UCPA Cookie Consent: Key Requirements and Best Practices

Utah stands among the select number of US states that have enacted a consumer privacy law, becoming the fourth state to legislate the protection of consumers' personal information.

Utah Governor Spencer Cox signed the law on March 24, 2022, making Utah the fourth state with consumer privacy legislation in place. It will come into effect on December 31, 2023.

The Utah Consumer Privacy Act (UCPA) aligns with the precedent established by California, Virginia, and Colorado, all of which have enacted data privacy laws in recent years. Connecticut joined this group shortly after Utah, and Iowa, Indiana, and Tennessee joined a few months later.

For businesses operating in Utah or online businesses targeting Utah residents, it's crucial to become familiar with this law as it imposes obligations on your operations. Understanding and complying with the UCPA requirements is not difficult. In fact, the UCPA presents straightforward requirements similar to those found in other state privacy laws. However, it is important to first learn about these requirements.

This article focuses on the cookie consent requirements arising from the UCPA. It will help you understand:

• What constitutes consent under the UCPA
• When do you need to obtain UCPA cookie consent
• What are the other requirements of the UCPA
  

Does the UCPA Apply to Your Business?

Your business needs to comply with the Utah Consumer Privacy Act (UCPA) if it meets the following criteria:

1. Operates within Utah or offers a product or service specifically aimed at residents of Utah.
2. Generates an annual revenue of $25,000,000 or more.
3. Meets at least one of the following criteria:
   undefinedundefinedundefined

However, certain entities are exempt from the UCPA, including:

• Governmental bodies
• Tribal entities
• Business partners
• Non-profit organizations
• Higher educational institutions
• Information protected under the Health Insurance Portability and Accountability Act (HIPAA)
• Personal data gathered as part of human subjects research
• Data safeguarded by the Gramm-Leach-Bliley Act (GLBA)
• Financial institutions that process data in accordance with the Fair Credit Reporting Act (FCRA), among others.

It's important to note that the UCPA applies only to data of identifiable individuals, and de-identified data, publicly available data, and aggregated data are excluded from the scope of the law.

What Is UCPA Cookie Consent?

UCPA cookie consent refers to "an affirmative act by a consumer that unambiguously indicates the consumer's voluntary and informed agreement to allow a person to process personal data related to the consumer."

For valid consent, the user must:

• Take affirmative and unambiguous action.
• Be informed about the processing activities.

In the context of online businesses, this means that the business must:

• Provide the consumer with a clear notice in plain language containing essential information on the processing of personal data. Typically, this involves a privacy notice with a link to the privacy policy.
• Wait for the consumer to click on the ACCEPT button to accept the cookies. In the case of children's information, consent must be confirmed by the parent through other means.
  

UCPA Cookie Consent Requirements

Although the UCPA does not specifically address the use of web cookies and tracking technologies, it regulates the processing of personal data regardless of the technology used.

Considering how cookies function, it raises questions about whether the UCPA imposes any requirements specifically for the use of cookies.

However, it's important to note that obtaining consumer consent is necessary for the processing of children's data.

When collecting data from children, you must obtain consent using the methods outlined in the Children's Online Privacy Protection Act (COPPA), which include:

1. Consent form: Send a consent form directly to the parent and wait for them to sign and return it via postal mail, fax, or electronic scan.
2. Credit card or payment method: Charge a small amount to the parent's card as a means of verifying that the person providing consent is an adult. The charged amount is subsequently refunded.
3. Toll-free telephone number: Obtain consent through a monitored conversation with the parent over the phone.
4. Digital certificate: Use a digital certificate, such as one based on Public Key Infrastructure (PKI), to provide assurance of the parent's identity when giving consent.
5. Email plus: For internal-use-only activities involving the collection of personal information, an "email plus" system can be used. This involves sending an email to the parent and taking additional steps, like sending a delayed confirmatory email, to reasonably ensure that the person providing consent is the parent.
6. Knowledge-based authentication questions: Pose questions that only the parent would know the answer to as a means of verifying their identity.
7. Identity verification services: Utilize third-party services that can verify the identity of parents, such as checking their government-issued identification.

These methods ensure compliance with COPPA when obtaining consent for the processing of children's data.

UCPA Consent Requirements for the Processing of Sensitive Data

The UCPA allows the processing of sensitive data if the business provides the consumer with a clear privacy notice and an opportunity to opt out of the processing. Opt-in is not required.

Some other laws, such as the Virginia Consumer Data Protection Act and the Connecticut Data Protection Act, require an explicit opt-in for the processing of sensitive data. The Utah privacy legislation does not follow that precedent.

The UCPA relies on the opt-out principle, which means that businesses are free to process data as long as the consumer does not oppose the processing through the use of opt-out mechanisms.

Sensitive data includes:

• Data on ethnic origin, race, religious beliefs, sexual orientation, citizenship or immigration status, and medical data;
• Biometric data for the purpose of identification of the person; and
• Specific geolocation data.
  

Other UCPA Compliance Requirements

Having in mind that you don't need to obtain cookie consent under the UCPA, the other consent-related requirements are rather limited.

Only the processing of children's personal information would create additional duties, such as having to prove that you have obtained parental consent.

However, you also have to comply with the following data privacy requirements:

1. Honor consumer requests: Consumers have consumer rights, and you must honor them. UCPA consumer rights include the right to know, access, data portability, deletion, and opt-out. In addition, you must not discriminate against consumers based on exercising consumer rights.
2. Provide consumers with an up-to-date privacy notice and privacy policy: As a data controller, you have to be transparent to data subjects. Privacy notices are the tool for doing so.
3. Provide consumers with opt-out tools: If you use sensitive data for targeted advertising or sell personal information, you must allow data subjects to opt out of the processing.
   

Penalties for Non-Compliance with the UCPA

The Utah Consumer Privacy Act (UCPA) is managed by the Utah Attorney General. This office can investigate UCPA-related issues and impose fines on businesses that violate the rules.

The Attorney General has the authority to:

1. Impose a fine of up to $7,500 per violation, and
2. Recover the actual damages suffered by consumers as a result of UCPA violations.

Before issuing any fines, the Attorney General allows businesses 30 days to rectify the issue. If the business resolves the problem within this timeframe, no fine will be imposed. However, if the issue remains unresolved, the business will be fined.

The Division of Consumer Protection can also investigate consumer complaints, but it does not have the power to take enforcement action.

Unlike California's law, the UCPA does not grant consumers a private right of action to pursue legal action on their own. Instead, they must rely on the Attorney General to defend their privacy rights.

How Does UCPA Compare to Other US State Privacy Laws?

The UCPA is considered the least demanding consumer data privacy legislation in the United States.

Compared to other similar laws such as the California Consumer Privacy Act (CCPA), California Privacy Rights Act (CPRA), Colorado Privacy Act (CPA), Virginia Consumer Data Protection Act (VCDPA), and the Connecticut Data Protection Act (CTDPA), the UCPA offers less stringent protections for consumer personal data.

These other laws may include provisions such as allowing a private right of action, requiring explicit consent for sensitive data processing, and mandating data privacy assessments to mitigate risks.

Furthermore, it's worth noting that the UCPA falls significantly short of the requirements set forth in the EU's General Data Protection Regulation (GDPR).

How to Comply with the UCPA Cookie Consent Requirements?

Ensure that you obtain parental consent if you collect data on a known child.

In all other cases, make sure to provide consumers with a privacy notice, a privacy policy, and, if applicable, mechanisms to opt out of the processing of sensitive data, processing for targeted advertising, and the sale of the consumer's personal data, unless exemptions apply.

Consider using a consent management platform to facilitate the handling of privacy notices, opt-out mechanisms, and exemptions.