What is the Utah Consumer Privacy Act?
The Utah Consumer Privacy Act, or UCPA, is a state-level data privacy law enacted in Utah, USA, aimed at providing residents with greater control over their personal data. The UCPA shares similarities with other state privacy laws like the California Consumer Privacy Act (CCPA) but has its own unique provisions.
Who is it relevant to?
The UCPA applies to companies that do business in Utah or produce commercial products or services that are targeted to residents of Utah. The law applies to these companies only if one (or more) of the following applies:
- The company has an annual revenue of at least $25 million.
- The company controls or processes the personal data of at least 100,000 consumers.
- The company derives over 50% of its gross revenue from the sale of personal data, and controls or processes personal data of at least 25,000 consumers.
Who Needs to Comply?
The UCPA, like many other privacy laws and regulations, differentiates between controllers and processors, and mandates compliance from both. A data controller is an entity that determines the purposes and means of processing personal data; essentially, it decides why and how personal data is processed. For example, an e-commerce company that collects customer information (such as names, addresses, and payment details) to process orders and manage customer accounts is a controller, because it decides what data to collect, how it will be used (e.g., to fulfill orders or for marketing purposes), and how long it will be kept.
The data processor is an entity that processes personal data on behalf of a data controller. The processor does not decide the purpose or means of processing but follows the instructions given by the controller. In the example we gave above of an e-commerce company, a related processor might be a cloud storage service that the e-commerce company uses to store customer data. The cloud storage service is a processor because it stores and manages data based on the e-commerce company’s instructions without deciding how or why the data is used.
The responsibilities of controllers and processors differ.
Controller Responsibilities:
- Determine Purpose: Decide why personal data is needed and how it will be used.
- Data Collection: Collect personal data from individuals.
- Compliance: Ensure that the data processing complies with privacy laws and regulations.
- Rights of Individuals: Handle requests from individuals regarding their data rights, such as access, correction, or deletion of their data.
Processor Responsibilities:
- Follow Instructions: Process data according to the controller’s instructions.
- Data Security: Implement appropriate security measures to protect personal data.
- Sub-processors: Seek authorization from the controller before hiring other processors (sub-processors).
- Data Handling: Assist the controller in fulfilling data protection obligations, such as data breach notifications or handling data subject requests.
What rights do consumers have under the UCPA?
- Access: Consumers have the right to know what personal data is being collected about them.
- Deletion: Consumers can request the deletion of their personal data.
- Portability: Consumers can obtain a copy of their data in a portable and, to the extent technically feasible, readily usable format.
- Opt-Out: Consumers have the right to opt out of the sale of their personal data or targeted advertising.
What are the requirements for the Utah Consumer Privacy Act?
- Transparency: Businesses must provide clear and accessible privacy notices detailing their data practices.
- Data Security: Businesses are required to implement reasonable security measures to protect personal data.
- Non-Discrimination: Businesses cannot discriminate against consumers who exercise their privacy rights under the UCPA.
Actionable Steps to Comply
- Determine applicability:
Assess the company’s business activities and determine whether it falls within the UCPA’s jurisdiction.
- Data mapping and inventory:
Map out all personal data held by the company, making sure to understand where each item of data comes from and where it is transferred. Categorize the types of personal data being collected.
- Update privacy policies:
Privacy policies inform consumers about data collection practices, their purposes, and consumer rights under the UCPA. Make sure that privacy notices are up to date, easy to access, and written in plain, easy-to-understand language (no legal-speak).
- Implement processes to handle consumer requests:
Consumers need to be able to exercise their rights under the UCPA, such as accessing their data. The company needs a system, such as an online portal or a customer-service process, that can handle these requests. Requests may include receiving a copy of data, deleting or correcting data, and notifying third parties when this happens. Consumers also need to be able to opt out of the sale of their data.
- Implement data security mechanisms:
Reasonable security measures should be implemented to protect personal data. These measures may include multifactor authentication, strong passwords, employee awareness training on data privacy and security, physical security controls, and logging and monitoring of systems, among others.
- Contracts with third parties:
Review and update contracts with third-party service providers to ensure they comply with UCPA requirements. This includes ensuring that they implement appropriate data security measures and follow instructions regarding data processing, and conducting due diligence over the course of the relationship.
- Develop internal policies and procedures:
Develop data handling policies that cover the collection, storage, processing, and sharing of personal data, as well as incident response policies and procedures. The incident response plan should include notification of the Utah Attorney General and affected consumers, as required.
- Monitor and audit compliance:
Conduct regular audits to ensure ongoing compliance with the UCPA. This can involve reviewing data practices, updating procedures, and addressing any compliance gaps. Keep informed about any changes in the UCPA and other relevant privacy laws. Adapt compliance measures as necessary.
Why should you be UCPA compliant?
Compliance with the Utah Consumer Privacy Act (UCPA) is mandatory for businesses that meet certain criteria. Non-compliance can result in significant legal penalties and fines imposed by the Utah Attorney General’s office.
But being UCPA compliant is not just about avoiding penalties—it’s about building trust, enhancing data security, streamlining operations, and positioning your business as a leader in privacy and consumer protection. Prioritizing compliance can lead to long-term benefits, including increased consumer loyalty, better reputation, and new business opportunities.
How is compliance achieved?
To comply with the Utah Consumer Privacy Act (UCPA), organizations can leverage Centraleyes’ comprehensive risk management and compliance platform. Centraleyes offers automated data collection and analysis, prioritized remediation advice and real-time risk scoring.
Read more: https://dcp.utah.gov/ucpa/