As always, this is meant to be general guidance and should not be viewed as legal advice. Please consult with your legal counsel to ensure your actions align with the interpretations and requirements of your legal team.
On March 24, 2022, Utah became the fourth state in the United States to sign privacy legislation into law, joining California, Virginia, and Colorado. The new law, the Utah Consumer Privacy Act (UCPA), grants Utah residents certain rights with respect to their personal data. Similar to the Virginia and Colorado laws, the UCPA follows a controller/processor model and lays out both specific rights for users, as well as specific obligations for businesses that process users’ data. Here we will explore the key points that marketers and advertisers with users in Utah need to be aware of.
Who does the law apply to?
The Utah Consumer Privacy Act applies to any controller or processor who conducts business in Utah or produces a product or service targeted to consumers who are residents of Utah. These businesses must also meet the following thresholds:
- Have annual revenue of $25 million or more, and satisfy one of the following:
  - In a calendar year, control or process personal data of 100,000 or more consumers, or
  - Derive more than 50% of gross revenue from the sale of personal data, and control or process personal data of 25,000 or more consumers
What rights are granted to consumers?
Utah consumers are granted the right to:
- Confirm whether the controller is processing the consumer’s personal data
- Access the consumer’s personal data which has been processed
- Delete the consumer’s personal data that the consumer has provided to the controller
- Obtain a copy of the consumer’s personal data that the consumer previously provided to the controller in a format that:
  - To the extent technically feasible, is portable;
  - To the extent practicable, is readily usable; and
  - Allows the consumer to transmit the data to another controller without impediment, where the processing is carried out by automated means
- Opt out of the processing of the consumer’s personal data for purposes of:
  - Targeted advertising; or
  - The sale of personal data
There are some fancy terms being used in that explanation—what are you talking about?
Some important definitions to be aware of:
- Consumer – an individual who is a resident of the state acting in an individual or household context (e.g., a user living in Utah who is accessing your website)
- Controller – the entity that determines the purposes for which and the means by which personal data is processed (generally the owner of the website being visited)
- Processor – an entity that processes personal data on behalf of a controller (e.g., your web analytics platform provider)
- Process – an operation or set of operations performed on personal data, including collection, use, storage, disclosure, analysis, deletion, or modification of personal data
- Personal data – information that is linked or reasonably linkable to an identified or an identifiable individual (for example, a unique user ID assigned to a user when they visit your website)
- Sale, sell, or sold – exchange of personal data for monetary consideration by a controller to a third party
- Targeted advertising – displaying an advertisement to a consumer where the advertisement is selected based on personal data obtained from the consumer’s activities over time and across nonaffiliated websites or online applications to predict the consumer’s preferences or interests
  - It does not include advertising:
    - Based on a consumer’s activities within a controller’s website or online application or any affiliated website or online application
    - Based on the context of a consumer’s current search query or visit to a website or online application
    - Directed to a consumer in response to the consumer’s request for information, a product, a service, or feedback
  - It also does not include processing personal data solely to measure or report advertising:
    - Performance
    - Reach
    - Frequency
So … what do I need to be doing?
When considering the new requirements from a marketer or advertiser’s perspective, I like to approach the requirements through a few general categories: transparency and disclosure; user choice; user access and deletion; and privacy practices.
Transparency & Disclosure
First and foremost, the controller (this is likely your business as you own the website and are defining data strategy) must provide consumers with a reasonably accessible and clear privacy notice. This must include:
- Categories of personal data processed by the controller;
- Purposes for which categories of personal data are processed;
- How consumers may exercise a right;
- Categories of personal data that the controller shares with third parties, if any; and
- Categories of third parties, if any, with whom the controller shares personal data
In addition, if the controller sells a consumer’s personal data to any third parties or if they engage in targeted advertising, they must clearly and conspicuously disclose to the consumer how they can exercise their right to opt-out of either activity.
User Choice
If the controller is engaging in the sale of personal data or targeted advertising, the consumer must be given the ability to opt out of either activity. As a marketer, you must identify whether these activities are occurring and ensure mechanisms are in place so that a consumer’s opt-out selection is honored and their data is no longer sold or processed for targeted advertising.
User Access & Deletion
When a user submits a request for access or deletion of their personal data, the controller has 45 days to take action on the consumer’s request and to inform the consumer of any action taken. This period can be extended for an additional 45 days if reasonably necessary so long as notice is given to the consumer of the extension within the initial 45-day period.
Any processing of personal data for marketing and advertising purposes needs to be documented so that these requests can be fulfilled, and the data must be structured and stored in a way that allows it to be traced, accessed, and/or deleted.
Privacy Practices
Marketers and advertisers can make the lives of their counterparts in compliance significantly easier by doing the following for any of their data activities:
- Document the data collected, identify data that falls under the “personal data” definition, map the platforms personal data flows through, and record how personal data is used for marketing and advertising activities.
- Follow data minimization best practices. Ask yourself, “What is the minimum amount of personal data necessary to accomplish my defined business use case?” Design the data architecture accordingly to minimize the amount of personal information processed.
- Ensure technical and operational safeguards are in place to protect the personal data processed.
- Define, practice, and enforce data governance processes to ensure that personal data is only processed for the defined purposes that are documented and disclosed to users.
What happens in the event of a violation?
Enforcement of the Utah Consumer Privacy Act lies with the state Attorney General, who is tasked with investigating and identifying instances of noncompliance. Once a violation is identified, the Attorney General must provide notice of it at least 30 days before an enforcement action can be brought. Within this period, the organization has the opportunity to demonstrate that the issue has been cured in a way that complies with the law. If it is not, an enforcement action can be brought against the violating organization, resulting in a fine and reputational damage.
When does the law go into effect?
The effective date of the Utah Consumer Privacy Act is December 31, 2023.
Create Your Privacy Best Practices Now
As you can see, the UCPA introduces key differences between the consumer privacy rights Utah residents have today and the rights they will have once the law takes effect. If you operate in Utah or have users in Utah, you need to start ramping up now to ensure you’re compliant—otherwise, you may be at risk of steep penalties.
The UCPA codifies privacy best practices, from being strategic and purposeful about what data you collect and how you use it, to disclosing your purposes to users and giving them the option to opt out of various uses of their personal data. Now that you understand the major points of the law, you can start building processes around those best practices so you’re fully prepared when it goes into effect.