The United States does not yet have a single federal data protection law. To date, an increasing number of states have passed their own laws and/or updated existing ones, and bills have been introduced, are in progress, or have failed in many others.
There are a number of other long standing privacy laws that target specific types of information or human demographics in the US, like the Health Insurance Portability and Accountability Act (HIPAA) for health and the Children’s Online Privacy Protection Act (COPPA) for children’s safety. This does not make it easy to keep track of all or achieve compliance for all relevant regulations that address personal data.
The first and most influential state-level consumer privacy law passed in the United States is the California Consumer Privacy Act (CCPA). It takes some influence from the European Union’s General Data Protection Regulation (GDPR) and has, in turn, influenced privacy bills drafted by other states, including the Virginia Consumer Data Protection Act (VCDPA).
What is the California Consumer Privacy Act (CCPA)?
The California Consumer Privacy Act (CCPA) is a US state-level consumer privacy law that was passed in 2018 and came into effect on January 1, 2020. It applies exclusively to residents of California, known as ”consumers” under the law, and regulates the protection of their personal information.
It’s worth noting, however, that California is the most populous US state, with a population of over 39 million people, as well as having the world’s fifth largest economy, and a number of the world’s largest and most influential tech companies are headquartered there. So the state has an outsized influence on many fronts.
A consumer under the law is a natural person who is a resident of California, however identified, including by means of a unique identifier. A “resident” means:
- every individual who is in the State for other than a temporary or transitory purpose
and
- every individual who is domiciled in the state who is outside the state for a temporary or transitory purpose
The CCPA was amended and expanded by the California Privacy Rights Act (CPRA), which took effect on January 1, 2023, and granted additional rights to consumers and established the California Privacy Protection Agency (CPPA), among other things. Enforcement of the CPRA began in February 2024 after a legal challenge. Enforcement had been scheduled to begin on July 1, 2023.
Definitions under the California Consumer Privacy Act (CCPA) data privacy law
The CCPA, as amended by the CPRA, defines several terms that cover the data it protects and data processing activities. Unlike most other data privacy laws, California does not use the terms “controller” or “processor”.
Personal information under the CCPA/CPRA
The CCPA/CPRA law defines personal information as “information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.”
The CCPA/CPRA’s definition of personal information is wide ranging, and examples under the law include, among other things:
- IP address, real name, alias, postal address, Social Security number, and email address
- biometric information that can establish individual identity, such as imagery of the iris, retina, fingerprint, face, hand, palm, vein patterns, and voice recordings, as well as sleep, health, or exercise data that contain identifying information
- electronic activity information, such as browsing history or interactions with online ads
- professional or employment-related information
Personal information is known as personal data under many international and other state-level data privacy laws in the US.
Sensitive personal information under the CCPA/CPRA
Sensitive personal information is that which can cause harm to a consumer if misused, and includes, among other things:
- driver’s license, state ID card, passport, or Social Security number
- precise geolocation data that can accurately identify a person within a radius of 1850 feet (563 meters)
- racial or ethnic origin
- debit card or credit card number in combination with any required password or credentials that provide access to the account
- genetic data
- contents of a consumer’s postal mail, email, and text messages
Unique identifier under the CCPA/CPRA
The CCPA/CPRA law defines a unique identifier or “unique personal identifier” as “a persistent identifier that can be used to recognize a consumer, a family, or a device that is linked to a consumer or family, over time and across different services.”
The law specifies that a family means a custodial parent or guardian and any children under 18 years of age who are in their custody.
Examples of unique identifiers are:
- device identifier
- IP address
- cookies, beacons, pixel tags, mobile ad identifiers, or similar technology
- customer number, unique pseudonym, or user alias
Consent under the CCPA/CPRA
The law defines consent as “any freely given, specific, informed, and unambiguous indication of the consumer’s wishes by which the consumer, or the consumer’s legal guardian, a person who has power of attorney, or a person acting as a conservator for the consumer, including by a statement or by a clear affirmative action, signifies agreement to the processing of personal information relating to the consumer for a narrowly defined particular purpose.“
The following does not constitute valid consent under the CCPA/CPRA:
- acceptance of a general or broad terms of use or similar document
- hovering over, muting, pausing, or closing a piece of content
- agreement obtained through dark patterns
Sale under the CCPA/CPRA
The law defines sale as “selling, renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating orally, in writing, or by electronic or other means, a consumer’s personal information by the business to a third party for monetary or other valuable consideration.”
A business is not considered to have sold information when:
- a consumer uses or directs the business to intentionally disclose or interact with third parties
- the business uses or shares an identifier for the consumer, for the purpose of informing others that the consumer has opted out of the sale of or limited the use of their personal information
- the business transfers personal information to a third party as an asset that is part of a merger, acquisition, bankruptcy, or other transaction in which the third party assumes control of all or part of the business
Who must comply with the California Consumer Privacy Act (CCPA)?
The CCPA/CPRA law applies to for profit businesses that operate in California and collect the personal information of the state’s residents, if they meet any one the following thresholds:
- annual gross revenues exceeding USD 26,625,000 for the previous calendar year
- receive, buy, sell, or share personal information of 100,000 or more consumers or households
- earn more than half of their annual revenue from the sale of consumers’ personal information
Interestingly, more recently passed privacy laws in other states have abandoned the revenue-only compliance threshold. Whether or not the company is headquartered in or has an office in California is not relevant to compliance. All companies that meet the threshold must meet CCPA/CPRA obligations if they are doing business with California residents, regardless of where in the world they are based.
What are consumers’ rights under the California Consumer Privacy Act (CCPA) laws?
The CCPA, as amended by the CPRA, grants consumers several rights to enable them to protect their personal information and control how it’s used.
- Right to delete: consumers can request businesses to delete their personal information that was collected from the consumer.
- Right to correct: consumers can request a business to correct any incomplete or inaccurate personal information that it holds.
- Right to know and access: consumers have a right to know and access the categories of personal information the business holds about them, the purposes for collecting the information, where the business obtained the information from, categories of third parties who receive the information, and the specific personal information the business has collected about the consumer.
- Right to know regarding sale or disclosure: consumers have the right to know what categories of personal information the business holds; the categories of personal information sold, shared, or disclosed; and the categories of third parties to whom it is sold, shared, or disclosed.
- Right to opt out: consumers have the right to opt out of the sale or sharing of their personal information.
- Right to limit: consumers have the right to limit the use or disclosure of their sensitive personal information.
- Right of nondiscrimination: consumers have the right not to be discriminated against for exercising any of their rights under the law.
In addition to these rights that are explicitly stated in the CCPA/CPRA, consumers also have the right to data portability. Where a consumer has exercised their right to know and access personal information, businesses must present the consumer’s specific personal information in a “structured, commonly used, machine-readable format.”
Obligations under the California Consumer Privacy Act (CCPA) Rules
Businesses have specific CCPA/CPRA obligations to protect consumers’ personal data, ensuring transparency and accountability in their data handling practices.
Notices required under the CCPA/CPRA
The CCPA/CPRA requires businesses to provide two distinct notices to consumers: a notice at collection and a privacy policy.
A notice at collection must be displayed to consumers at or before the point where the business collects their personal information. This notice must clearly list:
- categories of personal information collected, including sensitive personal information, if any
- purposes for which personal information will be used, including sensitive personal information, if any
- whether personal information or sensitive personal information is sold or shared
- how long the business will retain the personal information and sensitive personal information
- If the business sells or shares personal information, the notice must include a link with the specific words “Do Not Sell Or Share My Personal Information”, enabling consumers to easily opt out of such transactions.
The notice at collection should contain a link to the business’s privacy policy.
The CCPA privacy policy must include:
- a description of consumers’ privacy rights and how to exercise them
- categories of personal information collected, sold, or shared in the preceding 12 months
- categories of sources from which personal information is collected
- business or commercial purpose for collecting, selling, or sharing personal information
- categories of third parties to whom personal information is disclosed
Businesses commonly make their privacy policy accessible on their websites, typically found via a link in the footer so that consumers can easily find and review the privacy policy.
Consent requirements under the CCPA/CPRA
In most cases, the CCPA/CPRA does not require explicit consent from consumers for the collection, use, or sharing of their personal information. It operates on an opt-out model, where consumers are assumed to consent to data use unless they choose to opt out. There is an exception for the personal information belonging to minors:
- For minors aged 13 to 16, businesses must obtain explicit, opt-in consent from the minor before selling or sharing their personal information
- For minors under 13 years of age, businesses must obtain explicit consent from a parent or guardian before collecting or selling their data
Consumers have the right to opt out of the sale and several other uses of their personal information and to limit the use or disclosure of sensitive personal information.
Opt-out requests under the CCPA/CPRA
Businesses must provide options for consumers to opt out of:
- sale or sharing of their personal information (and targeted advertising and profiling under the CPRA)
- use or disclosure of their sensitive personal information for unauthorized purposes
The law mandates specific ways for businesses to provide consumers with opt-out options.
- Through a clear and conspicuous link on the business’s homepage titled “Do Not Sell Or Share My Personal Information,” which directs consumers to a page from which they can opt out of the sale or sharing of their personal information.
- Through a clear and conspicuous link titled “Limit The Use Of My Sensitive Personal Information,” which enables consumers to limit the use or disclosure of their sensitive personal information.
- If a business prefers, it can use a single link that combines both functions, as long as it effectively enables consumers to opt out of both, the sale, sharing, targeted advertising, or profiling from their personal information, and limiting the use or disclosure of their sensitive personal information.
Businesses must also respect universal opt-out mechanisms, such as Global Privacy Control (GPC) signals, through which consumers can set their consent preferences once and communicate them automatically across various websites and online services.
Consumer requests for right to know, correct, and delete
Consumers have the right to request information about the personal data collected about them, as well as to correct inaccuracies or to delete that data.
The law requires businesses to provide at least two designated methods for consumers to submit their requests, which must include a toll-free telephone number. For businesses that operate exclusively online and have a direct relationship with consumers, an email address is sufficient.
If a business maintains a website, it should enable consumers to submit requests for information, correction, and deletion directly through the site.
Consumers can request data that was collected up to 12 months prior to the date of their request. Businesses have 45 days from the date of the request to disclose the requested information, and they may seek an extension of an additional 45 days under certain circumstances
While businesses may require consumers to login to an existing account to verify identity and submit a request, they cannot require consumers to create a new account for this purpose.
Contracts under the CCPA/CPRA
Businesses that collect consumers’ personal information sometimes sell or share consumers’ personal information with a third party, or disclose the personal information to a service provider or contractor for business purposes.
The CCPA/CPRA requires businesses to enter into agreements with these third parties, service providers, or contractors. The agreement must outline that:
- the personal information is sold, shared, or disclosed only for limited and specific purposes
- the third party, service provider, or contractor must comply with the CCPA/CPRA obligations applicable to them
- the third party, service provider, or contractor must provide the level of data privacy protection required by the law
- the business is entitled to take “reasonable and appropriate steps” to ensure that any third party, service provider, or contractor uses the personal information shared in a way that aligns with the business’s CCPA/CPRA obligations
- the third party, service provider, or contractor must inform the business if it cannot meet its legal obligations
- the business has the right to take reasonable and appropriate steps to stop and remedy any unauthorized use of personal information, after providing notice
Contracts with service providers and contractors must also prohibit them from:
- selling or sharing personal information
- retaining, using, or disclosing personal information for any purpose other than that specific in the contract
- combining the personal information received from the business with personal information received by any other means, except for purposes exempted under the law
Data security under the CCPA/CPRA
Businesses that collect consumers’ personal information are obligated to safeguard the personal information from unauthorized or illegal access, destruction, use, modification, or disclosure. The CCPA/CPRA requires businesses to implement “reasonable security procedures and practices” for this purpose.
Data minimization under the CCPA/CPRA
Under the CCPA/CPRA, businesses can collect, use, store, and share consumers’ personal information only to the extent needed to achieve the original purpose for collecting the information, or for another compatible purpose. The personal information must not be processed in ways that conflict with the original purposes.
This requirement is a key aspect of data minimization, which means that companies must limit their handling of personal data to what is essential for the intended purposes.
The CPPA, in its Enforcement Advisory No. 2024-1, has highlighted the various CCPA regulations that reflect the principle of data minimization by prohibiting businesses from requiring consumers to share additional information “beyond what is necessary.”
Enforcement and penalties under the California Consumer Privacy Act (CCPA)
The CCPA/CPRA has certain unique characteristics when it comes to enforcing the state’s consumer privacy law.
Unlike most states, where the Attorney General has sole enforcement authority, California permits both the Attorney General and CPPA to enforce the law. However, the CPPA cannot limit the Attorney General’s authority and must stay an administrative action or investigation when requested. A business cannot be penalized by both the Attorney General and the CPPA.
Violations of the CCPA/CPRA attract civil penalties of up to:
- USD 2,663 per non-intentional violation
- USD 7,988 per intentional violation and violation involving the personal information of minors
The CCPA/CPRA is also the only consumer privacy law in the US that grants consumers a private right of action, although it is limited to specific situations. Consumers can sue businesses in the event of a data breach or personal security information breach, which occurred because the business failed to implement reasonable security measures to protect the personal information and that results in non-encrypted or non-redacted data being stolen.
Consumers must give businesses 30 days to cure the violation in the event of a data breach before they can bring an action against the business. Of note is that when the CCPA came into effect, the Attorney General also provided a 30-day cure period; however, that has now sunset.
Consumers can bring an action:
- to recover damages between USD 107 and USD 799 per incident, or actual damages suffered, whichever is greater
- for injunctive or declaratory relief
If a consumer believes their rights, other than those arising out of a data breach, have been violated, they may file a complaint with the Attorney General or the CPPA.
GDPR vs. CCPA: a summary
The EU’s General Data Protection Regulation (GDPR) and the CCPA/CPRA are landmark regulations when it comes to protecting data privacy.
The GDPR is considered one of the most stringent data protection regulations worldwide, and has influenced many other regulations, such as Brazil’s General Data Protection Law (LGPD) and the CCPA.
The CCPA was the first state-level consumer privacy law passed in the US and has many unique provisions, such as dual enforcement and private right of action.
We look at the two regulations side by side to examine some of the similarities and differences.
CCPA | GDPR | |
---|---|---|
Scope and applicability | Applies to for-profit businesses that collect personal information from California residents and either: – have annual gross revenues exceeding USD 26,625,000 for the previous calendar year – receive, buy, or sell personal information of 100,000 or more consumers or households – earn more than half of their annual revenue from the sale of consumers’ personal information It applies to any business that meets these conditions, regardless of where the business is located (extraterritoriality). | Applies to any entity that processes the personal data of individuals located in the EU/EEA and either: – offers them goods and services – monitors their behavior Like the CCPA, it applies regardless of where the business is located (extraterritoriality). The GDPR applies to non-profit organizations and government agencies as well as for-profit businesses. |
What it protects | Personal information of California residents, known as consumers, even if they are temporarily outside the state. Personal information includes that which can be linked to a consumer or a household. | Personal data of individuals located in the EU territory, known as data subjects. Applies to individuals only and does not extend to households. |
Consent | Operates on an opt-out consent model and doesn’t require prior consent to collect and process data in most cases. Consumers can opt out of the use of their data in specific cases. | Operates on an opt-in consent model, meaning that organizations cannot collect or process data unless the user gives their explicit consent. |
Legal bases | There are no specific legal bases for collecting personal information. | Personal data can only be collected if there is a legal basis: – consent – to perform a contract – legal obligation – to protect vital interests – in the public interest – legitimate interest |
Enforcement authority | California Attorney General and California Privacy Protection Agency (CPPA). | Data Protection Authorities (DPA) of the EU Member States. |
Private right of action | Consumers can directly sue businesses only in the event of a data breach caused by a failure to take security measures, in specific circumstances. | Data subjects can lodge complaints with the DPA in their state and receive compensation if they have suffered material or non-material damage. |
Civil penalties | Up to USD 2,500 per non-intentional violation and USD 7,500 per intentional violation, and statutory damages for data breach. | Up to 2 percent of annual turnover or EU 10 million, whichever is higher, for certain violations. Up to 4 percent of annual turnover or EU 20 million, whichever is higher, for more serious violations. |
What does the CCPA/CPRA mean for companies’ websites?
If a business meets one of the CCPA/CPRA thresholds and has an online property, it must take several steps to meet CCPA/CPRA obligations.
- The website must present visitors with a notice at collection that lists the categories and purposes of the personal data collected, whether personal information is sold or shared, and how long the business will retain the personal information.
- The website must include a privacy policy that informs consumers of their privacy rights and how to exercise them, as well as the business’ privacy practices in more detail.
- If the business sells or shares personal data, it must present a link titled “Do Not Sell Or Share My Personal Information” to enable users to opt out of the sale of their personal data. It must also present a link titled “Limit The Use of My Sensitive Personal Information” to enable users to opt out of the use of their sensitive personal information.
- For personal information of minors, businesses must obtain explicit consent from the consumer (between 13 and 16 years) or their parent or guardian (when the minor is below 13 years) before their personal information can be shared or sold.
Businesses can use a consent management platform (CMP) like Usercentrics CMP to achieve CCPA compliance.
A CMP enables websites to display cookie consent banners with straightforward links or buttons that enable users to opt out of data processing. It can also handle cookies and other tracking technologies, blocking their use when a consumer exercises their right to opt out.
CMPs also help websites provide clear information to users about the types of data being collected, the purposes for collection, and the third parties that may receive this data, in accordance with the CCPA/CPRA and other data privacy laws.
Usercentrics does not provide legal advice, and information is provided for educational purposes only. We always recommend engaging qualified legal counsel or privacy specialists regarding data privacy and protection issues and operations.
The Utah Consumer Privacy Act (UCPA) came into effect on December 31, 2023, and is one of the increasing number of statewide laws in the US that aim to protect the rights of consumers whose data is processed by businesses.
When it was passed, the UCPA was the fourth piece of legislation of its kind in the US. Lawmakers were able to draw on earlier regulations, like the Colorado Privacy Act (CPA) and the Virginia Consumer Data Protection Act (VCDPA), which were both based on the first and most stringent US privacy law: the California Consumer Protection Act (CCPA).
With this foundation, the UCPA strikes a finer balance between consumer rights and business responsibilities. Overall, the narrower scope of its definitions and compliance requirements means that it can be seen as “lighter” and more business-friendly than the majority of other state-level data privacy laws in place.
What is the Utah Consumer Privacy Act?
The UCPA gives consumers in Utah a degree of control over how businesses are able to collect and use their data. Under the UCPA, individuals have the right to know if a business is processing their personal data, to access and have that data deleted, and to opt out from their data being sold.
Unlike other similar data privacy laws, the UCPA doesn’t place limits on the data that businesses can gather and what they can do with it. The responsibility for minimizing the collection and processing of data rests with the consumer.
UPCA summary
The UCPA protects the privacy rights of Utah residents and establishes data privacy responsibilities for companies that operate in the state and process the data of the nearly 4 million individuals who live there.
It requires businesses that collect data to protect the confidentiality and integrity of that data to reduce the risk of harm associated with processing it. Organizations must also provide consumers with clear and accessible privacy notices and inform them about how they can opt out of the sale of their data.
Like other US state laws, the UCPA uses an opt-out model for user consent, rather than the opt-in model in place for regulations such as the General Data Protection Regulation (GDPR).
This means that consumers’ personal data can be collected, sold, or used for targeted advertising without first obtaining their explicit and informed consent. The only exception here relates to children’s data. In that case, consent must be obtained from a parent or legal guardian.
Unlike most US data privacy laws, the UCPA does not require prior consent for the processing of data categorized as sensitive. Companies just need to notify consumers about collection and use and provide an opt-out option.
The sale of data is one of the key focuses for the UCPA. The Act defines any “exchange of personal data for monetary consideration by a controller to a third party” as a sale.
This definition doesn’t include non-monetary exchanges, which means that it doesn’t apply to data sharing among businesses, differentiating it from the CCPA and California Privacy Rights Act (CPRA).
However, consumers do have the right — and must be provided with the option — to opt out of the sale of their data or its use for targeted advertising. If a consumer exercises this right, their data can no longer be used.
Updates to the UCPA
On March 13, 2024, Utah became the first state to enact an AI-focused consumer protection law. The Utah Artificial Intelligence Policy Act (UAIP), which came into effect on May 1, 2024, modifies the UCPA and places certain duties on businesses using generative AI in the course of their business.
The act focuses mainly on businesses operating in regulated industries, i.e. those where a person requires a license or state certificate to work. These businesses must disclose to customers that they are interacting with generative AI or materials that are created by generative AI.
It also requires businesses in non-regulated sectors to disclose the use of this technology if asked or prompted by a customer. However, it’s not clear what mechanisms an organization must put in place to field these requests or how the disclosure should take place.
The UAIP has also created an Office of Artificial Intelligence Policy that is tasked with setting up an Artificial Intelligence Learning Laboratory Program. The goal is that this AI Lab will support AI-related regulation and development within the state.
Definitions under the Utah Consumer Privacy Act
The UCPA applies to controllers or processors of consumer data. It defines these terms as follows.
Controller under UCPA
Controller means “a person doing business in the state who determines the purposes for which and the means by which personal data are processed, regardless of whether the person makes the determination alone or with others.” (Section 101.12 UCPA)
Processor under UCPA
Processor means “a person who processes personal data on behalf of a controller.” In relation to controllers and processors, “person” includes natural persons or commercial or noncommercial entities, including third parties, that process data and meet the applicability criteria. (Section 101.26 UCPA)
Consumer under UCPA
Consumer means “an individual who is a resident of the state acting in an individual or household context” who is not “acting in an employment or commercial context.” (Section 101.10 UCPA)
Personal data under UCPA
“Personal data” refers to “information that is linked or reasonably linkable to an identified individual or an identifiable individual.” (Section 101.24 UCPA)
There are specific forms of personal data that can make an individual directly identifiable (e.g. a name or email address), while others may not qualify on their own (e.g. an IP address). However, it’s important to note that non-identifying data may become identifying when it’s aggregated with other kinds of personal data.
Exclusions to the definition of personal data
The UPCA sets out a number of exclusions in relation to personal data. This includes information that:
- is publicly available
- has been deidentified or anonymized
- relates to groups of consumers and has been aggregated to the extent that individuals cannot be identified
Sensitive data under UCPA
Unlike some other data privacy laws, the UCPA does not require businesses to obtain consent for processing sensitive personal data.
However, controllers do have to clearly notify consumers and provide the opportunity for them to opt out of having their sensitive personal data processed before such data is collected and processed. Like non-sensitive data, consumers can also opt out of processing for sensitive data later, at which point processing must cease.
The Act (Section 101.32 UCPA) defines “sensitive data” as personal data that includes or reveals:
- racial or ethnic origin (unless processed by a video communication service or by a licensed healthcare provider)
- religious beliefs
- sexual orientation
- citizenship or immigration status
- medical history, mental or physical health condition, or medical treatment or diagnosis by a healthcare professional
- genetic or biometric data (if the processing is for the purpose of identifying a specific individual)
- geolocation data (if the processing is for the purpose of identifying a specific individual)
Who must comply with the Utah Consumer Privacy Act?
Similar to other data privacy laws, the UCPA has provisions that provide rights to consumers and place obligations on businesses, provided that they meet certain criteria.
UCPA applies to businesses that:
- Operate in Utah, either by conducting business there or by offering a product or service to consumers who reside in the state.
- Meet the annual earnings and data processing thresholds, meaning they report revenue of USD 25 million and either
- control or process the data of 100,000 consumers
or
- derive more than 50 percent of gross revenue from the sale or control of personal data of 25,000 or more consumers
The UCPA differs from some of the other data privacy laws as entities have to meet multiple criteria for it to apply. This narrows its scope. For example, the revenue threshold will exclude smaller SMEs from qualifying. Many of the more recently passed US state-level privacy laws do not include a revenue-centric threshold, though Utah is one of the earlier ones that does.
Unsure if the UCPA applies to your business? Use our UCPA checklist to understand if the Act applies to your business, and what you need to do to be compliant.
Exemptions to Utah Consumer Privacy Act compliance
Organizational exemptions
In addition to organizations that fall below the revenue or processing volume thresholds, the UCPA exempts a number of other entities, including:
- institutions of higher education
- nonprofit organizations
- government organizations and contractors
- Indigenous groups
- air carriers
- organizations covered by the Health Insurance Portability and Accountability Act (HIPAA)
- financial institutions governed by the Gramm-Leach-Bliley Act (GLBA)
Data exemptions
The UCPA does not apply to information that’s already subject to the following regulations:
- Driver’s Privacy Protection Act (DPPA)
- Fair Credit Reporting Act (FCRA)
- Family Educational Rights and Privacy Act (FERPA)
- Farm Credit Act (FCA)
- Gramm-Leach-Bliley Act (GLBA)
- Health Insurance Portability and Accountability Act (HIPAA)
Employment exemptions
Data processed or maintained during the course of an individual’s employment is exempt from the UCPA.
This covers instances when an individual is applying for a job, as well as when they are “acting as an employee, agent, or independent contractor of a controller, processor, or third party,” provided that the data is “collected and used within the context of that role” (Section 102.2(o)(i) UCPA).
Consumer rights under the Utah Consumer Privacy Act
Consumers have four primary rights under the UCPA: access, deletion, portability, and opting out.
- Right to access, including confirming whether a controller is processing their data, and the ability to request and receive that data
- Right to deletion of personal data, if the data subject directly provided the data to the controller
- Right to portability, obtaining a copy of their personal data from the controller, in a format that is:
- portable to a technically reasonable extent
- readily usable to a practical extent
- enables the consumer to transmit the data to another controller reasonably easily, where the processing is carried out by automated means
- Right to opt out of certain processing, specifically for the sale of the personal data or the purposes of targeted advertising
Key differences with other privacy laws
While these rights are similar to those given to consumers under other data privacy laws, both within the US and globally, UCPA does not create other common rights, such as the right to appeal and the right to correct (to request and have omissions or inaccuracies rectified).
In addition to these exclusions, the UCPA does not provide for a private right of action (the ability for an individual consumer to sue a controller for noncompliance or a data breach). To date California is the only state that allows for this. Consumers also cannot use a violation of the UCPA to support a claim under other Utah laws.
What’s more, controllers under the Utah privacy law aren’t required to recognize “universal opt-out signals” as a method for consumers to opt out of data processing. This excludes global privacy control (GPC) measures, where users can set their consent choices once and have them respected across all other sites and properties on which they are active, instead of having to specify their choice at every online property they visit.
What are controllers obliged to do under the Utah Consumer Privacy Act?
Under the UCPA, data controllers must outline exactly how consumers can submit a request and exercise their rights related to their data. They must also respond to any requests within 45 days.
Transparency under the UCPA
Controllers must provide consumers with a privacy notice or policy that is “reasonably accessible and clear.” This notice would typically appear on a business’s website and must include:
- categories of personal data processed by the controller
- categories of personal data the controller shares with third parties
- categories of third parties with whom the controller shares personal data
- a clear explanation of how consumers can exercise their rights, including the right to opt out
- “clear and conspicuous” disclosure if personal data is sold to a third party or used for targeted advertising
A consent management platform (CMP) can make this easier for you. With the right tool, you can stay compliant by generating an accurate, comprehensive, and up to date privacy policy and notify consumers about any data collection that’s taking place.
Consumer requests under the UCPA
Consumer requests must be fulfilled free of charge to the consumer, unless the request is:
- the second or subsequent request within the same 12-month period
- “excessive, repetitive, technically infeasible, or manifestly unfounded” (Section 203.4.(b)(i)(A) UCPA)
- reasonably believed by the controller to have the primary purpose of “something other than exercising a right” (Section 203.4.(b)(i)(B) UCPA)
- intended to harass, disrupt, or impose undue burden on the resources of the controller’s business
Controllers must take action and notify the consumer of their actions within 45 days of receiving a request. If the controller cannot or will not respond to or fulfill the consumer’s request, e.g. if the consumer’s identity cannot be reasonably verified, they must communicate this during that same 45-day period.
However, there are exceptions. The response period can be extended by another 45 days if reasonably necessary, for example, if the request is very complex or the controller is dealing with a high number of requests.
Where there is an extension, the consumer must be informed within the initial 45 days. The notification must include reasons for and the length of the delay.
Unlike some other laws, the UCPA does not have an appeal process for consumers whose requests are denied.
Data security under the UCPA
Controllers must “establish, implement, and maintain reasonable administrative, technical, and physical data security practices” that have been “designed to protect the confidentiality and integrity of personal data.” (Section 302.2(a) UCPA)
This applies both to the controller and any third party services they use.
Third-party data processing under the UCPA
Controller organizations may use third parties to process data on their behalf, so long as there is a contract in place.
The contract must include data processing instructions, as well as some of the same information that must be outlined in the consumer notification, including:
- the nature and purpose of the processing
- the type of data to be processed
- the duration of processing
- all parties’ rights and obligations, including a duty of confidentiality
- a provision that requires the processor to have a written contract with any subcontractor engaged to process personal data that mirrors the obligations on the processor
Under the UCPA, controllers don’t have to evaluate the risks of their data processing activities via data protection assessments. What’s more, a contract between a controller and processor does not need to stipulate that the processor must comply with any reasonable data privacy audits set in motion by the data controller.
Processing of children’s personal data under the UCPA
The processing of children’s data is the only activity under the UCPA that requires explicit consent. Under the Act, a child is defined as an individual known to be under the age of 13.
Controllers must obtain verifiable parental or guardian’s consent prior to processing and process the data in accordance with the Children’s Online Privacy Protection Act (COPPA).
Nondiscrimination under the UCPA
Controllers may not discriminate against any consumer who exercises their privacy rights. Examples of potential discrimination include:
- denying goods or services
- charging a different price or rate for goods or services
- providing a different level of quality for goods or services
However, a controller is allowed to offer “a different price, rate, level, quality, or selection of a good or service to a consumer” (Section 302.4(b) UCPA) if that customer has opted out of targeted advertising, or if the offer relates to the consumer voluntarily participating in the controller’s loyalty program.
Enforcement of the Utah Consumer Privacy Act
Enforcement authority
The Utah attorney general has full enforcement authority of UCPA. However, the Division of Consumer Protection is responsible for administering consumer complaints and has the authority to investigate alleged violations.
Investigations and cure period
Where authorities find reasonable cause or evidence of a violation, it’s referred to the Attorney General. If the Attorney General pursues the investigation, their office must provide the data controller or data processor with a written notice about the violation.
The UCPA provides the offending party with a 30-day “cure” period. This is a grace period during which the controller is given the opportunity to rectify any violation and provide a statement to the Attorney General about what has been done to resolve the violation and ensure it won’t be repeated. Unlike many US data privacy laws, the UCPA’s cure period does not sunset.
Damages and fines
In cases where punitive action is required, for example, if the controller or processor fails to resolve, or repeats the violation after providing a written statement to the contrary, the Attorney General can initiate an enforcement action. This includes damages and fines up to USD 7,500 per violation.
Consent management and the Utah Consumer Privacy Act
The UCPA uses an opt-out model to regulate data collection and processing in the state of Utah. As a data controller in Utah, you’re not required to obtain data subjects’ consent before collecting personal data, unless that data belongs to a child.
However, you are required to give consumers a clear notification that their data is being collected, inform them about their rights, and provide them with the means to opt out, either before or at the point of collection and processing.
To achieve and maintain compliance, use a CMP. A robust CMP can automate the process of notifying customers about data processing, tailoring consent messages, and managing their opt-out choices. This makes it easier to achieve and maintain compliance with the UCPA and other US privacy laws like the CCPA/CPRA and VCDPA.
A robust CMP helps your business obtain consent in a transparent manner, enabling you to collect valuable data while building trust with your customers.
Navigating UCPA compliance
While the requirements for UCPA compliance are less demanding than similar laws’, the potential fines and damage to brand reputation that can result from noncompliance mean that businesses must still be diligent.
Usercentrics can help you adhere to regulatory requirements of laws like the UCPA with its all-in-one CMP that enables you to produce content for privacy notices in just a few clicks. What’s more, our platform simplifies consumer consent management and helps you personalize the consent experience for your users.
If you have questions or interest in implementing our CMP to help you achieve compliance with privacy laws in the US and around the world, talk to one of our experts.
Usercentrics does not provide legal advice, and information is provided for educational purposes only. We always recommend engaging qualified legal counsel or privacy specialists regarding data privacy and protection issues and operations.
Minnesota became the nineteenth state in the United States to pass a consumer privacy bill with the Minnesota Consumer Data Privacy Act (MCDPA) when Governor Tim Walz signed it into law on May 24, 2024. The law goes into effect on July 31, 2025, with the compliance deadline extended to July 31, 2029 for postsecondary institutions regulated by the Minnesota Office of Higher Education.
We look at how the MCDPA protects consumers’ information, and the broader implications for organizations under its jurisdiction.
What is the Minnesota Consumer Data Privacy Act (MCDPA)?
The Minnesota Consumer Data Privacy Act (MCDPA) is a regulation designed to protect the privacy and personal data of Minnesota’s residents by regulating how data is collected, processed, and used. The state-level law imposes specific obligations on businesses that either operate in Minnesota or offer products and services to its residents, known as “consumers” under the law, and process their personal data.
Under the MCDPA, a consumer is “a natural person who is a Minnesota resident acting only in an individual or household context.” The law explicitly excludes any natural person acting in a commercial or employment context.
Like most other US states with similar laws, Minnesota follows an opt-out consent model. Businesses must clearly inform consumers about:
- what personal data they collect
- the purpose(s) for collecting this data
- any third parties with whom the data may be shared
- how consumers can opt out of the collection and processing of their personal data for specific purposes.
Who must comply with the Minnesota Consumer Data Privacy Act?
The Minnesota privacy law applies to businesses that operate in the state and produce products or services targeted at Minnesota residents, and during a calendar year:
- control or process the personal data of at least 100,000 consumers, except if the personal data is controlled or processed only for the purposes of completing a payment transaction
or - control or process the personal data of at least 25,000 consumers and derive more than 50 percent of gross revenue from the sale of personal data
The MCDPA applies to any business that fulfills these conditions, regardless of where the business is located.
Minnesota data privacy law sets itself apart from some other state laws such as the California Consumer Privacy Act (CCPA) / California Privacy Rights Act (CPRA), as it does not require businesses to comply based on annual revenue alone.
Exemptions to Minnesota Consumer Data Privacy Act compliance
The Minnesota data privacy law exempts certain entities from complying, including:
- government entities
- federally recognised Indian tribes
- covered entities or business associates governed by the Health Insurance Portability and Accountability Act (HIPAA)
- state or federally chartered banks or credit unions, or their affiliates or subsidiaries primarily engaged in financial activities
- insurance companies, insurance producers, third-party administrators of self-insurance, or their affiliates or subsidiaries primarily engaged in financial activities
- small businesses as defined under the U.S. Small Business Act, unless they sell consumers’ sensitive data without obtaining prior consent
- air carriers subject to the Airline Deregulation Act where the personal data collected relates to prices, routes, or services
- nonprofit organizations established to detect and prevent insurance fraud
Data that is exempt from the law includes:
- protected healthcare-related information, research data, and employment-related data
- data collected or maintained as emergency contact information for a natural person if used for emergency contact purposes only
- data created for or collected under several federal laws, including, among others:
- Gramm-Leach-Bliley Act (GLBA)
- HIPAA
- Health Care Quality Improvement Act
- Family Educational Rights and Privacy Act (FERPA)
- Farm Credit Act (FCA)
- Minnesota Insurance Fair Information Reporting Act
- Driver’s Privacy Protection Act
- Fair Credit Reporting Act (FCRA)
Definitions under the Minnesota Consumer Data Privacy Act
The Minnesota privacy law defines key terms that explain the types of data it covers and the data processing activities involved.
Personal data under the MCDPA
The Minnesota privacy law defines personal data as “any information that is linked or reasonably linkable to an identified or identifiable natural person.” The definition specifically excludes de-identified data or publicly available information.
Common types of personal data that businesses collect include name, phone number, email address, Social Security number, or driver’s license number.
Sensitive data under the MCDPA
Sensitive data is personal data that could harm consumers if abused. Under the MCDPA, it includes:
- racial or ethnic origin
- religious beliefs
- mental or physical health diagnosis
- sexual orientation
- citizenship or immigration status
- genetic or biometric data processed for the purpose of uniquely identifying an individual
- personal data collected from a known child (under 13 years of age)
- precise geolocation data that can accurately identify an individual’s specific location within an accuracy of more than three decimal degrees of latitude and
- longitude or the equivalent in an alternative geographic coordinate system, or a street address derived from the coordinates
Controller under the MCDPA
Controller under Minnesota’s privacy law is “a natural or legal person who, alone or jointly with others, determines the purpose and means of processing personal data.“
A controller, also known as a “data controller” under some laws, is responsible for protecting personal data under the law.
Processor under the MCDPA
A processor under the law is “a natural or legal person who processes personal data on behalf of a controller.”
Sale of personal data under the MCDPA
Sale of personal data means “the exchange of personal data for monetary or other valuable consideration by the controller to a third party.“
The MCDPA’s definition specifically excludes the following:
- disclosure of personal data to a processor that processes the personal data on the controller’s behalf
- disclosure of personal data to a third party for the purposes of providing a product or service the consumer has requested
- disclosure or transfer of personal data to the controller’s affiliate
- disclosure of information that the consumer has intentionally made available to the public through a mass media channel not restricted to a specific audience
- disclosure or transfer of personal data to a third party as an asset that is part of a proposed or completed merger, acquisition, bankruptcy, or other transaction
- exchange of personal data between the producer of goods or services and its authorized agents who sells these goods and services, to enable both parties to provide the goods and services
Targeted advertising under the MCDPA
The MCDPA defines targeted advertising as “displaying advertisements to a consumer where the advertisement is selected based on personal data obtained or inferred from the consumer’s activities over time and across nonaffiliated websites or online applications to predict the consumer’s preferences or interests.”
Targeted advertising under the MCDPA does not include:
- ads based on activities within a controller’s own websites or online apps
- ads based on the context of a consumer’s current search query, visit to the website, or online app
- ads directed to a consumer in response to the consumer’s request for information or feedback
- processing of personal data solely for measuring or reporting ad performance, reach, or frequency
Consent under the MCDPA
The Minnesota privacy law defines consent as “any freely given, specific, informed, and unambiguous indication of the consumer’s wishes by which the consumer signifies agreement to the processing of personal data relating to the consumer.”
Excluded from the definition are:
- acceptance of a general or broad terms of use or similar document that contains descriptions of personal data processing along with other, unrelated information
hovering over, muting, pausing, or closing a given piece of content - consent obtained through the use of dark patterns
Consumer rights under the Minnesota Consumer Data Protection Act
Consumers have several rights under the MCDPA that enable them to protect their personal data and control how it’s used, in particular:
- Right to access: consumers can confirm if the controller is processing their personal data and can access this data, with some exceptions
- Right to correction: consumers have the right to have any inaccurate personal data about them corrected, taking into account the nature of the personal data and purposes of processing
- Right to deletion: consumers can request the deletion of their personal data, with exceptions
- Right to data portability: where the processing is carried out by automated means, consumers can obtain a copy of their personal data that they previously provided to the controller, in a portable and readily usable format, with some exceptions
- Right to information: consumers can obtain a list of specific third parties to whom the controller has disclosed their, or any consumer’s, personal data
- Right to opt out: consumers can opt out of the processing of their personal data for the purposes of its sale or use for targeted advertising or profiling
Consumers have the following additional rights if their data is used for profiling that affects legal decisions about them:
- to question the outcome of the profiling
- to know why the profiling led to that outcome
- if possible, to learn what actions they could have taken to achieve a different outcome and what they can do in the future to achieve such an outcome
- to review the personal data used in the profiling, and, if the decision was based on incorrect data, to correct this data and request a reevaluation of the profiling decision with the corrected data
There is no private right of action that gives consumers the right to directly sue a controller for violations of the Minnesota privacy law.
Controllers’ obligations under the Minnesota Consumer Data Privacy Act
Under the Minnesota data privacy law, controllers are required to meet specific obligations to protect consumers’ personal data.
Consumer rights requests under the MCDPA
Controllers must provide one or more secure and reliable methods for consumers to exercise their rights. While consumers can be asked to log in to an existing account for identity verification, requiring them to create a new account is not permitted under the law.
Controllers have 45 days to respond to consumer requests, with the option to extend this period by another 45 days if reasonably necessary. If an extension is required, the controller must inform the consumer before the initial 45-day period expires.
If the controller is unable to reasonably verify the consumer’s identity, they may request additional verification or decline the request. In cases where a request is declined, the controller must notify the consumer within 45 days of receiving the request, providing the reason for the denial and information on how to appeal the decision.
Controllers must respond to appeals within 45 days, and they may extend this period by an additional 60 days if reasonably necessary. If an appeal is denied, the controller must provide a written explanation with reasons for denial and inform the consumer how to submit a complaint to the Attorney General.
Controllers are required to maintain records of all appeals and their responses for a minimum of 24 months, and they must provide the Attorney General with copies of the records if requested.
Privacy notices under the MCDPA
Under the Minnesota data privacy law, controllers must publish a clear, accessible, and comprehensive privacy notice that includes the following information:
- categories of personal data processed
- purposes for processing personal data
- what rights consumers have under the law
- how consumers may exercise their rights
- how consumers may appeal the controller’s decision regarding a request
- categories of personal data sold to or shared with third parties, if any
- categories of third parties to whom the controllers sells or shares personal data, if any
- contact information for the controller
- a description of the controller’s retention policies for personal data
- date of the last update to the privacy notice
Controllers that sell consumers’ personal data to third parties, or process personal data for targeted advertising purposes or profiling, must disclose this in the privacy notice. They must also provide consumers with a prominent method to opt out of the sale, processing, or profiling for these purposes. A link provided for these purposes must use the words “Your Opt-Out Rights” or “Your Privacy Rights”.
Typically, the privacy notice or privacy policy is posted in a highly visible location on the controller’s website, such as the footer, ensuring it’s easy to locate. The MCDPA mandates that controllers use the word “privacy” in the link to the privacy notice on a website, mobile app’s app store page, or download page.
The MCDPA also requires controllers who maintain apps — whether they’re mobile, tablet, web, or smart device apps — to include a link to the privacy notice in the settings menu of the app.
If a controller doesn’t maintain a website, they must make the privacy notice accessible to consumers through the regular means of communication with them, which may include postal mail.
Purpose limitation under the MCDPA
The law requires controllers to disclose the specific purposes for which they are collecting personal data and to restrict their data collection to what is “adequate, relevant, and reasonably necessary” for these identified purposes. Controllers cannot retain personal data if it is no longer needed for the original purposes of collection and processing, unless the law requires or permits it in certain circumstances.
Data security under the MCDPA
Controllers have an obligation to protect the confidentiality, integrity, and accessibility of consumers’ personal data. The Minnesota data privacy law requires controllers to establish, implement, and maintain reasonable administrative, technical, and physical security measures for this purpose, which are appropriate to the volume and nature of the personal data being processed.
Notably, Minnesota is the first state to mandate that controllers maintain data inventories to fulfill these requirements.
Compliance policies and data privacy and protection assessments under the MCDPA
Controllers are required to document a description of the policies and procedures adopted to comply with the MCDPA, including:
- name and contact information for the controller’s chief privacy officer, or, if one is not appointed, another individual with responsibility to monitor and achieve
- the controller’s compliance with the law
- description of the controller’s data privacy policies and procedures that enable controllers to fulfill their obligations under the law
- description of any policies and procedures established to:
- ensure that their systems are designed to comply with the law
- identify and provide personal data to a consumer as required under the law
- comply with the obligation for ensuring data security
- comply with the obligation for purpose limitation
- prevent data that is no longer required from being retained unless required by law
- identify and rectify violations of the law
The MCDPA also requires controllers to conduct and document a data privacy and protection assessment, known as a data protection impact assessment under some laws, when processing personal data:
- for the purposes of targeted advertising
- for sale
- classified as sensitive data under the law, including children’s data
- that presents a heightened risk of harm to consumers
- for profiling that presents a reasonably foreseeable risk of the following on consumers:
- unfair or deceptive treatment, or disparate impact
- financial, physical, or reputational injury
- physical or other intrusion into private affairs
- other substantial injury
Data privacy and protection assessments under the MCDPA must include the description of policies and procedures that the controller has adopted to comply with the law.
The Attorney General can request the controller to disclose a data privacy and protection assessment during its investigations into any alleged violations, and the controller is obligated to make it available.
The law considers data privacy and protection assessments or risk assessments conducted by a controller for compliance with other laws as valid if the assessments share a similar scope and effect.
Consent requirements under the MCDPA
Minnesota has adopted an opt-out model for processing personal data, consistent with the other US state-level privacy laws. This means that controllers can collect and process personal data without obtaining prior consent from consumers in most cases. However, an important exception exists for sensitive personal data, where controllers must obtain explicit consent before processing.
Controllers must clearly inform consumers about their data processing activities and provide options for consumers to opt out of the sale of their personal data and its use for targeted advertising or profiling. Additionally, Minnesota law mandates that controllers provide an effective way for consumers to revoke previously given consent. This revocation mechanism must be as easy to use as the method used to give consent initially. Once consent is revoked, controllers are required to stop processing the relevant data as soon as practicable, and no later than 15 days after receiving the revocation request.
The MCDPA aligns with the Children’s Online Privacy Protection Act (COPPA) concerning children’s personal data, which is standard among US data privacy laws. This requires controllers to obtain consent from a parent or guardian before processing any personal data of children under 13 years old, as all personal data of children in this age group is classified as sensitive data under Minnesota law.
Controllers are prohibited from processing the personal data of consumers known to be between the ages of 13 and 16 for the purposes of targeted advertising or selling their data without obtaining prior consent from the individual.
Nondiscrimination under the MCDPA
The MCDPA explicitly prohibits controllers from discriminating against consumers who exercise their rights under the law. This means businesses cannot deny goods or services, charge different prices or rates for goods or services, or offer varying quality levels or experiences (e.g. website access) to consumers based on their choices to exercise their data privacy rights.
However, controllers may offer incentives, such as discounts or rewards, to consumers who voluntarily participate in activities involving the processing of personal data. These incentives must be reasonable and proportionate to avoid being considered coercive rather than optional and voluntary.
Certain website functions that rely on essential or necessary cookies may not operate effectively if a consumer declines these cookies. Such limitations are not regarded as discriminatory under the law.
Controllers are not obligated to provide a product or service that depends on personal data they do not collect or keep.
The MCDPA specifically prohibits controllers from processing personal data on the basis of certain characteristics, including, among others, race, ethnicity, religion, gender identity, familial status, or disability in a manner that unlawfully discriminates against consumers with respect to the provision of:
- housing, employment, credit, or education
- goods, services, facilities, privileges, advantages, or accommodations of any place of public accommodation
Data processing agreement under the MCDPA
The Minnesota privacy law requires controllers to enter into contracts with processors that govern data processing procedures. While the law does not explicitly use the term “data processing agreement,” this contract serves the same purpose as data processing agreements in other data privacy laws, such as the European Union’s General Data Protection Regulation (GDPR) and the Virginia Consumer Data Protection Act (VCDPA).
The contract or data processing agreement must clearly outline:
- instructions for processing data
- nature and purpose of processing
- type of data subject to processing
- duration of processing
- rights and obligations of both parties
- processor’s duty of confidentiality
- conditions under which the processor may engage a subcontractor
Processors must assist controllers in meeting their obligations under the MCDPA, including ensuring security of personal data being processed.
Universal opt-out mechanism under the MCDPA
Similar to data privacy laws in states like California, Nebraska, and Texas, the MCDPA includes provisions for universal opt-out mechanisms, such as the Global Privacy Control (GPC). These mechanisms enable consumers to set their privacy preferences once via browser settings or extensions, and these preferences are then automatically applied to all websites and online services they visit.
Under the MCDPA, controllers must respect universal opt-out signals that express a consumer’s choice to opt out of activities such as targeted advertising or the sale of personal data. Controllers that recognize opt-out preference signals approved by other state laws or regulations will be deemed compliant with this requirement under the MCDPA.
The law requires that the mechanism a controller employs must:
- not unfairly disadvantage another controller
- require consumers to make “an affirmative, freely given, and unambiguous choice“ to opt out rather than use a default opt-out setting
- be user-friendly
- be consistent with other similar technologies or mechanisms
- enable the controller to determine whether the consumer is a resident of Minnesota, either through the consumer’s IP address or other means, and has made a
- legitimate opt-out request
Enforcement of the Minnesota Consumer Data Privacy Act
The Minnesota Attorney General has exclusive authority to enforce the MCDPA. While the law does not grant consumers a private right of action, they can still file complaints about alleged violations or denials of their privacy rights directly with the Attorney General’s office. Before initiating an enforcement action, the Attorney General must issue a written notice to the implicated party, detailing the alleged violations.
The MCDPA includes a 30-day cure period for organizations to address and rectify any alleged violations after receiving the notification. This cure period has a sunset date of January 31, 2026, after which this provision will no longer apply, and any cure period will be at the discretion of the Attorney General’s office.
Fines and penalties under the MCDPA
The Minnesota Attorney General can initiate enforcement actions against controllers or processors if they fail to remedy a violation within the 30-day cure period. An enforcement action might include seeking injunctive relief and/or imposing civil penalties, which can reach up to USD 7,500 per violation, along with recovering reasonable costs related to investigating the violation.
Consent management and the Minnesota Consumer Data Privacy Act
Like consumer privacy laws in other US states, the Minnesota privacy law adopts an opt-out consent model. This means businesses can collect and process personal data without obtaining prior consent, except for sensitive personal data and data belonging to children.
Consumers have the right to opt out of the collection and processing of their personal data for purposes such as sale, targeted advertising, or profiling. Businesses are required to clearly present this opt-out option on their websites, typically within the privacy policy or privacy notice.
Many websites use cookie consent banners that include clear links or buttons that enable users to opt out of data processing. A consent management platform (CMP) like Usercentrics CMP can automate this process by managing cookies and other tracking technologies and blocking their use until the consumer gives consent, or by enabling opt-out, depending on the relevant legal model.
CMPs also enable websites to offer clear information to users regarding the types of data collected, the purposes for collection, and the third parties that might receive this data, in line with the MCDPA and other data privacy regulations.
Since there is currently no unified federal privacy law in the US, businesses that operate around the country and/or internationally likely need to comply with multiple state and international privacy regulations. CMPs can assist in this by customizing cookie banners based on the user’s location, helping businesses meet the requirements of state-level laws like the MCDPA as well as international regulations such as the GDPR.
Preparing for the Minnesota Consumer Data Privacy Act
Businesses operating in Minnesota have until the effective date of July 31, 2025, to prepare for compliance with the MCDPA. Those that are already compliant with privacy regulations in other states may find themselves ahead, as there are several overlapping requirements. However, businesses must also prepare for specific MCDPA provisions, such as the obligation to maintain data inventories and to document data privacy policies and processes. Integrating a privacy by design approach not only benefits compliance efforts but also enhances overall organizational operations.
Companies must assess whether they meet the MCDPA compliance thresholds, and, if applicable, take steps to provide users with clear opt-out options and accessible privacy notices. Using a Consent Management Platform (CMP) like Usercentrics CMP can assist in managing cookies on websites and apps.
As the MCDPA adapts to technological advancements and shifts in consumer expectations, it is crucial for businesses to consult with qualified legal professionals or data privacy experts, such as a Data Protection Officer, to maintain compliance.
Usercentrics does not provide legal advice, and information is provided for educational purposes only. We always recommend engaging qualified legal counsel or privacy specialists regarding data privacy and protection issues and operations.
The California Consumer Privacy Act (CCPA) set US standards for consumer privacy and data protection. It requires businesses that operate in digital markets to establish compliant data collection practices, communicate these to their customers, and implement measures to protect this data.
Meeting CCPA requirements can entail a large investment of time and resources, but failing to adhere to its provisions can be even more costly. The fines, legal fees, and loss of customer trust that stem from noncompliance are significant risks to your business’s bottom line.
Compliance tools are invaluable in helping you adhere to CCPA requirements. They simplify privacy compliance by streamlining consent collection, management, and signaling according to regulatory requirements, so that you can remain focused on your core business operations.
Our picks of the top CCPA compliance software:
Essential features for CCPA compliance solutions
Complying with the CCPA helps your business to protect consumer rights and build customer trust while also safeguarding it against various noncompliance risks, including CCPA class action lawsuits.
Using a robust CCPA compliance tool can help you to meet the requirements of this regulation and the California Privacy Rights Act (CPRA), which expanded and amended it. When choosing your platform, it’s important to evaluate the following features.
- Consent management: A consent management platform (CMP) enables you to securely collect, manage, and signal user consent in line with CCPA requirements.
- Sensitive data handling: Look for features that help identify, secure, and manage the processing of sensitive personal information.
- Data processing: Ensure there are mechanisms for monitoring and controlling the processing of personal data so it meets the CCPA’s transparency, purpose limitation, and data minimization requirements.
- Data privacy management: Make sure there are comprehensive privacy management tools available to maintain compliance documentation, automate scanning for technologies in use that require consent, keep consent notices up to date, and manage consent choices in real-time.
CCPA tool | Key features | Usability score | Recommended for |
---|---|---|---|
Usercentrics |
|
4.0/5 (Capterra) | Businesses of all sizes |
TrustArc |
|
4.1/5 (SoftwareReviews) | Small to medium-sized businesses |
OneTrust |
|
3.8/5 (Capterra) | Large corporations |
Osano |
|
4.6/5 (G2) | Freelancers |
iubenda |
|
4.5/5 (Capterra) | Small businesses |
Ketch |
|
4.5/5 (G2) | Agencies |
6 great tools for CCPA compliance
Maintaining compliance with the CCPA doesn’t have to be a daunting task. Here are six tools designed to help you adhere to stringent data privacy laws efficiently so you can focus on what you do best — run your business.
1. Usercentrics
Usercentrics is an all-in-one CMP that enables compliance with the CCPA, GDPR, and other major data privacy laws. It features more than 2,200 legal templates to save time and resources during implementation and maintenance.
This powerful solution integrates easily with popular content management systems (CMSs) and web builder platforms. It enables privacy compliance right out of the box, and you can also customize it extensively, from visual branding to regulatory coverage and more.
However, note that the extensive feature set can make it somewhat challenging for new users to master initially.
Top features
- DPS Scanner: Identify third-party cookies and other tracking technologies on your website to ensure that you’re informing users about the services in use and that you’re able to control them in line with users’ consent choices.
- Legal templates: Access 2,200+ ready-to-use or customizable legal templates to save time on setup, categorization, and maintenance.
- Google-certified: Comes with Google Consent Mode v2 integrated and ready to use.
- Cross-domain and cross-device consent: Improve user experience by obtaining consent for all your websites and apps with a single consent interaction.
- Robust analytics: Get a detailed view of user interaction and consent rates to drive informed decision-making and optimize opt-ins.
Pricing plans
Usercentrics offers a 30-day free trial, after which users can sign up for one of the following paid plans.
- Starter: USD 60/month for up to 50,000 sessions
- Advanced: USD 175–1,150/month for 50,000+ sessions
- Premium: Custom pricing
Full UI customization | Analytics data only available for 90 days |
Automated third-party cookie blocking | |
Flexible pricing and packages |

2. TrustArc

TrustArc provides businesses with automated privacy solutions to help them achieve compliance while increasing user trust. Once it’s up and running, the platform is easy to implement at scale, but you may have to invest significant time to overcome a learning curve to unlock its full potential.
Top features
- Auto-law identification: Gain a better understanding of privacy regulations and standards so you can maintain compliance.
- Trust Center: Display all CCPA-related data privacy information in one place to build trust with your customers.
- Multiple APIs: Integrate third-party applications and tools into your website with Rapid and REST APIs for compliant data collection.
Pricing plans
Contact TrustArc for pricing.
Google-certified CMP provider | Poor customer support, according to some users |
Easy to use (G2 user reviews) | |
Drag-and-drop customization |
3. OneTrust

With an extensive set of privacy management tools, OneTrust enables businesses to safely handle customer data while minimizing security, privacy, governance, and compliance risks. The tool’s automation features can reduce the complexity involved in staying compliant, but you may experience implementation challenges, according to some users.
Top features
- Data intelligence: Centralize and organize data to easily identify sensitive information and understand potential risks.
- Data mapping: Gain an understanding of how data flows through your organization to enable the implementation of CCPA-compliant measures at every stage of handling.
- Reporting and logs: Be prepared for an audit and equipped to show that your business is in compliance with CCPA requirements.
Pricing plans
Contact OneTrust for pricing.
Vendor risk management | Pricing information not publicly available |
Automated compliance assessments | |
Incident and breach management |
4. Osano

Osano enables more than 40,000 users to meet the requirements of data privacy laws. Although it offers an all-in-one solution that centralizes CCPA compliance management, some users note that customization options are limited.
Top features
- “No Fines, No Penalties” Pledge: Claim up to USD 200,000 compensation for any data privacy-related fines or penalties incurred while using Osano.
- Automated data request workflows: Collect, track, and fulfill customers’ requests to disclose, access, or delete the personal information you have on hand, as required by the CCPA.
- Regulatory alerts: Get updates about upcoming changes to the CCPA and other data privacy laws to stay ahead of requirements and maintain compliance.
Pricing plans
Osano has two self-service cookie consent packages:
- Free: USD 0/month for 1 user, 1 domain, and up to 5,000 visitors/month
- Plus: USD 199/month for 2 users, 3 domains, and up to 30,000/month
Contact Osano for pricing for the Privacy & Trust Assurance, Privacy Essentials, and Privacy Operations & Government plans.
Secure blockchain storage | Free plan only supports 5,000 monthly visitors |
Geolocation capabilities | |
Easy setup (G2 user reviews) |
5. iubenda
iubenda’s CMP offers what they refer to as attorney-level consent management tools that help businesses take the guesswork out of compliance. However, geolocation-based consent settings, which are important for tailoring consent banners to user location, aren’t available on all plans.
Top features
- Privacy policy generator: Produce legally compliant documents that detail your business’s data handling practices.
- Automatic policy updates: Be informed of regulatory changes with automatic policy updates drafted and implemented by attorneys.
- Consent database: Save and manage user consent choices as required by the CCPA and CPRA.
Pricing plans
iubenda provides a free plan for websites with fewer than 5,000 page views per month. They also offer a free 14-day money-back guarantee on their three paid packages. Pricing is as follows:
- Essentials: USD 5.99/month/site or app
- Advanced: USD 24.99/month/site or app
- Ultimate: USD 99.99/month/site or app
Automatic updates to maintain compliance | Only one language included with the Essentials plan |
Chat and email support | |
Centralized dashboard for managing multiple websites |
6. Ketch

Ketch is a design-first CMP that places emphasis on the look and feel of data privacy notices, as well as compliance requirements. This US provider’s no-code solutions are aimed at teams that don’t have much technical expertise, but some users note that the platform has a learning curve and its interface is sometimes confusing.
Top features
- Identity resolution: Recognize users across digital channels and devices and automatically apply their consent preferences.
- Ketch Smart Tag: Add privacy notices to your website with lightweight script that aligns with current web design best practices.
- Ketch permit vault: Access up to date records of your customers’ privacy choices and retrieve records of processing activities with one click.
Pricing plans
Ketch offers three plans at three different price points:
- Ketch Free: USD 0
- Ketch Essentials: From USD 350/month
- Ketch Pro: Contact Ketch for pricing
No-code solution | Free plan only supports 5,000 monthly visitors |
Easy to use (G2 user reviews) | |
Over 1,000 pre-built integrations |
How to stay CCPA-compliant with a consent management platform
Managing customers’ personal information, collecting user data, and implementing and maintaining data security in line with the CCPA is a complex and demanding task. A CMP reduces the burden of compliance by automating and streamlining the processes involved in data collection and helping to ensure that they adhere to regulatory standards.
With a CMP, businesses can efficiently establish whether they’re compliant with the CCPA and identify specific actions for achieving compliance. This significantly reduces the hassle and risk associated with adhering to this complex regulation.
Usercentrics for CCPA peace of mind
Complying with the CCPA requires a thorough understanding of the law’s detailed provisions around data collection, storage, and processing. What’s more, growing demands from consumers for the respect for and protection of their data mean that compliance is no longer just a legal requirement but a necessity for business success and longevity.
The recent introduction of the CPRA has further elevated these challenges, building on the CCPA’s requirements. As these laws continue to evolve, businesses need to remain agile and in the know in order to adapt to new guidelines and avoid costly financial and reputational damage.
Usercentrics’ CMP is designed to enable businesses to collect and manage user data in a transparent manner in order to meet the requirements of the CCPA and CPRA. Our Google-certified tool features an extensive library of more than 2,200 legal templates, a best-in-class DPS Scanner, and robust analytics for informed decision-making.
By integrating Usercentrics CMP into your tech stack, privacy compliance can be as seamless as it is robust, and you can align with current regulations, prepare for future changes, and protect your operations and your reputation.
The information presented in this article is accurate based on publicly available sources as of the date of publication. Details about products, features, pricing, etc. may change over time.
Usercentrics does not provide legal advice, and information is provided for educational purposes only. We always recommend engaging qualified legal counsel or privacy specialists regarding data privacy and protection issues and operations.
Organizations collect vast amounts of data from their users, which ranges from personal information to website usage patterns to financial details. This data collection helps improve services, tailor experiences, and drive business growth. However, it can also bring significant risks related to data breaches and unauthorized access to or misuse of personal data.
A Data Protection Impact Assessment (DPIA) helps organizations identify these risks, implement necessary safeguards, and maintain regulatory compliance, specifically with the European Union’s (EU) General Data Protection Regulation (GDPR).
What is a Data Protection Impact Assessment (DPIA) and why is it essential for GDPR compliance?
A Data Protection Impact Assessment (DPIA) is a risk assessment process that helps organizations identify and reduce the risks to personal data they process. It involves examining how personal data is collected, handled, and stored, and ensuring there are adequate measures in place to protect individuals’ privacy and rights as they pertain to that data. Requirements for a DPIA are included in Art. 35 GDPR.
Conducting an effective DPIA enables organizations to detect and address potential problems at an early stage, helping prevent data breaches, avoid legal complications, and protect the organization’s reputation.
Who should implement a DPIA?
The GDPR can require the data controller to carry out a DPIA. A data controller is defined as “the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.”
While the data controller may appoint third-party data processors to carry out processing activities on its behalf, the responsibility for the DPIA remains with the data controller who is ultimately responsible for GDPR compliance and data security. The data processor should assist the controller in carrying out the DPIA by providing any necessary information, as required by Article 28(3)(f) GDPR.
If a Data Protection Officer (DPO) is appointed under the regulation, the controller must consult with the DPO when carrying out a DPIA. The advice given by the DPO and the decisions made by the controller should be documented within the DPIA.
The DPIA may be carried out by someone outside the organization, but the data controller remains accountable for ensuring that it is completed appropriately.
When is a DPIA required?
A DPIA is required whenever a processing activity, in particular using new technologies, triggers one of the obligations to conduct it under the law. Art. 35 requires a DPIA where data processing activities are “likely to result in a high risk to the rights and freedoms of natural persons.” According to the guidelines issued by the Article 29 Working Party (WP29), the predecessor of the European Data Protection Board (EDPB), these rights and freedoms include the rights to data protection and privacy, and may also include:
- freedom of speech
- freedom of thought
- freedom of movement
- prohibition of discrimination
- right to liberty, conscience, and religion
The GDPR specifically requires controllers to carry out a DPIA when:
- there is a systematic and extensive evaluation of personal aspects of individuals, including profiling and automated decision-making
- sensitive data, or data related to criminal convictions and offenses, is processed on a large scale
- publicly accessible areas are systematically monitored on a large scale
A DPIA may be required in other cases, and the controller must evaluate whether processing activities may result in a high risk to the rights and freedoms of individuals. Some examples from the WP29 and Recital 75 GDPR include cases where the processing:
- involves the use of new technologies
- involves matching or combining datasets from two different processing operations
- involves personal data of vulnerable individuals, including children
- is done to track behavior, location, or movements
- may give rise to significant economic or social disadvantage, including identity theft or fraud, discrimination, or financial loss
- may prevent data subjects from exercising control over their personal data
A DPIA can address either a single processing operation or multiple operations that share similar characteristics in terms of their nature, scope, context, purpose, and risks.
Read about marketing data management now
Exclusions from the DPIA requirements
There are two circumstances when a DPIA is specifically not required under the GDPR:
- when the processing operations fall under a list established by a supervisory authority or Data Protection Authority of an EU member state as not requiring a DPIA
- when the processing has a legal basis in EU law or in the law of the member state that applies to the controller, and that law specifically regulates the processing activity
At what stage should a DPIA be carried out?
A DPIA should be carried out before any type of processing begins that is likely to result in a high risk, ideally during the early planning stages of the project, new feature, or new use case. This early assessment helps identify and manage potential risks even if some processing details are still being finalized.
DPIAs are an ongoing activity, and the controller’s obligation doesn’t end once the initial DPIA has been carried out. If data processing has commenced for specific purposes, but the conditions of processing — such as purpose or type of personal data collected — change significantly and are likely to result in a high risk to individuals’ rights and freedoms, the controller must revisit the DPIA before these new processing conditions are implemented. If a DPIA was not initially required before data processing began but changes in processing conditions make it necessary, then it must be conducted when those new conditions arise.
What are the DPIA requirements under the GDPR?
There are certain minimum regulatory requirements for what a DPIA must include. The key components of a DPIA are:
- systematic description of the processing operations, including the nature, scope, context, and purposes of the processing
- assessment of whether the processing operations are necessary and proportional in relation to the purposes, to evaluate whether the same objectives can be met with less data or through less intrusive means
- identification and assessment of the likelihood and severity of potential risks to data subjects’ rights and freedoms
- measures to address and mitigate the risks, including safeguards and security measures such as encryption, access controls, and regular audits to protect personal data and demonstrate compliance with the GDPR
DPIAs under US law
There is no comprehensive federal data privacy law in the US, and a number of states have enacted laws to protect the personal data — often referred to as “personal information” in some laws — of their residents.
Many of these US state-level data privacy laws require controllers to conduct DPIAs. While there may be some variations among state laws, they are usually required in the following cases:
- processing of personal data for the purposes of:
- targeted advertising
- profiling
- sale of personal data
- processing of sensitive data (which usually includes children’s data)
- processing activities that present a heightened risk of harm to consumers
What constitutes “sensitive data” or “sensitive personal information” may differ across various laws, so controllers must ensure they follow the specific requirements of each applicable law.
States that require these assessments include Colorado, Texas, Maryland, Connecticut, Virginia, Nebraska, Oregon, and Tennessee, among others. California requires a DPIA under the California Privacy Rights Act (CPRA), which amended the California Consumer Privacy Act (CCPA).
DPIA procedure
The GDPR doesn’t specify a procedure for conducting a DPIA, giving controllers the flexibility to approach it in a way that effectively assesses risks and informs data processing decisions. The basic steps to conduct a DPIA are as follows.
1. Identify if a DPIA is required
The first step is to determine whether a DPIA is necessary before data processing activities begin. It may not be immediately clear if a DPIA is necessary, and controllers might realize it partway through the project. In such a case, controllers must ensure the DPIA is completed before they begin any processing activities or begin collecting data.
2. Consult the DPO, if appointed
Art. 35(2) of the GDPR makes it mandatory to consult the DPO if the organization has appointed one. The DPO’s advice must be documented in the DPIA and, if the advice is overruled, the DPIA must explain why.
3. Identify all parties to be consulted
Controllers must list all internal and external stakeholders to be consulted. This includes data processors and data subjects or their representatives. The DPIA must include their feedback on the processing activities and, if feedback is disregarded, why.
4. Document the nature, scope, context, and purposes of the data processing
Controllers should list all the data processing activities, including why and how the data is being processed. This should cover, among other things:
- what types of personal data are being collected and processed, including whether the data is sensitive, the volume of data, and how long it will be retained
- the source of the data, and whether it will be shared with any third parties
- how much control data subjects will have over the data, and whether any new technologies will be used in processing
- the intended effect on data subjects and benefits for the controller
5. Assess the necessity and proportionality
The GDPR requires controllers to evaluate whether the data processing is necessary and proportional to achieve the intended purposes, including determining the lawful basis for processing. Controllers should consider what information will be shared with data subjects in their privacy policy, how to achieve data minimization and data quality, and how international transfers will be handled.
6. Identify and assess potential risks
Controllers are required to identify and evaluate the potential risks to data subjects’ rights and freedoms, and outline measures to mitigate these risks. They must assess the likelihood and severity of each risk, considering factors like the nature of the data, the context of processing, and the potential impact on individuals. Controllers should develop a risk mitigation plan that includes specific measures such as encryption, anonymization, access controls, and regular security audits.
7. Validate and sign the DPIA
Controllers must validate and sign the DPIA once it is completed. This involves recording who approved the protection measures and any residual risks. Documenting the decision-making process and identifying those responsible for its implementation and authorization provides a clear record of the approval process.
There is no official template from the EDPB, and controllers that need structure or guidance to get started may use templates from Data Protection Authorities such as France’s National Commission on Informatics and Liberty (CNIL) or the UK’s Information Commissioner’s Office. Although the EU GDPR doesn’t apply to the UK post-Brexit, the UK GDPR is nearly identical to the EU version and includes the same provisions for DPIA requirements.
Conclusion and next steps
Conducting a DPIA is a vital practice for safeguarding personal data, maintaining data subjects’ trust, and avoiding reputational damage. By conducting a DPIA, organizations can identify and mitigate potential risks, ensuring that data processing activities are both secure and compliant.
Organizations should consult a qualified legal professional, privacy expert, or DPO to ensure compliance with the GDPR’s DPIA requirements and to implement the necessary safeguards effectively.
The Digital Markets Act (DMA) became enforceable in March 2024, targeting seven large digital platforms — designated as “gatekeepers” — that operate in the EU, European Economic Area (EEA), and UK. These companies wield significant economic power due to their widely used services, extensive customer bases, and dominant market positions.
Under the DMA guidelines, only gatekeepers are explicitly required to comply with the Act’s stringent rules. However, due to the nature of these products, they also pass some of the privacy requirements on to third-party companies using their services to help ensure privacy compliance in their full tech and business ecosystems.
As a result, businesses operating in the EU, EEA, and UK that collect personal data and use gatekeepers’ platforms, must align their practices with DMA requirements or risk losing access to gatekeepers’ services.
We take a look at the practical effects of the DMA on third-party companies and provide step by step instructions for implementing digital tools with your tech stack that will enable you to comply with data privacy requirements in the DMA, continue growing your digital marketing efforts, and maintain trust with your users.
The European Digital Markets Act (DMA) requirements: the basics
The DMA was passed in November 2022, coming into force in May 2023, though there was a grace period before enforcement began in early 2024.
Its mandate includes enabling healthy competition in digital markets for smaller, non-gatekeeper companies; greater transparency and choice for consumers; more stringent data privacy requirements; and more open digital markets.
“Third-party companies are required to follow the guidelines of the gatekeepers, which are about providing a fair competitive market environment and prevention of market abuse. Therefore the gatekeepers adjusted their platform services on aspects like fair access, transparency, data portability and therefore non-exclusivity and so on. The users of the platform services have to comply,” explains Tilman Harmeling, Senior Expert, Privacy at Usercentrics.
The Act’s requirements are similar in many respects to those of the EU’s General Data Protection Regulation (GDPR), but are broader in some ways, addressing additional access to and uses of end users’ personal data.
Designated gatekeepers had until March 6, 2024 to comply with the DMA’s requirements. Those that haven’t met the regulation’s requirements can be fined up to 10 percent of their annual global turnover, or up to 20 percent for repeated infringements. Booking.com was not designated as a gatekeeper until May 2024, so has until November 2024 to comply with the DMA.
The European Commission (EC) can also require violating gatekeepers to sell parts or all of a business, or ban them from acquisitions that would be related to violating activities.
European authorities have already shown that they’re serious about ensuring gatekeepers’ compliance with the DMA. In a recent investigation into Apple’s steering practices related to its App Store (deemed a “core platform service”), the EC has warned Apple that it will have to pay a fine — which might be in the range of EUR 35.4 billion, or 10% of its total global turnover — if it does not allow users and app developers to make use of application marketplaces other than its native store by March 2025.
Facebook parent company Meta has also already been charged with violating the DMA, which could result in penalties in the tens of billions of dollars.
To maintain access to gatekeepers’ platforms, companies that do business in the EU, EEA, and UK that involve processing consumers’ personal data will also need to follow DMA guidelines set by the gatekeepers in line with the Act.
For these companies, failure to meet the requirements that the gatekeepers set would potentially mean loss of access to key features of gatekeepers’ platforms and services, like personalization functionality for advertising. This could result in a significant loss of data, audience, and revenue.
The DMA was passed along with the Digital Services Act (DSA) in the Digital Services Act package. Learn about the key differences between the Digital Markets Act and the Digital Services Act: DMA vs DSA.
What companies does the Digital Markets Act designate as gatekeepers?
Gatekeeper organizations are characterized as such because of their size, the size of their audiences and customer bases, as well as the global influence of the platforms and services they own. The EC has designated seven of these organizations:
- Alphabet (parent company of Google and YouTube)
- Amazon
- Apple
- Booking.com
- ByteDance (parent company of TikTok)
- Meta (parent company of Facebook, Instagram, and WhatsApp)
- Microsoft (parent company of LinkedIn)
What are the gatekeepers’ core platform services?
The gatekeepers provide 23 identified core platform services (CPS). Each is required to comply with the DMA requirements due to their enormous reach and audience size, as well as the amount of data generated.
- Intermediary platforms: Amazon Marketplace, App Store, Booking.com, Google Maps, Google Play, Google Shopping, Meta Marketplace
- Social networks: Facebook, Instagram, LinkedIn, TikTok
- Online advertising services: Amazon, Google, and Meta
- Operating systems: Google Android, iOS, iPadOS, Windows PC OS
- Web browsers: Chrome and Safari
- Large communication services: Facebook Messenger and WhatsApp
- Search engine: Google
- 1 video sharing platform: YouTube
Third-party companies that use these CPS also need to comply with the providers’ DMA guidelines or risk losing access to gatekeepers’ platforms and services, as well as the data, audience access, and revenue they generate.
Read about marketing compliance checklist now
Digital Markets Act (DMA) requirements for third-party companies using gatekeepers’ core platform services
The DMA requirements have a trickle-down effect on the many companies that use the gatekeepers’ core platform services, if they collect and process user data for their own operations and that data is used on gatekeeper services, or access data collected by the gatekeepers.
These companies must fulfill certain conditions set by gatekeepers in line with the Act. As the GDPR already requires organizations that collect and use personal data to obtain prior consent (opt in) from users of these platforms and services in the EU, EEA and UK, meeting these DMA conditions can be relatively straightforward.
“Art. 5 (2) DMA: Gatekeepers must ensure that valid consent is obtained when users/companies of gatekeepers’ core platform share end users’ data. As a result, the responsibility for valid consent has been partially transferred to the gatekeepers, if their services are used,” explains Tilman.
In practice, third-party organizations need to obtain and store valid user consent, and signal it to gatekeepers’ services to control what personal data they collect. The most streamlined way to do this is using a consent management platform with tools like Google Consent Mode integrated.
How does the Digital Markets Act impact user privacy and consent?
The DMA guidelines for user privacy and consent are similar to the requirements under the GDPR and ePrivacy Directive (ePD). Consent must be freely given, specific, informed, unambiguous, and obtained before, or at the point when, any personal data is collected.
Users must also be able to change their consent preferences or withdraw consent at any time, and gatekeepers must be able to prove consent from direct and third-party users in the event of an audit by data protection authorities.
Consent management to enable Digital Markets Act (DMA) compliance
The Digital Markets Act requires the gatekeepers, and by extension those companies using the CPS, to obtain prior user consent if they:
- process personal data for providing advertising service using CPS
- combine personal data from CPS with data from other CPS or services provided by the gatekeepers
- cross-use personal data from CPS in other services provided by the gatekeeper or CPS
and/or
- sign end users in to other services in order to combine personal data
Companies using Google services must also support the most up to date version of Google Consent Mode.
A consent management platform (CMP) like Usercentrics CMP enables companies to notify users about DMA cookies use, provide consent options, store this information securely, and signal these actions to third parties, like the gatekeepers.
What are third-party companies’ rights under the Digital Markets Act?
In addition to the DMA requirements regarding the rights and protections for end users, there are a number of requirements that the gatekeepers must meet regarding third-party companies that use their CPS.
- enable the use of third-party apps on gatekeepers’ operating system(s)
- enable access to data generated on CPS
- not rank gatekeepers’ services more favorably ranked than third parties’
- not track end users outside of the gatekeepers’ CPS for the purpose of targeted advertising without obtaining consent
- enable pre-installed apps to be uninstalled
- enable settings to be changed on operating systems or browsers that lead to the gatekeepers’ products and services
- enable business users to offer their products and services on third-party platforms or their own platform for the same price as on the gatekeepers’ platforms and services
- provide advertisers and publishers information about advertisements placed, remuneration and fees, and metrics free of charge
“The DMA provides third-party companies with several rights, including fair access to platforms, interoperability, data portability, transparency, equal treatment, access to data, non-exclusive contracts, and the ability to contest gatekeeper decisions.
“These rights aim to create a more competitive and fair digital marketplace by preventing gatekeepers from abusing dominant positions and ensuring that third-party companies can compete on equal terms. These rights can be found in Chapter 3 of the DMA,” says Tilman.
Learn more: See the European Commission’s published list of “do’s and don’ts” for gatekeepers
How can companies obtain and store valid consent under the Digital Markets Act?
The DMA guide for valid consent largely aligns with the GDPR and many other data privacy laws. Practically, consent needs to be given freely in advance and must be explicit, informed, and granular, while also being documented and easy to withdraw.
How to make your website compliant with the Digital Markets Act (DMA) requirements
Because full privacy compliance in digital ecosystems where the gatekeepers’ platforms are dominant is pretty much the requirement, third-party companies that rely on gatekeepers’ platforms and services to do business in the EU/EEA and UK pretty much also have to comply with the DMA.
Fortunately, due to their existing adherence to the GDPR’s provisions, many companies that attract users from within the EU, EEA and UK already meet the DMA’s guidelines. However, many organizations with users in these regions still don’t comply with GDPR and therefore won’t comply with the DMA.
Companies that want to ensure their digital practices are in line with both of these digital privacy laws, and that are concerned with protecting revenues, can do so by following a few simple steps.
Step 1: Implement a Consent Management Platform (CMP)
One of the key DMA requirements is obtaining and managing user consent for data processing activities.
Here, it makes things much easier to have a CMP to help you collect, store, and signal user consent in a way that meets the Act’s trickle-down requirements.
Learn more about how the DMA law affects user privacy and consent management.
A high performance CMP will enable you to obtain informed consent from your users by notifying them about what data is being collected, for what purposes, as well as how it will be stored and whether third parties — like the gatekeepers — will have access to it.
You want to be able to quickly and easily implement and customize your CMP for your websites, apps, and other platforms.
In addition to customizing the data processing services in use on your sites and apps, as well as the regulations covered that are relevant to your company’s operations, you want to ensure the look and feel of your data privacy notices are aligned with your company branding, hence the importance of robust customization features.
Usercentrics is a market-leading web consent management platform (CMP) offering seamless integration with the most popular web content management systems (CMS) and other website builder platforms. It’s designed for technical and non-technical teams, so setup and customization are user-friendly and save you time and resources.
Usercentrics CMP enables stringent regulatory compliance with the DMA and other data privacy regulations to help ensure that you are able to maintain access to gatekeepers’ platforms and services without disruption.
To integrate Usercentrics into your website, follow these steps:
- Sign up for a Usercentrics account and enjoy a 14-day free trial.
- Generate the CMP script and privacy policy text tailored to your website.
- Paste the Usercentrics CMP script into the source code of your website. The designated area for this depends on the CMS you use.
- Save the changes and publish your website.
By integrating Usercentrics CMP, you can easily manage user consent preferences, provide transparent information about data processing activities, signal consent information to third-party services, and achieve and maintain compliance with the DMA and GDPR without the need for considerable tech or legal resources.
Step 2: Customize your consent banner
To enhance user experience and comply with DMA requirements, it’s important to customize the cookie consent banner on your website.
Usercentrics provides full customization options to optimize your user interface and messaging while matching the design and branding of your website. Follow these steps to customize the cookie consent banner.
- Access your Usercentrics account and navigate to the customization settings.
- Customize the banner appearance, including colors, fonts, logo, and layout.
- Add a clear and concise message explaining the purpose of DMA cookies and other data processing activities.
- Specify the different types of cookies used on your website and their respective purposes.
- Ensure Google Consent Mode is switched on to optimize your opt-in rates and gain Google ad conversion insights. On Usercentrics CMP, it’s switched on by default for new installations.
- Enable the necessary controls for users to manage their consent preferences easily.
By providing a user-friendly and informative cookie consent banner, you can demonstrate your commitment to user privacy and compliance with the DMA privacy law.
Step 3: Optimize user experience for consent management
Consent management should be a seamless and intuitive process for your website visitors. Here are some tips to optimize the user experience (UX) for consent management:
- Prominent placement: Display the cookie consent banner in a prominent location when users arrive on your website. Note: You can’t block website access and make users’ access to your site dependent on their acceptance of cookies.
- Simple communication: Use clear and concise language to explain the purpose and implications of data processing activities.
- Equal representation: Ensure that “accept” and “deny” options are equally accessible, no dark patterns or hidden options.
- Granular control: Provide granular consent options for users to choose their consent preferences, such as allowing or denying specific categories of cookies.
- Flexible interface: Implement an easy to access and use interface for users to change their consent preferences at any time.
- Regular revisions: Regularly review and update your privacy policy to ensure it accurately reflects your data processing practices. You can use Usercentrics privacy policy generator for this.
By prioritizing UX in consent management, you can foster trust with your users and encourage them to engage with your website while complying with the DMA, which also helps boost your consent rates over time
Step 4: Monitor and audit Digital Markets Act compliance
Compliance with the DMA’s requirements is an ongoing process that requires continuous monitoring and auditing. Here are some best practices to help ensure ongoing compliance.
- Conduct periodic audits to ensure that your website accurately reflects your current data processing activities and requirements of relevant regulations and guidelines.
- Regularly review and update your consent management settings based on changes in regulations or your data processing practices.
- Maintain secure, detailed records of user consent and be prepared to provide proof of compliance if requested.
- Stay informed about any updates or guidance from regulatory authorities regarding the DMA, other relevant laws, and consent management.
By proactively monitoring and auditing your privacy compliance efforts, you can address any potential issues promptly and demonstrate your commitment to data protection.
Final tips for website owners to comply with DMA-related privacy requirements
Read about cookie consent tips now
Compliance with the Digital Markets Act’s privacy requirements is essential for any company that makes use of services provided by the EC’s designated gatekeepers. Given the dominance and reach of these platforms, failure to do so can result in the significant loss of data, audience, and revenue.
Fortunately, complying with the DMA is made easier with a robust and scalable CMP. These platforms help third-party companies obtain the necessary consent from their users and signal it to companies like Google for advertising and other services.
This helps organizations to maintain access to gatekeeper services, grow revenue with successful and data-driven campaigns, and build trust with customers as a result of their data privacy practices.
We strongly recommend consulting with legal and data privacy experts for your privacy compliance operations. However, implementing Usercentrics CMP helps to greatly reduce the resource needs and complexities of meeting the DMA’s and gatekeepers’ requirements.
Our out of the box solution is Europe’s leading CMP. Our state of the art technology scans for and detects all cookies and other trackers in use on your website, enables collection, storage and signaling of valid user consent, and automates processes to enable ongoing compliance with the DMA and GDPR. All this helps to ensure that you can maintain access to gatekeepers’ platforms and services without disruption.
On April 4, 2024, Kentucky became the fifteenth state in the United States to enact a consumer privacy bill with the passing of House Bill 15, the Kentucky Consumer Data Protection Act (KCDPA). The law goes into effect on January 1, 2026 and gives organizations close to two years to prepare for compliance.
We look at the KCDPA, who it applies to, how it protects consumers, and how organizations can prepare for compliance.
What is the Kentucky Consumer Data Protection Act?
The Kentucky Consumer Data Protection Act (KCDPA) aims to protect the privacy and personal data of the state’s 4.5 million residents by regulating how it is collected and used. It sets obligations on businesses that operate in Kentucky or produce products or services consumed by its residents and process their personal data.
The KCDPA protects the personal data of residents acting in “an individual context” and not for commercial or employment purposes and defines them as “consumers”.
Like most other US states with consumer privacy laws, Kentucky follows an opt-out consent model. Businesses must clearly explain to consumers:
- what personal data they collect
- why they collect it
- third parties they share it with
- how consumers can opt out of its collection and processing for certain purposes
Definitions under the Kentucky Consumer Data Protection Act
The KCDPA defines key terms concerning the data it protects and data processing activities.
Personal data under the KCDPA
The Kentucky privacy law defines personal data as “any information that is linked or reasonably linkable to an identified or identifiable natural person.” The definition specifically excludes de-identified data or publicly available information.
Common types of personal data that businesses collect include name, phone number, email address, account name, IP address, passport number, or driver’s license number.
Sensitive data under the KCDPA
Sensitive data under Kentucky’s privacy law is personal data that could harm consumers if abused and includes:
- racial or ethnic origin
- religious beliefs
- mental or physical health diagnosis
- sexual orientation
- citizenship or immigration status
- genetic or biometric data processed for the purpose of uniquely identifying a specific natural person
- personal data collected from a known child (under 13 years of age)
- precise geolocation data that can accurately identify an individual’s specific location within a radius of 1,750 feet (533.4 meters)
Consent under the KCDPA
The Kentucky data privacy law defines consent as “a clear affirmative act signifying a consumer’s freely given, specific, informed, and unambiguous agreement to process personal data relating to the consumer.”
Consent may include a written statement, including a statement written by electronic means, or any other unambiguous affirmative action.
Controller under the KCDPA
A controller under the law is “a natural or legal person that, alone or jointly with others, determines the purpose and means of processing personal data.“
A controller, often referred to as a “data controller” in some regulations, is responsible for protecting personal data and must comply with the legal requirements for data protection.
Processor under the KCDPA
A controller may share personal data it collects with a third party for processing purposes. This third-party is known as a processor under the Kentucky privacy law and is defined as “a natural or legal entity that processes personal data on behalf of a controller.”
Sale of personal data under the KCDPA
The Kentucky privacy law defines sale of personal data as “the exchange of personal data for monetary consideration by the controller to a third party.“
Sale does not include disclosure of personal data:
- to a processor that processes the personal data on the controller’s behalf
- to a third party for the purposes of providing a product or service the consumer has requested
- or its transfer:
- to the controller’s affiliate
- to a third party as an asset that is part of a proposed or actual merger, acquisition, bankruptcy, or other transaction
- that the consumer intentionally made available to the public through a mass media channel not restricted to a specific audience
Many other US state-level privacy laws define sale as the exchange of personal data “for monetary or other valuable consideration” by the controller or third party. The KCDPA, like the Virginia Consumer Data Protection Act (VCDPA) and the Utah Consumer Privacy Act (UCPA), requires monetary consideration for the exchange of personal data to be considered sale.
Non-monetary consideration does not constitute sale under the Kentucky privacy law.
Targeted advertising under the KCDPA
The KCDPA defines targeted advertising as “displaying advertisements to a consumer where the advertisement is selected based on personal data obtained or inferred from that consumer’s activities over time and across nonaffiliated websites or online applications to predict that consumer’s preferences or interests.”
The definition excludes:
- ads based on activities within a controller’s own websites or online apps
- ads based on the context of a consumer’s current search query, visit to the website, or online app
- ads directed to a consumer in response to the consumer’s request for information or feedback
- processing of personal data solely for measuring or reporting ad performance, reach, or frequency
Who must comply with the Kentucky Consumer Data Protection Act
The Kentucky privacy law applies to businesses that operate in the Commonwealth of Kentucky or produce products or services aimed at its residents and which, during a calendar year:
- controlled or processed the personal data of at least 100,000 consumers
or
- controlled or processed the personal data of at least 25,000 consumers and derived more than 50 percent of gross revenue from the sale of personal data
Unlike some other US state laws, including the California Consumer Privacy Act (CCPA) / California Privacy Rights Act (CPRA), the KCDPA does not require businesses to comply based on revenue alone.
Exemptions to compliance with the Kentucky Consumer Data Protection Act
The Kentucky data privacy law exempts certain entities and types of data from compliance. Entity-level exemptions include, among others:
- city or state agencies or state political subdivisions
- financial institutions or affiliates subject to the Gramm-Leach-Bliley Act (GLBA)
- covered entities or business associates governed by the Health Insurance Portability and Accountability Act (HIPAA)
- nonprofit organizations, including nonprofit controllers that process personal data solely to help:
- law enforcement agencies investigating suspected insurance-related crimes or fraud
- first responders dealing with catastrophic events
- higher education institutions
- small telephone utilities
Data-level exemptions include, among others:
- protected healthcare-related information, health data, and patient identifying information
- data processed or maintained as emergency contact information for a natural person and used for emergency contact purposes
- data created for or collected under several federal laws, including, among others:
- Health Care Quality Improvement Act
- Patient Safety and Quality Improvement Act
- HIPAA
- Fair Credit Reporting Act (FCRA)
- Combat Methamphetamine Epidemic Act
- Family Educational Rights and Privacy Act (FERPA)
- Farm Credit Act (FCA)
Consumer rights under the Kentucky Consumer Data Protection Act
Consumers have several rights under the Kentucky privacy law to protect their personal data.
- Right to access: consumers can confirm whether or not the controller is processing their personal data and can access their data, unless doing either requires the controller to reveal trade secrets
- Right to correction: consumers can have inaccuracies in their personal data corrected, taking into account the nature of the personal data and purposes of processing
- Right to deletion: consumers can request controllers to delete any personal data provided by, or obtained about, them, with exceptions
- Right to data portability: consumers can obtain a copy of their personal data that they previously provided to the controller, in a ready usable format, with some exceptions
- Right to opt out: consumers can opt out of the processing of their personal data for the purposes of its sale, use in targeted advertising, or profiling in furtherance of “decisions that produce legal or similarly significant effects” concerning them
There is no private right of action — or right to directly sue a controller — under the KCDPA.
Controllers’ obligations under the Kentucky Consumer Data Protection Act
Organizations subject to KCDPA compliance have several obligations under the law to protect consumers’ personal data.
Privacy policy under the KCDPA
Controllers must publish a privacy notice, or, similarly, privacy policy, that informs consumers about:
- categories of personal data the controller processes
- purpose(s) for processing personal data
- method of exercising their rights under the law and how to appeal the controller’s decision regarding a request
- categories of personal data shared with third parties, if any
- categories of third parties who receive personal data, if any
Controllers must clearly inform consumers if they sell personal data to third parties or process it for targeted advertising purposes. Unlike the CCPA, Florida Digital Bill of Rights (FDBR), and Texas Data Privacy and Security Act (TDPSA), the Kentucky privacy law doesn’t require any specific wording to be used to disclose this information. Controllers must also advise consumers how they can opt out of sale or processing for targeted advertising.
The privacy notice must be accessible, clear, and meaningful. It is usually published through a link on the controller’s website, like in the footer, to ensure that consumers can access it from any page.
Consumer rights requests under the KCDPA
Controllers must provide one or more secure and reliable methods for consumers to exercise their rights. Consumers may be asked to log in to an existing account for identity verification, but they can’t be required to create a new account solely for this purpose.
Controllers have 45 days to respond to consumer requests, with the option to extend this period by another 45 days if reasonably necessary. If they need an extension, the controller must inform the consumer before the initial 45-day period expires.
If the controller is unable to reasonably verify the consumer’s identity, they may request additional verification or decline the request. In cases where a request is declined, the controller must notify the consumer within 45 days of receiving the request, providing the reason for the denial and information on how to appeal the decision. Controllers must respond to appeals within 60 days. If an appeal is denied, the controller must provide the consumer a method to contact the Attorney General online to submit a complaint.
Purpose limitation under the KCDPA
Controllers are required to disclose the purpose(s) for which they collect personal data, and the KCDPA requires them to limit the personal data they collect to only what is “adequate, relevant, and reasonably necessary” for the purposes.
Controllers cannot process personal data for any purposes other than those that are disclosed to consumers. If the purpose of data processing changes, they must inform consumers about the new purpose and obtain consent for processing their data, if applicable.
Data security under the KCDPA
Controllers must ensure the confidentiality, integrity, and accessibility of the personal data they collect and process. The Kentucky data privacy law requires them to establish, implement, and maintain reasonable administrative, technical, and physical security measures that are appropriate to the volume and nature of the personal data.
Data protection assessments under the KCDPA
The Kentucky privacy law requires controllers to conduct and document a data protection impact assessment (DPIA) when processing personal data:
- for the purpose of targeted advertising
- for sale
- for the purpose of profiling that presents a reasonably foreseeable risk of:
- unfair or deceptive treatment of or disparate impact on consumers
- financial, physical, or reputational injury
- physical or other intrusion into consumers’ private affairs
- other substantial injury to consumers
- that is classified as sensitive data under the law, including childrens’ data
- presents a heightened risk of harm to consumers
DPIAs are classified information under the law and are exempt from disclosure, public inspection, and copying. However, the Attorney General can request the controller to disclose a DPIA during its investigations into any alleged violations, and the controller must make it available in this circumstance.
If a controller has already conducted a DPIA for other laws or regulations, and it is similar in scope and effect to what is required under the law, the controller can use that DPIA to comply with the KCDPA.
DPIAs shall be required for data processing activities on or after June 1, 2026.
Consent requirements under the KCDPA
The KCDPA primarily follows an opt-out model for personal data processing, like the other US state-level data privacy laws. This means that, in most cases, businesses can collect and process personal data without needing prior consumer consent. An exception to this is processing that involves sensitive data, and controllers must obtain explicit consent before its processing.
Controllers are required to clearly inform consumers about their data processing activities and provide options for consumers to opt out of the sale of their personal data and its use for targeted advertising or profiling.
Unlike several other privacy laws, the Kentucky privacy law does not require controllers to recognize consumer consent preferences communicated through a universal opt-out mechanism such as Global Privacy Control (GPC).
With respect to children’s data, the KCDPA aligns with the Children’s Online Privacy Protection Act (COPPA), as is standard among the US data privacy laws. This requires controllers to obtain consent from a parent or guardian before processing any personal data of children under 13 years old, as the Kentucky privacy law considers all personal data of children under this age as sensitive data.
Nondiscrimination under the KCDPA
The KCDPA explicitly prohibits businesses from discriminating against consumers who exercise their rights under the law. Businesses cannot deny goods or services, charge different prices, or offer varying quality levels to these consumers. However, they may offer different prices, rates, levels, quality, or selections of goods or services to consumers if the offer is related to a voluntary loyalty, rewards, premium features, discounts, or club card program in which the consumer participates.
If a consumer chooses not to allow their personal data to be collected, processed, or sold, businesses cannot deny them access to their website. However, certain website features requiring essential cookies may not function properly if those cookies are declined. This limitation is not considered discrimination under the law.
Businesses are not required to offer a product or service that requires personal data they do not collect or maintain. They are also required to comply with state and federal discrimination laws and cannot process personal information in violation of these laws.
Data processing agreement under the KCDPA
The Kentucky privacy law requires controllers and processors to enter into contracts that govern data processing procedures. This contract is known as a “data processing agreement” under the European Union’s General Data Protection Regulation (GDPR) and Virginia’s CDPA and must include:
- instructions for processing personal data
- nature and purpose of processing
- type of data subject to processing
- duration of processing
- rights and obligations of both parties
Processors must ensure confidentiality of the personal data and that, at the controller’s direction or when the contract is complete, all personal data will be deleted or returned to the controller.
Under most data privacy laws, controllers are held accountable for the data processing actions, breaches, and violations by processors. However, the KCDPA provides two exceptions:
- if a controller or processor lawfully shares personal data with a third-party controller or processor, they are not liable for any violations by the recipient, provided they were unaware of any intent to break the law at the time of sharing
- if a controller or processor lawfully receives personal data, they are not responsible for any legal violations committed by the party that disclosed the data
The Nebraska Data Privacy Act (NDPA) contains a similar provision regarding controllers’ ultimate accountability for data processing activities.
Enforcement of the Kentucky Consumer Data Protection Act
The Kentucky Attorney General has the exclusive enforcement authority under the KCDPA. Consumers do not have a private right of action, but they can report potential violations or denials of their privacy rights directly to the Attorney General’s office.
Before initiating an enforcement action, the Attorney General must provide written notice to the implicated party, detailing the alleged violations and offering a 30-day cure period for organizations to address and resolve any issues. This cure period, which is a permanent aspect of the law, enables companies to rectify problems and implement measures to prevent future breaches.
Organizations found in violation must inform the Attorney General in writing of their corrective actions and confirm that future breaches will not occur.
Fines and penalties under the KCDPA
The Attorney General can initiate a civil action seeking damages against organizations that do not cure the violation within the 30-day period or breach the written statement they provide. Violations of the Kentucky privacy law may result in civil penalties of up to USD 7,500 per violation.
Consent management and the Kentucky Consumer Data Protection Act
The KCDPA adopts an opt-out model for data privacy, which allows businesses to collect and process personal data without requiring prior consent from individuals. However, exceptions are made for sensitive personal data and data belonging to children, where prior consent is mandatory. This approach is consistent with other US state-level data privacy laws.
Consumers must be able to opt out of data collection and processing for purposes such as sale, targeted advertising, or profiling. Businesses are required to make this opt-out option clearly available on their websites, usually through the privacy policy or privacy notice.
Websites often use consent banners on their websites that include clear links or buttons enabling users to opt out of data processing. Consent management platforms (CMPs) like Usercentrics CMP automate this process by managing cookies and other tracking technologies, ensuring they are blocked until the consumer gives consent, where this is required by law. CMPs also provide transparent information about the types of data collected, the purposes for which it is collected, and any third parties with whom the data is shared.
In the absence of a single federal privacy law in the US, businesses operating across the US and/or internationally may need to comply with various state and international privacy laws. CMPs assist by customizing cookie banners based on the user’s location, ensuring adherence to state-level laws like the KCDPA and international regulations like the GDPR.
Updates to the Kentucky Consumer Data Protection Act
Even before the KCDPA comes into effect, Kentucky legislators have passed a bill to update its requirements. Governor Andy Beshear signed HB 473 into law on March 15, 2025.
There are two healthcare-related updates. One is that information collected by health care providers that are acting covered entities under HIPAA, and that maintain protected health information according to HIPAA requirements, are exempt from relevant KCDPA requirements.
The second is that information maintained in limited data sets by entities covered by HIPAA in accordance with relevant HIPAA requirements is also exempt from relevant KCDPA requirements.
The other update limits the requirement for completing a Data Protection Impact Assessment (DPIA) in profiling cases to only those cases with unlawful disparate impact (the potential for disproportionate harm or disadvantage to members of a protected group).
These updates go into effect when the rest of the Kentucky Consumer Data Protection Act does, on January 1, 2026.
Preparing for the Kentucky Consumer Data Protection Act
Businesses operating in Kentucky have until 2026 to comply with the KCDPA. Companies already adhering to privacy laws in other states will find that much of their existing compliance work aligns with the KCDPA requirements. Businesses that meet the compliance thresholds set by the law must be prepared to offer users clear opt-out options and accessible privacy notices. Implementing privacy by design improves all aspects of organizational operations, not just compliance with regulations.
As the KCDPA adapts to new technologies and shifting consumer expectations, it is strongly recommended for businesses to seek guidance from a qualified legal professional or data privacy expert, such as a Data Protection Officer, to achieve and maintain compliance.
Usercentrics does not provide legal advice, and information is provided for educational purposes only. We always recommend engaging qualified legal counsel or privacy specialists regarding data privacy and protection issues and operations.
The Colorado Privacy Act (CPA), effective from July 1, 2023, aims to protect the personal data of Colorado residents by imposing compliance responsibilities on businesses operating in the state. These businesses must provide clear notices about data collection practices and offer opt-out options for data processing, emphasizing the need for a reliable compliance solution to mitigate risks and focus on core operations.
Influenced by the California Consumer Privacy Rights Act (CCPA) and similar laws, the CPA includes unique thresholds and consumer rights, such as the right to opt out of data sales and targeted advertising, access, correct, and delete personal data, and data portability. Unlike other state laws, the CPA also mandates opt-in consent for processing sensitive data and imposes stricter data minimization requirements.
Compliant data is a critical business resource
Compliance is crucial for companies to avoid fines, data loss, and reputational damage while leveraging privacy practices to build user trust, enhance engagement, and boost revenue. The CPA’s comprehensive approach underscores the growing importance of privacy compliance in today’s data-driven market.
These steps will help you achieve compliance with the Colorado Privacy Act (CPA), which applies to and protects residents of Colorado. The checklist also includes recommended best practices for data privacy-related user experience.
Step 1: Determine if your company is required to comply.
If your for-profit organization:
- processes the personal data from at least 100,000 Colorado consumers or
- processes the personal data from at least 25,000 Colorado consumers and
- receives a discount on goods or services from selling personal data.
Important to know: The CPA is effective July 1, 2023 and does not apply retroactively.
Step 2: Create a comprehensive Privacy Policy.
- Purpose: Inform consumers at or before the point of data collection:
- categories of personal data processed
- purposes for which data is processed
- categories of personal data that the controller shares with third parties, if any
- categories of third parties the controller shares personal data with, if any.
- Rights: Inform website visitors of their privacy rights and how to exercise them, including contact information and how a consumer may appeal a controller’s decision with regard to the consumer’s request.
- Language: Ensure the Privacy Policy is clear and easy to understand.
- Implementation: Make information about privacy and user options, like consent opt-out, available via a banner or pop-up for when users visit your site, e.g. with a Consent Management Platform.
Step 3: Inform users about their rights.
Consumers’ rights under the CPA:
- Right to Access
- request and receive confirmation whether a controller is processing their personal data
- Right to Correction
- updates or corrections to inaccuracies in personal data collected
- Right to Deletion
- personal data that has been collected about them (with exceptions)
- Right to Data Portability
- copy of personal data must be provided in a portable and readily useable format
- Right to Opt Out
- of processing of personal data for the purposes of sale, targeted advertising, or profiling for decisions that would affect the consumer in a legal or similarly significant way
- Right to Non-discrimination
- for exercising privacy rights
- Right of Minors
- consent must be obtained from a parent/guardian if the data subject is a child (under age 13) as regulated by the Children’s Online Privacy Protection Act (COPPA)
- Right to Restrict Use of Sensitive Personal Information
- limit or refuse the collection or use of personal data the law classifies as sensitive
Step 4: As a best practice, review and update your Privacy Policy or Notice every 12 months.
- Review your operations and potential changes in the law every 12 months. Updating your Privacy Policy information and the effective date. Effective date should be updated even if you don’t make any other changes to the Policy.
- Transparency: Ensure that the information that users must be notified about is clear, comprehensive and up to date. Ensure that the date of the last update is clearly visible.
- Data sold: List all the categories of personal information that your business has sold in the past 12 months.
Step 5: Enable clear options when consent is required.
- When: If the personal data collected is sensitive or that of a child.
- Availability: Easily accessible on your website.
- Method: Via the use of a Consent Management Platform (CMP).
Step 6: Authenticate consent or opt out of collection of sensitive personal data or data from minors.
- Sensitive Personal Data: Provide clear options to opt-out and store preferences for processing sensitive personal data.
- Consent for Children: Obtain consent from a parent or legal guardian for collection of personal data if the data subject is 13 or younger.
Step 7: Enable consumers to make Data Subject Access Requests (DSARs)
- Provide one or more contact options, e.g. toll-free phone number, web form, email.
- Set up a system to enable submission of DSARs.
Step 8: Set up a system to verify Data Subject Access Requests (DSARs)
- Enable consumers to attach documentation when submitting a request, to enable secure verification of their identity and residency.
- Set up a system to enable submissions for verification requests.
- If your business cannot reasonably verify the consumer’s identity to the appropriate degree of certainty, it must inform the consumer and explain why the request could not reasonably be verified, and enable the consumer to rectify.
Step 9: Keep track of Data Subject Access Requests (DSARs)
- Set up a system to track all requests.
- Time period: keep records of all requests and your business responses for 2 years.
Step 10: Fulfill Data Subject Access Requests (DSARs)
- Standard time period: within 45 days.
- Extended time period: up to 90 days.
Get all the details about the Colorado Privacy Act (CPA) in our comprehensive overview.
The Utah Consumer Privacy Act (UCPA), effective December 31, 2023, aims to protect Utah residents’ personal data by granting rights to access, delete, and control their data, while imposing transparency and security obligations on businesses. Companies operating in Utah or targeting its consumers must comply if they meet certain thresholds, including designating a data privacy officer, conducting audits, and responding to consumer requests promptly.
Unlike California’s CCPA/CPRA, the UCPA uses an opt-out model for data processing and does not require explicit consent for processing sensitive data but mandates clear notifications. Understanding and adhering to these specific compliance requirements is crucial for mitigating legal risks, building user trust, and enhancing revenue, making it essential for businesses to stay informed and adjust their practices accordingly.
Compliant data is a critical business resource
These steps will help you achieve compliance with the Utah Consumer Privacy Act (UCPA), which applies to and protects residents of Utah. The checklist also includes recommended best practices for data privacy-related user experience.
Step 1: Determine if your company is required to comply.
If your for-profit organization:
- has gross annual revenue that exceeds USD 25 million for the preceding year, and
- processes the personal data from at least 100,000 Utah consumers, or
- processes the personal data from at least 25,000 Utah consumers, and
- derives at least 50 percent of annual revenue from selling personal data.
Important to know:: The UCPA is effective December 31, 2023 and does not apply retroactively.
Step 2: Create a comprehensive Privacy Policy.
- Purpose: Inform consumers at or before the point of data collection:
- categories of personal data processed by the controller
- purposes for which data is processed
- categories of personal data that the controller shares with third parties, if any
- categories of third parties the controller shares personal data with, if any.
- Rights: Inform website visitors of their privacy rights and how to exercise them.
- Language: Ensure the Privacy Policy is clear and easy to understand.
- Implementation: Make information about privacy and user options, like consent opt out, available via a banner or pop-up for when users visit your site, e.g. with a Consent Management Platform.
Step 3: Inform users about their rights.
Consumers’ rights under the UCPA:
- Right to Access
- inquire and receive confirmation whether personal data is processed and receive access to it
- Right to Deletion
- personal data that has been collected about them (with exceptions)
- Right to Data Portability
- copy of personal data must be provided in a portable and readily useable format
- Right to Opt Out
- of processing of personal data for the purposes of sale or targeted advertising
- Right to Non-discrimination
- for exercising privacy rights
- Right of Minors
- consent must be obtained from a parent/guardian if the data subject is a child (under age 13) as regulated by the Children’s Online Privacy Protection Act (COPPA)
- Right to Restrict Use of Sensitive Personal Information
- option to opt out the collection or use of personal data the law classifies as sensitive
Step 4: Review and update your Privacy Policy or Notice every 12 months.
- Review your operations and potential changes in the law every 12 months. Updating your Privacy Policy information and the effective date. Effective date should be updated even if you don’t make any other changes to the Policy.
- Transparency: Ensure that the information that users must be notified about is clear, comprehensive and up to date. Ensure that the date of the last update is clearly visible.
- Data sold: List all the categories of personal information that your business has sold in the past 12 months.
Step 5: Enable clear options when consent is required
- When: If the personal data collected is that of a child.
- Availability: Easily accessible on your website.
- Method: Via the use of a Consent Management Platform (CMP).
Step 6: Authenticate consent or opt out of collecting sensitive personal data or data from minors.
- Sensitive Personal Data: Provide clear options to opt out and store preferences for processing sensitive personal data.
- Consent for Children: Obtain consent from a parent or legal guardian for collection of personal data if the data subject is 13 or younger.
Step 7: Enable consumers to make Data Subject Access Requests. (DSARs)
- Provide one or more contact options, e.g. email, toll-free phone number, or web form.
- Set up a system to enable the submission of DSARs.
Step 8: Set up a system to verify Data Subject Access Requests (DSARs)
- Enable consumers to attach documentation when submitting a request, to enable secure verification of their identity and residency.
- Set up a system to enable submissions for verification requests.
- Suppose your business cannot reasonably verify the consumer’s identity to the appropriate degree of certainty. In that case, it must inform the consumer and explain why the request could not reasonably be verified, and enable the consumer to rectify.
Step 9: Keep track of Data Subject Access Requests (DSARs)
- Set up a system to track all requests.
- Time period: keep records of all requests and your business responses for 2 years
Step 10: Fulfill Data Subject Access Requests (DSARs)
- Standard time period: within 45 days.
- Extended time period: up to 90 days.
Get all the details about the Utah Consumer Privacy Act (UCPA) in our comprehensive overview.
If your company has customers in Brazil – the largest country in both Latin and South America – or plans expansion there, and you collect or process personal data, you need to comply with the Lei Geral de Proteção de Dados (LGPD), or General Data Protection Law in English.
After presidential review, the LGPD became law on September 18, 2020. Its enforceability was backdated to August 16, 2020. The main goal of the Law was to unify 40 different Brazilian laws that regulate the processing of personal data. The good news is: if you are already compliant with the GDPR or POPIA, then you have already done a great deal of the work necessary to comply with LGPD.
Compliant data is a critical business resource
To help you achieve LGPD compliance, follow these steps:
Step 1: Identify if your organization needs to comply.
- Your business processes the personal data of people in Brazil, regardless of where your business is located.
Step 2: Create a comprehensive Privacy Policy.
- Ensure it is easy to find, read, and understand for the average user.
- Inform about who has access to personal data collected (e.g. from cookies).
- Implementation: make the information and consent preferences about data processing available in a Privacy Banner when users visit your site. A Consent Management Platform ensures that you can include all necessary information and obtain required consents.
Step 3: Inform users about their rights.
- Inform users about the nine fundamental rights that data subjects have under Article 18 of the LGPD, e.g. right to erasure, right to be informed, and right to object.
Step 4: Inform users that you use cookies or other tracking technologies.
- Ensure that you inform users of your intentions at or before the point you start collecting data.
- Particularly inform users about:
- The specific purpose of the processing;
- The type and duration of the processing;
- The identity of the controller and their contact information;
- The shared use of data by the controller, and the purpose;
- The responsibilities of the agents that will carry out the processing;
- The data subject’s rights, with explicit mention of the rights listed in Art. 18 of the LGPD.
- Include this information in your Privacy Policy.
Step 5: Explain in the first layer of the privacy banner what your cookies or other web technologies are doing and why.
- Inform users about the purpose of each cookie or web technology separately to ensure you obtain specific and granular consent for each cookie objective. Users must have the option to grant or withdraw consent for each purpose.
- It should be stated in the first layer of the Privacy Banner.
Step 6: Obtain users’ voluntary and informed consent to store cookies on their device(s) and enable refusal of consent or adjustment of preferences in the future.
- Necessary where cookies involve the collection and processing of personal data from users (e.g. if the information can be linked to a particular individual’s identity).
- Consent must be freely given: Equal presentation and accessibility of “Accept” and “Reject” buttons. Refusing consent must be an equally accessible option.
- Consent must be easy to withdraw: in the second layer users have to have the option to withdraw their consent.
- Documented: You have the burden of proof of consent in the case of an audit.
Step 7: Collect and process data only after obtaining valid consent.
- Ensure that no cookies are loaded until users have given consent.
- Once valid consent has been obtained, you can collect and process personal data for the purposes for which you informed users (i.e. using the web technologies to which they consented).
Step 8: Document and store consent received from users.
- Comply with documentation obligations to ensure you can verify users’ consent in case of complaint or audit by Brazilian data protection authorities.
Step 9: After opt out, ensure that no further data is collected or forwarded.
- Ensure that from the moment of the objection on, no further data is collected or forwarded. This includes declined consent for new users or updated consent preferences for existing users.
LGPD Cookie Requirements
Cookies covered by LGPD
Identifiable data is protected by the LGPD. Thus, cookies and other tracking web technologies – that collect data that can be associated with a natural person – are subject to privacy compliance obligations under the law. E.g. the information is linked or linkable to a particular user, IP address, device, or other specific identifier.
Brazilian Internet Act
The Brazilian Internet Act has provisions concerning the storage, use, disclosure, and other treatment of data collected on the Internet. Also, the established rights of privacy, intimacy, and consumer rights apply equally to electronic media, such as mobile devices and the Internet.
Violations can be subject to civil punishment under the National Data Protection Authority. Fines can be up to 2 percent of annual revenue for the preceding year, up to BRL 50 million, as well as full or partial suspension of data processing activities.
Requirements for the LGPD (Brazil) | Is Usercentrics compliant? |
---|---|
Freely given and informed consent is necessary | |
The purpose has to be provided (first layer of the privacy banner) | |
The recipient has to be named (second layer of the privacy banner) | |
Withdrawal of consent has to be possible (second layer of the privacy banner) | |
Options to grant or decline consent must be equal | |
Proof that consent has been given must be stored | |
The option to give or withdraw granular consent for each data processing purpose has to be provided |
DISCLAIMER
These statements do not constitute legal advice. They merely serve to support and inform you about the current legal situation. Please consult a qualified lawyer should you have any legal questions.