How to Comply With the Utah Consumer Privacy Act (UCPA)

By Mohammed Usrof

April 1, 2022

Privacy is an important aspect of our lives, and in the 21st century, it is getting more difficult for consumers to keep track of their digital footprint and measure of security.

Accounting for this, a new Utah legislation is poised to join California, Colorado, and Virginia in improving US data privacy measures. Here’s what to know about the Utah Consumer Privacy Act and how to comply as a business.

What is the UCPA? 

The Utah Consumer Privacy Act (UCPA), also known as the senate Bill 277, includes explanations of consumers’ data rights in the state of Utah. The bill outlines the existence of 45-day request response periods, a 30-day cure period, and unique attorney general enforcement provisions in regard to data requests and handling in Utah.

The reason the UCPA is significant is because it will put Utah as the 4th US state to enact a comprehensive data privacy law. Legislation like the UCPA work to remove the blurred lines of how consumer data should be treated by businesses, and acts as an example for other state legislations to take in the possible future. Signed into law March 24, 2022, the bill will take effect December 31, 2023.

Who Has to Comply Under the UCPA? 

The UCPA concerns entities that operate for the sake of gaining monetary profit (“controllers” or “processors”) and conduct business in the state of Utah or target goods and facilities to consumers who are residents of Utah. To be affected, these entities are required to have an annual revenue of at least $25 million, and meet one of two threshold requirements:

  • Annually control or process the personal data of 100,000 or more Utah residents (“consumers”); or
  • Derive over 50 percent of gross revenue from the “sale” of personal data and control or process personal data of 25,000 or more consumers.

Certain types of data and entities are exempted, and that includes data available to the public, unidentified data, and data subject to other acts such as the Health Insurance Portability and Accountability Act (HIPAA), the Driver’s Privacy Protection Act, and the Family Education Rights and Privacy Act.

The UCPA includes a number of exceptions for entities such as organizations and businesses that are covered by the Gramm-Leach-Bliley Act and the Fair Credit Reporting Act. The exemptions are also subject to non-profit entities, educational institutes, and government agencies.

How Does the UCPA Protect Consumer Data  

Similar to other US state data privacy laws, the act provides consumers with control over their personal data and allows them more rights towards certain issues. Consumers may request to:

  • Access the personal data that a controller processes about them
  • Delete personal data that the consumer provided to the controller
  • Obtain a copy of the personal data, in a “portable” format, that the consumer provided to the controller
  • Opt out of the “sale” of personal data (defined as disclosure by a controller to a third party for monetary consideration) or processing of personal data for targeted advertising

There are a set number of days for the controllers to respond, extend, and process the claims for a consumer request. In regard to consumer claims, they have 45 days to respond, and they can request a 45-day extension if deemed necessary. Controllers must handle requests free of charge; however, a fee may be charged if subsequent requests are presented in less than a year (a 12-month period). The requests can be denied by controllers if it cannot be authenticated or if the data is pseudonymized. A request can also be charged for a fee if it poses an undue burden on the entity’s resources.

How do SSO’s Help Comply with the UCPA (and more)? 

The UCPA attempts to secure user data by tightening the restrictions around who may access it and under what circumstances, giving users more freedom and transparency in how to control their personal information. Even based on how an app or website gathers user data right from the user authentication screen, organizations can better comply with the legislation’s requirements.

Authentication for an account on an app or website can involve the use of passwords, tokens, key cards, or similar personal information. Any of this access information can be used to identify users and related online activity. In the case of a data breach, or if a controller is not properly handling such data, both user privacy and legislative compliance could be compromised. Fortunately, tools such as SSO can help mitigate these situations.

Single Sign-On (SSO) services refers to the ability for users to log in just one time with one set of credentials to get access to all apps and websites under which the SSO is implemented. SSO’s are most helpful in protecting users and complying to legislation such as the UCPA when it offers passwordless logins. One such SSO would be humanID.  

humanID remains at the forefront of privacy innovation. When logging in, users are only asked for their phone number, which is then converted into a non-trackable hash and permanently deleted. Due to this, login information is never able to be distributed, stolen, or traced back to the affiliated user.

humanID aims to work on the side of consumers, and contributes to creating safe communities just as the law intends. By utilizing SSO as a staple for UCPA and related compliance, doing so would amplify consumer’s privacy to its greatest extent.