Drive UCPA sensitive data compliance

UCPA Overview

Utah Consumer Privacy Act

The Utah Consumer Privacy Act is a state privacy law in the U.S. state of Utah that went into effect on May 1, 2021. The UCPA provides new rights to Utah residents with respect to the collection, use, and disclosure of their personal information by businesses. The UCPA is intended to give Utah residents more control over their personal information and to increase transparency and accountability for businesses that handle this information.

Businesses impacted

UCPA applies to businesses that operate in Utah or that collect, use, or disclose the personal information of Utah residents, regardless of the business’s location. This means that the UCPA could potentially apply to any business that has customers or users in Utah and that handles their personal information.

The UCPA applies to businesses of all sizes and types, including both for-profit and non-profit organizations. It does not apply to federal agencies or to companies that are subject to the federal Health Insurance Portability and Accountability Act (HIPAA).

Data types covered

UCPA applies to personal information that is collected, used, or disclosed by businesses. Personal information is defined broadly under the UCPA as any information that is linked or reasonably linkable to an individual consumer. This includes a wide range of data types, including the following:

  • Identifiers such as names, addresses, phone numbers, email addresses, and social security numbers
  • Financial information such as credit card numbers, bank account numbers, and payment histories
  • Characteristics of protected classifications under state or federal law, such as race, religion, or sexual orientation
  • Internet or other electronic network activity information, including browsing history and search history
  • Geolocation data
  • Audio, electronic, or visual information, including photographs and video

Compliance requirements

Under UCPA, businesses that collect, use, or disclose the personal information of Utah residents are required to comply with certain provisions in order to protect the privacy of consumers. These compliance requirements include the following:

  1. Notice: Businesses must provide clear and concise notice to consumers about their data collection practices, including the categories of personal information that are collected, the purposes for which the information is used, and the categories of third parties with whom the information may be shared.
  2. Affirmative consent: Businesses must obtain affirmative consent from consumers before collecting, using, or disclosing sensitive personal information. Sensitive personal information includes financial information, health information, and information about children under 13 years of age.
  3. Access and correction: Consumers have the right to access their personal information and request that it be corrected or deleted. Businesses must provide a way for consumers to exercise this right.
  4. Opt out of sale: Consumers have the right to opt out of the sale of their personal information. Businesses must provide a way for consumers to exercise this right.
  5. Security: Businesses must implement reasonable security measures to protect personal information from unauthorized access, use, or disclosure.
  6. Data minimization: Businesses must limit the collection and use of personal information to what is reasonably necessary to accomplish a legitimate business purpose.

Overall, the UCPA is designed to give Utah residents more control over their personal information and to increase transparency and accountability for businesses that handle this information.

Enforcement and penalties

UCPA provides for enforcement by the Utah Attorney General and allows for both civil and criminal penalties for violations of the law.

Under the UCPA, the Utah Attorney General has the authority to investigate and bring enforcement actions against businesses that violate the law. The Attorney General may seek civil penalties of up to $2,500 per violation, or up to $7,500 per violation if the violation was intentional or involved sensitive personal information.

In addition to civil penalties, the UCPA also provides for criminal penalties for certain violations. For example, it is a class A misdemeanor, punishable by up to one year in jail and a fine of up to $2,500, to intentionally or recklessly obtain, use, or disclose personal information without the consumer’s affirmative consent.

In addition to enforcement by the Utah Attorney General, the UCPA also allows for private rights of action, meaning that individuals can bring lawsuits against businesses that violate the law. In such cases, individuals may be able to recover damages, attorneys’ fees, and other costs associated with the lawsuit.

Six ways Qohash drives compliance

Monitor sensitive data risk around the clock and receive alerts the instant risky accumulation, deletion or exfiltration occurs. If an incident occurs, use keyword search to look up a specific data element and track its full data lineage, including the exact location where the data left an environment, where it ended up, and every touch point in between.

Qohash provides a complete inventory of sensitive, unstructured data at rest. Qohash discovers sensitive data 50x faster than alternatives, across any data source, in any location. Qohash provides labeling, classification, custom RegEx and keyword searches, plus ranked and contextualized risk.

Run keyword searches by name, date, credit card number and more to find all copies of sensitive data across business systems. See which categories of sensitive data are stored on business systems. See how specific data elements moved across employees and locations. Delete data directly within the platform to show compliance with data deletion requests in any location, including endpoints.

As a foundational step in conducting a risk assessment, Qohash provides an inventory of regulated data across every data source. It provides access control lists for evaluating whether those with access have a legitimate business need for it. Gain insight into all critical exposure points for sensitive data. See how much sensitive data is on business systems and who has access to it. Put policies in place, configure risk levels appropriate to the business, and receive notifications the instant policy violations occur.

Qohash provides auditors with evidence that sensitive data is monitored and cross-referenced to employee interactions, enabling in-the-moment policy enforcement. Qohash looks into files to track data elements. It monitors those elements and cross-references them to employees and locations. Know the instant an employee has a risky interaction with sensitive data. Trace the lineage of any data element that moves onto workstations, for faster remediation.

Quickly create an access control list of all regulated data. Provide evidence of restrictions and show regular evaluation of whether those with access have a legitimate business need for it.
