards as state (and potentially federal) privacy regulations expand. Adopting GRC technology to help your organization track regulatory change and automate management processes supports a strong compliance posture.