The UCPA contains several key provisions, including the right of Utah residents to know what personal information is being collected and the right to request that their personal information be deleted. The law requires businesses to provide reasonable security for personal information and to provide timely notification in the event of a data breach. The UCPA provides for penalties for non-compliance, including fines for data breaches. The maximum fine for a violation under the UCPA is $2,500.
When it comes to cookie consent, the act requires businesses to obtain informed consent from users before using certain types of cookies and other tracking technologies that collect and store personal information. To comply, businesses may need to implement a cookie consent solution that:
It’s important for businesses operating in Utah to review and implement a cookie consent solution that is compliant with the law and gives users control over their privacy preferences.
The right to notice
The right to opt out of the sale of personal information
The right to request deletion of personal information
The right to access personal information
The right to correct inaccuracies
Establish and update your privacy policy
Review legal basis for processing personal data
Document all data that is collected/processed
Map personal information fields to each internal database
Appoint a person/team/Data Protection Officer who can own data privacy best practices and respond to incoming Data Subject Access Requests (DSARs)
Meet proper deadlines
Audit/create reports showing your data landscape, purpose, and DSARs completed to date.
Understand all exemptions under UCPA
Distinguish between data definitions as they differ between state laws
The UCPA applies to businesses that collect, process, or maintain personal information of Utah residents and that meet one of the following criteria:
· The business generates over 50% of its annual revenue from selling personal information.
· The business collects personal information from 50,000 or more Utah residents.
· The business derives 50% or more of its annual revenue from selling personal information and the business collects personal information from 10,000 or more Utah residents.
The UCPA grants consumers several rights that they can exercise to protect their personal information and privacy.
Right to Notice: Consumers have the right to receive clear and concise notice from businesses about the types of personal information they collect, the purposes for which that information is used, and the third parties with whom it is shared. This notice must be provided in a manner that is easily understandable and accessible to consumers.
Right to Opt Out of Sale of Personal Information: Consumers have the right to opt out of the sale of their personal information. Businesses must provide a clear and conspicuous method for consumers to exercise this right.
Right to Request Deletion of Personal Information: Consumers have the right to request that their personal information be deleted. Businesses must delete the personal information of a consumer upon receiving a verifiable request from the consumer, subject to certain exceptions.
Right to Access Personal Information: Consumers have the right to access their personal information that is collected and maintained by a business. Businesses must provide this information in a manner that is easily accessible and understandable to consumers.
Right to Correct Inaccuracies: Consumers have the right to request that businesses correct any inaccuracies in their personal information. Businesses must respond to a verifiable request from a consumer to correct inaccuracies in a timely manner.
CYTRIO is helping organizations meet the burden of the Utah Consumer Privacy Act (UCPA) with an easy-to-use All-in-One Data Privacy Compliance Platform. With CYTRIO, organizations can eliminate 80%+ of manual tasks, resulting in significant time and cost savings, improved SLAs and minimized risk of regulatory fines, all the while building consumer trust.
With CYTRIO, organizations can operationalize and automate consent and privacy rights management, to meet a complex set of UCPA compliance requirements through the All-in-One Data Privacy Compliance Platform featuring Cookie Consent Manager, Cookie Banner Generator, Cookie Scanner, DSAR Manager, DSAR Response Automation, Data Discovery, Data Mapping and Records of Processing Activity (ROPA) and Data Protection Impact Assessments (DPIA).
The Utah Attorney General
Any individual who has a permanent address in Utah
Customers of household goods and services, employees, and those who make business-to-business transactions
Consumers may only make information requests twice a year and only for a 12-month look-back
Yes, if you have a customer/client who resides in Utah, you must comply
An individual whose data is collected and processed
An organization that collects data from one or more sources, provides some value-added processing, and repackages the result in a usable form
The process of matching fields from one database to another
A person who determines the purposes and means of the processing of personal data
A third party who processes personal data on behalf of the controller
A business that knowingly collects and sells to third parties the personal information of a consumer with whom the business does not have a direct relationship