Utah: Another State to Pass a Data Privacy Law, the UCPA
In March of 2022, Utah Governor Spencer J. Cox signed into law the Senate Bill (SB) 227, also known as the Utah Consumer Privacy Act (UCPA).
The UCPA is a cross-industry privacy law that gives Utah consumers significant privacy rights over their personal information. Any data connected to an identified or identifiable individual is known as personal data. Additional compliance requirements apply to more precisely defined “sensitive data” categories. The law will come into force on December 31, 2023.
The UCPA is similar but not identical to California, Virginia, Nevada, and Colorado consumer privacy statutes. It’s heavily inspired by the Virginia Consumer Data Protection Act (VCDPA), and some VCDPA-like elements can also be found in the Colorado Privacy Act.
At first glance, certain features of the UCPA appear similar to the California Consumer Privacy Act (CCPA). In practice, however, it’s a softer, more business-friendly approach to consumer privacy than its predecessors.
How Is UCPA Different From Other State Privacy Laws
Here’s a high-level comparison of the UCPA provisions with those of
- The Colorado Privacy Act (CPA)
- The Nevada State Privacy Law (SB200)
- VCDPA
- CCPA (as amended by the California Privacy Rights Act (CPRA))
- The General Data Protection Regulation (GDPR)
| Key Provisions | Utah UCPA | Colorado CPA | Nevada SB220 | Virginia CDPA | California CCPA + CPRA |
Europe GDPR | |||||||||||||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Ability to Process | |||||||||||||||||||||||||||||||||||||||||
| Data Minimisation | Yes | Yes | – | Yes | No | Yes | |||||||||||||||||||||||||||||||||||
| Permissible Purpose | Yes | Yes | – | Yes | No | Yes | |||||||||||||||||||||||||||||||||||
| Individual Rights | |||||||||||||||||||||||||||||||||||||||||
| Right to receive notice of processing activities | Yes | Yes | Yes | Yes | Yes | Yes | |||||||||||||||||||||||||||||||||||
| Right to access personal data | Yes | Yes | – | Yes | Yes | Yes | |||||||||||||||||||||||||||||||||||
| Right to data portability. Data should be available in an easily usable format for transfer from one entity/platform to another. | Yes | Yes | . | Yes | Yes | Yes | |||||||||||||||||||||||||||||||||||
| Right to correct errors in personal data | No | Yes | – | Yes | No | Yes | |||||||||||||||||||||||||||||||||||
| Right to delete personal data | Yes | Yes | – | Yes | Yes | Yes | |||||||||||||||||||||||||||||||||||
| Right to opt-out of behavioral advertising | Yes | No | – | Yes | No | Yes | |||||||||||||||||||||||||||||||||||
| Right to object to automated profiling and decision making | Yes | No | – | Yes | No | Yes | |||||||||||||||||||||||||||||||||||
| Right to non-discrimination for the exercise of these rights | Yes | Yes | – | Yes | Yes | Yes | |||||||||||||||||||||||||||||||||||
| Right to opt-out of sales of personal information | Yes | Yes | Yes | Yes | Yes | No | |||||||||||||||||||||||||||||||||||
| Opt in or opt out for processing of sensitive information | Opt-out | Opt-in | – | Opt-in | Opt-out | Opt-in | |||||||||||||||||||||||||||||||||||
| Right to appeal denial of requests | No | No | – | Yes | No | No | |||||||||||||||||||||||||||||||||||
| Accountability/Governance | |||||||||||||||||||||||||||||||||||||||||
| Data Protection Assessments | No | Yes | – | Yes | No | Yes | |||||||||||||||||||||||||||||||||||
| Security | |||||||||||||||||||||||||||||||||||||||||
| Appropriate Data Security to protect information | No | Yes | – | Yes | Yes | Yes | |||||||||||||||||||||||||||||||||||
| Breach Notification | Yes | Yes | – | Yes | Yes | Yes | |||||||||||||||||||||||||||||||||||
| Data Transfers Outside European Economic Area (EEA) | |||||||||||||||||||||||||||||||||||||||||
| Additional measures for international transfers | Yes | Yes | – | No | No | Yes | |||||||||||||||||||||||||||||||||||
| Transfers to Third Parties | |||||||||||||||||||||||||||||||||||||||||
| Contractual Requirements in Service Provider Agreements | No | Yes | – | Yes | Yes | Yes | |||||||||||||||||||||||||||||||||||
| Marketing | |||||||||||||||||||||||||||||||||||||||||
| Consent for Adtech cookies | No | No | – | Yes | Yes | Yes | |||||||||||||||||||||||||||||||||||
| Consent obtained prior to direct marketing | No | Yes | – | No | No | Yes | |||||||||||||||||||||||||||||||||||
| Enforcement Agencies | |||||||||||||||||||||||||||||||||||||||||
| Utah Department of Commerce | Attorney General | – | Attorney General | Attorney General, CPPA | DPA | ||||||||||||||||||||||||||||||||||||
| Operative date | |||||||||||||||||||||||||||||||||||||||||
| 31 December 2023 | 1 July 2023 | 1 October 2019 | 1 January 2023 | 1 January 2020/ 1 January 2023 | 25 May 2018 | ||||||||||||||||||||||||||||||||||||
Watch this video for more information on the differences between EU and US privacy laws and which privacy standards should be considered when performing A/B testing.
As evident from the table above, companies that comply with the CCPA, CPRA, VCDPA, and CPA will likely have no trouble meeting UCPA’s criteria.
The UCPA uses the GDPR’s “controller” and “processor” nomenclature and doesn’t offer consumers a private right of action for alleged violations. Like all other government regulations, it puts consumers in control of their personal information.
However, it also makes certain vital distinctions.
For example, UCPA doesn’t give consumers the right to have errors in their personal data corrected, nor does it require controllers to conduct data protection impact assessments (DPIAs) of specific processing operations.
UCPA mandates covered businesses to provide consumers with notices and an opportunity to opt out before processing their sensitive data.
This contrasts with the VCDPA and CPA, requiring opt-in permission to collect and process sensitive data. Furthermore, instead of going directly to the Attorney General (AG), consumer complaints are routed through the Utah Department of Commerce, which can submit concerns to the AG.
Key Provisions of the UCPA
Here are some key provisions of the UCPA.
Broad Definition of Personal Data and Sensitive Data
According to the UCPA, personal data is any information that relates to, or can reasonably be linked to, an identified or identifiable individual. It classifies specified types of data as “sensitive data,” which is subject to additional standards and limitations not applicable to other types of personal data.
Less Data Subject Rights
Consumers have four basic rights under the UCPA:
- Right to access: The right to know whether or not a controller is processing the consumer’s personal data and have access to that data.
- Right to deletion: The consumer’s right to have personal data given to the controller deleted.
- Right to portability: The right to obtain a copy of the consumer’s personal data previously provided to the controller in a portable and easily accessible format, allowing consumers to transmit the data to another controller without restrictions.
- Right to opt out: The right to refuse the processing of personal data for “targeted advertising” and “sale”.
Despite all of these important rights, the UCPA, unlike other state laws, doesn’t offer consumers the ability to have inaccurate personal information corrected.
Accessible and Clear Privacy Notices
UCPA also requires controllers to provide consumers with a notice that should contain at least the following information:
- The types of personal data the controller processes
- The purposes for which the different data categories are handled
- How customers can exercise their rights
- The types of personal data that the controller, if any, shares with third parties
- Third parties with whom the controller exchanges personal data, if applicable
Lighter Data Processing Agreements (DPAs)
The UCPA includes lighter Data processing Agreements and requires a controller to tie up with a processor. This processor manages and processes personal data for the controller.
The terms that the controller and the processor enter into should specify:
- The agreement’s nature and purpose
- Processing duration
- The type of data subject
- Each party’s rights and obligations
Processors should also oblige any subcontractors to maintain confidentiality and commission them only through a documented contract. This contract considers the subcontractor to be a processor if it takes care of the data on a processor’s behalf.
Unlike other privacy laws, the UCPA doesn’t require data processing terms to audit processors or allow controllers to opt-out of subcontracting a processor.
Familiar Security Requirements
The UCPA has a section on security. It specifies that controllers employ appropriate administrative, technical, and physical data security practices to secure personal data and eliminate foreseeable risks of harm to consumers based on the size, scope, volume, and nature of the processing.
Convert’s UCPA Compliance Checklist
Organizations operating in Utah should consider the UCPA in the same manner as other state laws. However, it can be challenging to check every box when it comes to compliance.
To help organizations navigate the intricacies of the UCPA, we have compiled this handy compliance checklist.
Here’s what you need to keep in mind:
- Make sure your business is covered by the UCPA. Organizations must assess whether they meet the UCPA’s jurisdictional threshold, including the financial and data volume threshold.
- Reconsider your privacy policy. Revise your privacy policy to reflect the processing of personal data, communicating additional consumer rights, and identifying means for consumers to exercise those rights.
- Use reasonable data security practices to protect your data. Examine your cybersecurity policies, practices, and controls to ensure they meet industry standards.
- Allow visitors to opt out of having their personal data processed (if applicable). Provide a way for Utah residents to exercise their right to opt out if a company sells or uses their personal information for targeted advertising.
- Implement a sensitive data collection mechanism. Businesses must not collect sensitive data without giving consumers a warning and an opportunity to opt out. To comply with this obligation, companies should implement suitable opt-out systems.
- Receive and respond to consumer inquiries promptly. Develop procedures for accepting, tracking, acknowledging, and fulfilling consumer requests to exercise their UCPA access and erasure rights.
Convert Respects All Privacy Laws (EU + US)
Compliance with Utah’s laws should be handled in the same way as other state laws, with minor language changes for clarity that they apply only to residents of Utah. The UCPA may require different geo-targeting of opt-out messages, which must be explicitly stated.
Convert keeps a close eye on state privacy and cybersecurity legislation. For more information on “how to prepare for the UCPA” and other new U.S. privacy laws, see our GDPR roadmap.
