Utah Consumer Privacy Act: What Do Businesses Need To Know

In the United States, most products are regulated by federal agencies that oversee safety standards and enforce fair business laws. The consumer protection concept dates back to the 1800s when Congress established federal regulatory agencies to crack down on abusive monopolies like railroad companies.

Despite its regulatory history, the U.S. remains one of the only leading economies without a federal privacy law that protects a widely used “commodity”: personal data. This legislative void has left Americans at the mercy of digital technologies that have the potential to exploit personal information and have no legal obligation to safeguard it. Polls show that 75% of Americans want privacy regulation. Congressional efforts have continuously log-jammed, forcing individual states to forge their own way toward privacy reform.

Five states now have their own legislation in place due to the continued lack of Congressional action on comprehensive federal privacy law in the United States. This blog will discuss the Utah data privacy law and its implications for businesses.


Utah Consumer Privacy Act

With the enactment of the Utah Consumer Privacy Act (UCPA), signed by Governor Spencer J. Cox on March 24, 2022, Utah has joined California, Colorado, and Virginia as the fourth state to pass a comprehensive consumer data privacy law. The UCPA goes into effect on December 31, 2023, giving businesses operating in the state until that date to achieve compliance.

The Utah privacy bill is more business-friendly than other state data protection acts. Its threshold for compliance is higher than that of the other state privacy acts, so more SMBs are exempt from it. Generally, the Utah act resembles the Virginia Consumer Data Protection Act (VCDPA) more than the California Consumer Privacy Act (CCPA) or the Colorado Privacy Act (CPA).

The passage of the UCPA demonstrates the increased willingness among U.S. states to mandate consumer privacy protections. Utah has joined the forerunners, Virginia, Colorado, and California, in enacting a comprehensive privacy law.

Implication on Businesses

The ease with which goods and services flow across state boundaries requires businesses to be aware of and comply with the requirements of multiple state privacy laws and regulations. The risk that a business could be liable for violating a state privacy law is likely to increase given the addition of privacy bills currently in the making by several state legislatures. 

The enactment of the UCPA demonstrates that U.S. states have not settled on a unified approach to privacy legislation. For instance, though the UCPA is similar to the VCDPA and the CPA, its scope is narrower and many of its protections for consumers and requirements of businesses are less stringent. Unlike the VCDPA and the CPA, the UCPA:

  • applies only to businesses with annual revenue of $25 million or more;
  • applies particular requirements only to personal data that individuals provided to businesses, rather than to all the information those businesses obtain;
  • does not give consumers the right to opt out of profiling; and
  • does not require businesses to assess data processing that carries “a heightened risk of harm,” such as the use of sensitive data and profiling.

Businesses should first assess whether they are subject to the UCPA, based on their revenues and their processing of Utah residents’ personal data. A business that is subject to the UCPA should evaluate, and where appropriate update, its data collection and privacy policies and practices as follows:

  • Develop a comprehensive understanding of the personal data and the sensitive data that the business collects and processes.
  • Review its privacy notices to ensure they contain the content required by the UCPA.
  • Review its policies, procedures, and systems designed to respond to consumer rights under the UCPA.
  • Review and revise, as appropriate, its contracts with third-party service providers to include the provisions required by the UCPA.
  • Develop any necessary opt-out mechanisms applicable to the business’s processing of sensitive data, the use of personal data for targeted advertising, or the sale of personal data.

Who Must Comply with the UCPA?

The UCPA pertains to “controllers” and “processors,” just like the VCDPA, the CPA, and the European General Data Protection Regulation (GDPR).

A controller is defined as “a person doing business in the state who determines the purposes for which and means by which the personal data is processed, regardless of the person’s decision being made alone or with others.”

A processor is defined as “a person who processes personal data on behalf of a controller.”

The UCPA applies to controllers and processors that conduct business in Utah or produce goods or services targeted to Utah residents, have annual revenue of $25,000,000 or more, and either:

  • Control or process the personal data of 100,000 or more consumers annually.
  • Derive over 50 percent of their gross revenue from the sale of personal data and control or process the personal data of 25,000 or more consumers.


What Obligations Do Controllers and Processors Have?

The UCPA contains requirements for both controllers and processors. These requirements are similar to those found in the CPA and VCDPA, with some variations.

Processor Obligations

  • Comply with the controller’s instructions.
  • Employ appropriate technical and organizational measures to assist the controller in meeting its obligations, including obligations related to security under the UCPA.
  • Enter into a contract with a controller that sets the controller’s instructions for the processing of personal data and ensures each subcontractor is under a contract subjecting them to the same obligations as the processor.

Controller Obligations

  • Purpose Specification

A controller must provide a reasonably clear and accessible privacy notice to consumers that includes detailed information about how their data is processed and consumer rights.

  • Sensitive data

The UCPA does not require opt-in consent for processing sensitive data. Instead, controllers must provide consumers with notice and an opportunity to opt out before processing sensitive data. In the case of personal data concerning a child, controllers must process the data in accordance with COPPA (the federal Children’s Online Privacy Protection Act). (The UCPA does not include a separate clause pertaining to the personal information of children.)

  • Security

Controllers must establish and maintain administrative, technical, and physical data security practices. These practices are intended to guard the confidentiality and integrity of personal data while reducing foreseeable risks to consumers relating to the processing of their data.

  • Nondiscrimination

A controller cannot refuse goods or services, change the price, or provide a different level of quality to a consumer who exercises their rights under the UCPA.

  • Provision of Products and Services

A controller is not required to provide a product, service, or functionality to a consumer if the consumer’s personal data is reasonably necessary for the controller to provide that product or service and the consumer did not allow for the use of the personal data.

The UCPA provides an extensive list of exemptions for companies that are already regulated by certain other regulatory or industry standards.

Don’t Wait for December 2023

With over a year ahead of us until the Utah Privacy bill goes into effect, we recommend that companies perform an assessment to discover if they are covered by the UCPA and develop a strategy toward compliance. At Centraleyes, we make it simple to crosswalk controls you’ve implemented for other standards automatically, cutting out redundant processes and taking the headache out of compliance management.

Stay tuned as we add the UCPA to dozens of other standards and frameworks currently on the Centraleyes advanced GRC framework.
