What is the Utah Consumer Privacy Act (UCPA)?
The Utah Consumer Privacy Act (UCPA) is a privacy law that was passed by the Utah State Legislature on March 24, 2022. It is also known as Utah’s privacy bill, and it aims to protect the privacy rights of consumers in Utah.
The law, which went into effect May 5, 2022— applies to businesses that collect and process personal data of Utah residents, and it gives consumers certain rights over their personal information.
Consumer Rights under Utah’s Privacy Law
Under the UCPA, consumers have the right to know what personal information businesses are collecting about them, the right to request that their personal information be deleted, and the right to opt-out of the sale of their personal information. Businesses must also provide clear and conspicuous notices to consumers about their data collection and processing practices.
The UCPA also requires businesses to implement reasonable security measures to protect consumer data and to obtain consumer consent before collecting sensitive information, such as financial information or social security numbers.
If a business fails to comply with the UCPA, it may face enforcement actions from the Utah Attorney General’s Office, including fines of up to $2,500 per violation.
Overall, the Utah Consumer Privacy Act is similar in many ways to other privacy laws, such as the California Consumer Privacy Act (CCPA) and the European Union’s General Data Protection Regulation (GDPR). However, it has some unique provisions and requirements that businesses operating in Utah need to be aware of.
Exemptions under UCPA
The Utah Consumer Privacy Act (UCPA) is a state privacy law that governs how businesses handle and protect consumers’ personal information. However, not all entities are subject to the UCPA, as there are certain exemptions provided under the law.
The following are some examples of entities that are exempt from the UCPA:
- Small Businesses: Businesses that have an annual gross revenue of less than $25 million, do not process the personal information of 50,000 or more consumers, and do not derive 50% or more of their annual revenue from selling personal information are exempt from most of the requirements under the UCPA.
- Financial Institutions: Entities that are subject to certain federal laws, such as the Gramm-Leach-Bliley Act (GLBA) or the Health Insurance Portability and Accountability Act (HIPAA), which govern financial institutions and healthcare providers respectively, are exempt from the UCPA’s requirements to the extent that they comply with those federal laws.
- Government Agencies: Government agencies and public institutions are generally exempt from the UCPA’s requirements, except for those related to data breach notification.
- Nonprofit Organizations: Nonprofit organizations that process personal information for charitable or religious purposes are exempt from the UCPA’s requirements.
It is important to note that these exemptions are subject to certain conditions and limitations, and entities that qualify for an exemption may still be subject to other federal or state privacy laws.
UCPA Requirements for Controllers & Processors
Under Utah’s Consumer Privacy Act (UCPA), both controllers and processors have obligations to protect the privacy rights of consumers.
1. Controllers: A controller is a business that determines the purposes and means of processing consumers’ personal information. Under the UCPA, controllers must:
- Provide consumers with a privacy notice that discloses the categories of personal information collected, the purposes for which it is used, and the categories of third parties with whom it is shared.
- Allow consumers to exercise their rights to access, delete, and opt-out of the sale of their personal information.
Obtain opt-in consent before processing sensitive personal information such as Social Security numbers, driver’s license numbers, and financial account numbers.
- Implement reasonable security measures to protect consumers’ personal information from unauthorized access or disclosure.
Enter into contracts with processors that require them to comply with the UCPA’s requirements.
2. Processors: A processor is a business that processes personal information on behalf of a controller. Under the UCPA, processors must:
- Only process personal information as instructed by the controller and only for the purposes specified in the contract.
- Implement reasonable security measures to protect the personal information from unauthorized access or disclosure.
- Notify the controller promptly if there is a data breach.
- Delete or return the personal information to the controller when the contract terminates.
It is important to note that the UCPA provides consumers with the right to bring a private right of action against controllers and processors for certain violations of the law. Therefore, it is crucial for businesses to comply with the UCPA’s obligations to avoid potential legal and financial consequences.
Achieve UCPA Compliance with BigID
BigID is a data privacy platform that provides businesses with tools and solutions to achieve compliance with various privacy regulations, including the Utah Consumer Privacy Act (UCPA).
To achieve UCPA compliance with BigID, businesses can follow these steps:
- Discovery: BigID’s automated data discovery tool scans an organization’s enterprise data across multi-cloud and on-prem data stores to identify and locate personal information of Utah residents. Using advanced AI and machine learning, BigID’s platform identifies sensitive data such as Social Security numbers, driver’s license numbers, and financial account numbers.
- Classification: BigID’s data classification tool categorizes the personal information based on data sensitivity and potential risk to the consumers’ privacy rights. The tool uses advanced data analytics to identify data patterns, relationships, and context to provide accurate data classification.
- Mapping: BigID’s data mapping tool creates a visual map of the sensitive personal data stored throughout an organization—helping identify where personal information is collected, processed, stored, and shared, and assess their UCPA compliance obligations.
- Rights Management: BigID’s Privacy Portal App enables businesses to manage consumer privacy rights requests such as access, deletion, and opt-out of the sale of personal information. The tool automates the workflow for handling consumer requests and provides an audit trail to demonstrate compliance with the UCPA.
- Risk Assessment: BigID’s risk assessment tool provides businesses with a risk score for personal information processing activities, based on factors such as data sensitivity, data volume, and data usage. This helps businesses prioritize their privacy compliance efforts and allocate resources accordingly.