Additional Business Obligations of UCPA
Utah privacy law also includes specific business obligations that your company must follow to achieve compliance. The business obligations UCPA mandates are fewer in scope than other state privacy laws. For example, UCPA does not require businesses to conduct Data Protection Assessments.
Here’s what your business needs to do to meet UCPA’s privacy requirements.
Like with all other state privacy laws, UCPA requires companies to provide Utah consumers with a clear and accessible privacy notice on their websites. Privacy notices should include the following information.
The categories of personal data processed by the controller.
The purpose for this processing.
How consumers can exercise their consumer and consent rights.
The categories of personal data controllers share with third-parties, if any.
The categories of third-parties the controller shares personal data with, if any.
To comply with Utah's privacy law, work with your legal team to publish a privacy notice on your website that includes all of the information above.
Businesses subject to Utah's privacy law must also enter data processing contracts with entities that process personal data on the business’s behalf. Examples of this include third-party SaaS vendors that processes and store data for your business.
These contracts must include instructions for the processor to handle data on the controller's behalf. They must specify the type of data being processed, the purpose, and the duration of processing. They must also establish the rights and obligations of both the controller and processor.
The terms of UCPA's data processing contracts are more vague than in other state privacy laws. Regardless, If your business works with processors or subcontractors that process users' personal data on your behalf, be sure to enter legally binding data processing contracts with all of them.