What is the UCPA?
The UCPA (Utah Consumer Privacy Act) is a state law designed to protect consumer data. It was signed into law on March 24, 2023 and will come into effect on December 31, 2023. At the time of its signing, the Utah Consumer Privacy Act was the fourth such state privacy legislation in the US.
The UCPA aims to protect consumers’ personal information from unrestrained processing and sale by companies that seek to profit from such personal data. The UCPA requires companies to take measures, including physical measures, to protect consumer data from leaks and breaches.
How does the Utah Consumer Privacy Act compare to other state privacy laws?
The point of comparison for any state privacy law like the Utah Consumer Privacy Act (UCPA) is the California Consumer Privacy Act (CCPA)—the first state data privacy law in the States. Other relevant privacy laws include the Colorado Privacy Act (CPA) and Virginia Consumer Data Protection Act (VCDPA).
The most notable difference between the UCPA and some other state privacy laws is that the Utah state legislature does not require data controllers to get consent from Utah consumers before processing sensitive information. Sensitive information (sensitive data) is any data that reveals a person’s ethnicity, sexual orientation, religious beliefs, immigration status, geolocation data, and medical information.
There are other differences between the UCPA and other data privacy laws throughout the United States. See US data privacy laws.
What rights does the Utah Consumer Privacy Act guarantee?
The Utah Consumer Privacy Act guarantees Utah residents four main privacy rights:
- The right to access.
- The right to delete.
- The right to data portability.
- The right to opt out of the sale of personal data and the processing of consumer personal data for the purposes of targeted advertising.
The right to access means that Utah residents can confirm with a given controller whether or not it processes personal data belonging to them. Residents may also be able to see what personal and sensitive data the controller has on them.
A data controller is any legal entity (including individuals) that “determines the purposes for which and the means by which personal data are processed.” Data processors are entities that process personal information on behalf of a data controller.
The right to delete means that data controllers have to honor consumer requests to delete any consumer data they provided to the controller. The right to data portability means that controllers have to provide personal data in a format that’s as usable, portable, and transmittable as reasonably possible.
Perhaps the most often invoked consumer protection right is the right to opt out of companies’ processing of personal data for the purpose of targeted advertising as well as the sale of consumers’ personal data. This allows Utah residents to stop companies from collecting, processing, and trading in their personal data.
All these rights are subject to limitations and exceptions, though. For example, a “consumer” is defined as an “individual who is a resident of the state acting in an individual or household context,” excluding individuals acting in a business context.