Utah Consumer Privacy Act (UCPA) Compliance

Utah Consumer Privacy Act (UCPA)

The Utah Consumer Privacy Act (UCPA) is applicable to data controllers operating in Utah who meet the following criteria:

– Have an annual revenue of at least $25 million;

– And either (a) control or process the personal data of 100,000 or more consumers per year, or (b) derive over 50% of gross revenue from the sale of personal data and process the data of 25,000 or more consumers.

The UCPA does not apply to aggregated data that is not linkable to any consumer.

Utah was the fourth U.S. state to implement comprehensive consumer privacy legislation, and the UCPA became effective on December 31, 2023.

The UCPA applies to individuals who conduct business in Utah or who process personal data of a specific number of residents

Obligations & Consequences

The following are few key obligations & consequences, flowing from the UCPA, on any organization to whom these provisions apply:

UCPA requires that companies uphold the principle of “Transparency” where informing users what data is collected from them, the purpose for collection, what data is shared with third parties, and how to exercise their data rights.
The UCPA mandates the collecting of parental consent in order to process children’s personal data.
The UCPA grants the consumer four basic rights: Right to access, right to delete, right to data portability, and right to opt out of certain processing.
Adoption of the “Data Minimization”, which implies that, organizations must collect & retain what is reasonably necessary and proportionate to the intended purpose.

Challenges

Following challenges, emanating from the UCPA requirements, are currently being encountered by various organizations:

To facilitate its smooth implementation of UCPA Organizations need to have knowledge of their entire “Data Footprint” to facilitate implementation of the CPA.
Lack of visibility for Organizations sharing the user data with various third parties, during the course of its business.
Manually managing data mapping and inventory to adhere to UCPA requirements is costly and time-consuming, but must be done within a 45 days period or the organization opens itself to sanctions.
Implementation of Data Minimization under UCPA.
Lack of provision or process to delete the data, despite the fact that the UCPA mandates data deletion when the lawful basis for processing expires.
Organizations lack the mechanism of validating the permanent deletion of the data.

Solutions

Compliance Automation

TurtleShield CA (Compliance Automation) automates and streamline privacy-related processes and tasks. Compliance assessments, risk assessments, PIAs and DPIAs aim to enhance privacy practices, ensure compliance with applicable privacy laws and regulations, and protect sensitive information. Overall, a privacy automation solution simplifies and streamlines privacy management processes, reducing the risk of non-compliance and improving data protection practices.
Data Discovery and Intelligence

Our AI-based, patented solution, TurtleShield DD (Data Discovery and Intelligence) discovers all personal and sensitive data in structured and unstructured data systems across on-premises and multi-cloud environments. It enables organizations to inventory & map their entire “Data footprint”, enabling them to protect what matters the most.

Often, organizational silos between business and IT teams make it difficult to get a complete view of data flowing in and out, especially when shared with third parties or partners. TurtleShield DD automatically maps your “data sharing” to provide clear visibility and actionable insights.
Data Minimization

TurtleShield DM (Data Minimization) helps businesses minimize excess data and adhere to data minimization principle. This is data hygiene control and we are approaching it from a risk reduction and compliance perspective. We scan large data sets to scan for excess data using Machine Learning and find out excess data including personal data. This can eliminate operational inefficiencies and save cost by removing the unwanted data and legal cost of having it with respect to regulatory compliance.
Right to Erasure with Assured Deletion
Enable Data subject rights with cost savings and compliance in totality

Search capability in large datasets to fulfill consumer requests in totality and at rapid space. Assumption that data only exists in databases and nowhere else is often not reality as customer data exists in many sources. Using Machine learning and AI we crawl across data sources and predict where PII can exist.
TurtleShield Unified Consent Management

TurtleShield UCM (Unified Consent Management) is designed to help organizations ensure consent compliance by implementing processes, technologies, and policies that enable the proper user consent collection, storage, updating, revocation and management in alignment with applicable data protection regulations and industry best practices.