Utah is the most recent state to enact a complete privacy legislation after the governor signed the Utah Consumer Privacy Act (“UCPA”) on March 24 of this 12 months. UCPA goes into impact on December 31, 2023. California, Virginia, and Colorado have handed comparable legal guidelines up to now few years, with the California Consumer Privacy Act (CCPA) already in impact.
UCPA’s core necessities are much like these within the different privacy state legal guidelines, together with a requirement to publish a privacy coverage and supply sure data topic rights to people whose info is collected by an entity that’s topic to the legislation. As with the legal guidelines in Colorado and Virginia, UCPA excludes a personal proper of motion. Instead, UCPA is enforced by Utah’s Attorney General with fines as much as $7,500 per violation, supplied the offending entity has not cured the violation inside 30 days of receiving the Attorney General’s written discover. Consumer rights, akin to the appropriate to decide out of focused promoting and sale of private data, are considerably comparable throughout UCPA and the legal guidelines in Colorado and Virginia.
The UCPA’s scope is the narrowest of the state privacy legal guidelines. UCPA applies to any for-profit entity that (i) conducts enterprise in Utah or targets residents of Utah, (ii) has annual income of $25 million or extra, and (iii) both (a) yearly controls/processes private data of 100,000 or extra shoppers or (b) derives over 50% of its gross income from the sale of private data and controls or processes private data of 25,000 or extra shoppers. This scope is narrower than the scope of the CCPA and the Colorado Privacy Act (CPA), that are relevant to entities that meet a income threshold no matter info assortment. UCPA’s scope can be narrower than the scope of the Virginia Consumer Data Privacy Act (VCDPA), which applies to entities that management or course of a specific amount of private data no matter income.
Among UCPA’s notable necessities, an entity should present the patron with clear discover and a chance to decide out of processing of geolocation data or delicate data extra typically. By manner of comparability, the legal guidelines in Colorado and Virginia require an opt-in consent previous to the processing of delicate data.
Unlike the legal guidelines in Colorado and Virginia, UCPA doesn’t require data safety assessments. Where such assessments are required below the Colorado and Virginia legal guidelines, entities should consider and doc the prices and advantages of some actions, akin to focused promoting or processing delicate data. Additionally, UCPA doesn’t direct entities to tell shoppers of a way to enchantment shopper entry requests.
One further notable function of UCPA is the definition of data “sale,” which is outlined as “the exchange of personal data for monetary consideration by a controller to a third party.” This definition gives welcome readability in comparison with the CCPA’s definition of a sale, which incorporates the alternate of private info for “monetary or other valuable consideration.”
As practically each state has or is actively contemplating a complete privacy invoice, the most recent improvement in Utah represents a much less aggressive mannequin for complete privacy necessities, which noticeably omits a personal proper of motion. While a handful of states are contemplating payments with a personal proper of motion, for instance, New York, Pennsylvania, and Massachusetts, this provision continues to be essentially the most notable sticking level within the legislative course of.
As said above, UCPA just isn’t efficient till December 31, 2023. UCPA doesn’t present for or require any implementing laws. Likewise, the VCDPA doesn’t require laws earlier than its efficient date of January 1, 2023. Comparatively, the Colorado Attorney General is already searching for casual touch upon the CPA, which can go into impact on July 1, 2023.
Relatedly, the California Privacy Protection Agency, which is chargeable for promulgating laws for the California Privacy Rights Act (CPRA), amending the CCPA, not too long ago convened pre-rulemaking informational classes however anticipates ultimate CPRA laws within the third or fourth quarter of 2022.