Utah’s Consumer Privacy Act Brings More Comprehensive Privacy Legislation to the US

Click here to listen to this article via the BreachRx Blogcast

Utah recently became the fourth state in the US to enact comprehensive privacy legislation, signing the Utah Consumer Privacy Act (UCPA) into law in March 2022. The law, which goes into effect December 31, 2023, gives consumers four rights:

• Right to access: Confirm if their personal data is being processed and access that data.
• Right to delete: Request a data controller to delete their personal data.
• Right to data portability: Obtain a copy of their personal data and share it with another data controller.
• Right to opt out: Choose not to have their data used for targeted advertising and not to have their data sold (note that this is not universal, and does not apply to all profiling).

The UCPA has many similarities to other new laws in the US, most notably the Virginia Consumer Data Protection Act. However, it does have its own unique nuances – some of which make it even more business friendly than Virginia’s law – and that makes it important for companies to understand what’s required under the law.

Who is Subject to the UCPA?

The Utah Consumer Privacy Act applies to any business that:

• Conducts business in Utah or offers a product or service targeted to Utah residents
• Has an annual revenue of $25 million or more
• Meets at least one of the following requirements:
  • Controls or processes personal data of 100,000 or more consumers in a calendar year
  • Derives more than 50% of gross revenue from the sale of personal data and controls or processes personal data of 25,000 or more consumers

Importantly, organizations must meet the first two requirements as well as one of the data processing thresholds to be subject to the law. As a result, many businesses will be exempt based on lower revenue or lower data processing activity.

The law also includes exemptions for:

• Certain types of organizations: Higher education institutions, non-profits, government entities and contractors, tribes, air carriers, and organizations subject to HIPAA and the Gramm-Leach-Bliley Act are exempt from UCPA.
• Certain types of data: Data covered under HIPAA, the Gramm-Leach-Bliley Act, the Fair Credit Reporting Act, the Driver’s Privacy Protection Act, the Family Educational Rights and Privacy Act, and the Farm Credit Act, as well as data about individuals acting in an employment or commercial context (e.g. job applicant data) are exempt from UCPA.
• Certain instances of selling data: Only instances in which data is sold for “monetary consideration” are covered under the UCPA. Disclosures to an affiliate, disclosures to a third party to provide a product or service requested by the consumer, and disclosures to a third party if the purpose is consistent with a consumer’s reasonable expectations are specifically exempt from UCPA.
• Deidentified, publicly available, and aggregated data: Any data that has been deidentified, is already publicly available, or has been aggregated to be about a group and identities have been removed or are unlinkable in the aggregated form are exempt from UCPA.

How is the UCPA Enforced?

The Utah attorney general is responsible for enforcing the UCPA, however the attorney general’s office does not have full control over the process.

First, Utah’s Division of Consumer Protection can field consumer complaints and investigate potential violations. If the Director of the Division of Consumer Protection has reasonable cause to believe substantial evidence of a violation exists, they can refer the matter to the attorney general.

Next, the attorney general must provide written notice to the organization in question. That organization then has 30 days to cure the issue and provide an express written statement that it has been resolved and no more violations of that nature will occur.

Finally, if the organization fails to fix the issue or continues to violate the UCPA after providing a statement that the issue has been fixed, then the attorney general can impose a penalty. The penalty for violating the UCPA is a fine of up to $7,500 per violation as well as actual damages to consumers.

Money from penalties will go to the Consumer Privacy Account, which the attorney general can then use for:

• Investigative and administrative costs related to violations
• Recovery costs and attorney fees accrued in enforcement
• Consumer and business education regarding compliance with the UCPA

Consumers have no private right to action and they can’t use a violation of the Utah Consumer Privacy Act to support a claim under another Utah law.

What Incident Response is Required Under the UCPA?

The UCPA requires organizations to be transparent about consumer rights and posting privacy notices, obtain parental consent to process personal data of children under 13, not discriminate against consumers, and respond to consumer requests within 45 days. 

Importantly, it also requires organizations to “establish, implement, and maintain reasonable administrative, technical, and physical data security practices designed to protect the confidentiality and integrity of personal data.”

Beyond those requirements, the UCPA does not outline any specific incident response measures that organizations must adhere to following a cybersecurity incident. Instead, this information comes from a pre-existing state law, which outlines the following:

What’s Considered a Security Breach?

Any unauthorized acquisition of computerized data that compromises the security, confidentiality, or integrity of personal information. Personal information is defined as a person’s first name or first initial and last name along with at least one of the following:

• Social security number
• Driver’s license or state identification number
• Account, credit card, or debit card number along with a security code or password

If the data is encrypted or unreadable in any way, included in government records, or available to the general public, then it is not considered breached and any incidents affecting it do not require a notification.

Who Should be Notified in the Case of a Security Breach?

Organizations that experience a security breach must notify affected Utah residents, unless a reasonable and prompt investigation reveals it is unlikely the personal information has been or will be misused for identity theft or fraud.

Additionally, if an organization experiences a breach of data they do not own, they must notify the organization that owns that data immediately following their discovery of the breach.

When and How Should a Notification be Issued?

Organizations should issue a notification as expediently as possible without unreasonable delay once they have identified the scope of the breach and restored the integrity of any affected systems. The notification should be issued by one of the following methods:

• In writing by first-class mail to the most recent address on file
• By telephone
• Electronically, if that is the primary method of communication with affected consumers or if consumers previously provided consent to this method

If none of those methods are possible, organizations can publish a notice about the security breach in a newspaper that’s widely circulated across Utah.

There are no specific requirements for what should be included in the notification to consumers.

What are Exceptions to Issuing a Notification?

Organizations do not need to issue a notification following a security breach if the data is encrypted or unusable or if a good faith investigation reveals the affected data has not been and is unlikely to be misused. Additional exceptions include:

• If an organization has a separate notification policy: If an organization has its own notification policy for breached personal information as part of a corporate security policy, they can follow those procedures if they align with the timing requirements set by the state and include notifications to each affected Utah resident.
• Compliance with other regulations: If an organization is subject to state or federal regulations, adheres to breach notification procedures outlined by those regulations, and notifies each affected Utah resident in the case of a breach, then compliance with the other regulation(s) will suffice.
• Law enforcement delay: If a law enforcement agency identifies that a notification could affect a criminal investigation, that agency can request a delayed notification. In that case, the organization must issue the notification without unreasonable delay once the law enforcement agency allows it.
• Financial institutions: Financial institutions and their affiliates are exempt from issuing notifications about security breaches under Utah law.

What Types of Security Breaches Might Require Notification Under the UCPA?

Based on the existing security breach notification guidelines in Utah, a variety of incidents can trigger a security breach notification. However, organizations can avoid issuing a notification if the affected data is encrypted or unusable, making this type of preemptive security extremely beneficial. Assuming the data in question is not protected in that way, examples of incidents that can trigger a notification in Utah include:

Watering Hole Attack

A watering hole attack is a social engineering attack through which hackers profile their target victims to determine websites they visit often and then infect those websites to gain access to the victims’ computers or network. If successful, a watering hole attack provides access to protected information and that access can be particularly challenging to detect. This type of attack is often used to infiltrate more secure organizations since the entry point is through individual employees.

Ransomware Attack

A ransomware attack occurs when hackers use malware to steal data from an organization and hold that information captive in exchange for money. Even if the data ends up being returned, it is still exposed to a malicious third party, which can create security risks. Given the Utah laws, organizations that fall victim to a ransomware attack will have to determine the likelihood that the affected data will be used for theft or fraud.

Trojan Attack

A trojan attack is when hackers hide a malicious program inside of legitimate software. Once users download the software, they create an access point for the hackers to view their digital behavior and access any information they can view. This type of access means a malicious third party would have visibility and access to any type of information, and potentially be able to view encrypted information in an unencrypted format, which triggers a new level of risk under Utah law.

How Should Organizations Prepare to Comply with the UCPA?

UCPA requires organizations to maintain reasonable security practices to protect personal data and the state’s data breach notification requirements grant a reprieve to organizations with encrypted data. As a result, it pays to take a proactive approach to securing data.

Looking one step further, proactive preparation around incident response can also help organizations respond faster and more effectively when a security breach does happen.

Achieving this level of proactivity starts by assigning clear responsibilities, establishing security measures, and ensuring visibility into data collection and retention policies. Beyond those efforts, organizations should prepare for three critical phases of incident response:

Readiness

What: Introduce incident response plans before they’re needed so teams can jump into action as quickly as possible once an incident occurs.

Why: A quick response helps meet fast turnarounds on notification timelines and can reduce the costs associated with a security breach.

How: Understand the requirements in relevant regulations and customer and partner contracts. Develop response plans for each set of requirements, assign responsibilities to key stakeholders, and conduct simulations to prepare those team members.

Response

What: The actual response activities that take place when an incident occurs.

Why: A complete response based on applicable regulations is essential to maintaining compliance, avoiding penalties, and retaining customer trust.

How: Investigate the incident to determine what happened, how it happened, when it happened, what systems were involved, and the potential impact. Work with key stakeholders to remediate the issue, notify customers, agencies, and partners according to regulatory and contractual requirements, and implement a safe haven for relevant team communications.

Ongoing Management

What: Regularly revisit incident response plans to keep them up to date based on changes to external threats, regulations, and contracts.

Why: Updating response plans to increase efficiency, shore up potential weaknesses, and match changing regulatory and contractual requirements ensures readiness for an effective response at any time.

How: Monitor and report on incident response plans to identify areas for improvement and elements that need to be updated based on changes to regulations and contracts. Communicate changes to stakeholders to maintain alignment and keep them aware of their responsibilities.

How US Privacy Laws Compare: A Side-by-Side Breakdown of California, Colorado, Utah, and Virginia

When Utah passed the UCPA in March 2022, it became the fourth US state to introduce comprehensive privacy legislation, following in the footsteps of California, Colorado, and Virginia. The laws in each of the four states share many of the same principles, but are also unique in their own ways. Here’s a side-by-side look at how they compare:

	California – CCPA & CPRA	Colorado – CPA	Utah – UCPA	Virginia – CDPA
Effective Date	July 1, 2020 (CCPA) & January 1, 2021 (CPRA)	July 1, 2023	December 31, 2023	January 1, 2023
Rights Granted	Right to access Right to correct Right to delete Right to data portability Right to opt out Right to know what information is sold and to whom Right to limit use and disclosure	Right to access Right to correct Right to delete Right to data portability Right to opt out	Right to access Right to delete Right to data portability Right to opt out of certain processing	Right to access Right to correct Right to delete Right to data portability Right to opt out Right to appeal
Personal Data	Excludes deidentified data and publicly available information	Excludes deidentified data and publicly available information	Excludes deidentified data, publicly available information, and aggregated data	Excludes deidentified data and publicly available information
Enforcement	Dedicated, self-funded agency (California Privacy Protection Agency) Private action by consumers	State Attorney General and District Attorneys	State Attorney General	State Attorney General
Penalty for Non-Compliance	Up to $7,500 per incident Up to $750 per consumer, per violation in private lawsuits	Up to $20,000 per incident	Up to $7,500 per violation Actual damages to consumers	Up to $7,500 per incident
Notification Timeline	“Without unreasonable delay” once an incident is identified	Within 30 days of awareness that an incident occurred	“As expediently as possible without unreasonable delay” once an incident is identified and integrity restored to affected systems	“Without unreasonable delay” once an incident is identified

Prioritizing Proactive Incident Response in Utah and Beyond

Utah’s comprehensive privacy legislation may be the latest example from the US, but it’s certainly not the last. And the UCPA is just one of hundreds of laws like these popping up around the world. Altogether, these regulations and the growing number of cyber incidents accompanying them make proactive protection and incident response a priority for every single organization. Automation is critical.

To introduce the necessary level of proactive incident response, organizations must stay aware of new and changing regulations and the details of what they require, establish response plans with clear responsibilities, test those plans with tabletop exercises, and regularly revisit efforts to ensure readiness and maintain compliance with ongoing changes. These types of proactive activities will be the only way for organizations to respond quickly, effectively, and completely when an incident occurs.