Drive UCPA sensitive data compliance

Provide evidence to auditors of steps taken to secure the confidentiality of customer information collected and protect it against threats and unauthorized access.

UCPA Overview

The Utah Consumer Privacy Act is a state privacy law in the U.S. state of Utah that went into effect on May 1, 2021. The UCPA provides new rights to Utah residents with respect to the collection, use, and disclosure of their personal information by businesses. The UCPA is intended to give Utah residents more control over their personal information and to increase transparency and accountability for businesses that handle this information.

UCPA applies to businesses that operate in Utah or that collect, use, or disclose the personal information of Utah residents, regardless of the business’s location. This means that the UCPA could potentially apply to any business that has customers or users in Utah and that handles their personal information. 

The UCPA applies to businesses of all sizes and types, including both for-profit and non-profit organizations. It does not apply to federal agencies or to companies that are subject to the federal Health Insurance Portability and Accountability Act (HIPAA).

UCPA applies to personal information that is collected, used, or disclosed by businesses. Personal information is defined broadly under the UCPA as any information that is linked or reasonably linkable to an individual consumer. This includes a wide range of data types, including the following:

  • Identifiers such as names, addresses, phone numbers, email addresses, and social security numbers
  • Financial information such as credit card numbers, bank account numbers, and payment histories
  • Characteristics of protected classifications under state or federal law, such as race, religion, or sexual orientation
  • Internet or other electronic network activity information, including browsing history and search history
  • Geolocation data
  • Audio, electronic, or visual information, including photographs and video

Under UCPA, businesses that collect, use, or disclose the personal information of Utah residents are required to comply with certain provisions in order to protect the privacy of consumers. These compliance requirements include the following:

  1. Notice: Businesses must provide clear and concise notice to consumers about their data collection practices, including the categories of personal information that are collected, the purposes for which the information is used, and the categories of third parties with whom the information may be shared.
  2. Affirmative consent: Businesses must obtain affirmative consent from consumers before collecting, using, or disclosing sensitive personal information. Sensitive personal information includes financial information, health information, and information about children under 13 years of age.
  3. Access and correction: Consumers have the right to access their personal information and request that it be corrected or deleted. Businesses must provide a way for consumers to exercise this right.
  4. Opt out of sale: Consumers have the right to opt out of the sale of their personal information. Businesses must provide a way for consumers to exercise this right.
  5. Security: Businesses must implement reasonable security measures to protect personal information from unauthorized access, use, or disclosure.
  6. Data minimization: Businesses must limit the collection and use of personal information to what is reasonably necessary to accomplish a legitimate business purpose.

Overall, the UCPA is designed to give Utah residents more control over their personal information and to increase transparency and accountability for businesses that handle this information.

UCPA provides for enforcement by the Utah Attorney General and allows for both civil and criminal penalties for violations of the law.

Under the UCPA, the Utah Attorney General has the authority to investigate and bring enforcement actions against businesses that violate the law. The Attorney General may seek civil penalties of up to $2,500 per violation, or up to $7,500 per violation if the violation was intentional or involved sensitive personal information.

In addition to civil penalties, the UCPA also provides for criminal penalties for certain violations. For example, it is a class A misdemeanor, punishable by up to one year in jail and a fine of up to $2,500, to intentionally or recklessly obtain, use, or disclose personal information without the consumer’s affirmative consent.

In addition to enforcement by the Utah Attorney General, the UCPA also allows for private rights of action, meaning that individuals can bring lawsuits against businesses that violate the law. In such cases, individuals may be able to recover damages, attorneys’ fees, and other costs associated with the lawsuit.

Six ways Qohash drives compliance

  • BREACH IDENTIFICATION: Monitor insider risk 24/7 and track data lineage
  • SENSITIVE DATA INVENTORY: Find sensitive data, everywhere
  • DATA DELETION: Fulfill deletion requests
  • RISK ASSESSMENT: Identify and correct exposure points
  • POLICY ENFORCEMENT: Prove enforcement of privacy policies
  • ACCESS CONTROL: Regulate access to your data

Schedule a demo

See how you can maintain an inventory of UCPA-regulated data and provide regulators proof of 24/7 data monitoring, fulfillment of right-to-be-forgotten requests at endpoints, and policy enforcement.