Utah: UCPA - What to do if you are unregulated, a CCPA 'business', or a GDPR data controller?
Utah has crossed the finish line in becoming number four on the #Patchwork2022 #GameOfLaws contest. Enter: Senate Bill 227 for a Consumer Privacy Act ('UCPA'), coming to a compliance department near you in December 2023.
On 24 March 2022, the Utah Governor signed the UCPA into law. The (surprising) fourth US state after California, Virginia, and Colorado to have a comprehensive data protection law, the UCPA borrows heavily from both the California Consumer Privacy Act of 2018 ('CCPA') and Virginia's Consumer Data Protection Act ('CDPA') but has more carve-outs. Odia Kagan, Partner and Chair of GDPR Compliance & International Privacy at Fox Rothschild LLP, considers the key things to think about and to do for companies that have not undergone a formal data protection compliance program, and for those that have undergone a CCPA or GDPR compliance plan.
Please note that this article was amended on 25 March 2022 to reflect the passing of the UCPA.
Does UCPA apply to me?
Yes, if you:
- either (i) conduct business in the State of Utah, or (ii) produce products or services that are targeted to residents of Utah; and
- have annual revenue of at least $25,000,000; and
- either (i) during a calendar year control or process personal data of at least 100,000 consumers, or (ii) control or process personal data of at least 25,000 consumers and derive over 50 percent of gross revenue from the sale of personal data; and
- do not fall into one of the exceptions in the law, which generally include certain companies under contract with a governmental entity, financial institutions under the Gramm-Leach-Bliley Act of 1999 ('GLBA'), covered entities and business associates under the Health Insurance Portability and Accountability Act of 1996 ('HIPAA'), information which is de-identified pursuant to HIPAA, information under the Fair Credit Reporting Act of 1970 ('FCRA'), information under the Driver's Privacy Protection Act of 1994, information under the Family Educational Rights and Privacy Act of 1974 ('FERPA'), certain information in the employment context, and entities subject to the Children's Online Privacy Protection Act of 1998 ('COPPA').
What if I don't comply?
The UCPA does not have a private right of action but is enforceable by the Attorney General ('AG') with a 30-day cure period after notice of violation. Violations are subject to penalties of up to $7,500 per violation. All penalties are paid into the Consumer Privacy Account to be used to support the work of the AG to enforce the law.
Things to do for the UCPA for 'unregulated entities'
If the UCPA is the first comprehensive privacy law that applies to your business, here is what you should start doing now:
Establish a process to address consumer requests
- Map your information and know where it is held and by whom. This should include information held by your processors as well as third parties.
- Assess whether you engage in targeted advertising.
- Establish methods for submitting consumer requests. These should be reliable and secure and should include a process for opting out of targeted advertising and a process for opting into the processing of the information of a 'known child'.
- Establish a process for authenticating/verifying the identity of the requester.
- Establish a process for ensuring that the requests are handled and responded to on time.
- Establish a process to ensure that you are not discriminating/retaliating against a consumer for having exercised their rights.
What does the UCPA say
- Similar to the CCPA, the CDPA, and the Colorado Privacy Act ('CPA'), the UCPA grants individuals rights in the personal information collected about them. This includes the right to know what that information is, to get a copy of it in a portable format, and to have it deleted.
- Unlike the CCPA (but in line with the proposed amendments to the CDPA), the right to delete covers personal data that the consumer provided to the controller, but not all personal data the controller has obtained about the consumer.
- The UCPA also includes the right to opt out of a sale of personal information, as well as the right to opt-out of targeted advertising.
- The UCPA defines 'sale' more narrowly as 'the exchange of personal data for monetary consideration' and includes exceptions such as the disclosure to an affiliate of the controller or disclosure of information that the consumer (i) intentionally made available to the general public via a channel of mass media and (ii) did not restrict to a specific audience.
- The UCPA carves out an exception from responding to requests when doing so would be unreasonably burdensome, or if the controller does not associate the personal data with other personal data about the consumer and does not sell or disclose the data to third parties.
- Unlike the CCPA, the UCPA does not specify the types of methods to be used for submitting consumer requests but rather says 'means prescribed by the controller'.
Establish and maintain reasonable administrative, technical, and physical data security policies
You need to implement reasonable administrative, technical, and physical data security practices. This means:
- implement information security measures which are in line with industry standards for the type of information that you process (if such standards exist);
- depending on the size, scope, and complexity of your data, you may want to align your practices with a data security framework such as the National Institute of Standards and Technology's ('NIST') Framework for Improving Critical Infrastructure Cybersecurity, ISO 27001, and the Center for Internet Security ('CIS') Critical Security Controls, among others;
- ensure you follow the recent enforcement actions and caselaw regarding information security as well as recent Federal Trade Commission enforcement actions; and
- document your security measures and assess them regularly.
Adopt, improve, and expand privacy notices
- Develop and implement a reasonably accessible, clear, and meaningful privacy notice which addresses all of your relevant processing of personal information (online and offline).
- The privacy notice should include:
- the categories of information processed;
- the purpose;
- how to exercise consumer rights;
- categories of personal data shared with third parties;
- any sale of personal data; and
- any processing for targeted advertising.
Implement a data processing agreement with each processor that handles personal information for you
The agreement should include:
- clear instructions for processing data;
- the nature and purpose of processing;
- the type of data subject to processing;
- the duration of the processing;
- the rights and obligations of both parties;
- obligations regarding de-identified data (see below);
- obligations on processor's personnel and sub-processors to be bound by a duty of confidentiality; and
- obligations on the processor to contractually bind its sub-processors to the same obligations.
Though not required by the law, it is still a good idea to include in your agreements the provisions below, which are required under the CPRA/CDPA/GDPR:
- obligation on the processor to return or delete the data at the controller's choice;
- obligation on the processor to make available to the controller all information in its possession necessary to demonstrate compliance with the CDPA obligations; and
- obligation on the processor to allow, and contribute to, reasonable audits and inspections by the controller or the controller's designated auditor, or to arrange for a periodic third-party audit itself and present the results to the controller.
Identify your 'sensitive data'
Ensure that you:
- provide a notice and an option to opt out; or
- if this is data of a 'known child', process it in accordance with COPPA (i.e. opt-in consent of the parent).
Adopt a process for de-identified data or pseudonymous data
- Take reasonable measures to ensure that the data cannot be associated with a natural person;
- publicly commit to maintaining and using de-identified data without attempting to re-identify the data;
- contractually obligate any recipients of the de-identified data to comply with these provisions;
- adopt policies and procedures to ensure the above are implemented; and
- have processes to make sure that your pseudonymous data is not attributed to an identified individual or an identifiable individual.
If you are a data processor: Adopt a process to facilitate the controller's obligations
- Adopt a process to assist the controller with responding to consumer rights. Is information readily available to provide to the controller in a format that is easy to handle?
- Adopt information security measures.
- Develop and maintain the documentation and/or certification necessary to provide the controller the necessary information to enable the controller to conduct and document data protection assessments.
Things to do for the UCPA for companies who have undergone CCPA compliance
- Ensure that your CCPA rights and processes apply to Utah residents;
- establish a process for opting out of targeted advertising;
- implement clear and conspicuous disclosure of any sale of personal data or processing for targeted advertising, and of the manner for exercising an opt out;
- review your service provider agreements to make sure they include all the provisions required (see above); and
- if you are a data processor, adopt a process to facilitate the controller's obligations regarding consumer rights (see above).
Things to do for the UCPA for companies who have undergone GDPR compliance
- Make sure you are on top of your GDPR obligations and that they apply to Utah residents;
- amend your privacy notice for specific requirements;
- amend your Article 28 data processing agreement to account for specific requirements (for example de-identified information);
- assess and adapt your Article 32 protections (for example do they include state and federal data breach reporting?);
- address the concept and opt out process for 'sale';
- tweak your data subject access request process: consider how you will address targeted advertising and those parts of 'sensitive information' that are not subsumed in Article 9 special category data (for example children's information and precise geolocation);
- implement verified parental consent processes for 'known children' in accordance with COPPA: this (i) likely means children under the age of 13 and (ii) requires specific approved consent methods that are not required in the EU; and
- adopt a process for de-identified information (public undertaking not to re-identify, processes and contractual obligations downstream).
Odia Kagan Partner and Chair of GDPR Compliance & International Privacy
Fox Rothschild LLP, Philadelphia