Paubox blog: HIPAA compliant email made easy

Utah Consumer Privacy Act & HIPAA

Written by Kirsten Peremore | November 09, 2023

The Utah Consumer Privacy Act (UCPA) has narrower applicability than similar privacy laws in other states. It sets specific criteria for businesses' annual revenue and data processing activities and offers exemptions to organizations governed by certain federal laws such as HIPAA.

Understanding the Utah Consumer Privacy Act

The UCPA applies to businesses meeting specific revenue and data processing thresholds, encompassing those conducting business in the state or targeting Utah residents. Notably, the act offers consumers rights, including access to their personal data, the ability to request data deletion, and the right to opt out of certain data processing. The law also emphasizes data transparency, mandating clear privacy notices detailing data categories, processing purposes, and more. While the UCPA outlines consumer rights and controller obligations, enforcement falls under the Utah Attorney General, with a multi-step violation process.

See also: Do disclaimers make emails HIPAA compliant?

Who does the UCPA apply to?

The UCPA applies to businesses that meet the following criteria:

  1. Conduct business in Utah or produce products/services targeted at Utah residents.
  2. Have an annual revenue of $25 million or more.
  3. Satisfy one or more of the following data processing thresholds:
    1. Control or process personal data of 100,000 or more Utah residents during a calendar year.
    2. Derive over 50% of the entity's gross revenue from the sale of personal data and control personal data of 25,000 or more Utah residents.

See also: Spouses, family members and marriage under HIPAA

UCPA & HIPAA

While the UCPA aims to protect consumer privacy and personal data, it incorporates specific exemptions to accommodate certain entities and scenarios. Notably, institutions of higher education, nonprofits, organizations under HIPAA, and institutions governed by the Gramm-Leach-Bliley Act are exempt from UCPA requirements. Additionally, government entities, contractors, tribes, and air carriers fall within the scope of these exemptions. This aligns with the UCPA's focus on consumer data privacy and recognizes that certain sectors already adhere to federal regulations such as HIPAA.

Consumer rights granted by the UCPA

  1. Right to access: Consumers can confirm whether a controller is processing their personal data and access the personal data being processed.
  2. Right to deletion: Consumers have the right to request the deletion of the personal data provided to the controller. However, this right is limited to the data that the consumer provided.
  3. Right to data portability: Consumers can request a copy of their personal data previously provided to the controller. The data must be provided in a portable and usable format, allowing the consumer to transmit it to another controller.
  4. Right to opt out: Consumers have the right to opt out of the processing of their personal data for targeted advertising purposes or the sale of their personal data.

Obligations for organizations that fall under the UCPA

Organizations must provide clear and accessible privacy notices to consumers, detailing the categories of processed personal data, processing purposes, and how to exercise their rights. If personal data is sold or used for targeted advertising, they must disclose this and provide opt-out options. These organizations must also establish and maintain data security practices to protect the confidentiality and integrity of personal data.

See also: HIPAA Compliant Email: The Definitive Guide