UCPA Cookie Consent: Key Requirements and Best Practices
Learn about the key requirements and best practices for cookie consent under the Utah Consumer Privacy Act (UCPA). Understand what constitutes consent, when it is necessary, and other important UCPA obligations. Find out if your business needs to comply with the UCPA and discover how it compares to other state privacy laws. Get practical tips for UCPA cookie consent compliance and explore the penalties for non-compliance. Stay informed and ensure your business follows the UCPA guidelines effectively.
Utah stands among the select number of US states that have enacted a consumer privacy law, becoming the fourth state to legislate the protection of consumers' personal information.
Utah Governor Spencer Cox signed the law on March 24, 2022, making Utah the fourth state with consumer privacy legislation in place. It will come into effect on December 31, 2023.
The Utah Consumer Privacy Act (UCPA) aligns with the precedent established by California, Virginia, and Colorado, all of which have enacted data privacy laws in recent years. Connecticut joined this group shortly after Utah, and Iowa, Indiana, and Tennessee joined a few months later.
For businesses operating in Utah or online businesses targeting Utah residents, it's crucial to become familiar with this law as it imposes obligations on your operations. Understanding and complying with the UCPA requirements is not difficult. In fact, the UCPA presents straightforward requirements similar to those found in other state privacy laws. However, it is important to first learn about these requirements.
This article focuses on the cookie consent requirements arising from the UCPA. It will help you understand:
- What constitutes consent under the UCPA
- When you need to obtain UCPA cookie consent
- What the other requirements of the UCPA are
Does the UCPA Apply to Your Business?
Your business needs to comply with the Utah Consumer Privacy Act (UCPA) if it meets the following criteria:
- Operates within Utah or offers a product or service specifically aimed at residents of Utah.
- Generates an annual revenue of $25,000,000 or more.
- Meets at least one of the following criteria:
However, certain entities are exempt from the UCPA, including:
- Governmental bodies
- Tribal entities
- Business partners
- Non-profit organizations
- Higher educational institutions
- Information protected under the Health Insurance Portability and Accountability Act (HIPAA)
- Personal data gathered as part of human subjects research
- Data safeguarded by the Gramm-Leach-Bliley Act (GLBA)
- Financial institutions that process data in accordance with the Fair Credit Reporting Act (FCRA), among others.
It's important to note that the UCPA applies only to data of identifiable individuals, and de-identified data, publicly available data, and aggregated data are excluded from the scope of the law.
What Is UCPA Cookie Consent?
UCPA cookie consent refers to "an affirmative act by a consumer that unambiguously indicates the consumer's voluntary and informed agreement to allow a person to process personal data related to the consumer."
For valid consent, the user must:
- Take affirmative and unambiguous action.
- Be informed about the processing activities.
In the context of online businesses, this means that the business must:
- Wait for the consumer to click on the ACCEPT button to accept the cookies. In the case of children's information, consent must be confirmed by the parent through other means.
UCPA Cookie Consent Requirements
Although the UCPA does not specifically address the use of web cookies and tracking technologies, it regulates the processing of personal data regardless of the technology used.
However, it's important to note that obtaining consumer consent is necessary for the processing of children's data.
When collecting data from children, you must obtain consent using the methods outlined in the Children's Online Privacy Protection Act (COPPA), which include:
- Consent form: Send a consent form directly to the parent and wait for them to sign and return it via postal mail, fax, or electronic scan.
- Credit card or payment method: Charge a small amount to the parent's card as a means of verifying that the person providing consent is an adult. The charged amount is subsequently refunded.
- Toll-free telephone number: Obtain consent through a monitored conversation with the parent over the phone.
- Digital certificate: Use a digital certificate, such as one based on Public Key Infrastructure (PKI), to provide assurance of the parent's identity when giving consent.
- Email plus: For internal-use-only activities involving the collection of personal information, an "email plus" system can be used. This involves sending an email to the parent and taking additional steps, like sending a delayed confirmatory email, to reasonably ensure that the person providing consent is the parent.
- Knowledge-based authentication questions: Pose questions that only the parent would know the answer to as a means of verifying their identity.
- Identity verification services: Utilize third-party services that can verify the identity of parents, such as checking their government-issued identification.
These methods ensure compliance with COPPA when obtaining consent for the processing of children's data.
UCPA Consent Requirements for the Processing of Sensitive Data
The UCPA allows the processing of sensitive data if the business provides the consumer with a clear privacy notice and an opportunity to opt out of the processing. Opt-in is not required.
Some other laws, such as the Virginia Consumer Data Protection Act and the Connecticut Data Protection Act, require an explicit opt-in for the processing of sensitive data. The Utah privacy legislation does not follow that precedent.
The UCPA relies on the opt-out principle, which means that businesses are free to process data as long as the consumer does not oppose the processing through the use of opt-out mechanisms.
Sensitive data includes:
- Data on ethnic origin, race, religious beliefs, sexual orientation, citizenship or immigration status, and medical data;
- Biometric data for the purpose of identification of the person; and
- Specific geolocation data.
Other UCPA Compliance Requirements
Bearing in mind that you don't need to obtain cookie consent under the UCPA, the other consent-related requirements are rather limited.
Only the processing of children's personal information would create additional duties, such as having to prove that you have obtained parental consent.
However, you also have to comply with the following data privacy requirements:
- Honor consumer requests: Consumers have consumer rights, and you must honor them. UCPA consumer rights include the right to know, access, data portability, deletion, and opt-out. In addition, you must not discriminate against consumers based on exercising consumer rights.
- Provide consumers with opt-out tools: If you use sensitive data for targeted advertising or sell personal information, you must allow data subjects to opt out of the processing.
Penalties for Non-Compliance with the UCPA
The Utah Consumer Privacy Act (UCPA) is enforced by the Utah Attorney General. This office can investigate UCPA-related issues and impose fines on businesses that violate the rules.
The Attorney General has the authority to:
- Impose a fine of up to $7,500 per violation, and
- Recover the actual damages suffered by consumers as a result of UCPA violations.
Before issuing any fines, the Attorney General allows businesses 30 days to rectify the issue. If the business resolves the problem within this timeframe, no fine will be imposed. However, if the issue remains unresolved, the business will be fined.
The Division of Consumer Protection can also investigate consumer complaints, but it does not have the power to take enforcement action.
Unlike California's law, the UCPA does not grant consumers a private right of action to pursue legal action on their own. Instead, they must rely on the Attorney General to defend their privacy rights.
How Does UCPA Compare to Other US State Privacy Laws?
The UCPA is considered the least demanding consumer data privacy legislation in the United States.
Compared to other similar laws such as the California Consumer Privacy Act (CCPA), California Privacy Rights Act (CPRA), Colorado Privacy Act (CPA), Virginia Consumer Data Protection Act (VCDPA), and the Connecticut Data Protection Act (CTDPA), the UCPA offers less stringent protections for consumer personal data.
These other laws may include provisions such as allowing a private right of action, requiring explicit consent for sensitive data processing, and mandating data privacy assessments to mitigate risks.
Furthermore, it's worth noting that the UCPA falls significantly short of the requirements set forth in the EU's General Data Protection Regulation (GDPR).
How to Comply with the UCPA Cookie Consent Requirements?
Ensure that you obtain parental consent if you collect data on a known child.
Consider using a consent management platform to facilitate the handling of privacy notices, opt-out mechanisms, and exemptions.