What are the requirements of the UCPA?
Utah consumers are granted a set of data subject rights and consent rights businesses must fulfill. If your business is subject to UCPA, here are the rights you’re legally obligated to enable consumers to exercises.
Data subject requests (DSRs) are requests that users can make to exercise control over the personal information businesses collect on them.
Under UCPA, Utah residents have the following consumer rights:
|Right to Know and Access||Consumers are allowed to request to know if a company is collecting and processing their personal information, and access what personal data that company has on them.|
|Right to Delete||Consumers are allowed to request the deletion of all of the personal data a company has on them. This also extends to the personal data held by data processors, third-party vendors, or subcontractors.|
|Right to Data Portability||Consumers are allowed to request a copy of the data a company holds on them in a machine-readable format.|
Unlike other state privacy laws, Utah residents do not have the right to correct information that they believe to be incorrect, nor do they have the the right to appeal when a business denies a data subject request.
Like other state privacy laws, though, UCPA mandates that businesses respond to consumers' requests within 45 days. They can also extend for an additional 45 days if needed to process complicated requests.
Connecticut's privacy law also grants specific consent rights for consumers to exercise control over how their personal data is processed by businesses. Under CTDPA, businesses must enable consumers to submit their consent preferences online. Here are the opt-out and opt-in consent rights Colorado residents have:
|Targeted Advertising||Displaying advertisements to a consumer where the advertisement is selected based on personal data obtained from that consumer's activities over time and across nonaffiliated websites or online applications to predict such consumer's preferences or interests.|
|Sale of Personal Data||The exchange of personal data for monetary consideration by the controller to a third party|
|The Processing of Sensitive Data|
Notably, UCPA does not allow the ability to opt out of profiling, or even mentions profiling at all it in the text. Utah’s privacy law also does not require businesses to recognize a universal opt-out mechanism. Unlike other state privacy laws, Utah consumers have to opt out of the processing of their sensitive data.
UCPA does require opt-in consent form a parent or legal guardian before processing the data of a known child (under 13 years old). They must also obtain users' affirmative consent before collecting data for a secondary use that is not stated in its privacy notice.
Businesses must communicate how users can exercise their consent rights through Privacy Notices on their websites.
One unique aspect of UCPA is its layered enforcement approach to privacy violations between the Division of Consumer Protection and the Attorney General of Utah.
The "Division's" enforcement powers include receiving consumer complaints about controllers' alleged privacy violations. The Division can investigate these complaints and refer them to the Attorney General to address. They can also assist the Attorney General in enforcement actions.
The Attorney General of Utah has exclusive authority over enforcing the Utah Consumer Privacy Act. That means consumers do not have a private right of action and cannot directly sue companies over privacy violations.
If a privacy violation is found, businesses have a 30-day cure period to correct it. If violations are not corrected in time, businesses could face a civil penalty of up to $7,500 per violation. Utah's cure period will not expire like in Colorado and Connecticut, so businesses your business does not need to prepare for this.