If your business needs to comply with the Utah Consumer Privacy Act (UCPA), this checklist is for you.
Follow my easy six-step checklist below for help meeting some of the requirements and guidelines outlined by the UCPA.
UCPA Compliance Checklist: Step-by-Step
Businesses that need to comply with the UCPA can follow this easy step-by-step checklist for help meeting the necessary requirements.
Part 1: Perform a Privacy Audit
To comply with data privacy laws like the UCPA, you must know all personal information your business collects from Utah consumers.
Perform a privacy audit to identify and categorize this information so you can present it to consumers in your privacy policy.
You should also know why you collect and process the data, how it is used, and whether you share or sell it to third parties.
You can perform a data inventory using one of the following methods:
Part 2: Privacy Notification Requirements
According to the UCPA, you must present users with a clear and meaningful privacy policy that explains:
- What personal data categories you collect.
- How you process the data.
- Who has access to the data.
- How you use the data.
- Why you’re processing the data.
- What rights Utah consumers have over their data.
- How consumers can act on those rights.
- The categories of data shared with third parties.
Part 3: Consent Management for Specific Data Processing
Present your Utah consumers with a compliant consent banner configured to allow them to opt out of specific data processing activities, as required by the UCPA.
For example, protected consumers have the right to opt out of:
- Having their data sold to third parties.
- Having their data processed for targeted advertising.
- The processing of sensitive personal information.
Part 4: Contractual Obligations for Sharing or Selling Personal Data
If you work with any third parties or data processors who have access to your Utah consumers’ information, you must both sign contracts outlining the following:
- Includes the instructions for the data processing, its nature, and purpose.
- Lists the types of data being processed and the duration of the processing.
- Outlines the rights of each party and their specific obligations.
- Require a duty of confidentiality concerning the personal data.
- Require any subcontractors to sign a contract outlining the same obligations.
Part 5: Consumer Rights and Verifiable Consumer Requests
The UCPA requires businesses to provide Utah consumers with two or more ways they can act on their rights to:
- Confirm if you’re processing their personal data.
- Request access to their personal data.
- Delete the consumer’s personal data that they provided to the controller.
- Obtain a portable copy of the data when possible.
- Opt-out of having their data sold.
- Opt-out of targeted advertising.
- Opt-out of the processing of sensitive personal data.
Methods you might implement to allow users to submit verifiable consumer requests to act on these rights easily include:
- Posting a data subject access request (DSAR) form on your website.
- Presenting users with a consent banner and cookie policy disclosing if you use cookies to collect sensitive data, data you sell, or data used for targeted ads.
- Providing users with a working email address so they can contact you to request to follow through on their rights.
Part 6: Security Procedures and Practices
The UCPA requires you to establish, implement, and maintain reasonable administrative, technical, and physical data security procedures.
You must protect the confidentiality and integrity of the data and reduce risks of foreseeable harm to consumers relating to data processing.
While the law is not specific about what security measures you must implement, some standard techniques include:
- Anonymizing and de-identifying the data
- Encrypting the information
- Access controls
- Creating a data backup or recovery plan
- Creating a comprehensive personal data map
Download the UCPA Compliance Requirements Checklist
You can view our UCPA checklist below.
UCPA Requirements FAQ
Let’s answer some of the most common questions we get from businesses about complying with the UCPA.
Does the UCPA apply to my business?
The UCPA applies to your business if you conduct business in the state or target your products or services to residents of the state, have an annual revenue of at least $25 million, and:
- Processes or controls the personal data of at least 100,000 Utah consumers.
- Or processes and controls the personal data of at least 25,000 Utah consumers and derives more than 50% of gross annual revenue from the sale of data.
When did the UCPA take effect?
The UCPA took effect on December 31, 2023.
Who enforces the UCPA?
The UCPA is enforced by the attorney general, but the Utah Division of Consumer Protection (DCP) can also establish a system for receiving complaints about violations.
What are the penalties for violating the UCPA?
A controller or processor will receive a notice from the attorney general and must cure the violation within thirty days.
If they fail to cure the violation, or submit a written notice of cure but continue to violate the regulations, then that controller or processor is subject to the following penalties:
- The consumer’s actual damages caused by the violation
- A maximum fine of $7,500 per violation
Consumers do not have a private right of action under the UCPA.
Can Termly help with UCPA compliance?
Termly offers a privacy policy generator and consent management platform that can help simplify business compliance with the UCPA.
Our generator is backed by our legal team and data privacy experts and includes the clauses to help you meet the notification requirements outlined by the law.
In addition, our CMP is configurable to allow your Utah consumers to follow through on their opt-out rights.
Summary
If your business needs to comply with the UCPA, follow our easy six-step checklist:
- Perform a privacy audit so you know what personal information your business collects and why and how it’s used.
- Make and present your users with a compliant privacy policy.
- Use a consent banner to obtain users’ consent and allow them to opt out of certain types of data processing easily.
- Make, implement, and sign contracts with third-party processors that follow the law’s guidelines.
- Give Utah users two or more ways to submit verifiable consumer requests to follow through on their privacy rights.
- Establish, implement, and maintain reasonable security measures to protect the integrity and accessibility of the personal data you collect.
Using resources like our privacy policy generator and CMP can help simplify the process of following laws like the UCPA.
More about the author
Written by Josh Langeland, CIPM
Hi, I’m Josh! I am a Privacy Engineer passionate about using technology to respect user privacy. I thrive at the intersection of complex technology and ever-changing privacy law. If I’m not drafting a design review or re-architecting a system, you might find me reading a biography or hiking at the closest national park. More about the author
