Marketers & the Utah Consumer Privacy Act

by Lindsey Francy May 30, 2023 News
  • Business-friendly rules. UCPA provides businesses with more time to comply.
  • Data usage. Aggregated, de-identified, and public data can be freely used.
  • Consent not required. UCPA doesn't mandate consumer consent for sensitive data processing.

The Utah Consumer Privacy Act, signed into law at the end of March 2022, gives businesses more time to ensure that they are complying with the new law and is considered one of the most business-friendly of the consumer data privacy laws going into effect around the country.

The law requires businesses in the state to comply by the end of the year.

Companies are subject to the UCPA when they meet specific threshold requirements.

Businesses Benefit from UCPA Compliance & IT Adaptation

According to Jeff Sizemore, chief governance officer at Egnyte, businesses now have the option of reading the law and setting up their operations to meet the standards correctly and adjusting their IT systems to address the requirements.

The Act does not include information that is publicly available. Aggregated data is information that is only seen in a summary. The information is not accessible.

Data can't be used to identify an individual if personal details are removed. Information is publicly available from open sources.

Privacy is retained by the first two approaches, but they are not foolproof. Sizemore said that it could be possible to single out individuals' information, including their sexual orientation, religious affiliation, or political party preference. It's difficult for the processor to read such data.

There is a state of consumer data privacy legislation.

UCPA Enables Marketers to Share Anonymized Consumer Data

The UCPA allows marketers to share information from consumers in an anonymous way. He uses an example of how information from a survey can be used to make decisions.

Marketers often use publicly available data to personalize outreach efforts. They reference an alma mater in a cold email.

Sizemore advised marketers to use caution with this information and give the consumer details on how they got it, so they can opt out of being included in such lists.

Unlike other data privacy laws, the UCPA does not require consumer consent for processing sensitive data, which he says is the "big difference" between the UCPA and other data privacy laws.

Consumers don't need to give their consent for marketers to use their information.

According to Sizemore, marketers can keep to business as usual. There doesn't need to be an active action taken by the consumer to approve the use of this data in the forms listed above.

There are data privacy pitfalls for marketers.

Marketers Navigate UCPA Guidelines for Sensitive Data

This makes it easier for marketers to get consumers' information.

Chris Hauk said that marketers will need to be careful in how they handle sensitive data and how they use it.

He warned that the usage could still be seen as a violation of privacy.

To Whom Does UCPA Apply?

Businesses that process fewer than 100,000 consumers a year are exempt from the UCPA, as are businesses that make less than $25 million a year.

Many of the regulations will not be required of several organizations.

A business is covered by the law if it:

  • Conducts business in the state, or
  • Produces a product or service that is targeted to consumers who are residents of the state
  • Has annual revenue of $25,000,000 or more
  • Satisfies one or more of the following thresholds:
    • During a calendar year, controls or processes personal data of 100,000 or more consumers
    • Derives over 50% of the entity's gross revenue from the sale of personal data and controls or processes personal data of 25,000 or more consumers.

If the purpose of data disclosure is consistent with a user's reasonable expectations, the UCPA has many exceptions.

He said that the UCPA doesn't require data controllers to correct data when requested.

He said if a federal privacy law is passed, Utah businesses will be ahead of the curve because it will be a federal data privacy law.

He said that marketers will have to make sure they comply with users' data requests. Data controllers should be assigned to manage these requests.

The first step for marketers is to review where their customer data is located.

It's a good idea to map your data so you know how it's used and who can access it. He said to identify potential compliance gaps. Take into account all the personal and sensitive data your organization collects so you can better understand where all this information is located.

Setting up opt-out provisions for processing sensitive data is one of the things he recommended.

He said to be prepared with an action plan to respond to consumer requests quickly. Review your company's privacy policy to make sure it complies with UCPA requirements.

Customer care, compliance, IT, operations, legal and other teams will need to be involved to ensure that your business is adequately prepared.

Businesses need to understand the impact of the law on controllers and processors.

Compliance with Utah's data privacy policies is more straightforward because they are aligned with the strictest of standards.