million or more and reach certain data-level thresholds are covered by the UCPA. A business can reach these thresholds either by controlling/processing the personal data of 100,000 or more consumers per year, or by both deriving over 50% of its gross revenue from the sale of personal data and controlling/processing the data of 25,000 or more customers. A business that processes/controls the personal data of between 25,000 and 99,999 consumers per year, covered under the Colorado data privacy law, would be exempt from the UCPA unless it also has revenue of $25 million or more per year, over 50% of which is derived from controlling/processing personal data.

The enforcement mechanism of the UCPA is different from that of other state privacy statutes. The Division of Consumer Protection (“DCP”) (contained within the Utah Department of Commerce) has the power to investigate any consumer complaints about potential violations of the law. After investigation, if the Division of Consumer Protection deems the claim legitimate, then it must refer the matter to the Utah Attorney General. The Attorney General’s office then conducts a second review, and may either concur with the findings of the DCP or dismiss the consumer’s complaint as lacking merit. Although this might lead to a protracted review process, the existence of two levels within the UCPA’s enforcement mechanism might also lead to fewer complaints in which a violation is determined to have occurred. The UCPA does not create a private cause of action. The UCPA became effective December 31, 2023.

Massachusetts

Massachusetts has widely been regarded as the gold standard for data security laws. Massachusetts requires any company that owns or licenses personal information from residents of the state to develop, implement, and maintain a comprehensive written policy that creates proper administrative, technical, and physical safeguards for consumer information.
Massachusetts follows a “sliding scale” approach, allowing a smaller business with limited customer information to develop a policy that works to protect their data, but does not require costly investments in