Under the UCPA, consumers have the right to access and delete their personal data. They can also choose to opt out of the sale of their personal data and/or targeted advertising that leave many consumers feeling vulnerable.
Utah joins California, Colorado, and Virginia as the only states that have outlined distinct data privacy laws. Data privacy has been a hot button issue as data breaches and phishing attacks against an organization can leave consumers’ private information vulnerable. Despite various attempts, there is currently no federal law as congress has failed to come up with a consensus similar to the EU’s General Data Protection Regulation (GDPR) established in 2018. Because of this – many states have taken it upon themselves to pass data privacy legislation with California leading the way- passing the California Consumer Privacy Act (CCPA) in 2018.
When measured up against the three other state legislation around data privacy – UCPA appears to me more lenient towards businesses that break the law – while the other states’ laws appear to be stricter towards businesses and how they collect, share, and manage personal data. For instance, under the UCPA – it does not require companies to correct data at a customer’s request – only delete it. And unlike the other state laws – companies under the new Utah law are not required to undergo a data protection assessment that lists the ways they plan on keeping a customer’s data safe which some critics may say do not allow for full transparency.
When it comes to enforcement – businesses will be at the mercy of Utah’s attorney general who has sole discretion over fines and punishments for those organization found in contempt of the law . According to the law – the enforcement process will be rigorous – giving an organization a 30-day period to fix the violation. If the violation is not fixed within the 30-day window a company can face up to $7,500 per violation.
In an interview with Infosecurity – Reece Hirsh, partner and co-head of the Morgan Lewis’ Privacy & Cybersecurity practice said; "The UCPA takes a somewhat more measured, business-friendly approach to consumer privacy regulation when compared with other recent state laws. Companies should be able to integrate compliance with the Utah law into their existing privacy compliance strategies for 2023 without major disruption."
Republican State Senator Kirk Cullimore who sponsored the law explained that it “guarantees rights to consumers while avoiding unnecessary regulation for corporations.” He adds that - “This bill is a win for both Utahns and businesses, and I hope it will serve as a model for other states.”
According to the US State Privacy Legislation Tracker – there are currently 17 active bills going through the legislative process today. Of those 17, three states - Oklahoma, Iowa, and Maryland have bills currently presiding in cross-committee.