Utah Consumer Privacy Act (UCPA): The Scope, Purpose, and How to Comply

05.10.2023 twitter X safetica

One of the latest strides in data protection in the United States comes from Utah, which has enacted the Utah Consumer Privacy Act (UCPA). The UCPA is designed to create a balance between data protection and business interests. With the UCPA poised to come into force on December 31, 2023, it's time to dive into the nitty-gritty of this comprehensive privacy law to ensure you're not only complying but also safeguarding individuals' privacy rights as best you can.

In this article, we’ll shed light on the UCPA’s unique features, its relevance in today's digital world, and how businesses can meet its demands.

What is the UCPA?

The UCPA, enacted on March 24, 2022, is like a digital guardian, ready to protect the personal data of Utah residents. Its wings will be fully spread come December 31, 2023, and understanding its core is essential to navigate the evolving landscape of data privacy.

This act aims to safeguard the data generated by online interactions and transactions. With the UCPA in place, businesses that handle personal data are held to high standards of responsibility and transparency. It's all about ensuring that consumers’ information isn't misused, mishandled, or exploited.

Under the UCPA, consumers have the right to:

  • access the data that a controller is processing,
  • delete their data if they directly provided it to the controller,
  • obtain a copy of their personal data in a way that is easily portable and transferable to another controller and
  • opt out of targeted advertising or out of the sale of their data to third parties.

Here's the deal: businesses can still collect and process personal data by default without explicitly seeking consumer consent (if they have a suitable privacy policy). But because of the UCPA’s requirements, it's like giving consumers a privacy remote control, giving them the authority to set the boundaries of what's shared and what's not.

UCPA in Comparison to Other Privacy Laws

Let's take a moment to draw some comparisons. You might be familiar with privacy laws like the California Consumer Privacy Act (CCPA), the Colorado Privacy Act (CPA), and the Virginia Consumer Data Protection Act (VCDPA). These are the trailblazers, setting the stage for privacy protection. The UCPA walks its own path while taking inspiration from these pioneers but is being considered more business-friendly than its counterparts in other states. We’ll talk about some of the main differences between the UCPA and other US data protection laws a little later in this article.

What is the Purpose of the UCPA?

The UCPA steps into this realm with clear-cut intentions: Its primary goal is to fortify the privacy rights of Utah residents. Under the UCPA, consumers have the right to know how their information is being used and shared by businesses. They can ask for their data to be deleted or opt out of their data being sold or used for targeted advertising.

We know what you’re thinking: We live in an era where data is the lifeblood of business growth. How is this going to affect my business? Luckily, business innovation and customer privacy need not be at odds. The UCPA recognizes a need for balance. In fact, it's designed to be pragmatic and business-friendly. UCPA acknowledges that data-driven innovation is essential for business’ success.

UCPA's scope: Who does it apply to?

If you're an organization conducting business in Utah or marketing to the state's residents with an annual revenue of USD 25 million or more, the UCPA applies to you. Additionally, if you're processing personal data for over 100,000 consumers or generate more than half of your revenue from selling personal data while processing information for at least 25,000 consumers, congratulations, you're also subject to the UCPA's provisions!

There are exceptions, though. These include educational institutions, non-profit organizations, government bodies, indigenous tribes, and a few more. If your business already adheres to other privacy acts like HIPAA or the Gramm-Leach-Bliley Act, UCPA compliance might not be required from you.

While UCPA's criteria might seem a little complex, viewing them as individual puzzle pieces can help clarify the bigger picture. Meeting these criteria isn't about a single factor; it's about how various factors interconnect. Your revenue, consumer data interactions, and data processing practices collectively determine whether your business falls under the UCPA’s umbrella.

Key definitions of the UCPA

Welcome to the backstage of UCPA compliance! To get a better grasp of UCPA’s provisions, let’s talk about some important definitions.

Controller vs processor

  • Controller: A controller calls the shots in terms of personal data processing. They decide why and how data is processed.
  • Processor: Processors handle data on behalf of controllers. Their role is execution rather than decision-making. They follow controllers' instructions on data processing.

Understanding these roles is essential because UCPA responsibilities and compliance measures differ based on whether you're a controller or a processor.

Personal vs sensitive data

The UCPA distinguishes between personal and sensitive data. Here’s how:

  • Personal Data=identifying information. According to the UCPA, personal information can be linked or reasonably connected to an identifiable individual. This includes things like names and email addresses but can also extend to less obvious details like IP addresses.
  • Sensitive Data=delicate information. Sensitive data within the UCPA involves particularly delicate details, such as racial or ethnic origin, religious beliefs, medical history, genetic and biometric data, and sexual orientation. This category acknowledges the heightened potential for harm or misuse of this kind of information if it gets into the wrong hands.

Notably, UCPA doesn't require explicit consent for processing sensitive data. What it does is mandate clear notification to consumers and the option to opt-out before collecting or processing such data.

Publicly available, de-identified, or anonymized information is excluded from being considered personal information at all.

No money, no sale

In the context of the UCPA, a sale refers to the exchange of personal data for monetary compensation from a controller to a third party. This direct monetary element sets the stage for what constitutes a sale under UCPA's lens.

However, not all data sharing counts as a sale under UCPA. No money = no sale. If no monetary transaction is involved, UCPA doesn't categorize it as a sale. This distinction acknowledges the diversity of data transactions.

Compliance measures and UCPA implementation

Here's a simplified breakdown of steps to guide your business to comply with UCPA's requirements:

  1. Understand applicability: Determine if your business falls within UCPA's scope based on revenue, consumer data, and connection to Utah.
  2. Data mapping: Identify the types of personal and sensitive data your business processes, including accurate categorization.
  3. Transparency: Develop a comprehensive privacy policy that clarifies data processing practices, shared data, purposes, and third-party involvement.
  4. Opt-out mechanism: Implement a clear and user-friendly opt-out mechanism, giving consumers the choice to limit their data usage or sale.
  5. Data security: Establish strong security practices across your business. Take a look at the ISO 27001 international standard. It covers 14 domains of a company’s information security system and suggests measures that you can put into practice to secure them.
  6. Consumer rights: Set up processes to respond promptly to consumer requests, granting access, deletion, or data portability.
  7. Regular updates: Keep up with UCPA updates and developments to maintain compliance as regulations evolve.

Enforcement and penalties under the UCPA

The enforcement of the UCPA lies strictly within the authority of the attorney general, meaning the UCPA doesn't allow private individuals to take legal action against violators.

When violations surface, the following ensues:

  1. Notice: The attorney general gives the data controller or processor written notice of the violation.
  2. Cure period: A 30-day period is granted for the controller or processor to rectify the violation and confirm its resolution, as well as what has been done to prevent it from happening again in the future.
  3. Enforcement action: If the violation persists after the cure period, the attorney general can initiate enforcement actions. 

UCPA violations can carry weighty consequences. Expensive ones, too: Violations can result in fines of up to USD 7,500 per occurrence, depending on the severity of the data privacy breach. Companies can also be responsible for recovering any damages suffered by consumers due to the non-compliance issue.

Ongoing or repeated violations can even lead to legal battles, which in turn puts another huge financial (and sometimes even operational) burden on the company. Not to mention the impact non-compliance can have on reputation and customer trust.

Comparison with other privacy laws in the US

The US doesn’t have a federal data protection law, and each state is left to come up with its own (though only 12 have done so so far). That leaves many companies and organizations that do business across the states to undergo the excruciating process of figuring out the differences between the individual regulations.

Here are some of the ways in which the UCPA differs from other prominent privacy laws in the US:

Opt-out consent model. Unlike the California Consumer Privacy Act (CCPA), the Colorado Privacy Act (CPA), and the Connecticut Data Privacy Act (CTDPA), which require explicit consent with data collection, the UCPA uses an opt-out consent model instead. This means that, by default, personal data can be collected, processed, and even used for targeted advertising without consumers' explicit consent and that consumers have the right to opt-out if they prefer their data not to be used for these purposes.

A narrower scope. The UCPA uses a revenue threshold as one of the ways to determine which businesses need to comply with its regulations. In addition, the UCPA allows for quite a few exemptions.  Other states have cast a wider net, with some, like the Connecticut Data Privacy Act (CTDPA), not taking revenue into consideration at all. This could result in other state privacy laws applying to a wider range of businesses, perhaps creating safer-feeling environments for their citizens.

Data sale definition. UCPA defines a sale as the exchange of personal data for monetary consideration to a third party. Unlike CCPA, it doesn't consider non-monetary transactions as sales.

Sensitive data handling: UCPA doesn't mandate explicit consent for processing sensitive data, instead requiring clear notifications and opt-out options, setting it apart from many other privacy laws.

In general, the UCPA comes out the most business-friendly of the bunch, allowing businesses to take a more passive approach to facing the consumer.

How Safetica can be your partner in UCPA compliance

Navigating the complexities of regulations like the Utah Consumer Privacy Act demands robust data protection solutions, and Safetica is here to assist your organization in achieving that goal. In a user-friendly way, at that!

Our Data Loss Prevention (DLP) solutions offer a toolkit that’ll make UCPA compliance a breeze:

  • Data classification: Easily identify and classify personal data within your organization, ensuring proper handling and protection.
  • Data encryption: Encrypt sensitive data, rendering it inaccessible to unauthorized parties, bolstering your UCPA compliance efforts.
  • Data monitoring and auditing: Monitor data usage in real-time, track sensitive data transfers, and generate detailed audit logs for compliance reporting and analysis.
  • Access controls: Implement access controls to ensure that only authorized personnel can access sensitive data, reducing the risk of data breaches.
  • Incident response: Safetica's software enables you to quickly respond to potential data breaches, allowing you to investigate incidents, contain the impact, and mitigate risks.

To explore the full range of features and benefits, take the next step with Safetica today. Your data privacy journey starts here! If you’re wondering how Safetica can help your particular business, schedule a free demo call with our specialists (here’s what you can expect from a demo call).



Let's discuss your UCPA compliance

Next articles

Regulatory Compliance

SAMA’s Cyber Security Framework: The Scope, Purpose, and How to Comply

The Saudi Arabian Monetary Authority (SAMA) has introduced a Cyber Security Framework designed to fortify the nation's financial systems and critical industries against cyber threats. Throughout this guide, we'll explore the key components, while also providing tips and insights on how to achieve compliance with its requirements.
Read more
Regulatory Compliance

HITRUST framework: The Scope, Purpose, and How to Comply

This article will guide you through HITRUST's evolution, its current scope, and how it can be a game-changer for your organization's data protection strategy.
Read more
Regulatory Compliance

Understanding SOC 2: The Scope, Purpose, and How to Comply

Get started with your SOC 2 compliance efforts: what SOC 2 is, why it matters, and, most importantly, what steps you need to take if you want to get a SOC 2 report for your organization.
Read more