Guide to Utah’s Consumer Privacy Act (UCPA)

In this guide:

  1. Overview of the UCPA
  2. How to ensure business compliance
  3. Why Privacy Bee works

Overview of Utah’s Consumer Privacy Act (UCPA)

Utah signed the Consumer Privacy Act (UCPA) into law in 2022, and it took effect on December 31, 2023, to protect the privacy rights of Utah residents. To do so, the UCPA establishes data privacy obligations for businesses that process an individual’s personal data. The Act is very similar to other US data privacy laws such as the Virginia Consumer Data Protection Act (VCDPA) and the California Consumer Privacy Act (CCPA). However, the UCPA is more business-friendly than those laws in the obligations it imposes.

The UCPA applies to businesses that conduct business in Utah or produce products or services targeted to Utah residents, referring to these organizations as “controllers” or “processors,” which aligns with global data privacy terminology. Unlike most other state privacy laws, its thresholds are cumulative: an organization must have annual revenue of at least $25,000,000 and either control or process the personal data of 100,000 or more consumers, or derive over 50% of its gross revenue from the sale of personal data while controlling or processing the personal data of 25,000 or more consumers. Organizations that meet these thresholds must comply with the UCPA or face enforcement action and fines. Because the revenue threshold must be met together with a data-volume threshold, the scope is comparatively limited.

Individuals are granted the following protected rights, which they can exercise at any time under the UCPA:

  1. Right to confirm whether a controller is processing their personal data and to access that data.
  2. Right to delete personal data the individual provided to the controller. This differs from most other data privacy laws, which allow the individual to request deletion of all personal data the business holds about them, not just what they provided directly.
  3. Right to opt out of the processing of their personal data for targeted advertising or the sale of personal data.
  4. Right to data portability, which means the individual can receive the data they provided in a portable and, to the extent technically feasible, readily usable format that allows them to transfer it to another entity.

Unlike the VCDPA and the CCPA, the UCPA does not grant a right to correct inaccurate personal data.

By providing these data privacy rights, Utah forces organizations to be careful stewards of personal information. Businesses must respond to a request within 45 days of receiving it; that period may be extended once by a further 45 days where reasonably necessary, provided the individual is informed.

However, the UCPA does not provide a “private right of action,” so individuals cannot sue businesses directly. Instead, the Division of Consumer Protection receives and investigates consumer complaints and refers matters to Utah’s Attorney General, who has exclusive authority to enforce the law and impose penalties. There are some exceptions to the provisions above: some information is exempted, such as protected health information covered under HIPAA and financial data covered under the GLBA, and the Act does not apply to non-profits, government entities, or institutions of higher education.

As the US Congress continues to mull over a national data privacy law to unify these types of regulations across the country, consumers will remain reliant on state laws like this one to protect their privacy. Utah should be applauded for being one of the first states to implement these protections as more states follow the trend set in Europe and first brought to the United States by the California state legislature. Although it creates numerous obligations for businesses, the UCPA makes data privacy a priority, which is critical to the success of the digital economy.

(Source: Utah State Legislature website)

How to ensure business compliance

Utah is already enforcing the UCPA, so non-compliant organizations and those with outdated policies need to make the required changes as soon as possible and be able to show their data protection practices and their respect for data privacy rights. Here’s the good news: becoming compliant with the UCPA will also help your organization avoid fines from other states and abroad, especially if marketing and sales efforts have already begun in those areas.

Using the UCPA as a starting point, organizations can turn these obligations into a positive opportunity to differentiate and showcase their data privacy expertise. This in turn builds consumer trust, all while protecting from debilitating fines and legal action.

These are the critical aspects for businesses to consider when pushing towards organization-wide compliance:

  1. Data transparency: Businesses must disclose, in a reasonably accessible privacy notice, what personal information they collect, why they need it, how they use it, and with whom they share it.
  2. Consumer rights: Gives Utah residents the right to access, delete, and port their personal data and to opt out of its sale or use for targeted advertising. Businesses must respond within 45 days, extendable once by a further 45 days where reasonably necessary.
  3. Opt-out of data sales: Consumers can direct businesses not to sell their personal information or use it for targeted advertising. This opt-out right must be clearly and conspicuously presented.
  4. Data minimization: Businesses should only collect consumer data that is adequate, relevant, and reasonably necessary for the purposes disclosed.
  5. Data security: Requires businesses to establish and maintain reasonable administrative, technical, and physical data security practices appropriate to the volume and nature of the data at issue.
  6. Non-discrimination: Businesses cannot discriminate against consumers for exercising their privacy rights under the UCPA.
  7. Enforcement: The Utah Attorney General has exclusive authority to enforce the UCPA and can seek actual damages plus up to $7,500 per violation, after giving the business 30 days’ written notice and an opportunity to cure the violation. Breach notification is governed separately by Utah’s Protection of Personal Information Act; when a breach happens, prompt and transparent communication shows the steps taken to protect consumer data.
  8. Consent to process children’s personal data: Controllers processing the personal data of a known child (under the age of 13) must obtain verifiable parental consent and process that data in accordance with the Children’s Online Privacy Protection Act (COPPA). This is the only processing for which the UCPA requires affirmative consent; for other sensitive data it requires clear notice and an opportunity to opt out.

These regulations might appear straightforward at first, but can get complicated in practice. Regularly reviewing the company’s processes, practices and training is a great way to ensure any updates are captured, but there’s a lot more to it.

Businesses operating or located in Utah should consider the following best practices:

  • Understand and align with UCPA requirements: Thoroughly understand the provisions and regularly review updates to ensure full compliance. Align business practices and data processing activities with the specific requirements outlined in the legislation.
  • Establish a robust privacy policy: Develop and maintain a comprehensive privacy policy that clearly communicates how personal data is collected, processed, and protected. Ensure that the privacy policy is easily accessible to data subjects.
  • Implement explicit consent mechanisms: Obtain explicit and informed consent from individuals before collecting, processing, or using their personal data. Clearly communicate the purposes for data processing and allow individuals to make informed decisions about their information. Note that the UCPA itself only requires affirmative consent for children’s data and is otherwise a notice-and-opt-out law; consent mechanisms are a best practice that positions the business for stricter regimes such as the GDPR.
  • Data minimization and purpose limitation: Practice data minimization by collecting only the minimum amount of personal data necessary for the intended purposes. Ensure that data processing activities align with the specific purposes for which consent was obtained.
  • Secure data management: Implement robust security measures to protect personal data from unauthorized access, disclosure, or alteration. Regularly assess and update security protocols to address evolving threats.
  • Ensure data accuracy and currency: Establish procedures to maintain the accuracy, completeness, and currency of personal data. Regularly review and update records to reflect any changes in individuals’ information.
  • Enable Data Subject Rights: Facilitate the exercise of data subject rights, including the rights to access, delete, and port personal data (and to correct it, which other state laws require even though the UCPA does not). Establish mechanisms for individuals to easily submit requests related to their data, and track each request against the 45-day deadline.
  • Anonymization and pseudonymization: Where applicable, utilize anonymization or pseudonymization techniques to process personal data, especially if it is still possible to fulfill the intended purposes through these methods.
  • Conduct Data Privacy Impact Assessments (DPIA): Perform DPIAs to assess the impact of data processing activities on privacy. This proactive approach helps identify and mitigate potential privacy risks.
  • Train employees on data protection: Provide comprehensive training to employees on data protection principles, UCPA requirements, and the organization’s privacy policies. Foster a culture of privacy awareness and responsibility.
  • Employ a Data Protection Officer (DPO): Consider appointing a DPO to oversee compliance efforts, act as a point of contact for data subjects, and ensure ongoing adherence to data protection practices.
  • Regularly audit and monitor compliance: Conduct regular internal audits to assess compliance with UCPA requirements. Monitor data processing activities to identify and address any deviations from established privacy practices.
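The pseudonymization item above deserves a concrete illustration, because the common mistake is to hash an identifier with unkeyed SHA-256 and call the result pseudonymous: anyone holding the table can recover email addresses by hashing a list of candidate addresses. The following is an added example, not code from the original page or from Privacy Bee, showing keyed pseudonymization with HMAC-SHA256 beside the unkeyed hash it replaces. The sample records, the key handling, and the helper names are assumptions made for illustration.

```python
"""Keyed pseudonymization of direct identifiers.

Added example, not code from the page it accompanies. Assumes a 32-byte
secret key held by the controller and stored apart from the pseudonymized
records (for example, in a secrets manager). The sample records below are
constructed for illustration and do not describe real people.
"""
import hashlib
import hmac
import secrets
from typing import Iterable, Optional

# Constructed sample data: the direct identifier is the email address.
SAMPLE_RECORDS = [
    {"email": "Alice@Example.com", "state": "UT", "orders": 3},
    {"email": "bob@example.com", "state": "UT", "orders": 1},
    {"email": "alice@example.com ", "state": "UT", "orders": 2},
]


def normalize(identifier: str) -> bytes:
    """Canonicalize before hashing so 'Alice@Example.com ' and
    'alice@example.com' map to the same pseudonym."""
    return identifier.strip().lower().encode("utf-8")


def unkeyed_hash(identifier: str) -> str:
    """The weak pattern: SHA-256 of the identifier with no secret.
    Anyone with the table can rebuild it from a list of candidate emails."""
    return hashlib.sha256(normalize(identifier)).hexdigest()


def pseudonym(identifier: str, key: bytes) -> str:
    """The hardened form: HMAC-SHA256 under a secret key.
    Same identifier -> same token, so records can still be joined, but the
    token cannot be reproduced or reversed without the key."""
    return hmac.new(key, normalize(identifier), hashlib.sha256).hexdigest()


def new_key() -> bytes:
    """Generate a key. Rotating it means re-pseudonymizing from source data,
    since tokens under different keys cannot be linked to each other."""
    return secrets.token_bytes(32)


def pseudonymize_records(records: Iterable[dict], key: bytes) -> list:
    """Replace the 'email' field with a 'subject_id' pseudonym, leaving the
    rest of each record intact for analytics."""
    out = []
    for rec in records:
        rec = dict(rec)  # do not mutate the caller's data
        rec["subject_id"] = pseudonym(rec.pop("email"), key)
        out.append(rec)
    return out


def reverse_by_dictionary(token: str, candidates: Iterable[str],
                          key: Optional[bytes] = None) -> Optional[str]:
    """Attacker's view: recover the identifier behind a token by hashing
    every candidate. Succeeds against unkeyed hashes; against HMAC tokens
    it only works if the attacker also holds the key."""
    for candidate in candidates:
        guess = pseudonym(candidate, key) if key else unkeyed_hash(candidate)
        if hmac.compare_digest(guess, token):
            return candidate.strip().lower()
    return None


if __name__ == "__main__":
    key = new_key()
    records = pseudonymize_records(SAMPLE_RECORDS, key)
    leaked_candidates = ["carol@example.com", "alice@example.com"]
    print("unkeyed:", reverse_by_dictionary(unkeyed_hash("alice@example.com"), leaked_candidates))
    print("keyed  :", reverse_by_dictionary(records[0]["subject_id"], leaked_candidates))
```

Two design points: the key must live somewhere the pseudonymized dataset does not, because pseudonymized data remains personal data for as long as anyone can re-identify it, and the same key reproduces the same token, so a deletion request can be honored by pseudonymizing the requester’s identifier and removing the matching `subject_id` rows without ever storing the email in the analytics set.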

As mentioned previously, doing these things will help your organization ensure compliance with most of the data privacy laws already in effect around the world. These are constantly changing, and more states and countries roll out new laws and amendments regularly, so it’s vital to stay in the loop and have someone in charge of ensuring the latest changes are addressed appropriately.

The best way to handle data privacy is to get ahead of the curve. It will prove to be a key differentiator for your business, and will protect the short term and long term financial success of the organization.

Why Privacy Bee works

Personal data protection is imperative for businesses engaged in online service delivery today, especially for sensitive data. New regulations are appearing around the world at a steady pace, and the current trend is toward more stringent opt-in requirements and broader consumer rights. The public now has the ability to review and remove their personal data, increasing the accountability and obligations of every organization processing personally identifiable information (PII).

Yet the responsibility still falls primarily on the individual to oversee, assess, update and delete (via a data subject access request, or DSAR) their personal data wherever it may be collected and dispersed across the internet.

This becomes a massive lift for any business looking to protect their organization from data breaches. When working to cover an entire company, it is practically impossible for a single person or small team to manage External Data Privacy without help from a specialized team of experts. The identification and subsequent elimination of this data plays a pivotal role in deterring cybercriminals from launching dangerous social engineering attacks against an organization by closing the data protection gap.

That’s why Privacy Bee emerges as the optimal solution. The time-consuming process of monitoring and eradicating employee data as a complement to cybersecurity is a must, and Privacy Bee covers every site across the internet exposing your organization’s data. This data monitoring and deletion service is especially effective for executives who are highly visible to the general public. Using sophisticated automation processes backed by an active human service team, Privacy Bee substantially reduces a company’s attack surface and mitigates the looming threat of an expensive data breach. Industry estimates put the cost of a single data breach somewhere between $7-10 million USD. That can be crippling for a small or mid-size business–not to mention the fines from noncompliance–which is why a proactive approach for maximum security is a must.

Social engineering attacks are the fastest-growing data breach threat, no matter how mature an organization’s cybersecurity program is today. If your response to these attacks isn’t already completely covered, then threat actors still have a lucrative way to target and obtain your organization’s most sensitive information.

Ideally, you are already conducting risk assessments and vendor surveys as well. If so, well done! However, it is absolutely essential to recognize vendors are most susceptible to a breach via social engineering attacks relying on exposed data. Privacy Bee not only minimizes the proliferation of your organization’s data across the vast digital landscape but also extends its protection to vendors, helping you ensure third party partners do not serve as the weak link in your security defenses or put you at risk of noncompliance. Don’t miss this step, as there are far too many massive organizations falling victim to cyberattacks due to a vendor’s lack of proactive security.

Who benefits from doing something like this?

In the ever-growing billion-dollar surveillance industry, Data Brokers and People Search Sites are the key players. They reap record-breaking profits by trading and transferring your organization’s information with obscure and uncontrollable entities. These entities then either publish this information directly for clicks or compile it all to sell on to yet another organization. Suddenly, your and your employees’ personal data can be easily found via a quick Google search.

If it’s that simple to find your and your coworkers’ information, then threat actors can launch cyberattacks at scale by targeting the most vulnerable team members with emotionally engaging messaging that turns even highly trained professionals into victims on a regular basis. The only way to prevent this is by stopping the data flow at the source. The consequences are simply too costly to risk:

  • A solitary data breach leads to massive productivity losses, expensive remediation efforts, and recurring breach incidents.
  • This isn’t new, and is a predicament that plagues the vast majority of businesses following an initial breach. Industry estimates state as many as 83% of organizations who experienced a data breach go on to experience multiple. That is staggering, and is exactly what Privacy Bee is fighting back against.
  • The initial data breach sets off a chain reaction that inflicts short-term damage on your bottom line while eroding brand value and customer trust over time.
  • Furthermore, there are ripple effects to consider, such as heightened employee turnover due to poaching.

Privacy Bee combats threat actors lurking beyond your organization’s perimeters. By meticulously analyzing every location across the internet where your personal and sensitive data resides, then swiftly purging it, Privacy Bee closes the data security gap. The service even encompasses dark web monitoring and provides timely data breach notifications if another company falls victim to an exploitation incident and exposes your information in the process.

Our unwavering commitment is deeply rooted in the belief that privacy is an inalienable human right that transcends political discourse and negotiations. This is why Privacy Bee vigilantly monitors user data for security vulnerabilities while holding the surveillance industry accountable. We compel Data Brokers, People Search Sites, and more than 150,000 additional websites to expunge your stored data and opt out of further data collection to protect you, your family, and your entire organization. This unchanging goal is the reason we offer no-charge monitoring services and deletion guides. You need only reach out when help is needed.

Privacy Bee protection covers a wide range of potential threats, including:

  1. Data breaches
  2. Social engineering attacks
  3. Doxxing
  4. Spam emails
  5. Telemarketing calls
  6. Cyberstalking
  7. Identity theft
  8. Swatting
  9. Blackmail
  10. And more!

Privacy Bee is quickly emerging as the next necessary tool in your security tool belt. There’s no better addition for business leaders with a mature cybersecurity program wanting to protect employee and customer data in the midst of innovative threat actors using AI and other new apps to scale their efforts.

Privacy is more important and harder to come by than ever. Today, you need a trusted partner fighting to preserve your personal and organizational integrity.
