O que é UCPA? Navegando pelos requisitos de conformidade

What is the Utah Consumer Privacy Act (UCPA)?

The Utah Consumer Privacy Act (UCPA) is a privacy law that was passed by the Utah State Legislature on March 24, 2022. It is also known as Utah’s privacy bill, and it aims to protect the privacy rights of consumers in Utah.

The law, which went into effect May 5, 2022— applies to businesses that collect and process personal data of Utah residents, and it gives consumers certain rights over their personal information.

Consumer Rights under Utah’s Privacy Law

Sob o UCPA, consumers have the right to know what personal information businesses are collecting about them, the right to request that their personal information be deleted, and the right to opt-out of the sale of their personal information. Businesses must also provide clear and conspicuous notices to consumers about their data collection and processing practices.

The UCPA also requires businesses to implement reasonable security measures to protect consumer data and to obtain consumer consent before collecting sensitive information, such as financial information or social security numbers.

If a business fails to comply with the UCPA, it may face enforcement actions from the Utah Attorney General’s Office, including fines of up to $2,500 per violation.

Overall, the Utah Consumer Privacy Act is similar in many ways to other privacy laws, such as the Lei de Privacidade do Consumidor da Califórnia (CCPA) and the European Union’s Regulamento Geral sobre a Proteção de Dados (GDPR). However, it has some unique provisions and requirements that businesses operating in Utah need to be aware of.

Exemptions under UCPA

The Utah Consumer Privacy Act (UCPA) is a state privacy law that governs how businesses handle and protect consumers’ personal information. However, not all entities are subject to the UCPA, as there are certain exemptions provided under the law.

The following are some examples of entities that are exempt from the UCPA:

• Pequenas empresas: Businesses that have an annual gross revenue of less than $25 million, do not process the personal information of 50,000 or more consumers, and do not derive 50% or more of their annual revenue from selling personal information are exempt from most of the requirements under the UCPA.
• Financial Institutions: Entities that are subject to certain federal laws, such as the Lei Gramm-Leach-Bliley (GLBA) ou o Lei de Portabilidade e Responsabilidade de Seguros de Saúde (HIPAA), which govern financial institutions and healthcare providers respectively, are exempt from the UCPA’s requirements to the extent that they comply with those federal laws.
• Government Agencies: Government agencies and public institutions are generally exempt from the UCPA’s requirements, except for those related to data breach notification.
• Nonprofit Organizations: Nonprofit organizations that process personal information for charitable or religious purposes are exempt from the UCPA’s requirements.

It is important to note that these exemptions are subject to certain conditions and limitations, and entities that qualify for an exemption may still be subject to other federal or state privacy laws.

UCPA Requirements for Controllers & Processors

Under Utah’s Consumer Privacy Act (UCPA), both controllers and processors have obligations to protect the privacy rights of consumers.

1. Controladores: A controller is a business that determines the purposes and means of processing consumers’ personal information. Under the UCPA, controllers must:

• Provide consumers with a privacy notice that discloses the categories of personal information collected, the purposes for which it is used, and the categories of third parties with whom it is shared.
• Allow consumers to exercise their rights to access, delete, and opt-out of the sale of their personal information.
  Obtain opt-in consent before processing sensitive personal information such as Social Security numbers, driver’s license numbers, and financial account numbers.
• Implement reasonable security measures to protect consumers’ personal information from unauthorized access or disclosure.
  Enter into contracts with processors that require them to comply with the UCPA’s requirements.

2. Processadores: A processor is a business that processes personal information on behalf of a controller. Under the UCPA, processors must:

• Only process personal information as instructed by the controller and only for the purposes specified in the contract.
• Implement reasonable security measures to protect the personal information from unauthorized access or disclosure.
• Notify the controller promptly if there is a data breach.
• Delete or return the personal information to the controller when the contract terminates.

It is important to note that the UCPA provides consumers with the right to bring a private right of action against controllers and processors for certain violations of the law. Therefore, it is crucial for businesses to comply with the UCPA’s obligations to avoid potential legal and financial consequences.

Achieve UCPA Compliance with BigID

BigID is a data privacy platform that provides businesses with tools and solutions to achieve compliance with various privacy regulations, including the Utah Consumer Privacy Act (UCPA).

To achieve UCPA compliance with BigID, businesses can follow these steps:

• Discovery: BigID’s automated data discovery tool scans an organization’s enterprise data across multi-cloud and on-prem data stores to identify and locate personal information of Utah residents. Using advanced AI and machine learning, BigID’s platform identifies sensitive data such as Social Security numbers, driver’s license numbers, and financial account numbers.
• Classificação: BigID’s data classification tool categorizes the personal information based on data sensitivity and potential risk to the consumers’ privacy rights. The tool uses advanced data analytics to identify data patterns, relationships, and context to provide accurate data classification.
• Mapping: BigID’s data mapping tool creates a visual map of the sensitive personal data stored throughout an organization—helping identify where personal information is collected, processed, stored, and shared, and assess their UCPA compliance obligations.
• Rights Management: Aplicativo do Portal de Privacidade da BigID enables businesses to manage consumer privacy rights requests such as access, deletion, and opt-out of the sale of personal information. The tool automates the workflow for handling consumer requests and provides an audit trail to demonstrate compliance with the UCPA.
• Avaliação de risco: BigID’s risk assessment tool provides businesses with a risk score for personal information processing activities, based on factors such as data sensitivity, data volume, and data usage. This helps businesses prioritize their privacy compliance efforts and allocate resources accordingly.

To see how BigID can help your organization achieve compliance with UCPA and other regulamentos de privacidade— Obtenha uma demonstração gratuita 1:1 hoje mesmo.

Autor

Alexis Porter

Gerente de marketing de conteúdo

Alexis atua como gerente de marketing de conteúdo da BigID, fornecedora de DSPM líder do setor. Ela é especialista em ajudar startups de tecnologia a criar e aprimorar sua voz - para contar histórias mais convincentes que repercutam em diversos públicos. Ela é bacharel em Redação Profissional e tem mestrado em Comunicação de Marketing pela Universidade de Denver. Alexis mora em Orlando, Flórida.