Everything You Need to Know About the Utah Consumer Privacy Act

Proactive management of data privacy compliance to handle challenging UCPA requirements

CYTRIO - Utah UCPA

What is the UCPA?

UCPA Timeline

The UCPA contains several key provisions, including the right of Utah residents to know what personal information is being collected and the right to request that their personal information be deleted. The law requires businesses to provide reasonable security for personal information and to provide timely notification in the event of a data breach. The UCPA provides for penalties for non-compliance, including fines for data breaches. The maximum fine for a violation under the UCPA is $2,500.

The UCPA applies to businesses that collect, process, or maintain personal information of Utah residents and that meet one of the following criteria:

  1. The business generates at least $25M annual revenue..
  2. The business collects personal information from 100,000 or more Utah residents.
  3. The business derives 50% or more of its annual revenue from selling personal information and the business collects personal information from 25,000 or more Utah residents.

Cookie Consent under UCPA

When it comes to cookie consent, the act requires businesses to obtain informed consent from users before using certain types of cookies and other tracking technologies that collect and store personal information. To comply, businesses may need to implement a cookie consent solution that:

  1. Displays a clear and conspicuous notice to users about the use of cookies and tracking technologies on the site.
  2. Provides users with information about the types of cookies and tracking technologies used, as well as their purposes.
  3. Allows users to make an informed choice about whether to accept or reject the use of cookies and tracking technologies.
  4. Provides an easy-to-use mechanism for users to manage their cookie and tracking preferences, such as a cookie consent banner or pop-up.
  5. A clear and conspicuous link to the website’s “Do Not Sell My Personal Information” page, where users can exercise their opt-out rights.
  6. Keeps records of user consents and maintains the security of personal information collected through cookies and tracking technologies.

It’s important for businesses operating in Utah to review and implement a cookie consent solution that is compliant with the law and gives users control over their privacy preferences.

Consumer Rights under the UCPA

The right to notice

The right to opt-out of sale of personal information

The right to request deletion of personal information

The right to access personal information

The right to correct inaccuracies

Best Practices: How to Comply

Compliance starts with a strategic plan and checklist. Below are a few tips to get going:

Establish and update your privacy policy

Review legal basis for processing personal data

Document all data that is collected/processed

Map personal information fields to each internal database

Appoint a person/team/Data Protection Officer who can own data privacy best practices and respond to incoming Data Subject Access Request (DSARs)

Meet proper deadlines

Audit/create reports showing your data landscape, purpose, and DSARs completed to date.

Understand all exemptions under UCPA

Decipher between data definitions as they differ between state laws

What are the fines and penalties for non-compliance?

Non-Compliance Civil Penalty
Maximum $2,500 per offense

How does Utah’s CPA compare to
California CPRA?

  • The business generates over 50% of its annual revenue from selling personal information.
  • The business collects personal information from 50,000 or more Utah residents.
  • The business derives 50% or more of its annual revenue from selling personal information and the business collects personal information from 10,000 or more Utah residents.
CDPA CPRA
Rights
  • The right to receive clear and concise notice from businesses about the types of personal information they collect, the purposes for which that information is used, and the third parties with whom it is shared.
  • The right to opt-out of sale or sharing of personal information
  • The right to delete personal data and the personal data collected from third parties
  • The right to access personal Information
  • The right to correct inaccuracies
  • The right to know what personal information is sold or shared and to whom
  • The right to delete personal data and the personal data collected from third parties
  • The right to opt-out of sale or sharing of personal information
  • The right to non-discriminate
  • The right to correct inaccurate information
  • The right to limit the use and disclosure of sensitive personal information
  • The right to opt-out of automated decision-making technology
Who Must Comply: Organizations that conduct business or produce commercial products or services that are intentionally targeted to residents and that either:
  • The business generates over 50% of its annual revenue from selling personal information.
  • The business collects personal information from 50,000 or more Utah residents.
  • The business derives 50% or more of its annual revenue from selling personal information and the business collects personal information from 10,000 or more Utah residents.
  • Gross Revenue >$25 million
  • Buy, receive, sell, or share the personal information of more than 100,000 consumers, households, or devices for commercial purposes
  • Derive 50 percent or more of its annual revenues from selling or sharing consumers’ personal information
Fines The maximum fine for a violation under the UCPA is $2,500.
  • Unintentional Non-Compliance Civil Penalty: Maximum $2,500 per offense
  • Intentional Non-Compliance Civil Penalty: Maximum $7,500 per offense
  • Consumers can file private lawsuits for between $100 to $750 damages or for actual damages
Links - Websites must have “Do not sell my personal information” link and “Limit the use of my personal information” link
Enforcement The Utah Attorney General CA Attorney General + California Privacy Protection Agency
Minors - Organizations must notify minors under 16 years of age if they intend to sell or share their personal data
Cure Period (Fines) 30 Day Cure Period No Cure period (CCPA has a 30 Day Cure Period)
Minor Fines - Automatic $7,500 fine per violation involving the personal information of minors

Frequently Asked Questions

The Utah Consumer Privacy Act (UCPA) was enacted in 2022 with the purpose of providing Utah residents with greater control over their personal information and greater transparency regarding how their information is collected, used, and shared by businesses. The UCPA imposes several obligations on businesses that collect, use, or sell personal information of Utah residents.
The Utah Consumer Privacy Act imposes several obligations on businesses that collect, use, or sell personal information of Utah residents. By implementing best practices and taking steps to comply with the UCPA, businesses can help ensure that they are handling personal information in a responsible and secure manner and that they are respecting the privacy rights of Utah residents.

The UCPA applies to businesses that collect, process, or maintain personal information of Utah residents and that meet one of the following criteria:

·         The business generates over 50% of its annual revenue from selling personal information.

·         The business collects personal information from 50,000 or more Utah residents.

·         The business derives 50% or more of its annual revenue from selling personal information and the business collects personal information from 10,000 or more Utah residents.

The UCPA grants consumers several rights that they can exercise to protect their personal information and privacy.

Right to Notice: Consumers have the right to receive clear and concise notice from businesses about the types of personal information they collect, the purposes for which that information is used, and the third parties with whom it is shared. This notice must be provided in a manner that is easily understandable and accessible to consumers.

Right to Opt Out of Sale of Personal Information: Consumers have the right to opt out of the sale of their personal information. Businesses must provide a clear and conspicuous method for consumers to exercise this right.

Right to Request Deletion of Personal Information: Consumers have the right to request that their personal information be deleted. Businesses must delete the personal information of a consumer upon receiving a verifiable request from the consumer, subject to certain exceptions.

Right to Access Personal Information: Consumers have the right to access their personal information that is collected and maintained by a business. Businesses must provide this information in a manner that is easily accessible and understandable to consumers.

Right to Correct Inaccuracies: Consumers have the right to request that businesses correct any inaccuracies in their personal information. Businesses must respond to a verifiable request from a consumer to correct inaccuracies in a timely manner.

CYTRIO is helping organizations meet the burden of the Utah Consumer Privacy Act (UCPA) with an easy-to-use All-in-One Data Privacy Compliance Platform. With CYTRIO, organizations can eliminate 80%+ of manual tasks, resulting in significant time and cost-saving, improved SLAs and minimization risk of regulatory fines, all the while building consumer trust.

With CYTRIO, organizations can operationalize and automate consent and privacy rights management, to meet a complex set of UCPA compliance requirements through the All-in-One Data Privacy Compliance Platform featuring Cookie Consent Manager, Cookie Banner Generator, Cookie Scanner, DSAR Manager, DSAR Response Automation, Data Discovery, Data Mapping and Records of Processing Activity (ROPA) and Data Protection Impact Assessments (DPIA).

The Utah Attorney General

Any individual who has a permanent address in Utah

Customers of household goods and services, employees, and those who make business-to-business transactions

Consumers may only make information requests twice a year and only for a 12-month look-back

Yes, if you have a customer/client who resides Utah you must comply

An individual whose data is collected and processed

 An organization that collects data from one or more sources, provides some value-added processing, and repackages the result in a usable form

The process of matching fields from one database to another

A person who determines the purposes and means of the processing of personal data

A third-party who processes personal data on behalf of the controller

A business that knowingly collects and sells to third parties the personal information of a consumer with whom the business does not have a direct relationship

Why CYTRIO?

NextGen Privacy Rights Management

State of CCPA and GDPR Privacy Rights Compliance

Q3 2022 Research Report – 9,827 companies researched

Screenshot_4.png