
Utah Consumer Privacy Act (UCPA) Signed into Law

On March 24, 2022, the Utah Consumer Privacy Act (UCPA) was signed into law. This Act is the latest addition to the state privacy laws in the USA, together with the California Consumer Privacy Act (CCPA), California Privacy Rights Act (CPRA), Virginia Consumer Data Protection Act (CDPA), and the Colorado Privacy Act (CPA).

The Utah Consumer Privacy Act (UCPA): A primer

The UCPA follows suit with many of the provisions found under the CCPA, CPRA, CDPA, and CPA, such as similarities in the application threshold, exemptions for employee data, and the inclusion of sensitive personal information.

One difference to consider is the UCPA’s definition of ‘sale’, which includes an exemption for personal data disclosed to a third party if the disclosure is consistent with the ‘reasonable expectations’ of the consumer. The definition of sale also excludes the term ‘other monetary consideration’ – something that is seen in the CCPA, CPRA, and CPA.

The UCPA will take effect on December 31, 2023.

Application Threshold

The UCPA applies to organizations that conduct business in the state of Utah or produce a product or service that targets consumers who are residents of the state.

Organizations will fall under the scope of the UCPA if they have annual revenues of over $25,000,000, and either:

  • control or process the personal data of 100,000 or more consumers annually, or
  • derive over 50% of their gross revenue from the sale of personal data and control or process the personal data of 25,000 or more consumers.

The UCPA includes many exemptions from its provisions including employee data and other types of regulated data such as that found under the Gramm-Leach-Bliley Act (GLBA) or HIPAA. The UCPA will also not apply to non-profit organizations or higher education institutions, much like the CDPA and CPA.

Consumer Rights

The incoming privacy law in Utah will provide consumers with rights similar to those found under existing state privacy laws, such as:

  • The right to be informed
  • The right to access
  • The right to erasure
  • The right to data portability
  • The right to opt-out of processing

One of the differences found within the UCPA’s consumer rights is a limitation to the right to erasure where consumers can only request the deletion of personal data that they have provided directly to the organization.

The UCPA’s right to opt-out of processing only covers the processing of personal data for purposes of targeted advertising and the sale of personal data. This differs from the CDPA and the CPA by excluding the opportunity for consumers to opt out of profiling.

Organizations should provide at least one method for consumers to submit rights requests and have 45 days from receipt of the request to respond to the consumer. A 45-day extension is available if necessary due to the complexity of the request.

Data Controller Obligations Under the UCPA

The new privacy law in Utah outlines several requirements for covered organizations to comply with. Many of these requirements fall under familiar topics including transparency, purpose specification, data minimization, consent, and security.

One area in which the UCPA is unique is its requirements for processing sensitive personal information. Data controllers that process sensitive personal information do not need to obtain consent from the consumer; however, the data controller must present the consumer with the opportunity to opt out of the processing of their sensitive personal information before the processing commences.

In relation to processing children’s data, the UCPA requires the data controller to obtain parental consent to process the personal information of a minor, in accordance with COPPA.

Enforcement

The UCPA will be enforced by the Utah Attorney General (AG); however, cases brought before the AG will first have to be deemed valid by the Utah Department of Commerce’s Division of Consumer Protection.

Organizations that are found to have violated the provisions of the UCPA have a 30-day cure period to rectify the areas of non-compliance concerned. Unlike the cure period found under the CPA, the UCPA’s cure period facility will not sunset at a later date.

If the organization fails to rectify the non-compliance within the 30-day cure period, the AG may recover:

  • actual damages to the consumer; and
  • up to $7,500 per violation, per consumer

Money received from enforcement actions brought forward by the AG will be deposited into a ‘Consumer Privacy Account’.

In a similar fashion to the CDPA and the CPA, the UCPA does not provide consumers with a private right of action.
