Utah Governor Spencer Cox has officially signed a new data protection act into law. The Utah Consumer Privacy Act (UCPA) echoes similar legislation in California, Colorado, and Virginia, and will go into effect on December 31, 2023.
The UCPA is designed to protect the personal data of Utah residents, and to prevent businesses from using that information inappropriately. However, the law does not create a private right of action, and instead assigns enforcement responsibilities to the Utah Attorney General’s office. That means that the law is unlikely to lead to a wave of lawsuits and fines like the one seen in Illinois following the passage of that state’s Biometric Information Privacy Act.
Having said that, businesses that do run afoul of the UCPA could face penalties of up to $7,500 for every violation. The Attorney General must give businesses 30 days’ written notice before pursuing penalties, giving those businesses the opportunity to avoid further punishment if they manage to fix the problem within that 30-day window.
In that regard, the law does carve out basic protections for Utah residents, even if it is more lenient than some of its predecessors. The UCPA defines personal data as any information that can be linked to an identifiable individual, covering everything from race and sexual orientation to medical history, religion, and immigration status. It also applies to biometric data and any geolocation data that could be used to track someone’s movements.
Businesses are still allowed to process personal data, but they must disclose that fact and obtain consent before doing so. Utah residents, meanwhile, can opt out at any time, and have the right to ask businesses to delete their personal information. If someone wants to know what is being processed, businesses must provide individuals with the information they have on file, and need to be able to give that data to them in a portable and usable format. Finally, Utah residents can prevent businesses from using their data for advertising or marketing purposes.
The UCPA does not apply to every organization. Government entities, and businesses working on behalf of government entities, are exempt from the law, as are tribes, non-profit corporations, and academic institutions. Healthcare providers and financial institutions are also exempt, though they are still subject to industry-specific data privacy regulations like HIPAA.
Other UCPA measures are there to protect small businesses. The law only applies to private entities that have more than $25 million in yearly revenue, and collect personal data from more than 100,000 consumers (or 25,000 customers if the sale of data is their primary business activity). Consumers are defined as private residents of the state of Utah, and the category does not include those whose data is collected as part of the terms of their employment.
Businesses that are collecting personal data need to provide a clear privacy notice, and inform consumers of their right to opt out. They are similarly expected to follow administrative and technical best practices to protect that information.
Utah passed basic facial recognition guidelines last March. The state of California, meanwhile, is considering a new data protection bill more in line with Illinois’ stricter standard.
Source: JD Supra
March 25, 2022 – by Eric Weiss