Utah is poised to become the fourth state to pass a comprehensive consumer privacy law, joining California, Colorado, and Virginia. The Utah Consumer Privacy Act (“UCPA”) is similar to the Colorado and Virginia privacy laws, but, perhaps, a bit less burdensome for businesses. If signed by the Governor, the UCPA would go into effect on December 31, 2023, but businesses should start preparing now. Fortunately, efforts to comply with the California Consumer Privacy Act (“CCPA”) have, for most companies, laid a solid foundation for UCPA compliance in 2023. One sizeable caveat to this comparison: the California Privacy Rights Act of 2020 made significant changes to the CCPA and is slated to go into effect on January 1, 2023. The compliance comparison in this blog uses the 2022 CCPA.
How would UCPA compliance compare to the CCPA?
Because the Virginia and Colorado privacy laws do not go into effect until 2023, the CCPA serves as the best point of comparison for businesses that have already had to overhaul their privacy policies and information collection practices. To start, here is some good news: the UCPA should not require nearly the same effort as preparing for the CCPA did. Making some simple updates to existing privacy frameworks should be enough to bring your business into compliance. Here are some highlights of the potential compliance issues that you should consider.
- Sensitive Data: the UCPA’s approach to processing sensitive data operates similarly to the CCPA’s. Prior to collecting sensitive data (e.g., race, religion, biometric or genetic information, geolocation), businesses must present consumers with an option to opt-out. This method contrasts with the Virginia and Colorado privacy laws (and the forthcoming California changes), where consumers must opt-in to have sensitive data processed.
- Data Protection Assessments: the UCPA does not require companies subject to the law to undertake data protection assessments. Virginia and Colorado (and starting in 2023, California), however, require some businesses to conduct these protection assessments to ensure consumer data is properly protected.
- Employment data: businesses that collect information for employment or job-search purposes are subject to CCPA notice of collection requirements. Under the UCPA, however, such data is excluded from coverage, relieving a potentially onerous compliance burden.
- Sale of personal data: the CCPA defines “sale” broadly to include any exchange of personal information for “valuable consideration” (usually money). The UCPA narrows the definition of “sale” to strictly monetary transactions. In addition, the UCPA goes further and excludes the transfer of information to third parties if the purpose of the transfer is within a consumer’s reasonable expectations. This large, though as-yet undefined, exception to “sale” could lessen the compliance burden for businesses looking to comply with the UCPA.
Hire experience data privacy attorneys.
Data privacy in the U.S. is a patchwork of narrow, single-subject federal laws (such as medical data or credit reporting data) and broader state laws. With so many different laws operating in so many different circumstances, untangling the compliance knot can be daunting and time-intensive. Hiring experienced data privacy attorneys can take the guess-work out of compliance. The attorneys at Klein Moynihan Turco have years of experience in assisting businesses with their privacy and data collection practices to stay ahead of the regulatory curve.
If you need assistance with updating your privacy policies or data collection practices, email us at firstname.lastname@example.org or call us at (212) 246-0900.
The material contained herein is provided for informational purposes only and is not legal advice nor is it a substitute for seeking legal advice from an attorney. Each situation is unique, and you should not act or rely on any information contained herein without seeking the advice of an experienced attorney.
Similar Blog Posts: