How Your Business Can Prepare for Utah’s UCPA

The last state privacy law your business needs to comply with in 2023 is the Utah Consumer Privacy Act (UCPA). This law will go into effect on December 31, 2023. Although your business has more than a year to prepare for compliance, we’ll show you what your company needs to do to start getting ready.


This is the last installment of our blog post series to help your business get ready for the new state privacy laws coming in 2023. Our final article will go over the Utah Consumer Privacy Act (UCPA), which goes into effect on December 31, 2023. 

Arguably a more business-friendly comprehensive data privacy framework, UCPA still has a number of similarities with the laws of California, Virginia, Colorado, and Connecticut. And although this law is still a year away from taking effect, it’s important to use this time to get your business ready for state-by-state compliance in the U.S.

We’ll go over what your business needs to prepare for UCPA, as well as how it compares with the state privacy laws of 2023.

Does UCPA Apply to Your Business?

The Utah Consumer Privacy Act applies to any business entity that meets these three conditions:

  • Conducts business in the state or targets its products and services to Utah residents. 
  • Earns an annual revenue of $25,000,000 or more.
  • Controls and processes the data of 100,000 or more consumers, or earns over 50% of gross revenue from the sale of personal data of 25,000 or more consumers.

Unlike Virginia’s CDPA, Colorado’s CPA, and Connecticut’s CTDPA, UCPA does use a revenue threshold to determine which businesses are subject to the law. With such a high revenue standard, smaller businesses that don’t earn as much money or collect as much personal data are exempt from the law. This reduces the number of businesses Utah’s privacy law would apply to.

What’s Included in Utah’s Consumer Privacy Act?

Similar State Privacy Rights with Some Exceptions

As with the previous state privacy laws, UCPA gives consumers the right to access and delete their data, the right to data portability, and the right to non-discrimination. Additionally, Utahns can opt out of targeted advertising or the sale of their personal data. UCPA does not, however, allow consumers to opt out of profiling based on their data.

Unlike California, Virginia, Colorado, and Connecticut, Utah does not give residents the right to correct the information companies have on them. Consumers also do not have the right to appeal if a business refuses to process a request. UCPA additionally does not give residents a private right of action.

No Limits on Cure Periods

Unlike the 3Cs (California, Colorado, and Connecticut), Utah does not place limits on cure periods. Businesses have 30 days to correct the privacy violation after the attorney general initiates enforcement. 

Because cure periods are ongoing in the state, Utah cannot participate in multi-state enforcement for privacy violations. 

No Requirement for Universal Opt-Out Signals

Another difference between Utah and some of the previous state privacy laws we’ve covered is the lack of a requirement for universal opt-out signals. Colorado’s CPA and Connecticut’s CTDPA require businesses to provide an easy way for consumers to manage their opt-in and opt-out preferences. UCPA does not include such a provision.

No Requirement for Explicit Consent to Process Sensitive Data 

UCPA defines sensitive data as a Utah resident’s:

  • Racial or ethnic origin.
  • Religious beliefs.
  • Sexual orientation.
  • Citizenship or immigration status.
  • Medical history, mental or physical health condition, or medical treatment or diagnosis by a healthcare professional.

Under UCPA, businesses do not need to obtain explicit consent from consumers before processing their sensitive data. This provision contrasts with Colorado’s CPA and Connecticut’s CTDPA, where explicit consent is required.

However, businesses must provide a clear notice before processing this kind of data, as well as give consumers an opportunity to opt out of it.

No Requirement for Data Protection Impact Assessments

What’s unique to UCPA is that it does not require businesses to conduct data protection impact assessments (DPIAs) to evaluate the privacy risks of their data processing activities. This is in contrast with California, Virginia, Colorado, and Connecticut. 

Layered Approach For Enforcement

UCPA has multiple layers of enforcement. The Utah Office of the Attorney General has exclusive rights to enforcement. The Division of Consumer Protection, however, will hear consumer complaints, investigate claims, and refer the case to the attorney general if necessary.

How Ethyca Can Help Your Business Comply With UCPA

Keeping track of the differences between state privacy laws can lead to a lot of confusion for your business’ privacy ops. That’s why Ethyca is updating the Consent Management experience for customers. Soon, your business will be able to classify data into different data categories. Ethyca’s Consent Management Platform can also help your business manage Utah residents’ consent preferences. They’ll be able to exercise more control over their opt-in and opt-out choices. Your business will also be able to store their consent preferences for reporting and auditing. 

Another solution for your business’ privacy ops is the Fides privacy engineering platform. Fides will help your business create a dynamic data map of all of the data in your systems. No more having to search through mounds of unorganized data. Instead, your data map will show real-time data flows of where your company’s data resides. You can also use Fides to automate users’ privacy requests for access, deletion, and portability. 

Ethyca is here to help lift the burden of privacy ops for your business.


UCPA may be the last privacy law taking effect in 2023, but it’s never too late to start preparing your business for compliance. If your company is already getting its privacy ops ready to be compliant with the other state privacy laws in this series, then your business is already in good shape. 

Since each state has its own unique set of business regulations and consumer protections, it can be challenging for your company to keep track of these differences. That’s why Ethyca is here to help your business stay compliant no matter what privacy law is in effect.
