Data privacy has been a hot topic for businesses and regulators over the past six months, with several states passing legislation improving protections for consumers’ personal data. Utah has followed suit: the state legislature passed the Utah Consumer Privacy Act (UCPA) on March 3, 2022, and the bill will now move along to the governor for final approval.
The UCPA draws influence from other state privacy acts, such as the California Privacy Rights Act and the Colorado Privacy Act. One important difference to note is that the definition of a “sale” of personal data does not include disclosures to a third party if the purpose is consistent with a consumer’s “reasonable expectations.”
(Read the full text of the bill.)
Update: On March 24, 2022, Utah’s governor signed the Utah Consumer Privacy Act into law, making the state the fourth to enact comprehensive consumer privacy legislation. The International Association of Privacy Professionals describes the law as taking a “lighter, more business-friendly approach to consumer privacy than all three of its predecessors” in California, Virginia, and Colorado due to its narrower scope and more lenient requirements.
For an organization to fall under the scope of the UCPA, it must:
The law does not apply to government, higher education, and nonprofit entities, among other exceptions.
The Utah Consumer Privacy Act will provide consumers with rights similar to those of other privacy laws, including the rights to:
However, there are also some notable divergences from existing state privacy laws. The UCPA does not provide consumers with the right to correct their data and does not allow them to opt out of automated profiling.
The UCPA’s similarity with other state privacy laws will allow compliance teams to be better prepared to face changing regulations. Many requirements should fall under existing organizational practices surrounding security, consent, transparency, etc.
The UCPA will go into effect on December 31, 2023. The state’s Department of Commerce, Division of Consumer Protection, will investigate consumer complaints regarding the processing of personal data, and the law will be enforced by Utah’s Office of the Attorney General.
Violations of the UCPA will have a 30-day rectification period, after which organizations that fail to take corrective action could face penalties of up to $7,500 per violation.
Businesses must utilize all available tools to prepare for these and forthcoming standards as state (and potentially federal) privacy regulations expand. Adopting GRC technology to help your organization track regulatory change and automate management processes supports a strong compliance posture.