How Your Business Can Prepare for the Utah Consumer Privacy Act (UCPA)
Introduction
This is the last installment of our blog post series to help your business get ready for the new state privacy laws coming in 2023. Our final article will go over the Utah Consumer Privacy Act (UCPA), which goes into effect on December 31, 2023.
Arguably a more business-friendly comprehensive data privacy framework, UCPA still has a number of similarities with California, Virginia, Colorado, and Connecticut.
Let’s go over what your business needs to prepare for UCPA, as well as how it compares with the state privacy laws of 2023.
Does UCPA Apply to Your Business?
The Utah Consumer Privacy Act applies to any business entity that meets all three of these conditions:
- Conducts business in the state or targets its products and services to Utah residents.
- Earns an annual revenue of $25,000,000 or more.
- Controls and processes the data of 100,000 or more consumers, or earns over 50% of gross revenue from the sale of personal data of 25,000 or more consumers.
Unlike Virginia’s CDPA, Colorado’s CPA, and Connecticut’s CTDPA, UCPA uses a revenue threshold to determine which businesses are subject to the law. With such a high revenue standard, smaller businesses that don’t earn as much money or collect as much personal data are exempt from the law. This reduces the number of businesses Utah’s privacy law applies to.
What’s Included in Utah’s Consumer Privacy Act?
Similar State Privacy Rights with Some Exceptions
Like the previous state privacy laws, UCPA gives consumers the right to access and delete their data, the right to data portability, and protection from discrimination for exercising those rights. Additionally, Utahns can opt out of targeted advertising or the sale of their personal data. UCPA does not, however, allow consumers to opt out of profiling based on their data.
Unlike California, Virginia, Colorado, and Connecticut, Utah does not give residents the right to correct the information companies hold about them. Consumers also do not have the right to appeal if a business refuses to process a request. UCPA additionally does not give residents a private right of action.
No Limits on Cure Periods
Unlike the 3Cs (California, Colorado, and Connecticut), Utah does not place limits on cure periods. Businesses have 30 days to correct the privacy violation after the attorney general initiates enforcement.
Because Utah’s cure period is permanent rather than time-limited, Utah cannot participate in multi-state enforcement for privacy violations.
No Requirement for Universal Opt-Out Signals
Another difference between Utah and some of the previous state privacy laws we’ve covered is the absence of any requirement to honor universal opt-out signals. Colorado’s CPA and Connecticut’s CTDPA require businesses to provide an easy way for consumers to manage their opt-in and opt-out preferences. UCPA does not include such a provision.
No Requirement for Explicit Consent to Process Sensitive Data
UCPA defines sensitive data as a Utah resident’s:
- Racial or ethnic origin.
- Religious beliefs.
- Sexual orientation.
- Citizenship or immigration status.
- Medical history, mental or physical health condition, or medical treatment or diagnosis by a healthcare professional.
Under UCPA, businesses do not need to obtain explicit consent from consumers before processing their sensitive data. This provision contrasts with Colorado’s CPA and Connecticut’s CTDPA, where explicit consent to process sensitive data is required.
However, businesses must provide a clear notice before processing this kind of data, as well as give consumers an opportunity to opt out of it.
No Requirement for Data Protection Impact Assessments
What’s unique to UCPA is that it does not require businesses to conduct data protection impact assessments (DPIAs) to evaluate the privacy risks of their data processing activities. This also contrasts with what’s found in California, Virginia, Colorado, and Connecticut’s privacy laws.
Layered Approach For Enforcement
UCPA has multiple layers of enforcement. While the Utah Office of the Attorney General has exclusive enforcement authority, the Division of Consumer Protection will hear consumer complaints, investigate claims, and refer the case to the Attorney General if necessary.
How to comply with the Delaware Personal Data Privacy Act with Ethyca
Keeping track of the differences between state privacy laws can lead to a lot of confusion for your business’ privacy ops. That’s why Ethyca built the Fides privacy intelligence automation platform. With Fides, your business will be able to automate privacy compliance with U.S. laws.
Let’s see how.
Easy consent management
With the Fides privacy intelligence platform, your business can easily manage users’ consent preferences for any privacy law.
Different state privacy laws have different consent requirements businesses must fulfill. Fides will help your business comply with the different state-by-state requirements. You’ll be able to set multiple opt-out links on your website footer, customize a Privacy Center on your website for easy consent intake, and set single or multiple opt-in or opt-out preferences for each state privacy law.
Users can also easily submit their consent preferences through a Privacy Center powered by Fides on your website. With a simple and intuitive Admin UI, you’ll be able to quickly process and record users’ consent preferences for fast and easy compliance.
Automated DSAR processing
Although privacy regulations require businesses to fulfill privacy requests like access and erasure, this process is often costly and labor-intensive, and it creates a lot of friction between legal, compliance, and engineering teams.
With Fides, you’ll be able to automate DSAR processing end to end.
First, users can submit their requests through the same Privacy Center powered by Fides on your website. Once submitted, they’ll be able to verify their identity via a code sent through SMS or email.
After the user’s identity has been verified, you can approve or deny the request in an easy-to-use Admin UI. Users will then receive an email containing a file with all their requested data in a machine-readable format, or a confirmation that their data has been deleted.
Fides will also maintain a log of the requests your business has received and processed. With this built-in paper trail of reports, you can prove to regulators that your business’ privacy practices are compliant at any time.
Real-time data mapping and system inventorying
What makes the Fides privacy intelligence platform so powerful is its ability to connect to all internal and third-party databases and systems. Once connected, Fides will be able to produce a real-time data map, or visual, of all the data in your organization.
Unlike manual spreadsheets that immediately become out of date, Fides’ automated data map will give you an accurate inventory of all the data in your systems, i.e. what the data is, where it’s stored, and where it flows.
In fact, connecting to all of your systems is how Fides can automate consent management and privacy requests in the first place. The power of privacy automation with Fides!
Conclusion
UCPA may be the last privacy law taking effect in 2023, but it’s never too early to start preparing your business for compliance. If your company is already getting its privacy ops ready to be compliant with the other state privacy laws this year, then your business is already in good shape.
Since each state has its own unique set of business regulations and consumer protections, it can be challenging for your company to keep track of these differences. That’s why Ethyca is here to help your business stay compliant no matter what privacy law is in effect.
If you have any more questions about any existing or upcoming U.S. state privacy laws, schedule a free 15-minute call with one of our privacy experts today!