The UCPA provides certain exceptions where a controller may deny a consumer request; however, the burden of demonstrating9that the request falls under such exceptions is on the controller. The right to confirm whether a company is processing their personal data; The right to obtain a copy of their personal data in a format that is portable, readily usable, and easily transferable; and. Update March 31, 2022: Utah Governor Spencer Cox signed the bill into law March 24, 2022. The law requires the controllers to follow certain requirements as outlined below: The attorney general has the exclusive authority to enforce the law. A parent, guardian, or conservator may also request the information on a consumers behalf. While Utah privacy law closely tracks that of Virginia and other state privacy laws in general, Utah takes a unique approach with respect to consumer UCPA violation claims. The Connecticut Act Concerning Personal Data Privacy and Online Monitoring (CTDPA) was signed into law on May 10, 2022 and is scheduled to take effect on July 1, 2023. A Question OpenSky Should ATA Calls for Stakeholder Letter on Telemedicine Controlled Equitable Mootness No Bar to Slicing & Dicing Exculpation EPA Region 1 Expands NPDES Stormwater Permitting Requirement to Sites Unpacking Averages: Finding Medical Device Predicates Without Using 2023 Employee Benefit Plan Limits Announced by IRS. A "consumer" under the UCPA is "an individual who is a resident of Utah acting in an individual or household context." Like the VCDPA, Utah's law states a consumer does not include a "natural person acting in a commercial or employment context." Consumer Rights. NLR does not answer legal questions nor will we refer you to an attorney or other professional if you request such information from us. As in other state laws, the UCPA grants consumers certain rights to their personal data. Languages Back Deutsch English Espaol Franais Italiano Portugus Platform Solutions Resources Customers Company Why OneTrust 6 Consumer Privacy Act, State of Utah. The attorney general may bring an action for uncured violations and recover actual damages to the consumer and $7,500 per violation in civil penalties. In line with the other state privacy laws, the UCPA has a right to cure provision, which allows first-time violators to avoid civil penalties if they cure their violation within 30 days of notice. Gretchen Scott On March 24, 2022, Utah became the fourth U.S. state to adopt consumer data privacy legislation after Utah Gov. A company that wants to collect sensitive data must provide consumers with a clear notice that they can opt out of sharing this type of information. A piecemeal approach to data privacy based on individual regulatory requirement will only compound the difficulty. 4 Consumer Privacy Act, State of Utah. EPA Provides Report to Congress on Its Capacity to Implement Certain SEC Adopts Amendments Requiring Electronic Filing of Forms 144. Omer Tene. Utah's privacy law is unique in that controllers don't need to obtain opt-in consent to collect and process sensitive data. While responding to consumer requests, the law expects the controller to authenticate the identity of the consumer "using commercially reasonable efforts." 7 The law allows a controller to request additional information to authenticate a consumer request. And as with other state laws, the Act contains broad exceptions for certain entities and data categories, including higher education institutions, nonprofits, and information and entities regulated by both the Health Insurance Portability and Accountability Act (HIPAA) and the Gramm-Leach-Bliley Act (GLBA). TURNABOUT: TCPA Defendant Recovers Damages (Fees) Against Plaintiff What Gives You the Right to Be in This IPR? Unlike Virginia and Colorado, controllers must only provide notice and an opportunity to opt out prior to processing consumer's sensitive data (or comply with the Children's Online Privacy Protection Act (COPPA) for the sensitive data of children under 13) as opposed to obtaining opt-in consent to collect and process such data. Although the bill generally tracks the comprehensive privacy law passed in Virginia last year, the VCDPA, there are some notable differences. (t)(2)(C); 1798.145. The new law also contains specific requirements for companies that want to collect sensitive data (such as information about an individuals race or ethnic origin, religious beliefs, sexual orientation, citizenship or immigration status, medical information or treatment information, genetic or biometric data, or specific geolocation data). During law school, Cathy was editor-in-chief for theAmerican Intellectual Property Law Association Quarterly Journal You are responsible for reading, understanding and agreeing to the National Law Review's (NLRs) and the National Law Forum LLC's Terms of Use and Privacy Policy before using the National Law Review website. Challenges in the Valuation of VC-Backed Companies: Why Relying on NYDFSs $4.5 Million EyeMed Cyber Settlement Reminder To Industry, ESG Considerations for Retirement Plans: A Moving Target, European Commission Publishes Report on Decentralized Finance. For businesses that are developing their national privacy strategies on one or more of the three other upcoming comprehensive state privacy law frameworks (California, Virginia or Colorado), the UCPA does not impose additional or significant compliance burdens. The Division of Consumer Protection (Division) within the Department of Commerce will accept complaints related to the alleged violation of the law. The Division will investigate the validity of a complaint and, based on its determination, the Division may refer the matter to the attorney general. 13 Consumer Privacy Act, State of Utah. With passage of the Utah Consumer Privacy Act ( UCPA ), Utah will become the fourth state to adopt omnibus consumer privacy legislationfollowing California, Virginia, and Colorado when Utah Governor Spencer Cox signs the bill. The UCPA provides exemptions not found in the Virginia or Colorado laws, however. California Court of Appeal Dismantles Rounding Where Accurate Defense Contractors - Check Your Non-Disclosure Agreements for Three Notable Antitrust & Tech Updates That May Have Flown Under Justice Department Obtains Permanent Injunction Blocking Penguin SEC Awards Whistleblower $10 Million After Returning Money to Harmed Uncovering Juror Bias, Counteracting Nuclear Verdicts, & the Future of Fall Back: Westchesters Pay Transparency Law Takes Effect on November 6, 2022. Utah became the fourth US state after California, Virginia, and Colorado to enact a comprehensive privacy law. The passage of the UCPA may influence more states to pass similar data privacy laws. The content and links on www.NatLawReview.comare intended for general information purposes only. The categories of personal data processed; The purposes for which the personal data is processed; The categories of personal data shared with third parties (if any); and. But security does feature within the UCPA. If you require legal or professional advice, kindly contact an attorney or other suitable professional advisor. 3/11/2022. Consumer Rights Under the new legal framework, Utah residents are granted the following six categories of rights: The categories of third parties with whom the controller shares personal data (if any). Cathy Lee focuses her practice on privacy and cybersecurity matters, including compliance and GDPR related matters. The Act, which is scheduled to take effect on December 31, 2023, includes many of the same rights, obligations and exceptions that have become common in other consumer privacy laws and proposals: The Act provides consumers with the now well-known rights of notice, access, portability and deletion. The Act grants the Utah Department of Commerce Division of Consumer Protection the power to investigate consumer complaints regarding the processing of their personal information by a business. Sensitive data includes information about racial or ethnic origin, religious beliefs, sexual orientation, citizenship or immigration status, health and medical treatment or conditions, biometric or genetic data used to identify individuals, and geolocation data. The UCPA applies to controllers and processors that conduct business in the state of Utah or produce a product or service that is targeted to Utah residents, have annual revenue amounts of $25,000,000 or more, and: Controller A (EEA) Processor Z (EEA) Employee of Processor Z (Non PTO Extends Deadline for Comments on Initiatives to Ensure Patent With Election Day Around the Corner, Employers Need to Remember You Puerto Rico Publishes Model Protocol for Expanded Sexual Harassment Podcast: Post-Dobbs Navigating the Fast-Changing and Uncertain Health Care and Life Sciences Practice Group. 10 Consumer Privacy Act, State of Utah. The ASA Effective Date is Fast Approaching: Employers Should Get Commonwealth Court Restricts the Pending Ordinance Doctrine. Destroyed: FTC Levels Incredible $100 Mm Penalty Against Vonage for Dark Patterns Bidens Executive Order Implementing New EU-U.S. Data Privacy Framework to Connecticut Joins the Interstate Medical Licensure Compact and the Psychology FTC Action Against Drizly and CEO Provides Insight Into Its Security Expectations, Privacy Tip #348 Considerations for Electronic Monitoring of Employees, SEC Awards $2.5 Million to Whistleblowers Who Reported Fraudulent Practices. David works collaboratively with a diverse range of clients, from small business and pro bono clients to multinational Fortune 100 companies, understanding and advising on Austin Mooney focuses his practice on global privacy, cybersecurity, and emerging technologies. Destroyed: FTC Levels Incredible $100 Mm Penalty Against Vonage for Bidens Executive Order Implementing New EU-U.S. Data Privacy Connecticut Joins the Interstate Medical Licensure Compact and the More Autonomous Big Rigs Needed on the Road: Why Start There? If you would ike to contact us via email please click here. The Act would exclude employee data and business-to-business contact information from its scope, following similar exclusions in other states. The UCPA is the least onerous of the four state data privacy laws passed to date. The attorney general may recover actual damages or an amount up to $7,500 for each violation if the entity fails to cure the violation. Until a national law is passed, businesses that process personal data of consumers across state lines will have to continue to closely monitor new state law developments and be prepared to build out their privacy practices in compliance with multiple applicable state laws. Cathys experience encompasses, working with digital advertising companies to confirm compliance policies with the digital advertising ecosystem, as well as drafting training materials on the comprehensive data privacy laws globally including in Australia, Georgia, Hong Kong, Moldova, Montenegro, South Korea, Turkey and New Zealand.