The last state privacy law your business needs to comply with in 2023 is the Utah Consumer Privacy Act (UCPA). This law will go into effect on December 31, 2023. Although your business has more than a year to prepare for compliance, we’ll show you what your company needs to do to start getting ready.
This is the last installment of our blog post series to help your business get ready for the new state privacy laws coming in 2023. Our final article will go over the Utah Consumer Privacy Act (UCPA), which goes into effect on December 31, 2023.
Let’s go over what your business needs to prepare for UCPA, as well as how it compares with the state privacy laws of 2023.
The Utah Consumer Privacy Act applies to any business entities that meet these three conditions:
Unlike Virginia’s CDPA, Colorado’s CPA, and Connecticut’s CTDPA, UCPA uses a revenue threshold to determine which businesses are subject to the law. With such a high revenue standard, smaller businesses that don’t earn as much money or collect as much personal data are exempt from the law. This reduces the number of businesses Utah’s privacy law applies to.
As with the previous state privacy laws, UCPA gives consumers the right to access and delete their data, the right to data portability, and protection from discriminatory practices. Additionally, Utahns can opt out of targeted advertising or the sale of their personal data. UCPA does not, however, allow consumers to opt out of profiling based on their data.
Unlike California, Virginia, Colorado, and Connecticut, Utah does not give residents the right to correct the information companies have on them. Consumers also do not have the right to appeal if a business refuses to process a request. UCPA additionally does not give residents a private right of action.
Unlike the 3Cs (California, Colorado, and Connecticut), Utah does not place limits on cure periods. Businesses have 30 days to correct the privacy violation after the attorney general initiates enforcement.
Because cure periods are ongoing in the state, Utah cannot participate in multi-state enforcement for privacy violations.
Another difference between Utah and some of the previous state privacy laws we’ve covered is the lack of requirement for universal opt-out signals. Colorado’s CPA and Connecticut’s CTDPA require businesses to provide an easy way for consumers to manage their opt-in and opt-out preferences. UCPA does not include such a provision.
UCPA defines sensitive data as a Utah resident’s:
Under UCPA, businesses do not need to obtain explicit consent from consumers before processing their sensitive data. This contrasts with Colorado’s CPA and Connecticut’s CTDPA, where explicit consent to process sensitive data is required.
However, businesses must provide a clear notice before processing this kind of data, as well as give consumers an opportunity to opt out of it.
What’s unique to UCPA is that it does not require businesses to conduct data protection impact assessments (DPIAs) to evaluate the privacy risks of their data processing activities. This also contrasts with what’s found in California, Virginia, Colorado, and Connecticut’s privacy laws.
UCPA has multiple layers of enforcement. The Utah Office of the Attorney General has exclusive rights to enforcement, but the Division of Consumer Protection will hear consumer complaints, investigate claims, and refer the case to the Attorney General if necessary.
Keeping track of the differences between state privacy laws can lead to a lot of confusion for your business’ privacy ops. That’s why Ethyca built the Fides privacy intelligence automation platform. With Fides, your business will be able to automate privacy compliance with U.S. laws.
Let’s see how.
With the Fides privacy intelligence platform, your business can easily manage users’ consent preferences for any privacy law.
Different state privacy laws have different consent requirements businesses must fulfill. Fides will help your business comply with the different state-by-state requirements. You’ll be able to set multiple opt-out links on your website footer, customize a Privacy Center on your website for easy consent intake, and set single or multiple opt-in or opt-out preferences for each state privacy law.
Users can also easily submit their consent preferences through a Privacy Center powered by Fides on your website. With a simple and intuitive Admin UI, you’ll be able to quickly process and record users’ consent preferences for fast and easy compliance.
Although privacy regulations require businesses to fulfill privacy requests like access and erasure, this process is often costly, labor-intensive, and causes a lot of pain between legal, compliance, and engineering teams.
With Fides, you’ll be able to automate DSAR processing end to end.
First, users can submit their requests through the same Privacy Center powered by Fides on your website. Once submitted, they’ll be able to verify their identity via a code sent through SMS or email.
After the user’s identity has been verified, you can approve or deny the request in an easy-to-use Admin UI. Users will then receive an email containing a file with all their requested data in a machine-readable format, or a confirmation that their data has been deleted.
Fides will also maintain a log of the requests your business has received and processed. With this built-in paper trail of reports, you can prove to regulators that your business’ privacy practices are compliant at any time.
What makes the Fides privacy intelligence platform so powerful is its ability to connect to all internal and third-party databases and systems. Once connected, Fides will be able to produce a real-time data map, or visual, of all the data in your organization.
Unlike manual spreadsheets that immediately become out of date, Fides’ automated data map will give you an accurate inventory of all the data in your systems, i.e. what the data is, where it’s stored, and where it flows.
In fact, connecting to all of your systems is how Fides can automate consent management and privacy requests in the first place. The power of privacy automation with Fides!
UCPA may be the last privacy law taking effect in 2023, but it’s never too early to start preparing your business for compliance. If your company is already getting its privacy ops ready to be compliant with the other state privacy laws this year, then your business is already in good shape.
Since each state has its own unique set of business regulations and consumer protections, it can be challenging for your company to keep track of these differences. That’s why Ethyca is here to help your business stay compliant no matter what privacy law is in effect.
If you have any more questions about any existing or upcoming U.S. state privacy laws, schedule a free 15-minute call with one of our privacy experts today!