Data privacy and personal data protection have emerged as critical issues in today’s digital age, with various regulations and frameworks being developed to address them. This article explores the General Data Protection Regulation (GDPR), California Consumer Privacy Act (CCPA), Transparency & Consent Framework 2.0 (TCF 2.0), California Privacy Rights Act (CPRA), Virginia Consumer Data Protection Act (VCDPA), Colorado Privacy Act (CPA), Connecticut Data Privacy Act (CTDPA), and the Utah Consumer Privacy Act (UCPA) in detail, outlining the specific ways each of these instruments approaches data protection.

GDPR (General Data Protection Regulation)

The GDPR, which came into force on May 25, 2018, is a comprehensive data protection law applicable within the EU and EEA, with the aim of harmonizing privacy laws across Europe. Notably, the GDPR also applies to non-EU businesses that offer goods or services to EU residents or monitor their behavior.

GDPR introduced several data subject rights, including:

• Right of Access: Data subjects have the right to obtain from the data controller confirmation as to whether or not personal data concerning them is being processed, where, and for what purpose.
• Right to Rectification: The data subjects have the right to have the controller rectify without undue delay any inaccurate personal data concerning them.
• Right to Erasure (“right to be forgotten”): Data subjects can request the deletion or removal of personal data where there is no compelling reason for its continued processing.
• Right to Restrict Processing: Under certain conditions, data subjects have the right to block or suppress the processing of their personal data.
• Right to Data Portability: The right for a data subject to receive the personal data concerning them, which they have previously provided in a ‘commonly used and machine-readable format’ and have the right to transmit that data to another controller.
• Right to Object: Data subjects have the right to object to their data being used for direct marketing purposes.

Under GDPR, businesses are also required to adhere to a set of principles, such as lawfulness, fairness, transparency, data minimization, accuracy, storage limitation, and integrity and confidentiality. Businesses are expected to demonstrate their compliance (“accountability”) with these principles.

CCPA (California Consumer Privacy Act)

The CCPA, enforced from January 1, 2020, provides California residents with rights that largely parallel the rights under GDPR, albeit with notable differences. The CCPA applies to any business, regardless of location, that collects consumers’ personal data, does business in California, and meets one of several specific criteria relating to revenues or data processing volumes.

The CCPA guarantees consumers:

• The Right to Know: Consumers can request disclosure of the data a company has collected about them over the past 12 months.
• The Right to Delete: Consumers can ask a company to delete their personal information, with some exceptions.
• The Right to Opt-out: Consumers can direct a business to not sell their personal information.

Unlike GDPR, the CCPA does not include a specific right of rectification (the right to correct inaccurate personal data), data portability for purposes other than verifying data accuracy, or a generalized right to object to processing.

TCF 2.0 (Transparency & Consent Framework 2.0)

Developed by Interactive Advertising Bureau (IAB) Europe, the Transparency & Consent Framework 2.0 (TCF 2.0) is a voluntary standard that provides a guide for companies to navigate the GDPR and the ePrivacy Directive. While it doesn’t carry the force of law, its adoption helps businesses demonstrate their commitment to the transparent handling of personal data.

Scope: The TCF 2.0 provides guidance to any entity involved in digital advertising across Europe, particularly those utilizing programmatic advertising channels.

User Rights: TCF 2.0 doesn’t grant rights to users in the same manner as statutory laws. However, it emphasizes the necessity of obtaining informed, explicit consent from users before processing their data for personalized advertising.

Data Handling Procedures: The TCF 2.0 proposes the following steps for companies to stay compliant:

• Obtaining Consent: Companies should present clear and comprehensive information to users about how their data will be processed, and secure their explicit consent.
• Recording Consent: Consent should be appropriately documented to provide evidence of compliance.
• Updating Consent: Businesses should review and refresh consents at appropriate intervals.

Transparency: The framework also places a strong emphasis on transparency, urging businesses to disclose how users’ data is processed and used for digital advertising. This includes specifying who is processing the data and for what purpose.

CPRA (California Privacy Rights Act)

The CPRA, which extends and strengthens the CCPA, introduces new privacy rights and broadens the definition of sensitive personal information. It also establishes the California Privacy Protection Agency (CPPA) to enforce privacy rights.

Under the CPRA, consumers are granted the following new rights:

• Right to Correct: Consumers can request businesses correct inaccurate personal information.
• Right to Limit Use of Sensitive Personal Information: Consumers can direct businesses to limit the use of their sensitive personal information.
• Right to Opt-out of Automated Decision-Making Technology: Consumers can opt out of the use of their personal information for automated decision-making.

VCDPA (Virginia Consumer Data Protection Act)

Effective from January 1, 2023, the VCDPA offers comprehensive data privacy rights to Virginia residents. The law lays emphasis on principles similar to the GDPR, like data minimization, purpose limitation, and security.

Under the VCDPA, consumers are granted rights including:

• Right to Access: Consumers can confirm whether a controller is processing their personal data and obtain a copy of this data.
• Right to Correct: Consumers can correct inaccuracies in their personal data.
• Right to Delete: Consumers can delete personal data provided to, or obtained by, a controller.
• Right to Data Portability: Consumers can obtain their data in a portable, readily-usable format.
• Right to Opt-out: Consumers can opt-out of the processing of their personal data for targeted advertising, the sale of personal data, or profiling in furtherance of decisions that produce legal or similarly significant effects.

CPA (Colorado Privacy Act)

Expected to be enforced from July 1, 2023, the CPA applies to businesses that process the personal data of Colorado residents and meet certain criteria.

The CPA grants consumers the following rights:

• Right to Access: Consumers can access their personal data.
• Right to Correct: Consumers can correct inaccuracies in their personal data.
• Right to Delete: Consumers can delete their personal data.
• Right to Data Portability: Consumers can obtain their data in a portable and usable format.
• Right to Opt-out: Consumers can opt out of certain types of data processing.

CTDPA (Connecticut Data Privacy Act)

The Connecticut Data Privacy Act (CTDPA) is still in the legislative proposal stage at the time of this article’s last update. The details provided here are subject to change based on the final approved version of the law.

The proposed CTDPA offers several consumer rights and imposes obligations on businesses similar to those seen in the CCPA and the GDPR.

Scope: The CTDPA would apply to businesses that conduct business within Connecticut, or produce products or services that are intentionally targeted to residents of Connecticut, and satisfy other criteria.

User Rights: If enacted, the law would grant consumers several rights concerning their personal information:

• Right to Know: Businesses must disclose the types of personal information they collect and the purposes for which the information will be used.
• Right to Delete: Consumers can request the deletion of their personal information under certain conditions.
• Right to Opt-Out: Consumers can choose to opt out of the sale or sharing of their personal data.

Data Handling Procedures: The CTDPA, as proposed, would also require businesses to implement reasonable security measures to protect personal information and to provide a privacy policy explaining their data collection practices.

UCPA (Utah Consumer Privacy Act)

The Utah Consumer Privacy Act (UCPA) is a prominent regulation developed to enhance the privacy rights of Utah citizens. The law aims to provide consumers with greater authority over their personal data while ensuring businesses handle this data responsibly.

Central to the UCPA is the obligation it places on businesses regarding the management of consumer data. The law establishes acceptable practices for collecting, storing, processing, and sharing personal data, and mandates that businesses implement suitable data security measures.

Furthermore, the UCPA provides consumers with various rights related to their personal data. These include the ability to access and rectify their personal data, delete it, obtain it in a portable format, and refuse its sale or use for targeted advertising.

A key aspect of the UCPA is its wide-ranging applicability. It encompasses businesses operating in Utah and managing the data of its residents, regardless of the physical location of the business.

The introduction of the UCPA signifies Utah’s entry into the group of states with comprehensive data privacy laws, indicating a broader move towards enhanced data privacy regulations at the state level.

Understanding the Utah Consumer Privacy Act

Utah has become the fourth state in the U.S. to enact a privacy law, slated to take effect on December 31, 2023. Drawing on previously enacted state laws for inspiration, the UCPA integrates elements from Colorado’s CPA and heavily relies on Virginia’s CDPA. These laws highlight the evolution of privacy legislation since California’s pioneering CCPA came into effect in 2020.

On balance, Utah’s privacy law is seen as more lenient and conducive to business than other state-level regulations so far. The progression towards a comprehensive federal U.S. privacy law, however, continues at a slow pace.

Key Components of the Utah Consumer Privacy Act In essence, the Utah Consumer Privacy Act (UCPA), signed into law on March 24, 2022, safeguards the privacy of Utah’s residents while laying down data privacy obligations for companies conducting business in the state, specifically those handling Utah residents’ data.

The UCPA is particularly concerned with the sale of personal data and targeted advertising, and it clarifies what constitutes a sale: “the exchange of personal data for monetary consideration by a controller to a third party.”

Distinguishing itself from the CCPA and CPRA, Utah’s law does not recognize non-monetary “other valuable consideration” transactions as a sale. Moreover, unlike California’s Privacy Rights Act (CPRA), Utah’s statute does not extend to data sharing. However, targeted advertising is included, despite not being a direct transaction with the consumer and typically involving monetary considerations.

Following the lead of other U.S. state laws, the UCPA operates on an opt-out model, allowing personal data to be gathered, sold, or utilized for targeted advertising without explicit consumer consent, except when the data pertains to a minor. In that case, consent must be procured from a parent or legal guardian. Importantly, consumers retain the right and must be afforded the choice, to opt out of the sale of their data or its use for targeted advertising. If they opt out, their data can no longer be used for these stated purposes.

Understanding key terms in the Utah Consumer Privacy Act

The UCPA governs the actions of data controllers or processors. It describes a controller as: “a business entity operating in the state that determines the objectives and methodologies of personal data processing, regardless of whether this decision is made independently or collaboratively.” Here, “business entity” refers to both individuals and commercial or noncommercial organizations that process data and meet the applicability prerequisites.

A processor is depicted as: “an entity that handles personal data on behalf of a controller.” While the term “entity” is used, it encompasses company entities such as third-party vendors that might process data, not just individuals.

A consumer is characterized as: “a state resident acting in a personal or household capacity.” This definition pertains to individuals in their private lives and explicitly omits those “engaging in an employment or commercial capacity,” meaning for business-related purposes.

Personal data refers to “information that is connected or reasonably connectable to a recognized individual or an identifiable individual.” It is important to note that certain kinds of personal data can directly identify an individual, like a name or email address. Conversely, other data types, for instance, an IP address, might not qualify on their own, but when combined with additional personal data, they can become identifiable.

What is not considered personal data under UCPA

The UCPA delineates several exceptions to what is not considered personal data. For instance, data that is publicly accessible, or has undergone deidentification or anonymization procedures, or consumer data that has been aggregated to the extent that individual identification becomes impossible.

Definition of delicate personal data

In the context of the UCPA, delicate data refers to personal data that discloses:

• Origin in terms of race or ethnicity (except when processed by a video communication service or by a healthcare provider with a valid license).
• Religious beliefs.
• Sexual orientation citizenship or immigration status.
• Medical history, mental or physical health condition, or a medical diagnosis made by a healthcare professional.
• Genetic or biometric data, if the processing aims to identify a specific individual.
• Geolocation data, if the processing aims to identify a specific individual.

Unlike various other data privacy laws, the Utah privacy law does not necessitate consent for the processing of delicate personal data. However, controllers must give clear notifications to consumers and the opportunity to opt-out of their delicate personal data being processed before such data is collected and processed.

Who is subject to the Utah Consumer Privacy Act?

The UCPA applies to businesses that meet the following three major criteria:

1. They either conduct business within the state or manufacture a product or offer a service targeted at consumers who are residents of the state.
2. Their annual gross revenue is equal to or exceeds $25,000,000.
3. They meet one or both of the following conditions:
   • Over a calendar year, they handle or process the personal data of 100,000 or more consumers.
   • More than half of the entity’s gross revenue is generated from the sale of personal data and they handle or process the personal data of 25,000 or more consumers.

This sets the UCPA apart from other data privacy laws as it necessitates entities to fulfill multiple criteria for applicability, as opposed to simply having a revenue of $25 million or processing data of 100,000 consumers. By requiring the fulfillment of multiple criteria, it limits the range of entities that will be deemed as qualifying for compliance. Furthermore, the revenue threshold also implies that smaller SMEs will not be considered eligible.

Who is exempt from the Utah Consumer Privacy Act?

Exemptions at the organizational level

The UCPA has outlined certain organizations that are exempt from its purview besides those that do not meet the stipulated revenue or data processing volume criteria. These exempt entities include:

• Higher education institutions,
• Non-profit organizations,
• Government entities and their contractors,
• Indigenous tribes,
• Air carriers,
• Organizations covered by the Health Insurance Portability and Accountability Act (HIPAA),
• Financial institutions that are regulated by the Gramm-Leach-Bliley Act.

Exemptions at the data level

The UCPA also stipulates exemptions at the data level. It does not apply to information that is already covered by the following acts:

• Health Insurance Portability and Accountability Act (HIPAA),
• Gramm-Leach-Bliley Act,
• Fair Credit Reporting Act,
• Driver’s Privacy Protection Act,
• Family Educational Rights and Privacy Act,
• Farm Credit Act.

Exemptions in the employment context

Data collected or used in the context of employment are exempted under the UCPA. This includes data related to an individual applying for a role, or acting as an employee, agent, or independent contractor of a controller, processor, or third party, provided the data is collected and used within the scope of the specific role.

Consumer rights as per the Utah Consumer Privacy Act

The UCPA acknowledges four main rights of consumers, which are particularly associated with the data provided directly by the consumer to the controller. This means the consumers can’t claim rights over data about them that was acquired indirectly.

The key rights are:

1. Right to Access: This includes the right to confirm whether a controller is processing their data and the right to request and obtain that data.
2. Right to Deletion: Consumers can ask for the deletion of personal data, provided that they directly furnished the data to the controller.
3. Right to Data Portability: Consumers can request a copy of their personal data they submitted to the controller, given that the data format is:
   • Technically feasible to port.
   • Pragmatically usable.
   • Allows the consumer to transmit the data to another controller easily when the processing is executed via automated means.
4. Right to Opt-Out: Consumers can opt out of specific processing activities, specifically the sale of personal data or for the purpose of targeted advertising.

Certain rights available in other state-level laws in the US but are missing in the UCPA include the right to opt-out of profiling and the right to correction (the right to request and have inaccuracies or missing information in one’s personal data rectified).

Under the UCPA, controllers aren’t obligated to recognize “universal opt-out signals” or global privacy control (GPC) as a mechanism for consumers to opt out of data processing. GPC allows users to set consent preferences once (for example, on a website) and have these preferences respected across all other sites and platforms they visit, as opposed to set preferences on every individual online property they access.

Moreover, the UCPA doesn’t provide for a private right of action, which means a consumer doesn’t have the right to file a lawsuit against a controller for noncompliance or a data breach. Furthermore, a violation of the UCPA cannot be used to substantiate a claim under other laws in Utah.

Company obligations under the Utah Consumer Privacy Act

Under the UCPA, data controllers are obligated to facilitate the exercise of consumer rights. Controllers need to establish the method by which consumers can submit requests, and they are required to respond within a reasonable timeframe, typically within 45 days.

Transparency provisions

Controllers are required to make a privacy notice or policy “reasonably accessible and transparent” to consumers, usually via the company’s website. The privacy notice must contain:

• The categories of personal data the controller processes.
• The categories of personal data shared with third parties, if applicable.
• The categories of third parties with whom the controller shares personal data, if applicable.
• The purposes for processing the data.
• The means through which consumers can exercise their rights.
• A “clear and conspicuous” disclosure if personal data is sold to a third party or utilized for targeted advertising, along with the procedure to exercise the right to opt-out.

Implementing a consent management solution can assist in creating a precise and comprehensive notification and privacy policy, allowing controllers to maintain it updated without extensive manual work.

Responding to consumer requests

Consumer requests must be accommodated at no cost, except in cases where the request is:

• A second or subsequent request within the same 12-month period.
• Deemed to be “excessive, repetitive, technically infeasible, or manifestly unfounded.”
• Assumed by the controller to be primarily for a purpose other than exercising a right.
• Considered to harass, disrupt, or impose an undue burden on the controller’s business resources.

Controllers are obligated to respond to a consumer request within 45 days by taking action and informing the consumer of the action taken. If the controller is unable or chooses not to comply with the consumer’s request (for instance, if the consumer’s identity cannot be reasonably verified for security reasons), this must be communicated within the 45-day period.

There are certain exceptions that allow the response period to be extended by another 45 days if deemed necessary, such as in cases of very complex requests or a high volume of requests. The consumer must be informed of the extension, along with its reasons and duration, within the initial 45-day response period.

Unlike some other laws, the UCPA does not provide an appeal process for consumers whose requests are denied.

Maintaining data security

Controllers are required to “establish, implement, and maintain reasonable administrative, technical, and physical data security practices designed to safeguard the confidentiality and integrity of personal data.” This obligation also extends to third parties utilized by the controller for data processing and must be stipulated in contracts between controllers and third-party processors.

Processing children’s personal data

In the UCPA, a child is identified as an individual known to be under 13 years of age. Controllers must obtain verifiable consent from a parent or guardian before processing the child’s data, in accordance with the Children’s Online Privacy Protection Act (COPPA). The processing of children’s data is the only activity under the UCPA that requires explicit affirmative consent.

Non-discrimination policy

Controllers are not allowed to discriminate against any consumer for exercising their privacy rights. Forms of possible discrimination could include:

• Refusal to provide goods or services.
• Charging a different price or rate for goods or services.
• Delivering goods or services of a different quality level.

However, controllers are permitted to offer a differing “price, rate, level, quality, or selection of a good or service” to a consumer if that consumer has chosen to opt out of targeted advertising, or if the offer pertains to the consumer willingly participating in the controller’s loyalty program.

Data processing by third parties

Controller organizations are allowed to engage third parties to process data on their behalf. These arrangements need to be regulated by a contract, a practice that is common under other state-level laws like the CCPA and VCDPA. The contract should contain data processing instructions, as well as some details similar to those required in consumer notifications, including:

• The nature and purpose of the processing.
• The type of data to be processed.
• The duration of processing.
• All parties’ rights and obligations, including a confidentiality clause.
• A requirement is that the processor must have a written contract with any subcontractor involved in processing personal data, which fulfills the same obligations as the processor.

Interestingly, the UCPA does not mandate that a contract between a controller and processor includes a provision for the processor to comply with reasonable audits carried out by the controller.

Enforcement and penalties under the Utah Consumer Privacy Act

Enforcement authority

The enforcement of the UCPA lies in the hands of the Utah attorney general who has the power to impose penalties for non-compliance. However, the responsibility of administering consumer complaints and examining the validity of alleged infringements is assigned to the Division of Consumer Protection.

Notably, the UCPA doesn’t require controllers to assess the risks associated with their data processing activities through data protection (risk) assessments, as is required in the CPA or VCDPA.

Investigations and cure period

If sufficient evidence or reasonable cause of an infringement is identified, the case is referred to the attorney general. The attorney general can then choose to take action. Should the attorney general decide to proceed, a written notice must be sent to the controller or processor outlining the violation. The offending party is then provided with a 30-day period, known as the “cure” period, to address and rectify the violation. They are also required to deliver a statement to the attorney general detailing the measures taken to resolve the violation and prevent its recurrence.

Damages and fines

If the controller or processor fails to rectify the violation within the cure period or continues to breach the law even after submitting a written assurance of compliance, the attorney general can initiate an enforcement action. This may involve imposing actual damages and fines of up to $7,500 per violation.

The role of consent management in the Utah Consumer Privacy Act

Unlike some other U.S. state-level laws that require explicit consent, the Utah privacy law, being an “opt-out” law, does not necessitate the consent of data subjects before collecting or processing their personal data. This holds true even for sensitive data, with the exception that explicit consent is required for processing children’s data.

However, despite not requiring consent, controllers are obligated to provide clear notification to consumers and allow them the choice to opt-out of their personal data being processed, either before or at the point of data collection and processing.

This is where a consent management solution (CMP) comes into play. A CMP can present accept/decline consent options for personal data processing, provide comprehensive information about data processing and consumers’ rights, and generate a compliant Privacy Policy that clearly communicates all necessary information to consumers.

For organizations operating across the United States or globally, geolocation functionality in a CMP can present customized CMP banners with specific notification information and consent options based on the user’s location. This ensures compliance with a variety of laws including the CCPA/CPRA, VCDPA, CPA, UCPA, and even the GDPR, depending on where the user is based.

Utah Consumer Privacy Act – conclusion

In conclusion, the Utah Consumer Privacy Act, currently in its initial version, will undergo practical testing to shape future amendments. The law mandates the Utah attorney general and Division of Consumer Protection to present an evaluation report on its effectiveness by July 1st, 2025. Any amendments to the UCPA are likely to occur after this date, influenced by evolving privacy legislation and amendments to existing laws. Unlike California, the UCPA does not include a private right of action, meaning consumer class-action lawsuits will not impact future amendments.

Although the Utah privacy law is considered less strict compared to other state-level laws in the US due to its business-friendly nature, it is advisable to seek legal counsel to understand your organization’s specific responsibilities and ensure compliance with privacy regulations when the law is enacted. Taking proactive measures to safeguard user privacy is always recommended as it helps establish user trust and ensures the acquisition of high-quality data for marketing operations.