The last state privacy law your business needs to comply with in 2023 is the Utah Consumer Privacy Act (UCPA). This law will go into effect on December 31, 2023. Although your business has more than a year to prepare for compliance, we’ll show you what your company needs to do to start getting ready.
This is the last installment of our blog post series to help your business get ready for the new state privacy laws coming in 2023. Our final article will go over the Utah Consumer Privacy Act (UCPA), which goes into effect on December 31, 2023.
Arguably a more business-friendly comprehensive data privacy framework, UCPA still has a number of similarities with California, Virginia, Colorado, and Connecticut. And although this law is still a year away from enactment, it’s important to use this time to get your business ready for state-by-state compliance in the U.S.
We’ll go over what your business needs to prepare for UCPA, as well as how it compares with the state privacy laws of 2023.
The Utah Consumer Privacy Act applies to any business entities that meet these three conditions:
Unlike Virginia’s CDPA, Colorado’s CPA, and Connecticut’s CTDPA, UCPA does use a revenue threshold to determine which businesses are subject to the law. With such a high revenue standard, smaller businesses that don’t earn as much money or collect as much personal data are exempt from the law. This reduces the number of businesses Utah’s privacy law would apply to.
Like with the previous state privacy laws, UCPA gives consumers the right to access and delete their data, data portability, and anti-discriminatory practices. Additionally, Utahns can opt out of targeted advertising or the sale of their personal data. UCPA does not, however, allow consumers to opt out of profiling based on their data.
Unlike California, Virginia, Colorado, and Connecticut, Utah does not give residents the right to correct the information companies have on them. Consumers also do not have the right to appeal if a business refuses to process a request. UCPA additionally does not give residents a private right of action
Unlike the 3Cs (California, Colorado, and Connecticut), Utah does not place limits on cure periods. Businesses have 30 days to correct the privacy violation after the attorney general initiates enforcement.
Because cure periods are ongoing in the state, Utah cannot participate in multi-state enforcement for privacy violations.
Another difference between Utah and some of the previous state privacy laws we’ve covered is the lack of requirement for universal opt-out signals. Colorado’s CPA and Connecticut’s CTDPA require businesses to provide an easy way for consumers to manage their opt-in and opt-out preferences. UCPA does not include such a provision.
UCPA defines sensitive data as a Utah residents’:
Under UCPA, businesses do not need to obtain explicit consent from consumers before processing their sensitive data. This ruling contrasts Colorado’s CPA and Connecticut’s CTDPA, where explicit consent is required.
However, businesses must provide a clear notice before processing this kind of data, as well as give consumers an opportunity to opt-out of it.
What’s unique to UCPA is that it does not require businesses to conduct data protection impact assessments (DPIAs) to evaluate the privacy risks of their data processing activities. This is in contrast with California, Virginia, Colorado, and Connecticut.
UCPA has multiple layers of enforcement. The Utah Office of the Attorney General has exclusive rights to enforcement. The Division of Consumer Protection, however, will hear consumer complaints, investigate claims, and refer the case to the attorney general if necessary.
Keeping track of the differences between state privacy laws can lead to a lot of confusion for your business’ privacy ops. That’s why Ethyca is updating the Consent Management experience for customers. Soon, your business will be able to classify data into different data categories. Ethyca’s Consent Management Platform can also help your business manage Utah residents’ consent preferences. They’ll be able to exercise more control over their opt-in and opt-out choices. Your business will also be able to store their consent preferences for reporting and auditing.
Another solution for your business’ privacy ops is the Fides privacy engineering platform. Fides will help your business create a dynamic data map of all of the data in your systems. No more having to search through mounds of unorganized data. Instead, your data map will show real-time data flows of where your company’s data resides. You can also use Fides to automate users’ privacy requests for access, deletion, and portability.
Ethyca is here to help lift the burden of privacy ops for your business.
UCPA may be the last privacy law taking effect in 2023, but it’s never too late to start preparing your business for compliance. If your company is already getting its privacy ops ready to be compliant with the other state privacy laws in this series, then your business is already in good shape.
Since each state has its own unique set of business regulations and consumer protections, it can be challenging for your company to keep track of these differences. That’s why Ethyca is here to help your business stay compliant no matter what privacy law is in effect.
Ethyca’s VP of Engineering Neville Samuell recently spoke at the University of Texas at Austin’s Texas McCombs School of Business about privacy engineering and its role in today’s digital landscape. Read a summary of the discussion by Neville himself here.
Learn more about all of the updates in the Fides 2.24 release here.
Ethyca’s Senior Software Engineer Adam Sachs goes through the thought process of creating Fideslang, the privacy engineering taxonomy that standardizes privacy compliance in software development.
Learn more about all of the updates in the Fides 2.23 release here.
Our Senior Software Engineer Dawn Pattison walks you through implementing data minimization into your business.
Learn more about all of the updates in the Fides 2.22 release here.
Our team of data privacy devotees would love to show you how Ethyca helps engineers deploy CCPA, GDPR, and LGPD privacy compliance deep into business systems. Let’s chat!Request a Demo