On March 24, Utah’s Governor Spencer Cox signed the Utah Consumer Privacy Act (Utah Law) into law, making it the fourth state privacy law enacted in the United States.
It can be hard to track the disparate legal privacy requirements, not to mention reading the actual laws. This I reached out to Linda Thielova, the Head of Privacy Center of Excellence and Data Protection Officer (DPO) at OneTrust to provide us with insights on what to expect from Utah’s new privacy law. The following is a slightly edited version of our exchange.
Kristina Podnar (Kristina): Who is subject to UCPA and to what does it apply?
Linda Thielova (Linda): The recently passed Utah privacy law pertains to a few different types of entities. Primarily, the UCPA applies to any controller or processor who:
I. conducts business in Utah or offers products or services targeted to Utah residents;
II. has an annual revenue of at least $25 million; and (iii) either
a. controls or processes personal data of 100,000 or more consumers annually, or
b. derives at least 50% of its gross revenue from the sale of personal data and controls or processes personal data of 25,000 or more consumers.
Kristina: What are the key aspects of UCPA that marketers and corporations should know about?
Linda: Like the CCPA, the Virginia CDPA, and the Colorado Privacy Act, the UCPA grants individuals rights to the personal information collected about them. This includes the right to know what information it is, the right to obtain a copy of it in a portable format, and the right to have this information deleted. A clear distinction where the UCPA differs from the CCPA is that the right to delete applies to personal data that the consumer provided to the controller, but not all personal data the controller has obtained about the consumer.
Many aspects of the UCPA, however, may especially impact marketing and advertising organizations. This is because the UCPA also includes the right to opt out of a sale of personal information, as well as the right to opt-out of targeted advertising. The UCPA defines 'sale' more narrowly as 'the exchange of personal data for monetary consideration' and includes exceptions such as the disclosure to an affiliate of the controller or disclosure of information that the consumer (i) intentionally made available to the general public via a channel of mass media and (ii) did not restrict to a specific audience.
Kristina: Many organizations are dealing with data privacy regulation fatigue, having already addressed GDPR, CCPA, LGPD, POPI, and others. How different is UCPA or can teams take a breath before hitting the next sprint?
Linda: Fortunately, the UCPA follows a similar framework to preceding laws such as the GDPR and the CCPA in the US. Similar to the Virginia CDPA and the Colorado CPA, Utah’s UCPA adopts the “controller” and “processor” nomenclature used in the EU General Data Protection Regulation (“GDPR”) and does not include a private right of action for consumers to sue for potential violations. Also, like the GDPR and the other state frameworks, the UCPA grants consumers certain rights over their personal data.
If companies have already undergone GDPR compliance, they should first make sure they are on top of their GDPR obligations and can operationalize them in their day-to-day business. Then, they can move forward with smaller amendments to their records of processing (tracking of specific Sensitive Data), tweaks to their consumer request management process as well as their vendor agreements, and privacy notice for specific UCPA requirements.
For companies who have already undergone CCPA compliance, they should establish a process for opting out of sale and targeted advertising, implement clear and conspicuous disclosure of these including instructions on how to exercise an opt out; review your service provider agreements to make sure they include all the provisions required (see above); and if you are a data processor, adopt a process to facilitate the controller's obligations regarding consumer rights (see above).
Kristina: How do organizations know if they are ready for UCPA?
Linda: Organizations that have implemented the necessary documents and processes for UCPA can test their readiness by running a ‘tabletop exercise’ where they simulate typical UCPA-related compliance tasks with the responsible business owners following the policies and procedures required by the law. These can include onboarding a new service provider that processes sensitive data under the UCPA or dealing with various consumer requests and opt-outs from individuals. By testing itself through real-life scenarios, the company can identify whether its daily operations are ready and comply with the UCPA not just on paper, but also in reality.
From the accountability perspective, it’s extremely helpful to gather evidence for the privacy compliance controls that the company relies on for its UCPA readiness. This helps with reporting and auditing as well as with growing and maturing the privacy program over time.
Kristina: Are there global privacy capabilities for the regulatory future that you advise organizations to consider?
Linda: As we see more local laws passed in the US, many following the GDPR framework, there are a few best practices and capabilities organizations should implement. This will support them in being an overall trusted organization with the agility to adapt to new and evolving laws and regulations. These include: establishing a process to address consumer requests; mapping the organizations’ information; establishing and maintaining reasonable administrative, technical, and physical data security policies; adopting, improving, and expanding privacy notices; implementing a data processing agreement; identifying sensitive data; and adopting a process for de-identified data or pseudonymous data.
On a broader level, we see the most successful businesses benefiting from well laid-out communication strategy among the key departments ‘owning’ privacy compliance: Marketing, Legal, Security, IT etc. These lines of collaboration help businesses stay agile and respond more effectively to any regulatory developments.
Kristina: Some organizations are struggling to still pull together a reasonable data privacy policy for their website. Others are dabbling in NFTs and VR. What does the privacy maturity look like with regards to emerging technologies, and do you think that organizations are ready to leap forward?
Linda: As organizations embrace emerging technologies such as AI, NFTs and AR/VR, the time to invest in their privacy program is now. We know that it can often take many years to apply privacy law to new technologies, however we currently have comprehensive frameworks that do provide a set of best practices (think ‘privacy by design’) that organizations can apply broadly in their development of emerging technologies. For example, ensuring that a new VR application has a clear consent and opt-out capability. There are few current regulations around VR, but more companies are gearing up to address consumer privacy in OTT environments such as CTV and gaming. Ultimately, regardless of whether an organization is hiring its first CPO or has spent the last five years building out its privacy program, trust and transparency should be built into their products and services from the onset.
Kristina: What are the biggest risks that you can see around non-compliance with UCPA or other state-level laws?
Linda: Most businesses associate the immediate risks of non-compliance with UCPA or other emerging privacy laws: the potential enforcement action (including orders to delete/stop processing personal data) and fines. Arguably bigger risks are those that are caused by non-compliance more broadly: bad press and loss of good reputation, loss of company stock value, and the biggest of all – the loss of trust from customers, vendors, and the public. When businesses mishandle personal information or are not upfront about their data practices, this sends a strong message that is hard to erase.
Kristina: Which state do you think will be next to pass a data privacy law and at what point will we see (if ever) a federal level privacy law?
Linda: While discussions for a federal privacy law in the U.S. have been taking place for a long time, none have been able to deliver a consolidated and comprehensive framework. The rapid passage of the UCPA may be a turning point for more states passing their own laws. Currently, various laws in Arizona, Georgia, and Maine are on pause. While data privacy bills are still alive in some other states, such as Alaska, Connecticut, Ohio, and Pennsylvania, Utah is the first to cross the finish line in 2022, and the first state to pass comprehensive legislation since Colorado in July 2021.
Kristina: A multitude of vendors have solutions for establishing, maturing, and operationalizing a privacy management program. Is there one solution that’s the golden ticket to solve all privacy problems? If not, what kind of software tapestry ought organization be weaving?
Linda: While the passing of the UCPA demonstrates that privacy is becoming a bigger priority, many businesses are still struggling with the basics of GDPR. There is never a ‘one-size fits all’ solution for businesses to operationalize privacy management, but there are best practices that can guide them in the right direction. By implementing a ‘center of trust’ within the organization that reaches across departments, and that prioritizes privacy by design, they can remain one step ahead of compliance. Ultimately, many successful privacy programs are characterized by this culture of ‘privacy by design,’ as well as a foundation of trust. This means not just checking the box on compliance but seeking out a trusted vendor with a holistic platform (privacy and data governance; security and GRC; ethics and compliance; and ESG and sustainability) that ensures these efforts don’t take place in a silo.
The bottom line
After years of collecting as much data as we could, we are starting to realize that all that data has an evil twin: risk. In addition, consumers have become more aware that their data is a valuable resource, and they're asking more questions about how it's used and who has access to it. As we’ve seen most recently with the state of Utah, governments across the world and in the U.S. are also starting to pay more attention. There is no time like the present to ensure your marketing and digital operations are prepared for the scrutiny.
Photo by Andrey Grinkevich on Unsplash